Re: [exim] TLS with gmail started failing

Author: Viktor Dukhovni
Date:  
To: Exim-users
Subject: Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 10:30:52AM -0700, Marc MERLIN wrote:

> > And also with gnutls-cli:
> >
> >     $ gnutls-cli --crlf --starttls --port 25 smtp.example.net alt4.gmail-smtp-in.l.google.com

>
> Thanks for that suggestion.
> That seems to work
>
> magic:~# gnutls-cli --crlf --starttls --port 25 alt4.gmail-smtp-in.l.google.com
> Processed 99 CA certificate(s).
> Resolving 'alt4.gmail-smtp-in.l.google.com'...
> Connecting to '173.194.217.26:25'...
>
> - Simple Client Mode:
>
> 220 mx.google.com ESMTP 43si392782uam.102 - gsmtp
> EHLO foo.bar
> 250-mx.google.com at your service, [209.81.13.136]
> 250-SIZE 157286400
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> quit
> 221 2.0.0 closing connection 43si392782uam.102 - gsmtp


Actually, that did not work; I must have botched the command-line
arguments. The "STARTTLS" never happened, as can be seen from the
fact that the EHLO response still contains 'STARTTLS', which would
not be the case once STARTTLS is established. Sorry, I am a Postfix
and OpenSSL developer, not an Exim or GnuTLS one. Perhaps someone else
will post the correct options, or you can double-check the manpage.

With "posttls-finger", we see the pre- and post-handshake EHLO
responses, with the latter not containing "STARTTLS", as expected.

    $ posttls-finger -Lsummary "[alt4.gmail-smtp-in.l.google.com]"
    posttls-finger: Connected to alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25
    posttls-finger: < 220 mx.google.com ESMTP m18si1519581ejq.1 - gsmtp
    posttls-finger: > EHLO straasha.imrryr.org
    posttls-finger: < 250-mx.google.com at your service, [100.2.39.101]
    posttls-finger: < 250-SIZE 157286400
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: certificate verification failed for alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    posttls-finger: Untrusted TLS connection established to alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    posttls-finger: > EHLO straasha.imrryr.org
    posttls-finger: < 250-mx.google.com at your service, [100.2.39.101]
    posttls-finger: < 250-SIZE 157286400
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 closing connection m18si1519581ejq.1 - gsmtp


-- 
    Viktor.
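As an added example (not code from the thread, Postfix or GnuTLS), a parser for the check Viktor describes: it pulls the EHLO keyword sets out of a session transcript in either tool's output style, using constructed sample sessions modelled on the two above, and reports STARTTLS as established only when a second EHLO was answered without the STARTTLS keyword.

```python
import re

# Constructed transcripts modelled on the two sessions in the thread (placeholder hosts).
GNUTLS_SESSION = """\
EHLO foo.bar
250-mx.example.test at your service, [192.0.2.1]
250-SIZE 157286400
250-STARTTLS
250 SMTPUTF8
"""
POSTTLS_SESSION = """\
posttls-finger: > EHLO client.example.test
posttls-finger: < 250-mx.example.test at your service, [192.0.2.1]
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: > EHLO client.example.test
posttls-finger: < 250-mx.example.test at your service, [192.0.2.1]
posttls-finger: < 250 SMTPUTF8
"""
# Optional "posttls-finger: < " / "> " prefix, so both tools' output parse alike.
LINE_RE = re.compile(r"^(?:posttls-finger: [<>] )?(.*)$")

def ehlo_capability_sets(transcript):
    """One set of advertised EHLO keywords per EHLO response, in order."""
    sets, current, first = [], None, False
    for raw in transcript.splitlines():
        line = LINE_RE.match(raw).group(1).strip()
        if line.upper().startswith("EHLO "):
            current, first = set(), True   # start collecting a new reply
            continue
        m = re.match(r"^250([ -])(\S+)", line) if current is not None else None
        if not m:
            continue
        sep, keyword = m.groups()
        if first:
            first = False   # first 250 line carries the server name, not a keyword
        else:
            current.add(keyword.upper())
        if sep == " ":      # "250 " (space) ends the multi-line reply
            sets.append(current)
            current = None
    return sets

def starttls_established(transcript):
    """True only if a post-handshake EHLO was answered and it no longer lists
    STARTTLS, the observable sign that TLS was really negotiated (RFC 3207)."""
    caps = ehlo_capability_sets(transcript)
    if len(caps) < 2:
        return False   # only a plaintext EHLO, as in the gnutls-cli attempt above
    return "STARTTLS" in caps[0] and "STARTTLS" not in caps[-1]
```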