HOW2 hook-in STARTTLS to SMTP:gmail ?

Discussion in 'Linux Networking' started by Unknown, Feb 16, 2013.

  1. Unknown

    Unknown Guest

    Here's the expect script:-
    #!/usr/bin/expect -f
    # Drive the plaintext part of an SMTP submission session by hand.
    spawn telnet smtp.gmail.com 587
    expect "220"

    send "ehlo\r"
    expect "250"

    send "STARTTLS\r"
    expect "220"

    # Once the 220 to STARTTLS arrives the server expects a TLS handshake,
    # so this plaintext quit is never understood and "OK" never comes back;
    # expect simply times out here.
    send "quit\r"
    expect "OK"

    exit 0
    =======
    And here's the corresponding expect's output log:----
    spawn telnet smtp.gmail.com 587
    Trying 173.194.65.108...
    Connected to smtp.gmail.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP l8sm53322532een.10 - gsmtp
    ehlo
    250-mx.google.com at your service, [41.174.4.202]
    250-SIZE 35882577
    250-8BITMIME
    250-STARTTLS
    250 ENHANCEDSTATUSCODES
    STARTTLS
    220 2.0.0 Ready to start TLS
    quit
    =============================================
    Q1. HOW2 test `STARTTLS`, as far as possible off-line, and/or without an
    smtp telnet-connection running?

    Q2. HOW2 test `STARTTLS` hooked into smtp telnet-connection not running?

    Q0. HOW2 setup STARTTLS.


    == TIA
     
    Unknown, Feb 16, 2013
    #1

  2. Unknown

    Sam Guest

    Once the response to STARTTLS is received, all further communication is
    encrypted (starting with TLS negotiation). Sending something in plaintext,
    at this point, like "QUIT", will not accomplish anything useful.
    This makes no sense to me. What exactly are you trying to accomplish?
    None of that makes sense either. Perhaps you can explain what problem you
    are trying to solve.


     
    Sam, Feb 16, 2013
    #2

  3. Unknown

    Chris Davies Guest

    openssl s_client -connect remotehost:smtp -starttls smtp -quiet

    You can man s_client for further details.
    Chris
     
    Chris Davies, Feb 17, 2013
    #3
  4. Unknown

    Unknown Guest

    Ok, the `quit` was just left over from the tested non-TLS version, but
    if the dialog after `STARTTLS` is all 'in the dark' there can be no
    decisions made to guide/branch it, and the C-S pair must have a fixed
    sequence.
    So, does it 'come out of the dark' to handle the further input of:
    To, From....etc.?

    From docos re. stunnel, gnutls-cli, openssl it's not clear to me if these
    are used from the start of the session, or can I start: telnet
    Some other readers seem to understand.

    == TIA.
     
    Unknown, Feb 18, 2013
    #4
  5. Unknown

    Unknown Guest

    Thanks, I fetched all of those.
    ----
    That led to 4616 - 928 ~ 3K-lines of perl code!
    --------
    This is a perfect opportunity to show ONE good reason why I don't
    use the normal crap full-featured graphic browsers, where the textual
    contents is floating around between moving butterflies, and can't be
    sensibly extracted, to eg. post on USEnet nor email.

    Here's my
    Comment #1 from fmat gives a specific example of using SWAKS in TLS mode.
    of
    <http://doc.coker.com.au/internet/how-to-debug-smtp-with-tlsssl-and-auth/>
    ----------------
    2 comments to How to Debug SMTP with TLS(SSL) and AUTH

    * fmat
    [29]May 11, 2009 at 8:45 pm
    There is another command-line tool to check smtp connections:
    swaks[1]
    The commandline-ehlo
    swaks -s SMTPSERVERNAME -p ESMTPS -ehlo MYFQDN -au USERNAME -ap
    USERPASSWD -t TOADDR -f FROMADDR
    will send a testmail via TLS to TOADDR via smtp server
    SMTPSERVERNAME.
    [1] [30]http://packages.debian.org/lenny/swaks
    You dont need to fiddle around with en- and decoding scripts to
    get the rigth strings.
    swaks has also options to add header lines and send own
    mailbodies.
    Just my 2 ct.
    * Jr. TLS admin
    [31]January 16, 2011 at 4:04 am
    This article saved my butt! Thank you guys... Go linux!
    ...
    ---------------- and here's the corresponding link.
    29. http://doc.coker.com.au/internet/how-to-debug-smtp-with-tlsssl-and-auth/comment-page-1/#comment-580

    which should contain the extracts [including the typo "get the rigth
    strings"]
    And it does NOT. Some thing is fishy. I can't trust what's happening.
    Computing is an exact science -- not like football.
    ===============
    Here are some logs, of attempts based on extracts of the confusing docos:-
    -> stunnel -n smtp -c -r smtp.gmail.com:587
    ==
    2013.02.18 13:48:09 LOG3[4904:3084187328]: -n: No such file or directory (2)
    ------
    Syntax:
    stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
    <filename> - use specified config file instead of /etc/stunnel/stunnel.conf
    -fd <n> - read the config file from a file descriptor
    -help - get config file help
    -version - display version and defaults
    -sockets - display default socket options
    +++++++++++++++++++++++++++++++++++++++++++++++++++++
    gnutls-cli -s gmail.com -p 25
    Resolving 'gmail.com'...
    Connecting to '173.194.41.118:25'...
    ehlo
    starttls <-- no further output
    ++++++++++++++++++++++++++

    This is a disaster!
     
    Unknown, Feb 18, 2013
    #5
  6. Unknown

    Unknown Guest

    And this is a test-driver which uses SWAKS ?!
    OK, I've now tried to analyse this.
    I've had a sleep, to let my subconscious workout this
    can-o-worms problem. As I see it:
    if TLS is 'in-the-dark' then it must be atomic/one-piece,
    with no contact with 'the outside world' to query and get
    input. So the <user> & <password> [possibly base64-ed]
    is all wired in.

    And because of this essential atomic structure, you CAN'T
    do telnet incremental testing.
    It's not like walking, one-step-at-a-time.
    It's like shooting a cannon.
    No intervention is possible after the shot is fired, until
    after it strikes or misses the target.

    Now to see if/how the <fmat message extract> corresponds to
    the '> 3K-line-perl', I'll see if the perl has some unusual string
    from his 7-argument commandline.
    Let's try "au" OMG! "au" appears a zillion times!
    So does "ap"; but this line suggest that the 7-argument
    command-line belongs to the perl-script:
    { opts => ['ap', 'auth-password'],

    He writes [copy-pasted from links-fetch]:---
    The commandline-ehlo
    swaks -s SMTPSERVERNAME -p ESMTPS -ehlo MYFQDN -au USERNAME -ap
    USERPASSWD -t TOADDR -f FROMADDR
    will send a testmail via TLS to TOADDR via smtp server
    SMTPSERVERNAME.
    ---
    which has got all the arguments to load-the-cannon
    before firing, except the <testmail>.
    So perhaps the <testmail> is a short text in the perl-script?
    But that means that the perl-script is NOT a general purpose
    mailer. Which indeed is not claimed. It's just
    "another commandline tool to check smtp connections".
    It's a perl-script which call `swaks`.

    Jees! a > 3K-line perl-script just to CALL the TLS utility:swaks!!
    And below the perl-script is a big set of example calls.

    OK thanks; I need another rest.
     
    Unknown, Feb 19, 2013
    #6
  7. Unknown

    Unknown Guest

    --> stunnel -version ==
    stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
    --> man stunnel | grep '-n' == failed

    --> man stunnel | grep proto ==
    protocol = proto
    application protocol to negotiate SSL
    credentials for protocol negotiations
    destination address for protocol negotiations
    select version of SSL protocol
    FTP protocol which utilizes multiple ports for data transfers.
    --> stunnel -version ==
    stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
    Yes I followed that, but it needs fetching `swaks`, and I need to have
    EACH preceding stage pass, and the failure of `stunnel` caused me to
    abort - even if swaks doesn't call stunnel.

    The notion of 'confirmation at every stage' has become very BIG for me,
    and is essential to the power of the piping/concatenative style used so
    much in *nix.

    BTW I've got negative ideas on the obsession to update [promoted by M$].
    Currently I use slak13 ca. 2009; and `chroot <DebLenny> which stunnel`
    is empty.

    Thanks,

    == Chris Glur.
     
    Unknown, Feb 19, 2013
    #7
  8. Unknown

    Unknown Guest

    As usual, it's a socio/political problem, rather than a technical one.
    slak14 is crap, which is proved by the fact that if you have a cup-of-coffee
    and wait a while, when slak15 comes out, you will [by your definition]
    KNOW that slak14 is crap.
    I can't, I'm located in a 'failed state' and not California.
    What does this indicate ?
    ./swaks -s smtp.gmail.com -p 587 -ehlo gmail.com -au <gmaiLogiName> -ap <fromPswrd> -t -f <fromAdr>
    ------- start log ----
    === Trying smtp.gmail.com:587...
    === Connected to smtp.gmail.com.
    <- 220 mx.google.com ESMTP 3sm107278158eej.6 - gsmtp
    -> EHLO gmail.com
    <- 250-mx.google.com at your service, [41.174.23.162]
    <- 250-SIZE 35882577
    <- 250-8BITMIME
    <- 250-STARTTLS
    <- 250 ENHANCEDSTATUSCODES
    *** Host did not advertise authentication
    -> QUIT
    <- 221 2.0.0 closing connection 3sm107278158eej.6 - gsmtp
    === Connection closed with remote host.
    ------- end log ----

    == TIA

    PS. I'll be off-line & away for 4 days <in deep meditation of if/how to change
    my 'religion' to join those who believe we-must-chase-the-update-fad>.
    But I suspect I'm too old.

    When I joined gmail, some years ago, as a spare-wheel/planB, which has proven
    my [inconvenient] life-boat now, was gmail THEN only able to do http?

    If gmail was able to do smtp:TLS 3,4,5 years ago, with the clients of THEN,
    did gmail notify all their zillion clients like in the 90's I got:
    "your current settings for winsock Win 3.1 will not be valid after <date>,
    please update to Windows 95, per <URL>" ?
     
    Unknown, Feb 20, 2013
    #8
  9. Unknown

    Keith Keller Guest

    ["Followup-To:" header set to comp.os.linux.networking.]

    I think you have a PEBKAC.

    --keith
     
    Keith Keller, Feb 20, 2013
    #9
  10. Unknown

    Jorgen Grahn Guest

    I don't use Slackware myself, but are you sure they don't have
    security support for Slackware 13? The Wikipedia article says
    security support for Slackware 12 ended as late as in August last
    year.

    /Jorgen
     
    Jorgen Grahn, Feb 20, 2013
    #10
  11. Unknown

    Nomen Nescio Guest

    Save yourself some time and effort and install SWAKS for doing testing.

    SWAKS looks useful, but it seems to require a test message to be sent.

    Before sending an email, I generally want to know:

    1) will the other server talk to me?
    (Many poorly configured servers block using a DNSBL)

    2) does the other server have TLS?

    3) are there any trust issues with the keys?

    I know I can find all that out by looking up the MX server and
    telnetting in. But ideally there would be a tool that does this work,
    and either dumps easily-parsible results or maintains its own
    database.
     
    Nomen Nescio, Feb 22, 2013
    #11
  12. Unknown

    Kari Hurtta Guest

    TLS was not negotiated.

    submission 587/tcp # Submission [RFC4409]


    mx.google.com provided STARTTLS, but the client did not
    issue STARTTLS (and after that use TLS).

    Authentication is probably provided only after STARTTLS is used.

    / Kari Hurtta
     
    Kari Hurtta, Feb 22, 2013
    #12
  13. Unknown

    Unknown Guest

    These are some of Chris Glur's experiences causing me to resist the
    <teen-age-girly-like need to get-the-latest>.

    It seems that I failed to explain the BIGGER view:
    that gmail must have been accessible by non-http means at the date of
    Slak13's birth.
    Yes of course: Micro$loth and similar will always tell you, you must
    get [pay me] the latest updates/security-patches now, now, now.

    While I had no inet access I needed to access an <InetCafee> to
    fetch my gmail. Of course it's Micro$loth based. Did I miss something,
    that I couldn't find how to save the mails to my USBstik, so I'd
    have to sit there [and pay parking fees] to read/memorise the mails?
    IIRC it was using <firefox>.

    And here's something Micro$lothish that really pisses me off:
    I read this legal journalist's blog, and want to contact her to
    pay her to do some legal writing for me; but I can't read the
    one-or-two comments to her article [or ANY of her articles]:
    http://carmelrickard.posterous.com/no-room-in-sa-law-for-dont-ask-dont-tell-judg

    I use `links` [lynx wants <certificate confirmationS> for gmail]
    for http-fetches. But I accepted that I'd need to use `opera` for
    the above URL; but I still can't read the <comment/s> to the blog.
    Nor with <mozilla>. The <comments> wants to save a file, of about 5K, which
    in multiple attempts, was a single line ascii, with no apparent
    intelligence.

    No doubt this woman is using the LATEST version, which I can't read,
    unless I BUY something else/more. Screw Micro$loth!

    == Chris Glur.
     
    Unknown, Feb 27, 2013
    #13
  14. This reminds me of that episode of The Big Bang Theory where
    Leonard and Sheldon are arguing about the roommate agreement:

    Leonard: Oh, screw the roommate agreement!

    Sheldon: No! You don't screw the roommate agreement.
    The roommate agreement screws _you_!
     
    Charlie Gibbs, Feb 28, 2013
    #14
  15. Unknown

    Unknown Guest

    Did you, are you capable of reading the WHOLE deductive chain?
     
    Unknown, Mar 1, 2013
    #15
  16. Unknown

    Unknown Guest

    Hi,
    I don't WANT to know what security support is.
    I'm located in a failed-state: South Africa.
    Years ago I abandoned stuff like credit-cards here.
    IMO the 'security industry' is a scam.
    OTOH slak is a 'proper' distribution.
    Surely fetching gmail isn't 'rocket science'.
    Currently I use `links` to fetch it by http, and can see the traces for
    SSL. Previously before the 2 local ISPs shat-out, I could fetch
    individual mails with 1-klik each, and delete them independently.
    Now with http, you can fetch ONE only per expensive dial-up
    session. How is it possible that technology is going BACKWARDS!?
     
    Unknown, Mar 1, 2013
    #16
  17. Unknown

    Whiskers Guest

    You don't use Links to post usenet posts via Google Groups, so why can't
    you use a normal email program to access your Google Mail account? Google
    Mail supports IMAP, POP and SMTP (with TLS/SSL), and if your Linux distro
    includes Pan for usenet it probably includes Evolution or Balsa or
    Thunderbird for email, any of which should be able to handle Google's
    implementation of the normal email protocols - and use far less on-line
    time and bandwidth than using the webmail interface in any browser.

    Webmail has never been a sensible idea for dial-up users, and it still
    isn't. Unless you enjoy the struggle, just go with the flow and use a
    normal email client!
     
    Whiskers, Mar 2, 2013
    #17
  18. Unknown

    Unknown Guest

    -------------
    ../swaks -s smtp.gmail.com -p 587 -tls -ehlo gmail.com -au USER -ap PSWRD -t TO.ADR -f FROM.ADR
    *** TLS not available: requires Net::SSLeay. Exiting

    And it pauses with the 'To:' prompt, which is a good indicator, for:
    ./swaks -s smtp.gmail.com -p 587 -tls -ehlo gmail.com

    locate SSLeay == <several man>

    which SSLeay ==
    which: no SSLeay in (/ ...

    So it's looking like you said it WANTS NEW SOFTWARE.

    But my point remains: I've had gmail [as my spare wheel] before 2009.
    How would I have used non-http then ?

    == TIA.
     
    Unknown, Mar 2, 2013
    #18
