Re: AT-TLS and CSSMTP setup

2023-08-01 Thread Phil Smith III
Brian Westerman asked:
>so you can use authsmtp.com to send directly from CSSMTP?

It's just an SMTP server, so if you can get there from your network, sure.

>When you send the email, does it come from where you say it should or
>do you have to use a special email that they give you?

You tell it the valid sending domains. You need to set your SPF record 
correctly, of course.

>That would be great. I assume they have an smtp server that you set up
>in the targetname field. Do you know if they use port 25, 26 or 587?

2525. Avoids all those blocked-port hassles! See 
https://www.authsmtp.com/features.php for details.

>I think if it works, it would be a great solution.
>I tried sending them a question, but their contact form fails.

Ouch. I've emailed them, CCed you.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Brian Westerman
so you can use authsmtp.com to send directly from CSSMTP?  

When you send the email, does it come from where you say it should or do you 
have to use a special email that they give you?

That would be great.  I assume they have an smtp server that you set up in the 
targetname field.  Do you know if they use port 25, 26 or 587?  

I think if it works, it would be a great solution.

I tried sending them a question, but their contact form fails.



Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Phil Smith III
Brian Westerman asked:
>I think there are 3rd party sites that offer the use of SMTP for forwarding 
>that I might want to give a try. 

I've used authsmtp.com for ~20 years. Good folks and it Just Works. When I've 
had weird issues, they do the analysis and get right back to me, even though 
it's never been their fault.

Another good ISP is EasyDNS out of Toronto. I switched to them for domain 
hosting when SPF started to matter and my previous provider didn't support SRS 
rewrites, causing replies to me to fail. Also good folks, same comment about 
jumping in on problems and proving cheerfully and clearly that it's not them.

HTH




Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Seymour J Metz
fastmail?


From: IBM Mainframe Discussion List  on behalf of 
Brian Westerman 
Sent: Monday, July 31, 2023 3:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS and CSSMTP setup

Hi,

Peter's directions for setting up the trace were very simple and easy to follow. 
It was discovered that I was missing a CA cert that was not called out by the 
host site (which he sent me). Now I'm at a stopping place because the 
webhost site is requiring authentication on each email (as if it's a client), 
instead of using the "POP before SMTP" setting, which merely requires that the 
email address have authenticated within 60 minutes of the attempt to send via 
SMTP. That setting was the default previously, and when they upgraded the SMTP 
server on their end it was changed to not use that option.

They are currently "thinking" on the request to turn it back on.  In the 
meantime, I think there are 3rd party sites that offer the use of SMTP for 
forwarding that I might want to give a try.  Does anyone on this list use one 
that they can recommend?

Brian



Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Brian Westerman
Hi,

Peter's directions for setting up the trace were very simple and easy to follow. 
It was discovered that I was missing a CA cert that was not called out by the 
host site (which he sent me). Now I'm at a stopping place because the 
webhost site is requiring authentication on each email (as if it's a client), 
instead of using the "POP before SMTP" setting, which merely requires that the 
email address have authenticated within 60 minutes of the attempt to send via 
SMTP. That setting was the default previously, and when they upgraded the SMTP 
server on their end it was changed to not use that option.

They are currently "thinking" on the request to turn it back on.  In the 
meantime, I think there are 3rd party sites that offer the use of SMTP for 
forwarding that I might want to give a try.  Does anyone on this list use one 
that they can recommend?

Brian



Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Allan Staller
Have you updated the TCP/IP policy agent accordingly?

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Brian Westerman
Sent: Saturday, July 29, 2023 9:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS and CSSMTP setup

I get
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639 EZD1286I 
TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B
LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00
00 005187621CF0 



Re: AT-TLS and CSSMTP setup

2023-07-30 Thread Phil Smith III
Since I know almost nothing about AT-TLS config, this might be dumb, but: 
Don't forget to try the *AUTH*/* key ring. That's a "virtual key ring" that 
represents all the trusted certs, and is a great shortcut for saying "Do I have 
the right cert in there somewhere but the key ring setup isn't right yet?"

After getting badly burned by a customer problem that went on way too long, 
I'm also always chary of AT-TLS being turned on without necessarily 
understanding both ends well enough. To wit: our customer was using AT-TLS for 
various stuff, and turned it on for the connection from our product (outbound 
from z/OS) to our server. However, our product and server were both already 
using TLS. So we then had:

1.  Product asks gsk to start a connection
2.  gsk requests a handshake
3.  AT-TLS jumps in, wraps that connection, and starts its own handshake
4.  Our server gets that handshake, says "OK, sure" and they do the dance
5.  Once that's established, the handshake request from z/OS arrives, 
wrapped, at our server
6.  It unwraps it and then says "What the heck is THAT?!!" because it sure 
doesn't look like what it was expecting from an established connection and we 
get an incomprehensible error


Your problem probably isn't, but could be, sort of the inverse: because AT-TLS 
is adding the handshake and the server isn't expecting it, it's also saying 
"What the heck is THAT?!"




Re: AT-TLS and CSSMTP setup

2023-07-30 Thread Colin Paice
Getting a GSK trace is non-trivial.  See here

for instructions

On Sun, 30 Jul 2023 at 05:36, Peter Vels  wrote:

> That is OK.  But I need to see the output from the GSKSRVR trace to get to
> the bottom of the issue.  I suspect that you are missing a CA somewhere,
> and the trace will tell us WHICH certificate that is.
>
> On Sun, 30 Jul 2023 at 14:23, Brian Westerman <
> brian_wester...@syzygyinc.com>
> wrote:
>
> > This is what I get from your command:
> >
> > racdcert id(CSSMTP) listr(CSSMTPRing)
> > Digital ring information for user CSSMTP:
> >
> >Ring:
> > >CSSMTPRing<
> >Certificate Label Name Cert Owner USAGE  DEFAULT
> >         ---
> >CSSMTPCA   CERTAUTH   CERTAUTH NO
> >CSSMTPServer   ID(CSSMTP) PERSONAL YES


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Peter Vels
That is OK.  But I need to see the output from the GSKSRVR trace to get to
the bottom of the issue.  I suspect that you are missing a CA somewhere,
and the trace will tell us WHICH certificate that is.

On Sun, 30 Jul 2023 at 14:23, Brian Westerman 
wrote:

> This is what I get from your command:
>
> racdcert id(CSSMTP) listr(CSSMTPRing)
> Digital ring information for user CSSMTP:
>
>Ring:
> >CSSMTPRing<
>Certificate Label Name Cert Owner USAGE  DEFAULT
>         ---
>CSSMTPCA   CERTAUTH   CERTAUTH NO
>CSSMTPServer   ID(CSSMTP) PERSONAL YES


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Brian Westerman
This is what I get from your command: 

racdcert id(CSSMTP) listr(CSSMTPRing)
Digital ring information for user CSSMTP:  

   Ring:
>CSSMTPRing< 
   Certificate Label Name Cert Owner USAGE  DEFAULT  
            ---  
   CSSMTPCA   CERTAUTH   CERTAUTH NO 
   CSSMTPServer   ID(CSSMTP) PERSONAL YES


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Peter Vels
"ADD" adds a certificate (contained in a data set) to RACF, but *not* to a
keyring.  For that you need "CONNECT".

RC 8 means: An error is detected while validating a certificate, so a CA is
missing from the keyring (even though you might've ADDed it to RACF).

IBM says (edited for brevity):

1. Verify that the root CA certificate is in the SAF key ring and is marked
as trusted.

Does...

*racdcert id(CSSMTP) listr(CSSMTPRing)*

...now show that the CSSMTPRing has the mail server's certificate added as
a CERTAUTH?  If not then:

RACDCERT CONNECT(CERTAUTH +
  LABEL('Email server CA') +
  RING(CSSMTPRing) +
  USAGE(CERTAUTH) +
  ) +
  ID(CSSMTP)


2. Check all certificates in the certification chain and verify that they
are trusted and are not expired:

*RACDCERT ID(CSSMTP) LISTCHAIN*

3. Issue the *SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH* command to
refresh the profiles to ensure that the latest changes are available.

On Sun, 30 Jul 2023 at 12:12, Brian Westerman 
wrote:

> I get
> BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639
> EZD1286I TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B
> LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
> USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00
> 00 005187621CF0 
>


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Brian Westerman
I get 
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639   
EZD1286I TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B   
LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP   
USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00 
00 005187621CF0 



Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Phil Smith III
Gil asked about Hansen's Law. Different Hansen; this is a guy we worked with. 

We also had Weald's Corollary:
Even when it isn't a certificate issue, it's a certificate issue.




Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Colin Paice
Please paste the messages you get.
You can configure an ATTLS trace. I tend to use TRACE(2).
This can be configured in TTLSGroupAction TTLSEnvironmentAction and
TTLSConnectionAction


If syslogd is not running I get messages on the system log
EZD1286I TTLS Error GRPID: 0007 ENVID: 0002 CONNID: 0036
LOCAL: 10.1.1.2..1032 REMOTE: 10.1.0.2..25 JOBNAME: CSSMTP USERID:
START1 RULE: CSSMTPRule  RC:  417 Initial Handshake 
005011421D10 

If syslogd is running I get messages in ( for me) /var/log

My (badly configured ) syslog puts messages in
TCPIPinfo.2023.07.29
TCPIPerr.2023.07.29
TCPIPdebug.2023.07.29
TCPIP.2023.07.29

Please feel free to contact me offline

Colin

On Sat, 29 Jul 2023 at 02:56, Brian Westerman 
wrote:

> Hi,
>
> Has anyone got working directions for setting up AT-TLS with the CSSMTP
> server?  I found the IBM manual "Steps for using Transport Layer Security
> for CSSMTP" and went through all of the steps, but I still get stuck when I
> change secure=Yes in CSSMTP on an RC=8 (initial handshake) error with the
> external SMTP server.
>
> I get the messages to the point where the STARTTLS command happens, but
> then the RC=8 failure on initial handshake.
>
> Any detailed pointers on what could be missing?
>
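The EZD1286I messages quoted in this thread (Colin's RC 417 sample above and Brian's RC 8 failure, which Peter traced to a CA missing from the key ring) share one layout, but the console wraps them over several lines and the fields are tedious to pick out by hand. The script below is an added example, not code from IBM or from anyone on the list: it reassembles the wrapped lines, extracts the endpoints, job, rule, return code and handshake phase, and for RC 8 lists the key-ring checks Peter gave. The only return code it interprets is 8, as explained in the thread; the field names and the embedded sample log are taken from the messages quoted here, and the continuation handling for the BPXF024I console prefix is my assumption about how that line wraps.

```python
"""Triage helper for AT-TLS EZD1286I 'TTLS Error' messages (added example)."""
import re
from typing import Dict, List

# Sample input: the two messages quoted in the thread, with the line wrapping
# they had on the list (console form with BPXF024I prefix first, syslogd form second).
SAMPLE_LOG = """\
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639
EZD1286I TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B
LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00
00 005187621CF0

EZD1286I TTLS Error GRPID: 0007 ENVID: 0002 CONNID: 0036
LOCAL: 10.1.1.2..1032 REMOTE: 10.1.0.2..25 JOBNAME: CSSMTP USERID:
START1 RULE: CSSMTPRule  RC:  417 Initial Handshake
005011421D10
"""

FIELD_RE = re.compile(r"\b(GRPID|ENVID|CONNID|LOCAL|REMOTE|JOBNAME|USERID|RULE):\s*(\S+)")
RC_RE = re.compile(r"\bRC:\s*(\d+)\s*(.*)$")

# Only the return code the thread explains is mapped; anything else is left to
# the System SSL return-code reference rather than guessed here.
RC_MEANING = {
    8: "certificate validation failed: a CA in the server's chain is missing "
       "from the key ring or is not marked trusted",
}

# The checks listed in the thread for RC 8 (placeholders in angle brackets).
RC8_CHECKS = [
    "RACDCERT ID(<user>) LISTRING(<ring>): is the server's CA connected as CERTAUTH?",
    "RACDCERT ID(<user>) LISTCHAIN: is every certificate in the chain trusted and unexpired?",
    "SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH after any change to the ring",
]


def _starts_record(text: str, current: List[str]) -> bool:
    """A BPXF024I console line or a fresh EZD1286I line opens a new record."""
    if text.startswith("BPXF024I"):
        return True
    if "EZD1286I" in text:
        # Assumption: a BPXF024I line may wrap before its EZD1286I part arrives,
        # in which case this line continues the record already open.
        return not (current and "EZD1286I" not in " ".join(current))
    return False


def split_records(lines: List[str]) -> List[str]:
    """Reassemble wrapped messages; a blank line or a new message closes a record."""
    records, current = [], []
    for line in lines:
        text = line.strip()
        if _starts_record(text, current):
            if current:
                records.append(" ".join(current))
            current = [text]
        elif current and text:
            current.append(text)
        elif current:
            records.append(" ".join(current))
            current = []
    if current:
        records.append(" ".join(current))
    return records


def _split_endpoint(endpoint: str):
    """AT-TLS writes endpoints as addr..port; return (addr, port)."""
    addr, _, port = endpoint.rpartition("..")
    return addr, int(port)


def parse_ttls_error(record: str) -> Dict[str, object]:
    """Extract the named fields, return code and handshake phase from one record."""
    parsed: Dict[str, object] = {k.lower(): v for k, v in FIELD_RE.findall(record)}
    m = RC_RE.search(record)
    if m is None:
        raise ValueError("no RC field in record: %r" % record)
    parsed["rc"] = int(m.group(1))
    # The phase is the run of alphabetic words after RC; hex diagnostic data follows it.
    words = []
    for w in m.group(2).split():
        if not w.isalpha():
            break
        words.append(w)
    parsed["phase"] = " ".join(words)
    for side in ("local", "remote"):
        if side in parsed:
            parsed[side + "_addr"], parsed[side + "_port"] = _split_endpoint(parsed[side])
    parsed["meaning"] = RC_MEANING.get(parsed["rc"], "RC not mapped here; see the System SSL return codes")
    parsed["checks"] = RC8_CHECKS if parsed["rc"] == 8 else []
    return parsed


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every TTLS error in a chunk of log text, in order of appearance."""
    return [parse_ttls_error(r) for r in split_records(log_text.splitlines())]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['jobname']} -> {entry['remote_addr']}:{entry['remote_port']} "
              f"rule={entry['rule']} RC={entry['rc']} ({entry['phase']}): {entry['meaning']}")
        for check in entry["checks"]:
            print("   ", check)
```

Feed it the relevant slice of the console log or of the syslogd TCPIP file Colin mentions; grouping the parsed entries by remote port and rule name quickly shows whether a failure is tied to one AT-TLS rule or one mail server.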


Re: AT-TLS and CSSMTP setup

2023-07-28 Thread Paul Gilmartin
On Sat, 29 Jul 2023 00:48:00 -0400, Phil Smith III wrote:

>No errors anywhere? Just RC=8?
>
>"It's a certificate error" -Hansen's Law
>
Or the firewall.

??? 

-- 
gil



Re: AT-TLS and CSSMTP setup

2023-07-28 Thread kekronbekron
Hi Brian,

You may find useful bits of info here - 
https://colinpaice.blog/2023/02/21/sending-an-email-from-z-os/
Either in this post or generally in this blog.

- KB

--- Original Message ---
On Saturday, July 29th, 2023 at 10:18 AM, Phil Smith III  
wrote:


> No errors anywhere? Just RC=8?
> 
> 
> 
> "It's a certificate error" -Hansen's Law
> 
> 
> 
> https://bit.listserv.ibm-main.narkive.com/4Iu5ZeUA/setting-up-gmail-as-outbound-mail-server-on-z-os
> might be a hint, especially the bit about enabling gsktrace, which is your friend.
> 
> 


Re: AT-TLS and CSSMTP setup

2023-07-28 Thread Phil Smith III
No errors anywhere? Just RC=8?

 

"It's a certificate error" -Hansen's Law

 

https://bit.listserv.ibm-main.narkive.com/4Iu5ZeUA/setting-up-gmail-as-outbound-mail-server-on-z-os
might be a hint, especially the bit about enabling gsktrace, which is your friend.




AT-TLS and CSSMTP setup

2023-07-28 Thread Brian Westerman
Hi,

Has anyone got working directions for setting up AT-TLS with the CSSMTP server? 
I found the IBM manual "Steps for using Transport Layer Security for CSSMTP" 
and went through all of the steps, but I still get stuck when I change 
secure=Yes in CSSMTP on an RC=8 (initial handshake) error with the external SMTP 
server.

I get the messages to the point where the STARTTLS command happens, but then 
the RC=8 failure on initial handshake.

Any detailed pointers on what could be missing?
