On Fri, Jun 07, 2019 at 10:30:52AM -0700, Marc MERLIN wrote:
> > And also with gnutls-cli:
> >
> > $ gnutls-cli --crlf --starttls --port 25 smtp.example.net alt4.gmail-smtp-in.l.google.com
>
> Thanks for that suggestion.
> That seems to work
>
> magic:~# gnutls-cli --crlf --starttls --port 25 alt4.gmail-smtp-in.l.google.com
> Processed 99 CA certificate(s).
> Resolving 'alt4.gmail-smtp-in.l.google.com'...
> Connecting to '173.194.217.26:25'...
>
> - Simple Client Mode:
>
> 220 mx.google.com ESMTP 43si392782uam.102 - gsmtp
> EHLO foo.bar
> 250-mx.google.com at your service, [209.81.13.136]
> 250-SIZE 157286400
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> quit
> 221 2.0.0 closing connection 43si392782uam.102 - gsmtp

Actually, that did not work, I must have botched the command-line
arguments. The "STARTTLS" never happened, as can be seen from the
fact that the EHLO response still contains 'STARTTLS', which would
not be the case once starttls is established. Sorry, I am a Postfix
and OpenSSL developer, not Exim or GnuTLS. Perhaps someone else
will post the correct options, or you can double-check the manpage.

With "posttls-finger", we see the pre- and post-handshake EHLO
responses, with the latter not containing "STARTTLS" as expected.

$ posttls-finger -Lsummary "[alt4.gmail-smtp-in.l.google.com]"
posttls-finger: Connected to alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25
posttls-finger: < 220 mx.google.com ESMTP m18si1519581ejq.1 - gsmtp
posttls-finger: > EHLO straasha.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [100.2.39.101]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
posttls-finger: Untrusted TLS connection established to alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO straasha.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [100.2.39.101]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection m18si1519581ejq.1 - gsmtp

--
Viktor.
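
Added example (not part of the original message, and not code from Postfix or GnuTLS): the check described above, applied to saved session transcripts. It decides whether STARTTLS was really negotiated by testing whether the EHLO reply that follows `STARTTLS` / `220` still lists the STARTTLS keyword. The function names, status strings and both sample transcripts are constructed for illustration, with placeholder hostnames.

```python
import re

REPLY = re.compile(r"^(?:posttls-finger: < )?(\d{3})([ -])(.*)$")
COMMAND = re.compile(r"^(?:posttls-finger: > )?(EHLO|STARTTLS)\b", re.I)

def parse_exchanges(transcript):
    """Yield (verb, code, reply_texts) for each EHLO/STARTTLS command seen."""
    verb, texts = None, []
    for line in map(str.strip, transcript.splitlines()):
        cmd, reply = COMMAND.match(line), REPLY.match(line)
        if cmd:
            verb, texts = cmd.group(1).upper(), []
        elif reply and verb:
            texts.append(reply.group(3))
            if reply.group(2) == " ":  # "250 " ends a reply, "250-" continues it
                yield verb, reply.group(1), texts
                verb = None

def starttls_status(transcript):
    """Classify a session; after the handshake EHLO must not list STARTTLS."""
    offered = tls_ready = False
    for verb, code, texts in parse_exchanges(transcript):
        # First reply line is the server greeting text, the rest are keywords.
        keywords = {t.split()[0].upper() for t in texts[1:] if t.split()}
        if verb == "STARTTLS":
            tls_ready = code == "220"
        elif code == "250" and tls_ready:
            return "still-advertised" if "STARTTLS" in keywords else "established"
        elif code == "250":
            offered = offered or "STARTTLS" in keywords
    return "unconfirmed" if tls_ready else "offered-not-started" if offered else "not-offered"

# Constructed samples modelled on the two sessions in the message above.
GNUTLS_SESSION = """\
EHLO client.example.org
250-mx.example.net at your service
250-STARTTLS
250 SMTPUTF8
"""
POSTTLS_SESSION = """\
posttls-finger: > EHLO client.example.org
posttls-finger: < 250-mx.example.net at your service
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: > EHLO client.example.org
posttls-finger: < 250-mx.example.net at your service
posttls-finger: < 250 SMTPUTF8
"""
```

The second EHLO is only visible in a transcript when the tool logs the dialogue it carries inside the TLS session, as posttls-finger does.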