On Tuesday, 23 January 2024 15:47:28 GMT Walter Dnes wrote:
> On Tue, Jan 23, 2024 at 09:36:13AM +0000, Michael wrote
>
> > Since gnutls is playing up with mutt, you can try setting USE="-gnutls"
> > and re-emerge mutt to see if it succeeds establishing a connection.
>
> If I emerge mutt with USE="-gnutls" and comment out
> "set ssl_starttls=no", email fails...
>
> [2024-01-23 09:38:07] Looking up smtp.ebox.ca...
> [2024-01-23 09:38:07] Connecting to smtp.ebox.ca...
> [2024-01-23 09:38:07] Connected to smtp.ebox.ca:587 on fd=4
> [2024-01-23 09:38:07] 4< 220 smtp.ebox.ca ESMTP Postfix (Debian/GNU)
> [2024-01-23 09:38:07] 4> EHLO waltdnes.org
> [2024-01-23 09:38:07] 4< 250-smtp.ebox.ca
> [2024-01-23 09:38:07] 4< 250-PIPELINING
> [2024-01-23 09:38:07] 4< 250-SIZE 20000000
> [2024-01-23 09:38:07] 4< 250-VRFY
> [2024-01-23 09:38:07] 4< 250-ETRN
> [2024-01-23 09:38:07] 4< 250-STARTTLS
> [2024-01-23 09:38:07] 4< 250-ENHANCEDSTATUSCODES
> [2024-01-23 09:38:07] 4< 250-8BITMIME
> [2024-01-23 09:38:07] 4< 250 DSN
> [2024-01-23 09:38:07] 4> STARTTLS
> [2024-01-23 09:38:07] 4< 220 2.0.0 Ready to start TLS
> [2024-01-23 09:38:07] ssl_load_certificates: loading trusted certificates
> [2024-01-23 09:38:07] mutt_ssl_starttls: Error loading trusted certificates
> [2024-01-23 09:38:07] SSL failed: error:0A000102:SSL routines::unsupported protocol
> [2024-01-23 09:38:08] Could not negotiate TLS connection

OpenSSL bails out just as gnutls did. I was hoping it could have been more forgiving. :-(

> ssl_starttls (and ssl_force_tls) default to "yes" in muttrc. If
> ssl_starttls and ssl_force_tls are not explicitly set to "no", mutt
> *WILL* attempt a TLS connection if advertised. When mutt is built with
> USE="-gnutls" and attempts a TLS connection, let's just say "it does not
> end well".

Both OpenSSL and GnuTLS fail to negotiate an encrypted connection with the server. From the logs you have shared we can safely guess this is because the Root CA used by the server is still using a SHA1 hash.

> tldr;
>
> It's easier for me to build in gnutls support and then (un)comment one
> or two lines in ~/.mutt/muttrc as needed rather than...
>
> * pop up an xterm
> * su - (and enter password to root)
> * emerge mutt with appropriate flag(s)
> * exit to regular user

You can revert/keep mutt compiled with USE="gnutls". It makes no difference in this case. You can also try to set deprecated TLS protocols in ~/.muttrc to see if this will allow for a successful connection:

http://mutt.org/doc/manual/#ssl-use-tlsv1

You had a good crack at this, but TBH it would be easier and safer to find an email hosting company who use up-to-date TLS certificates. ;-)
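The debug log quoted above contains the whole story of the failed session: the server advertises STARTTLS, mutt issues it, the server answers 220, and only then does the OpenSSL handshake fall over. The script below is an added example for this thread, not mutt's code and not anything either poster wrote. It replays a mutt debug log as an SMTP dialogue and reports where the STARTTLS attempt broke down. `SAMPLE_LOG` is the log from the thread used as constructed sample input; the diagnostic rules (`ERROR_RULES`, the finding codes) are this script's own reading of what those messages mean, not mutt documentation.

```python
"""Parse a mutt debug log of a STARTTLS session and explain where it broke.

Added example for this thread; not mutt's code nor the posters' code.
SAMPLE_LOG is the debug output quoted in the thread, used as constructed
sample input.  The diagnostic rules are this script's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One mutt debug line: "[timestamp] msg" or "[timestamp] <fd><dir> msg",
# where dir is "<" for server -> client and ">" for client -> server.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<fd>\d+)(?P<dir>[<>])\s+)?(?P<msg>.*)$"
)

# Constructed sample input: the session quoted in the thread.
SAMPLE_LOG = """\
[2024-01-23 09:38:07] Looking up smtp.ebox.ca...
[2024-01-23 09:38:07] Connecting to smtp.ebox.ca...
[2024-01-23 09:38:07] Connected to smtp.ebox.ca:587 on fd=4
[2024-01-23 09:38:07] 4< 220 smtp.ebox.ca ESMTP Postfix (Debian/GNU)
[2024-01-23 09:38:07] 4> EHLO waltdnes.org
[2024-01-23 09:38:07] 4< 250-smtp.ebox.ca
[2024-01-23 09:38:07] 4< 250-PIPELINING
[2024-01-23 09:38:07] 4< 250-SIZE 20000000
[2024-01-23 09:38:07] 4< 250-VRFY
[2024-01-23 09:38:07] 4< 250-ETRN
[2024-01-23 09:38:07] 4< 250-STARTTLS
[2024-01-23 09:38:07] 4< 250-ENHANCEDSTATUSCODES
[2024-01-23 09:38:07] 4< 250-8BITMIME
[2024-01-23 09:38:07] 4< 250 DSN
[2024-01-23 09:38:07] 4> STARTTLS
[2024-01-23 09:38:07] 4< 220 2.0.0 Ready to start TLS
[2024-01-23 09:38:07] ssl_load_certificates: loading trusted certificates
[2024-01-23 09:38:07] mutt_ssl_starttls: Error loading trusted certificates
[2024-01-23 09:38:07] SSL failed: error:0A000102:SSL routines::unsupported protocol
[2024-01-23 09:38:08] Could not negotiate TLS connection
"""


@dataclass
class Session:
    server: Optional[str] = None
    port: Optional[int] = None
    capabilities: List[str] = field(default_factory=list)  # EHLO extensions
    starttls_sent: bool = False        # client issued STARTTLS
    starttls_accepted: bool = False    # server answered 220 to it
    errors: List[str] = field(default_factory=list)        # mutt's own error lines


def parse_log(text: str) -> Session:
    """Replay the SMTP dialogue from the log into a Session summary."""
    s = Session()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg, direction = m["msg"].strip(), m["dir"]
        if direction is None:                       # mutt status lines
            conn = re.match(r"Connected to (\S+):(\d+)", msg)
            if conn:
                s.server, s.port = conn[1], int(conn[2])
            elif re.search(r"Error|failed|Could not", msg):
                s.errors.append(msg)
        elif direction == "<":                      # server replies
            if msg.startswith(("250-", "250 ")):
                cap = msg[4:]
                if cap and cap != s.server:         # first 250 line echoes hostname
                    s.capabilities.append(cap)
            elif s.starttls_sent and msg.startswith("220"):
                s.starttls_accepted = True
        elif msg.upper() == "STARTTLS":             # client command
            s.starttls_sent = True
    return s


# (finding code, substring of mutt's error text, explanation) -- own assumptions
ERROR_RULES: List[Tuple[str, str, str]] = [
    ("ca_bundle", "error loading trusted certificates",
     "mutt could not load its CA bundle, so no server certificate can be verified"),
    ("protocol_mismatch", "unsupported protocol",
     "OpenSSL found no TLS version acceptable to both sides; the server is likely "
     "limited to protocol versions the client no longer enables by default"),
]


def diagnose(s: Session) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for the session, in log order."""
    caps = {c.split()[0].upper() for c in s.capabilities}
    if "STARTTLS" not in caps:
        return [("no_starttls", "server did not advertise STARTTLS in its EHLO reply")]
    if not s.starttls_sent:
        return [("client_skipped", "STARTTLS advertised but never issued by the client "
                                   "(ssl_starttls=no and ssl_force_tls=no?)")]
    if not s.starttls_accepted:
        return [("server_refused", "server did not answer 220 to STARTTLS")]
    joined = " ".join(s.errors).lower()
    findings = [(code, why) for code, needle, why in ERROR_RULES if needle in joined]
    if not findings and s.errors:
        findings.append(("handshake_failed", s.errors[-1]))
    return findings or [("ok", "STARTTLS negotiated with no errors logged")]


if __name__ == "__main__":
    session = parse_log(SAMPLE_LOG)
    print(f"{session.server}:{session.port} advertises: {', '.join(session.capabilities)}")
    for code, why in diagnose(session):
        print(f"[{code}] {why}")
```

Run against the thread's log it reports two findings: the CA bundle could not be loaded, and OpenSSL aborted with "unsupported protocol". The second is a version negotiation failure rather than a certificate verification failure, which is why loosening a certificate check alone would not change the outcome; the server's offered TLS versions can be confirmed independently from a shell with `openssl s_client -starttls smtp -connect smtp.example.net:587` (hostname is a placeholder).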