Re: [rt-users] msmtp setup woes (continued)
Ok, so I found the right certificate, but when I run a test with msmtp -a default usern...@domain.com...it just hangs. Tried it with all three SSL ports (465, 587, 25) with the same result. What happens now? I can't troubleshoot without error messages...

Thanks for everyone's assistance so far.
Re: [rt-users] msmtp setup woes (continued)
The command line you specified just establishes a connection and it's waiting for you to do something -- I think it's working as designed. Typically you'd pipe something from STDIN to create a message, or use it as a backend for another program.

http://msmtp.sourceforge.net/doc/msmtp.html

good luck :-)

Regards,
Stephen J Alexander
MPBX, LLC
http://mpbx.com
832-713-6729
Re: [rt-users] msmtp setup woes (continued)
What was the output - specifically the section I called out?
[rt-users] msmtp setup woes (continued)
So I've got my msmtp setup (almost). It's running. I can telnet in to smtp.mydomain.com 587 and 25 and send over the creds (but not with 465) successfully.

I can run openssl, with 465 I get the following:

    openssl s_client -CApath /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer -connect smtp.mydomain.com:465
    Verify return code: 20 (unable to get local issuer certificate)

When testing msmtp -a default usern...@domain.com I get the following results (with port numbers corresponding to changes in the msmtprc file)

When I change up the port number to 587:

    msmtp: TLS certificate verification failed: the certificate is not trusted

When I change up the port number to 25:

    msmtp: TLS certificate verification failed: the certificate is not trusted

When I change up the port number to 465:

    msmtp: network read error: Connection reset by peer.

My msmtprc file is listed below:

    defaults
    tls on
    tls_starttls on
    tls_trust_file /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer
    #this was downloaded direct from GeoTrust's website -
    #http://www.geotrust.com/resources/root-certificates/index.html
    logfile /var/log/msmtp.log

    account default
    host smtp.mydomain.com
    # have also tried 587 and 25 with results varying
    port 465
    auth on
    user supp...@mydomain.com
    password suparsekrat
    from supp...@mydomain.com
    password suparsekrat
    auto_from off
    timeout 120

Thoughts? I feel like I am so close!
Re: [rt-users] msmtp setup woes (continued)
Port 465 is not open, or it's firewalled, so you can't use it. But it looks like 587 or 25 might work.

The error messages indicate that you're getting a certificate from both those ports. But you don't have their proper root certificate for your server's cert in your certificate store; you will need to install it. If this is a self-signed cert or if you explicitly trust it you can put the server's own certificate into your cert store.

How to do this will depend on the specific implementation of SSL for msmtp: I don't know anything about msmtp specifically so I don't know whether it uses openssl or something else; you'll need to attend the documentation to determine where to put the certs, how to put them there, and how to configure the software to read and recognize them.

You're right; you're almost there - just need to sort out the SSL situation.

Regards,
Stephen J Alexander
MPBX, LLC
http://mpbx.com
832-713-6729
Re: [rt-users] msmtp setup woes (continued)
Actually now that I reread your email it's evident that you can specify the root cert in the msmtp config file. Looks like your mail server's cert does not have a chain back to the equifax certificate you're using. So, get the right certificate then specify the filename in the msmtp config. You can verify it with openssl just as you attempted to do above.

Regards,
Stephen J Alexander
MPBX, LLC
http://mpbx.com
832-713-6729
Re: [rt-users] msmtp setup woes (continued)
Stephen,

Thanks for the prompt reply and the reassurance that I'm going in the right direction. My hosting company's support is less than worthless and can't tell me what the root certificate they use for SMTP is. All that msmtp will tell me when I input the serverinfo switch is the following:

    msmtp --serverinfo --host=smtp.hostingprovider.com --tls=on --tls-certcheck=off
    SMTP server at smtp.hostingprovider.com (xx.xx.xx.xx.static.hostingprovider.com [xx.xx.xx.xx]), port 25:
        ESMTP Sun, 13 May 2012 12:03:18 -0400: UCE strictly prohibited
    TLS certificate information:
        Owner:
            Common Name: smtp.hostingprovider.com
            Organization: smtp.hostingprovider.com
            Organizational unit: GT01039293
            Country: US
        Issuer:
            Organization: Equifax
            Organizational unit: Equifax Secure Certificate Authority
            Country: US

I'm not entirely sure how to interpret this. I may just go ahead and start grabbing all the certs I see and trying them out one by one...

Any more insight? Thank you for the quick replies.
Re: [rt-users] msmtp setup woes (continued)
I suspect the server does not have its certificate installed properly - specifically the intermediate or chain certificate is probably not installed/configured. Ideally this would be fixed on the server side but you can work around it by adding the correct chain certificate(s) to the client trusted certificate list.

As a test try going to that same port and dump the certificates it offers up like so:

    # openssl s_client -connect example.com.:443

You should see a section in the output like so:

    ---
    Certificate chain
     0 s:/serialNumber=1234/C=US/O=example.com/OU=NoAuthFromUs/OU=See someurl/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=example.com
       i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
     1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

You should see three entries (0, 1, 2) though the names will be different than above. If you only see two then the chain certificate is missing from the server.

cheers
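
The chain test described in the message above, as an added example that is not part of any poster's message: a shell function reads `openssl s_client` output, checks that each issuer matches the next subject, and reports whether the chain reaches the trust anchor named in tls_trust_file. The names check_chain, sample_full and sample_two are hypothetical, and both sample outputs are constructed from the DNs quoted in the message.

```shell
#!/bin/sh
# Added example. check_chain and the sample_* helpers are hypothetical names;
# the sample outputs are constructed, reusing the DNs from the message above.
# Real input for a submission port would come from, for example:
#   openssl s_client -starttls smtp -connect HOST:587 </dev/null

# check_chain ANCHOR_DN   (reads `openssl s_client` output on stdin)
# Prints one verdict:
#   OK depth=N               every issuer matches the next subject and the
#                            chain ends at ANCHOR_DN
#   BROKEN at=K              issuer of entry K is not the subject of entry K+1
#   INCOMPLETE missing=<DN>  chain stops below the anchor; <DN> is the issuer
#                            the client cannot find locally
#   NOCHAIN                  no "Certificate chain" section in the input
check_chain() {
    awk -v anchor="$1" '
        BEGIN { n = 0; in_chain = 0 }
        /^Certificate chain/       { in_chain = 1; next }
        # PEM lines start with five dashes, so compare the separator exactly
        in_chain && $0 == "---"    { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer[n++] = $0 }
        END {
            if (n == 0) { print "NOCHAIN"; exit }
            for (k = 0; k < n - 1; k++)
                if (issuer[k] != subj[k + 1]) { print "BROKEN at=" k; exit }
            if (issuer[n - 1] == anchor || subj[n - 1] == anchor)
                print "OK depth=" n
            else
                print "INCOMPLETE missing=" issuer[n - 1]
        }'
}

# Constructed sample: server sends leaf plus both intermediates (entries 0, 1, 2).
sample_full() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=example.com/CN=smtp.example.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
EOF
}

# Constructed sample: only two entries, the case the message calls out.
sample_two() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=example.com/CN=smtp.example.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
EOF
}

# Subject of the root assumed to be in tls_trust_file (from the thread's config).
ANCHOR='/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'
sample_full | check_chain "$ANCHOR"
sample_two  | check_chain "$ANCHOR"
```

An INCOMPLETE verdict names the certificate that has to be added to the client's trust file, or installed on the server, before verification against the anchor can succeed.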