Re: Operation timed out with smtp.gmail.com - please help
> Date: Fri, 29 Mar 2013 15:36:19 -0400
> From: Jerry je...@seibercom.net
> To: FreeBSD freebsd-questions@freebsd.org
> Subject: Re: Operation timed out with smtp.gmail.com - please help
>
> On Fri, 29 Mar 2013 18:32:34 GMT Anton Shterenlikht articulated:
>
> > Please help debug sendmail / smtp.gmail config.
> >
> > My University just switched to gmail (dickheads) and I'm trying to figure out how to set it up. It used to work ok with the University smtp auth server.
> >
> > Now I get in /var/log/maillog:
> >
> >     sm-mta[72300]: r2TI0vQc072134: to=me...@bris.ac.uk, ctladdr=me...@.men.bris.ac.uk (1001/1001), delay=00:20:01, xdelay=00:00:00, mailer=relay, pri=210424, relay=smtp.gmail.com, dsn=4.0.0, stat=Deferred: Operation timed out with smtp.gmail.com
> >
> > I switched the firewall off completely.
> >
> > I have:
> >
> >     # cat /etc/mail/auth/client-info
> >     AuthInfo:smtp.gmail.com U:root I:me...@bristol.ac.uk P:x
> >     #
> >
> > and this in /etc/mail/freebsd.mc:
> >
> >     define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> >     define(`SMART_HOST', `smtp.gmail.com')dnl
> >
> > I rebuilt (run make under /etc/mail. This just renames freebsd.mc to hostname.mc, and freebsd.submit.mc to hostname.submit.mc) and restarted sendmail.
> >
> > I also use:
> >
> >     MASQUERADE_AS(`bristol.ac.uk')
> >     MASQUERADE_DOMAIN(`bristol.ac.uk')
> >
> > to use the university domain instead of my .men.bris.ac.uk, which is not acceptable.
>
> Try this at the command line:
>
>     openssl s_client -connect smtp.gmail.com:25 -starttls smtp
>
> If it times out, change the port number to 587 and try it again. If you cannot make a connection using either port number then you have a firewall problem.

Thank you, I get:

    $ openssl s_client -connect smtp.gmail.com:25 -starttls smtp
    connect: Operation timed out
    connect:errno=60
    $

    $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
    CONNECTED(0003)
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2317 bytes and written 476 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-RC4-SHA
        Session-ID: 8CAF4204FADB72F58FA6334A62F65B7182EF06F3C9AD8042FD44B9F726E8C9D5
        Session-ID-ctx:
        Master-Key: 45312AE23341AAFA1414BDDD30740E4FB40655986FD410A606CD351206BBAC5E5496F77DDF4DBE32B0E9B7E7FFA1057
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
Re: Operation timed out with smtp.gmail.com - please help
On 30/03/2013 10:14, Anton Shterenlikht wrote:

> The university IT support page:
> http://www.bristol.ac.uk/it-services/applications/email/gmail/manual-config-gmail.html
> actually says that port 465 SSL should be used, so I also tried:
>
>     $ openssl s_client -connect smtp.gmail.com:465 -starttls smtp
>     CONNECTED(0003)
>     ^C
>     $
>
> Not sure what to make of this. Is the port set by sendmail config files?
>
> Many thanks for your help

Port 465 wouldn't use STARTTLS -- it requires SSL straight away. Try:

    % openssl s_client -connect smtp.gmail.com:465

If it works you should see output to do with setting up session keys etc. However, SMTP on port 465 seems to be mostly a windows thing, and generally discouraged -- use of STARTTLS or equivalent to allow both SSL and plaintext without having to allocate a separate port for SSL is preferred. I'm pretty sure that gmail does support STARTTLS...

>     $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
>     CONNECTED(0003)
>     depth=1 C = US, O = Google Inc, CN = Google Internet Authority
>     verify error:num=20:unable to get local issuer certificate
>     verify return:0
>     ---
>     Certificate chain
>      0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
>        i:/C=US/O=Google Inc/CN=Google Internet Authority
>      1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>        i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>     ---

Given you're seeing that CONNECTED message there, it certainly does.

The problem with that openssl command seems to be the 'unable to get local issuer certificate' part. That's possibly openssl being pickier about verifying certs than sendmail would be, but that certificate verification step is probably where you're coming adrift.

You need to have the intermediate certs used by Google in your cacert.pem file, so sendmail will trust the smtp.gmail.com cert. Check the 'confCACERT' setting in your sendmail.mc. I have a block of code like this:

    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/cacert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

which allows me to put all the keys and certs in /etc/mail/certs/

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
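Added example, not part of the original thread: a small classifier for the three `openssl s_client` outcomes seen above (timeout on port 25, handshake stall with `-starttls` on port 465, verify error 20 on port 587), mapped to the remedy each reply suggests. The function names are hypothetical and the sample transcripts are abridged from the output quoted in this thread.

```sh
#!/bin/sh
# Added example, not from the thread: classify an `openssl s_client` transcript.
# Function names are hypothetical. Feed it stdout and stderr together, e.g.
#   openssl s_client -connect HOST:PORT -starttls smtp </dev/null 2>&1 | classify_s_client

classify_s_client() {
    awk '
        /^connect:errno=/           { blocked = 1 }    # TCP connect failed or timed out
        /^CONNECTED/                { connected = 1 }  # TCP session established
        /^verify error:num=/        { verr = 1 }       # chain failed verification
        /Verify return code: [1-9]/ { verr = 1 }       # same verdict in the session summary
        /^SSL handshake has read/   { handshake = 1 }  # TLS handshake completed
        END {
            if (!connected)      print (blocked ? "blocked" : "unknown")
            else if (verr)       print "untrusted-chain"
            else if (!handshake) print "stalled"
            else                 print "ok"
        }'
}

# Map a verdict to the remedy discussed in the thread.
next_step() {
    case "$1" in
        blocked)         echo "port unreachable: try 587, otherwise check the firewall" ;;
        untrusted-chain) echo "add the issuing CA certs to the file named by confCACERT" ;;
        stalled)         echo "no handshake: port 465 wants TLS at once, drop -starttls" ;;
        ok)              echo "chain verified: TLS is not the problem" ;;
        *)               echo "no verdict: capture stderr as well (2>&1)" ;;
    esac
}

# Transcripts abridged from the output quoted in this thread.
sample_port25() {
    printf '%s\n' 'connect: Operation timed out' 'connect:errno=60'
}
sample_port587() {
    printf '%s\n' 'CONNECTED(0003)' \
        'depth=1 C = US, O = Google Inc, CN = Google Internet Authority' \
        'verify error:num=20:unable to get local issuer certificate' \
        'verify return:0' \
        'SSL handshake has read 2317 bytes and written 476 bytes'
}
sample_port465_starttls() {
    printf '%s\n' 'CONNECTED(0003)'
}

for s in sample_port25 sample_port587 sample_port465_starttls; do
    v=$($s | classify_s_client)
    printf '%-24s %-16s %s\n' "$s" "$v" "$(next_step "$v")"
done
```
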
Re: Operation timed out with smtp.gmail.com - please help
On Sat, 30 Mar 2013 10:49:45 + Matthew Seaman articulated:

> Given you're seeing that CONNECTED message there, it certainly does.
>
> The problem with that openssl command seems to be the 'unable to get local issuer certificate' part. That's possibly openssl being pickier about verifying certs than sendmail would be, but that certificate verification step is probably where you're coming adrift.
>
> You need to have the intermediate certs used by Google in your cacert.pem file, so sendmail will trust the smtp.gmail.com cert. Check the 'confCACERT' setting in your sendmail.mc. I have a block of code like this:
>
>     define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
>     define(`confCACERT_PATH', `CERT_DIR')dnl
>     define(`confCACERT', `CERT_DIR/cacert.pem')dnl
>     define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
>     define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
>     define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
>     define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
>
> which allows me to put all the keys and certs in /etc/mail/certs/

If you really need the Gmail certs, you can use this to get them:

    openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts

If you feel you really need the Equifax Secure Certificate Authority pem, go here http://www.geotrust.com/resources/root-certificates/ and download it.

Again, how to set up Sendmail is a task I leave for the student.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: Operation timed out with smtp.gmail.com - please help
> Date: Sat, 30 Mar 2013 07:49:19 -0400
> From: Jerry je...@seibercom.net
> To: FreeBSD freebsd-questions@freebsd.org
> Subject: Re: Operation timed out with smtp.gmail.com - please help
>
> On Sat, 30 Mar 2013 10:49:45 + Matthew Seaman articulated:
>
> > Given you're seeing that CONNECTED message there, it certainly does.
> >
> > The problem with that openssl command seems to be the 'unable to get local issuer certificate' part. That's possibly openssl being pickier about verifying certs than sendmail would be, but that certificate verification step is probably where you're coming adrift.
> >
> > You need to have the intermediate certs used by Google in your cacert.pem file, so sendmail will trust the smtp.gmail.com cert. Check the 'confCACERT' setting in your sendmail.mc. I have a block of code like this:
> >
> >     define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> >     define(`confCACERT_PATH', `CERT_DIR')dnl
> >     define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> >     define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> >     define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> >     define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> >     define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
> >
> > which allows me to put all the keys and certs in /etc/mail/certs/
>
> If you really need the Gmail certs, you can use this to get them:
>
>     openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts
>
> If you feel you really need the Equifax Secure Certificate Authority pem, go here http://www.geotrust.com/resources/root-certificates/ and download it.
>
> Again, how to set up Sendmail is a task I leave for the student.

Jerry, Matthew, thank you I think I got it working.

In addition to your advice, this guide was very helpful:

http://www.phinesolutions.com/sendmail-gmail-smtp-relay-howto.html

It seems these two options were required:

    define(`RELAY_MAILER_ARGS', `TCP $h 587')
    define(`ESMTP_MAILER_ARGS', `TCP $h 587')

Thanks again

Anton

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Operation timed out with smtp.gmail.com - please help
On Sat, 30 Mar 2013 10:17:55 -0700 (PDT) Anton Shterenlikht articulated:

> Jerry, Matthew, thank you I think I got it working.
>
> In addition to your advice, this guide was very helpful:
>
> http://www.phinesolutions.com/sendmail-gmail-smtp-relay-howto.html
>
> It seems these two options were required:
>
>     define(`RELAY_MAILER_ARGS', `TCP $h 587')
>     define(`ESMTP_MAILER_ARGS', `TCP $h 587')

After reading that How-to, I am so glad I use Postfix. Anyway, glad you got it to work. You might find the idiot who wrote that first manual you referenced and tell him/her they are a dumb-ass and post a corrected manual.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: Operation timed out with smtp.gmail.com - please help
gmail has a blocking mechanism when you use it from different devices; try this, maybe it will help:

https://accounts.google.com/DisplayUnlockCaptcha

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
Re: Operation timed out with smtp.gmail.com - please help
On Fri, 29 Mar 2013 18:32:34 GMT Anton Shterenlikht articulated:

> Please help debug sendmail / smtp.gmail config.
>
> My University just switched to gmail (dickheads) and I'm trying to figure out how to set it up. It used to work ok with the University smtp auth server.
>
> Now I get in /var/log/maillog:
>
>     sm-mta[72300]: r2TI0vQc072134: to=me...@bris.ac.uk, ctladdr=me...@.men.bris.ac.uk (1001/1001), delay=00:20:01, xdelay=00:00:00, mailer=relay, pri=210424, relay=smtp.gmail.com, dsn=4.0.0, stat=Deferred: Operation timed out with smtp.gmail.com
>
> I switched the firewall off completely.
>
> I have:
>
>     # cat /etc/mail/auth/client-info
>     AuthInfo:smtp.gmail.com U:root I:me...@bristol.ac.uk P:x
>     #
>
> and this in /etc/mail/freebsd.mc:
>
>     define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
>     define(`SMART_HOST', `smtp.gmail.com')dnl
>
> I rebuilt (run make under /etc/mail. This just renames freebsd.mc to hostname.mc, and freebsd.submit.mc to hostname.submit.mc) and restarted sendmail.
>
> I also use:
>
>     MASQUERADE_AS(`bristol.ac.uk')
>     MASQUERADE_DOMAIN(`bristol.ac.uk')
>
> to use the university domain instead of my .men.bris.ac.uk, which is not acceptable.

Try this at the command line:

    openssl s_client -connect smtp.gmail.com:25 -starttls smtp

If it times out, change the port number to 587 and try it again. If you cannot make a connection using either port number then you have a firewall problem.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.