Re: Setting up GMAIL as outbound mail server on z/OS
On 4/10/19 2:47 AM, Don Poitras wrote:
> You don't want to add the gmail cert to RACF, you just need the CA cert
> to validate it. See (this is for SMP/E, but I think also applies to
> your problem):

I agree, you /usually/ want the Root CA cert to be trusted so that the trust can flow down to any cert signed by said Root CA cert.

That being said, it may be possible to install Gmail's public cert as a trusted Root CA cert and achieve the same result. You are establishing a trusted point.

The downside of using the actual public cert as opposed to the Root CA cert is that end certs usually expire much sooner than Root CA certs. So you'd get to play a game of periodically updating the cert in RACF's keyring. Much more often than you would with the Root CA's cert.

--
Grant. . . .
unix || die

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

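The trade-off described in this message, as an added example that is not part of the original thread: the script builds a throwaway root CA and two server certificates with OpenSSL and validates each one against a CA trust anchor and against a pinned end certificate. All names (Demo Root CA, smtp.example.test) are constructed, and OpenSSL stands in for the validator; it does not reproduce RACF or System SSL behaviour.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated locally; nothing contacts Gmail.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
cat > "$W/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Throwaway root CA standing in for the public CA that signs the server certificate.
openssl req -x509 -config "$W/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null

# issue_leaf NAME: short-lived server certificate signed by the demo CA.
issue_leaf() {
  openssl req -new -config "$W/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=smtp.example.test" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -days 90 -out "$W/$1.pem" 2>/dev/null
}

# trusts ANCHOR CERT: succeeds if CERT validates with ANCHOR as the trust anchor.
# -partial_chain lets a non-root (the server cert itself) act as that anchor.
trusts() {
  openssl verify -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

issue_leaf old   # certificate the server presents today
issue_leaf new   # certificate the server presents after its next renewal

for anchor in ca old; do
  for cert in old new; do
    if trusts "$W/$anchor.pem" "$W/$cert.pem"; then r=OK; else r=FAIL; fi
    echo "anchor=$anchor.pem cert=$cert.pem -> $r"
  done
done
```

Only the pinned-anchor check of the renewed certificate fails, which is the point at which the keyring entry would have to be replaced.
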
Re: Setting up GMAIL as outbound mail server on z/OS
In article <0451fc8d-792f-4df2-964c-2691e4e76...@googlegroups.com> you wrote:
> On Monday, April 8, 2019 at 10:27:24 PM UTC+3, Grant Taylor wrote:
> > On 4/8/19 1:22 PM, Dan Kalmar wrote:
> > > I tried the same Java program on an Ubuntu system and it sends mail to
> > > Gmail just fine.
> >
> > I take it that the Java was portable without modifications between your
> > Ubuntu system and a Mainframe. - Good to know. - I should be, but
> > I've not seen first hand experience before this.
> >
> > > So I tend to agree that CERTs are missing on RACF to enable the TLS
> > > session to work properly against the Gmail server.
> > >
> > > I'll look around for any hints on how to get those CA certs installed
> > > on RACF.
> >
> > Take a look at the links that Don P. posted about 8 (?) hours ago. I
> > think at least one of the links had a link to adding certs to RACF keyring.
> > --
> > Grant. . . .
> > unix || die
>
> I found a post where the following command would extract a certificate from
> the target SMTP server:
>
> openssl s_client -connect smtp.gmail.com:465 -showcerts 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
>
> This command actually works and I get a certificate created in
> mycertfile.pem.
>
> I can take this certificate and add it to RACF but not sure under what
> credentials ?

You don't want to add the gmail cert to RACF, you just need the CA cert to validate it. See (this is for SMP/E, but I think also applies to your problem):

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gim3000/acac.htm

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513

Re: Setting up GMAIL as outbound mail server on z/OS
On Mon, 8 Apr 2019 18:46:10 -0600, Grant Taylor wrote:

>On 4/8/19 4:26 PM, Steve Horein wrote:
>> I can assure you the listserv is NOT receiving from Dan K. or Grant T.,
>> only from Don P.
>
>Based on that information I'll move my participation to email.

As an alternative, you can use the web interface at
https://listserv.ua.edu/cgi-bin/wa?A0=IBM-MAIN

--
Tom Marchant

Re: Setting up GMAIL as outbound mail server on z/OS
On 4/8/19 4:26 PM, Steve Horein wrote:
> I can assure you the listserv is NOT receiving from Dan K. or Grant T.,
> only from Don P.

Based on that information I'll move my participation to email.

Thank you for the clarification Steve.

--
Grant. . . .
unix || die

Re: Setting up GMAIL as outbound mail server on z/OS
I can assure you the listserv is NOT receiving from Dan K. or Grant T., only from Don P.

On Mon, Apr 8, 2019 at 2:50 PM Don Poitras wrote:

> In article you wrote:
> > On 4/8/19 11:59 AM, Don Poitras wrote:
> > > Well, it sounds like Google requires TLS. I don't see how CSSMTP is going
> > > to validate Google's cert if all he has in his RACF is self-signed certs.
> > I think the crux is "all he has in his RACF is self-signed certs".
> > I'm getting the impression that the RACF keyring (?) doesn't include or
> > have access to Root CA (public) certificates like other platforms have.
> > In that case, the appropriate public root certificate from the CA that
> > Google uses will need to be added to the RACF keyring.
> > > A very small percentage of us read via the newsgroup. Most use the
> > > listserv. It used to be bi-directional, but that changed years ago.
> > > If you look in the archive, you'll see that only my replies are there.
> > I believe it is (again) bi-directional. I'm reading & replying from the
> > newsgroup. If you're reading & replying from email, then it is in fact
> > working bi-directionally.
>
> I use a news server to read the group. I have my listserv subscription
> set to NO-MAIL. I only reply by emailing to the listserv. Anything you
> see on the newsgroup with the IBM-MAIN boilerplate at the bottom has
> gone through the listserv and ends up going to all the subscribers and
> saved at in the archives (and mirrored to the newsgroup.) Anything you
> see without the boilerplate will only be seen (and not archived) by
> those reading via the newsgroup.
>
> https://listserv.ua.edu/cgi-bin/wa?A1=ind1904=ibm-main
>
> > --
> > Grant. . . .
> > unix || die
>
> --
> Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
> sas...@sas.com (919) 531-5637 Cary, NC 27513

Re: Setting up GMAIL as outbound mail server on z/OS
In article you wrote:
> On 4/8/19 11:59 AM, Don Poitras wrote:
> > Well, it sounds like Google requires TLS. I don't see how CSSMTP is going
> > to validate Google's cert if all he has in his RACF is self-signed certs.
> I think the crux is "all he has in his RACF is self-signed certs".
> I'm getting the impression that the RACF keyring (?) doesn't include or
> have access to Root CA (public) certificates like other platforms have.
> In that case, the appropriate public root certificate from the CA that
> Google uses will need to be added to the RACF keyring.
> > A very small percentage of us read via the newsgroup. Most use the
> > listserv. It used to be bi-directional, but that changed years ago.
> > If you look in the archive, you'll see that only my replies are there.
> I believe it is (again) bi-directional. I'm reading & replying from the
> newsgroup. If you're reading & replying from email, then it is in fact
> working bi-directionally.

I use a news server to read the group. I have my listserv subscription set to NO-MAIL. I only reply by emailing to the listserv. Anything you see on the newsgroup with the IBM-MAIN boilerplate at the bottom has gone through the listserv and ends up going to all the subscribers and saved at in the archives (and mirrored to the newsgroup.) Anything you see without the boilerplate will only be seen (and not archived) by those reading via the newsgroup.

https://listserv.ua.edu/cgi-bin/wa?A1=ind1904=ibm-main

> --
> Grant. . . .
> unix || die

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513

Re: Setting up GMAIL as outbound mail server on z/OS
In article you wrote:
> How does Google validate sending emails from Windows ? There is no need to
> purchase any CA certs so those must exist inside the Browser when accessing
> Gmail.

I think all the browsers come with CA certs these days.

> I have a Java program that I found on the internet that I can run on windows
> to send mail using TLS on port 587 to the Gmail SMTP server.
> Same java program does not work from z/OS.
> The error is:
> javax.mail.MessagingException: Could not convert socket to TLS;
> I am assuming that TLS won't work without having the required certs installed
> on a RACF keyring for TLS to use.
> Maybe it is possible to export those certs from windows ?

I see some kludges for this java error where you just "trust" the domain. I think putting in a CA cert in RACF is the way to go, whether copying from Firefox or getting from some 3rd party is something I don't know. I don't even play a sysprog on TV. :)

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513

Re: Setting up GMAIL as outbound mail server on z/OS
In article you wrote:
> On 4/8/19 5:03 AM, Don Poitras wrote:
> > Here's what Google says (or so says digicert):
> >
> > https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm
> >
> > "you need to purchase and install one from a trusted CA like DigiCert"
> I thought that the OP was wanting to use CSSMTP to send email (act as an
> SMTP client) to Gmail. So, what does Google's requirement for a POP3
> server having a valid SSL / TLS certificate have to do with what the
> OP's wanting to do?

Well, it sounds like Google requires TLS. I don't see how CSSMTP is going to validate Google's cert if all he has in his RACF is self-signed certs.

> > You'll get better results if you email to the listserv rather than using
> > the newsgroup. See the info below my sig below for instructions.
> Why do you say that? What's wrong with using the newsgroup?

A very small percentage of us read via the newsgroup. Most use the listserv. It used to be bi-directional, but that changed years ago. If you look in the archive, you'll see that only my replies are there.

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513

Re: Setting up GMAIL as outbound mail server on z/OS
In article <7034c11c-93cd-4b68-bd6d-adf4114c7...@googlegroups.com> you wrote:
> That may well be an SSL error, cause I have not figured out yet what
> certificates need to be placed on the keyring defined in the AT-TLS policy

Here's what Google says (or so says digicert):

https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm

"you need to purchase and install one from a trusted CA like DigiCert®"

You'll get better results if you email to the listserv rather than using the newsgroup. See the info below my sig below for instructions.

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513

Re: Setting up GMAIL as outbound mail server on z/OS
In article you wrote:
> This is the error I see in the AT-TLS trace:
> EZD1287I TTLS Error RC:8 Initial Handshake 148
> LOCAL: 192.168.1.249..1064
> REMOTE: 64.233.167.109..587
> JOBNAME: CSSMTP RULE: CSSMTPRule
> USERID: START1 GRPID: 0002 ENVID: 0002 CONNID: 0168
> This RC value is not even documented. How nice

But it is. It's an ssl error:

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/sssl2msg1000885.htm

8 - Certificate validation error.

Set the gsk env variables to capture a trace and run again. Then run the trace output through the gsktrace utility.

https://www.ibm.com/support/knowledgecenter/en/SSB27U_6.4.0/com.ibm.zvm.v640.kijl0/kijl049.htm

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513