Msmtp setup woes (continued)

So I’ve got my msmtp setup (almost). It’s running. I can telnet in to
smtp.mydomain.com 587 and 25 and send over the creds (but not with 465)
successfully. I can run openssl, with 465 I get the following:

openssl s_client -CApath /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer -connect smtp.mydomain.com:465

Verify return code: 20 (unable to get local issuer certificate)

When testing msmtp -a default username@domain.com I get the following
results (with port numbers corresponding to changes in the msmtprc file)

When I change up the port number to 587:
msmtp: TLS certificate verification failed: the certificate is not trusted

When I change up the port number to 25:
msmtp: TLS certificate verification failed: the certificate is not trusted

When I change up the port number to 465:
msmtp: network read error: Connection reset by peer.

My msmtprc file is listed below:

defaults
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer

#this was downloaded direct from GeoTrust’s website -
#http://www.geotrust.com/resources/root-certificates/index.html

logfile /var/log/msmtp.log
account default
host smtp.mydomain.com
port 465

# have also tried 587 and 25 with results varying

auth on
user support@mydomain.com
password suparsekrat
from support@mydomain.com
password suparsekrat
auto_from off
timeout 120

Thoughts? I feel like I am so close!
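An added example configuration (not from any message in the thread, and not msmtp's documentation) that matches each port to the TLS mode it speaks: port 465 is SMTP over implicit TLS and needs `tls_starttls off`, while 587 and 25 upgrade a plain-text session with STARTTLS, which is what `tls_starttls on` means. The account names, the trust-file path and the password placeholder are assumptions.

```conf
# Added example: the thread's account split by port, so that each port gets the
# TLS mode it actually speaks. Names and paths here are placeholders.
defaults
tls on
logfile /var/log/msmtp.log
auth on
user support@mydomain.com
# msmtp refuses to read a config file that holds a password unless the file
# is mode 0600; the value here is a placeholder.
password REPLACE_WITH_REAL_PASSWORD
from support@mydomain.com
auto_from off
timeout 120
# PEM file with the CA certificate(s) that issued the server certificate. If
# the server omits its intermediate, that intermediate must be in here too;
# the Equifax root alone only verifies a chain the server actually completes.
tls_trust_file /etc/ssl/certs/smtp-mydomain-chain.pem

# Port 465 is SMTP over implicit TLS: the handshake happens before any SMTP
# command, so STARTTLS must be off. With tls_starttls on, msmtp waits for a
# plain-text 220 greeting while the server waits for a TLS ClientHello; the
# server gives up and closes, which msmtp reports as a network read error.
account smtps
host smtp.mydomain.com
port 465
tls_starttls off

# Port 587 (submission) and 25 start in plain text and upgrade with STARTTLS,
# which is what tls_starttls on means; credentials and trust file are inherited
# from the defaults section above.
account submission
host smtp.mydomain.com
port 587
tls_starttls on

# "msmtp -a default" (and msmtp with no -a) uses this account; the colon form
# copies the settings of the named account.
account default : submission
```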

Port 465 is not open, or it’s firewalled, so you can’t use it. But it looks
like 587 or 25 might work. The error messages indicate that you’re getting
a certificate from both those ports. But you don’t have their proper root
certificate for your server’s cert in your certificate store; you will need
to install it.

If this is a self-signed cert or if you explicitly trust it you can put the
server’s own certificate into your cert store. How to do this will depend
on the specific implementation of SSL for msmtp: I don’t know anything
about msmtp specifically so I don’t know whether it uses openssl or
something else; you’ll need to attend the documentation to determine where
to put the certs, how to put them there, and how to configure the software
to read and recognize them.

You’re right; you’re almost there - just need to sort out the SSL situation.

Regards,

Stephen J Alexander
MPBX, LLC
http://mpbx.com
832-713-6729

On Sun, May 13, 2012 at 9:21 AM, Scott Sjodin scott.sjodin@gmail.com wrote:


Actually now that I reread your email it’s evident that you can specify the
root cert in the msmtp config file. Looks like your mail server’s cert does
not have a chain back to the equifax certificate you’re using. So, get the
right certificate then specify the filename in the msmtp config. You can
verify it with openssl just as you attempted to do above.

Regards,

Stephen J Alexander
MPBX, LLC
http://mpbx.com
832-713-6729

On Sun, May 13, 2012 at 10:17 AM, Stephen J Alexander sjalexander@mpbx.com wrote:


Stephen,

Thanks for the prompt reply and the reassurance that I’m going in the right
direction. My hosting company’s support is less than worthless and can’t
tell me what the root certificate they use for SMTP is. All that msmtp will
tell me when I input the serverinfo switch is the following:

msmtp --serverinfo --host=smtp.hostingprovider.com --tls=on --tls-certcheck=off
SMTP server at smtp.hostingprovider.com (xx.xx.xx.xx.static.hostingprovider.com [xx.xx.xx.xx]), port 25:
    ESMTP Sun, 13 May 2012 12:03:18 -0400: UCE strictly prohibited
TLS certificate information:
    Owner:
        Common Name: smtp.hostingprovider.com
        Organization: smtp.hostingprovider.com
        Organizational unit: GT01039293
        Country: US
    Issuer:
        Organization: Equifax
        Organizational unit: Equifax Secure Certificate Authority
        Country: US

I’m not entirely sure how to interpret this. I may just go ahead and start
grabbing all the certs I see and trying them out one by one…

Any more insight? Thank you for the quick replies.

On Sun, May 13, 2012 at 7:22 PM, Stephen J Alexander sjalexander@mpbx.com wrote:



I suspect the server does not have its certificate installed properly

  • specifically the intermediate or chain certificate is probably not
    installed/configured. Ideally this would be fixed on the server side
    but you can work around it by adding the correct chain certificate(s)
    to the client trusted certificate list.

As a test try going to that same port and dump the certificates it
offers up like so:

openssl s_client -connect example.com.:443

You should see a section in the output like so:

Certificate chain
 0 s:/serialNumber=1234/C=US/O=example.com/OU=NoAuthFromUs/OU=See someurl/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=example.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

You should see three entries (0, 1, 2) though the names will be
different than above. If you only see two then the chain
certificate is missing from the server.

cheers
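The chain check Ram describes above, and the gap Stephen pointed at earlier (a server certificate with no path back to the Equifax root in tls_trust_file), as an added example that is not code from any poster, from msmtp or from OpenSSL: it parses the `Certificate chain` section of `openssl s_client` output and reports where the chain stops. Both dumps are constructed samples, and the comparison is by issuer/subject name only, not a signature check.

```python
"""Added example: find where an openssl s_client 'Certificate chain' stops.
Names only are compared (no signature checks), which is enough to show
whether the server's chain reaches the root in msmtp's tls_trust_file."""
import re

# Subject the client trusts: the Equifax root from the thread's tls_trust_file.
EQUIFAX_ROOT = "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"
# Constructed sample modelled on the three-entry chain Ram posted.
FULL_CHAIN = """\
Certificate chain
 0 s:/C=US/O=example.com/OU=Domain Control Validated - RapidSSL(R)/CN=example.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
"""

# Constructed sample of the failure Ram suspects: the server omits the
# GeoTrust Global CA, so nothing it sends is issued by the Equifax root.
MISSING_INTERMEDIATE = """\
Certificate chain
 0 s:/C=US/O=example.com/OU=Domain Control Validated - RapidSSL(R)/CN=example.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
"""

# Old OpenSSL prints "s:/C=US/...", newer "s:C = US, ..."; both match here.
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    entries, subject = [], None
    for line in s_client_output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            entries.append((subject, m.group(1).strip()))
            subject = None
    return entries

def check_chain(entries, trust_anchor):
    """Describe the first gap, or return None when the chain links up to trust_anchor."""
    if not entries:
        return "no certificate chain in output"
    for n, (_, issuer) in enumerate(entries[:-1]):
        if issuer != entries[n + 1][0]:
            return f"entry {n} is issued by {issuer!r}, but entry {n + 1} is not that CA"
    last_issuer = entries[-1][1]
    if last_issuer != trust_anchor:
        return (f"{len(entries)} certificate(s) sent; the last is issued by "
                f"{last_issuer!r}, not by the trust anchor: the server omits "
                f"an intermediate, or tls_trust_file holds the wrong root")
    return None

if __name__ == "__main__":
    for name, dump in (("full chain", FULL_CHAIN), ("two entries", MISSING_INTERMEDIATE)):
        print(name + ":", check_chain(parse_chain(dump), EQUIFAX_ROOT) or "chain OK")
```

Feed it the output of `openssl s_client -starttls smtp -connect smtp.mydomain.com:587 -showcerts` (587 and 25 need `-starttls smtp`, 465 does not). Note that `-CApath` expects a directory of hashed CA files and a single file goes to `-CAfile`, so the command earlier in the thread never loaded the Equifax certificate at all.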

Ok, so I found the right certificate, but when I run a test with msmtp -a
default username@domain.com…it just hangs. Tried it with all three SSL
ports (465, 587, 25) with the same result…what happens now? I can’t
troubleshoot without error messages…

Thanks for everyone’s assistance so far.

On Sun, May 13, 2012 at 10:00 PM, Ram ram0502@gmail.com wrote:


The command line you specified just establishes a connection and it’s
waiting for you to do something – I think it’s working as
designed. Typically you’d pipe something from STDIN to create a message, or
use it as a backend for another program.
http://msmtp.sourceforge.net/doc/msmtp.html good luck :)

Regards,

Stephen J Alexander
MPBX, LLC
http://mpbx.com
832-713-6729

On Mon, May 14, 2012 at 2:38 PM, Scott Sjodin scott.sjodin@gmail.com wrote:


What was the output - specifically the section I called out?

On Mon, May 14, 2012 at 12:45 PM, Stephen J Alexander sjalexander@mpbx.com wrote:
