HOW2 hook-in STARTTLS to SMTP:gmail ?

Discussion in 'Linux Networking' started by Unknown, Feb 16, 2013.

  1. Unknown

    Unknown Guest

    Here's the expect script:-
    spawn telnet 587
    expect 220

    send "ehlo\r"
    expect 250

    send "STARTTLS\r"
    expect 220

    send "quit\r"
    expect OK

    exit 0
    And here's the corresponding expect's output log:----
    spawn telnet 587
    Connected to
    Escape character is '^]'.
    220 ESMTP l8sm53322532een.10 - gsmtp
    ehlo at your service, []
    250-SIZE 35882577
    220 2.0.0 Ready to start TLS
    Q1. HOW2 test, as far as possible `STARTTLS` off-line, and or without
    smtp telnet-connection running?

    Q2. HOW2 test `STARTTLS` hooked into smtp telnet-connection not running?

    Q0. HOW2 setup STARTTLS.

    == TIA
    Unknown, Feb 16, 2013

  2. Unknown

    Sam Guest

    Once the response to STARTTLS is received, all further communication is
    encrypted (starting with TLS negotiation). Sending something in plaintext,
    at this point, like "QUIT", will not accomplish anything useful.
    This makes no sense to me. What exactly are you trying to accomplish?
    None of that makes sense either. Perhaps you can explain what problem you
    are trying to solve.
    Sam, Feb 16, 2013

  3. Unknown

    Chris Davies Guest

    openssl s_client -connect remotehost:smtp -starttls smtp -quiet

    You can man s_client for further details.
    Chris Davies, Feb 17, 2013
  4. Unknown

    Unknown Guest

    Ok, the `quit` was just left over from the tested non-TLS version, but
    if the dialog after `STARTTLS` is all 'in the dark' there can be no
    decisions made to guide/branch it, and the C-S pair must have a fixed
    So, does it 'come out of the dark' to handle the further input of:
    To, From....etc.?

    From docos re. stunnel, gnutls-cli, openssl it's not clear to me if these
    are used from the start of the session, or can I start: telnet
    Some other readers seem to understand.

    == TIA.
    Unknown, Feb 18, 2013
  5. Unknown

    Unknown Guest

    Thanks, I fetch all of those.
    That led to 4616 - 928 ~ 3K lines of perl code!
    This is a perfect opportunity to show ONE good reason why I don't
    use the normal crap full-featured graphic browsers, where the textual
    contents is floating around between moving butterflies, and can't be
    sensibly extracted, to eg. post on USEnet nor email.

    Here's my
    Comment #1 from fmat gives a specific example of using SWAKS in TLS mode.
    2 comments to How to Debug SMTP with TLS(SSL) and AUTH

    * fmat
    [29]May 11, 2009 at 8:45 pm
    There are another commandline tool to check smtp connections:
    The commandline-ehlo
    will send a testmail via TLS to TOADDR via sm,tp server
    [1] [30]
    You dont need to fiddle around with en- and decoding scripts to
    get the rigth strings.
    swaks has also options to add header lines and send own
    Just my 2 ct.
    * Jr. TLS admin
    [31]January 16, 2011 at 4:04 am
    This artical saved my but! Thanks you guys... Go linux!
    ---------------- and here's the corresponding link.

    which should contain the extracts [including the typo "get the rigth
    And it does NOT. Some thing is fishy. I can't trust what's happening.
    Computing is an exact science -- not like football.
    Here are some logs, of attempts based on extracts of the confusing docos:-
    -> stunnel -n smtp -c -r
    2013.02.18 13:48:09 LOG3[4904:3084187328]: -n: No such file or directory (2)
    stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
    <filename> - use specified config file instead of /etc/stunne
    -fd <n> - read the config file from a file descriptor
    -help - get config file help
    -version - display version and defaults
    -sockets - display default socket options
    gnutls-cli -s -p 25
    Resolving ''...
    Connecting to ''...
    starttls <-- no further output

    This is a disaster!
    Unknown, Feb 18, 2013
  6. Unknown

    Unknown Guest

    And this is a test-driver which uses SWAKS ?!
    OK, I've now tried to analyse this.
    I've had a sleep, to let my subconscious workout this
    can-o-worms problem. As I see it:
    if TLS is 'in-the-dark' then it must be atomic/one-piece,
    with no contect with 'the outside world' to query and get
    input. So the <user> & <psword> [possibly based64-ed]
    is all wired in.

    And because of this essential atomic structure, you CAN'T
    do telnet incremental testing.
    It's not like walking, one-step-at-a-time.
    It's like shooting a canon.
    No intervention is possible after the shot is fired, until
    after it strikes or misses the target.

    Now to see if/how the <fmat message extract> corresponds to
    the '> 3K-line-perl', I'll see if the perl has some unusual string
    from his 7-argument commandline.
    Let's try "au" OMG! "au" appears a zillion times!
    So does "ap"; but this line suggest that the 7-argument
    command-line belongs to the perl-script:
    { opts => ['ap', 'auth-password'],

    He writes [copy-pasted from links-fetch]:---
    The commandline-ehlo
    will send a testmail via TLS to TOADDR via sm,tp server
    which has got all the arguments to load-the-cannon
    before firing, except the <testmail>.
    So perhaps the <testmail> is a short text in the perl-script?
    But that means that the perl-script is NOT a general purpose
    mailer. Which indeed is not claimed. It's just
    "another commandline tool to check smtp connections".
    It's a perl-script which call `swaks`.

    Jees! a > 3K-line perl-script just to CALL the TLS utility:swak!!
    And below the perl-script is a big set of example calls.

    OK thanks; I need another rest.
    Unknown, Feb 19, 2013
  7. Unknown

    Unknown Guest

    --> stunnel -version ==
    stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
    --> man stunnel | grep '-n' == failed

    --> man stunnel | grep proto ==
    protocol = proto
    application protocol to negotiate SSL
    credentials for protocol negotiations
    destination address for protocol negotiations
    select version of SSL protocol
    FTP protocol which utilizes multiple ports for data transfers.
    --> stunnel -version ==
    stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
    Yes I followed that, but it needs fetching `swaks`, and I need to have
    EACH preceding stage to pass, and the failure of `stunnel` caused me to
    abort - even if swaks doesn't call stunnel.

    The notion of 'confirmation at every stage' has become very BIG for me,
    and is essential to the power of the piping/concatenative style used so
    much in *nix.

    BTW I've got negative ideas on the obsession to update [promoted by M$].
    Currently I use slak13 ca. 2009; and `chroot <DebLenny> which stunnel`
    is empty.


    == Chris Glur.
    Unknown, Feb 19, 2013
  8. Unknown

    Unknown Guest

    As usual, it's a socio/political problem, rather than a technical one.
    slak14 is crap, which is proved by the fact that if you have a cup-of-
    coffee and wait a while, when slak15 comes out, you will [by your
    definition] KNOW that slak14 is crap.
    I can't, I'm located in a 'failed state' and not California.
    What does this indicate ?
    ./swaks -s -p 587 -ehlo -au <gmaiLogiName> -
    ap <fromPswrd> -t -f <fromAdr>
    ------- start log ----
    === Trying
    === Connected to
    <- 220 ESMTP 3sm107278158eej.6 - gsmtp
    -> EHLO
    <- at your service, []
    <- 250-SIZE 35882577
    <- 250-8BITMIME
    <- 250-STARTTLS
    *** Host did not advertise authentication
    -> QUIT
    <- 221 2.0.0 closing connection 3sm107278158eej.6 - gsmtp
    === Connection closed with remote host.
    ------- end log ----

    == TIA

    PS. I'll be off-line & away for 4 days <in deep meditation of if/how to
    my 'religion' to join those who believe we-must-chase-the-update-fad>.
    But I suspect I'm too old.

    When I joined gmail, some years ago, as a spare-wheel/planB, which has
    my [inconvenient] life-boat now, was gmail THEN only able to do http?

    If gmail was able to do smtp:TLS 3,4,5 years ago, with the clients of
    did gmail notify all their zillion clients like in the 90's I got:
    "your current settings for winsok Win 3.1 will not be valid after <date>,
    please update to Windows 95, per <URL>" ?
    Unknown, Feb 20, 2013
  9. Unknown

    Keith Keller Guest

    ["Followup-To:" header set to comp.os.linux.networking.]

    I think you have a PEBKAC.

    Keith Keller, Feb 20, 2013
  10. Unknown

    Jorgen Grahn Guest

    I don't use Slackware myself, but are you sure they don't have
    security support for Slackware 13? The Wikipedia article says
    security support for Slackware 12 ended as late as in August last

    Jorgen Grahn, Feb 20, 2013
  11. Unknown

    Nomen Nescio Guest

    Save yourself some time and effort and install SWAKS for doing testing. SWAKS looks useful, but it seems to require a test message to be

    Before sending an email, I generally want to know:

    1) will the other server talk to me?
    (Many poorly configured servers block using a DNSBL)

    2) does the other server have TLS?

    3) are there any trust issues with the keys?

    I know I can find all that out by looking up the MX server and
    telnetting in. But ideally there would be a tool that does this work,
    and either dumps easily-parsible results or maintains its own
    Nomen Nescio, Feb 22, 2013
  12. Unknown

    Kari Hurtta Guest

    TLS was not negotiated.

    submission 587/tcp # Submission [RFC4409] provided STARTTLS, but client did not
    issued STARTTLS (and after that used TLS).

    Authentication is probably provided only after STARTTLS is used.

    / Kari Hurtta
    Kari Hurtta, Feb 22, 2013
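    The two replies above (the `openssl s_client -starttls smtp` suggestion and the "TLS was not negotiated, so AUTH is not advertised yet" diagnosis) describe one fixed sequence: EHLO in the clear, STARTTLS, TLS handshake, EHLO again over TLS, and only then AUTH. The script below is an added example, not code from anyone in this thread: it parses a captured EHLO reply the way `swaks` or a hand-typed telnet session would see it, decides which command is sensible next, and (in a separate function that needs network access) performs the same steps with the standard library. The EHLO replies embedded in it are constructed from the swaks log earlier in the thread; the hostname, the client address and the AUTH mechanism list are placeholders, since the scrape stripped the real ones.

```python
"""Added example: offline analysis of ESMTP EHLO replies, plus a live
STARTTLS probe. Not part of the original thread; sample replies are
constructed from the swaks log posted above, with placeholder names."""
import smtplib
import ssl

# Constructed: the EHLO reply seen on the plaintext channel (cf. the swaks
# log in the thread, where "*** Host did not advertise authentication" followed).
EHLO_BEFORE_TLS = """250-smtp.example.invalid at your service, [192.0.2.1]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

# Constructed: what a submission server typically answers to the second EHLO,
# after STARTTLS succeeded. The mechanism list is a placeholder.
EHLO_AFTER_TLS = """250-smtp.example.invalid at your service, [192.0.2.1]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2
250 ENHANCEDSTATUSCODES"""


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 reply (RFC 5321, 4.1.1.1) into {KEYWORD: [params]}.
    The first line is the greeting, not an extension; "250-" continues the
    reply and "250 " (space) ends it."""
    exts = {}
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    for i, line in enumerate(lines):
        if not line.startswith("250") or (len(line) > 3 and line[3] not in "- "):
            raise ValueError(f"not an EHLO success line: {line!r}")
        if i == 0:
            continue  # greeting line: "<hostname> <free text>"
        parts = line[4:].split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    if len(lines[-1]) > 3 and lines[-1][3] != " ":
        raise ValueError("multi-line reply not terminated with '250 '")
    return exts


def next_step(exts: dict, tls_active: bool) -> str:
    """Decide the sensible next command from what THIS channel advertised.
    Credentials are never sent over the plaintext channel, even if a server
    were to advertise AUTH there."""
    if not tls_active:
        if "STARTTLS" in exts:
            return "STARTTLS"          # upgrade first, then EHLO again
        if "AUTH" in exts:
            return "REFUSE-PLAINTEXT-AUTH"
        return "QUIT"                  # nothing safe to do here
    return "AUTH" if "AUTH" in exts else "QUIT"


def probe_submission(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Live version of the above (needs network, not run by the test):
    EHLO, STARTTLS with chain and hostname verification, EHLO again, and
    report what each EHLO advertised plus the negotiated cipher."""
    ctx = ssl.create_default_context()   # verifies the certificate chain and hostname
    result = {}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        result["before"] = dict(s.esmtp_features)   # smtplib keeps lowercase keys
        if not s.has_extn("starttls"):
            result["after"] = None
            return result
        s.starttls(context=ctx)   # sends STARTTLS, expects 220, runs the handshake
        s.ehlo()                  # RFC 3207: server state is reset, EHLO again over TLS
        result["after"] = dict(s.esmtp_features)
        result["cipher"] = s.sock.cipher()
    return result


if __name__ == "__main__":
    before = parse_ehlo(EHLO_BEFORE_TLS)
    print("plaintext channel advertises:", sorted(before))
    print("next step:", next_step(before, tls_active=False))
    after = parse_ehlo(EHLO_AFTER_TLS)
    print("TLS channel advertises:", sorted(after))
    print("next step:", next_step(after, tls_active=True))
```

Run against the captured reply from the thread, `next_step` returns `STARTTLS` on the plaintext channel, which is exactly why the earlier swaks run without `-tls` stopped at "Host did not advertise authentication": the server withholds AUTH until the session has been upgraded. `probe_submission` does the upgrade the way `openssl s_client -starttls smtp` does, except that it also issues the second EHLO for you and fails the handshake if the certificate chain or hostname does not verify.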
  13. Unknown

    Unknown Guest

    These are some of Chris Glur's experiences causing me to resist the
    <teen-age-girly-like need to get-the-latest>.

    It seems that I failed to explain the BIGGER view:
    that gmail must have been accessible by non-http means at the date of
    Slak13's birth.
    Yes of course: Micro$loth and similar will always tell you, you must
    get [pay me] the latest updates/security-patches now, now, now.

    While I had no inet access I needed to access an <InetCafee> to
    fetch my gmail. Of course it's Micro$loth based. Did I miss something,
    that I couldn't find how to save the mails to my USBstik, so I'd
    have to sit there [and pay parking fees] to read/memorise the mails?
    IIRC it was using <firefox>.

    And here's something Micro$lothish that really pisses me off:
    I read this legal journalist's blog, and want to contact her to
    pay her to do some legal writing for me; but I can't read the
    one-or-two comments to her article [or ANY of her articles]:

    I use `links` [lynx wants <certificate confirmationS> for gmail]
    for http-fetches. But I accepted that I'd need to use `opera` for
    the above URL; but I still can't read the <comment/s> to the blog.
    Nor with <mozilla>. The <comments wants to save a file, of about 5K,
    in multiple attempts, was a single line ascii, with no apparent

    No doubt this woman is using the LATEST version, which I can't read,
    unless I BUY something else/more. Screw Micro$loth!

    == Chris Glur.
    Unknown, Feb 27, 2013
  14. Unknown

    Charlie Gibbs Guest

    This reminds me of that episode of The Big Bang Theory where
    Leonard and Sheldon are arguing about the roommate agreement:

    Leonard: Oh, screw the roommate agreement!

    Sheldon: No! You don't screw the roommate agreement.
    The roommate agreement screws _you_!
    Charlie Gibbs, Feb 28, 2013
  15. Unknown

    Unknown Guest

    Did you, are you capable of reading the WHOLE deductive chain?
    Unknown, Mar 1, 2013
  16. Unknown

    Unknown Guest

    I don't WANT to know what security support is.
    I'm located in a failed-state: South Africa.
    Years ago I abandoned stuff like credit-cards here.
    IMO the 'security industry' is a scam.
    OTOH slak is a 'proper' distribution.
    Surely fetching gmail isn't 'rocket science'.
    Currently I use `links` to fetch it by http, and can see the traces for
    SSL. Previously before the 2 local ISPs shat-out, I could fetch
    individual mails with 1-klik each, and delete them independently.
    Now with http, you can fetch ONE only per expensive dial-up
    session. How is it possible that technology is going BACKWARDS!?
    Unknown, Mar 1, 2013
  17. Unknown

    Whiskers Guest

    You don't use Links to post usenet posts via Google Groups, so why can't
    you use a normal email program to access your Google Mail account? Google
    Mail supports IMAP, POP and SMTP (with TLS/SSL), and if your Linux distro
    includes Pan for usenet it probably includes Evolution or Balsa or
    Thunderbird for email, any of which should be able to handle Google's
    implementation of the normal email protocols - and use far less on-line
    time and bandwidth than using the webmail interface in any browser.

    Webmail has never been a sensible idea for dial-up users, and it still
    isn't. Unless you enjoy the struggle, just go with the flow and use a
    normal email client!
    Whiskers, Mar 2, 2013
  18. Unknown

    Unknown Guest

    ../swaks -s -p 587 -tls -ehlo -au USER
    -ap PSWRD -t TO.ADR -f FROM.ADR
    *** TLS not available: requires Net::SSLeay. Exiting

    And it pauses with the 'To:' prompt, which is a good indicator, for:
    ./swaks -s -p 587 -tls -ehlo

    locate SSLeay == <several man>

    which SSLeay ==
    which: no SSLeay in (/ ...

    So it's looking like you said it WANTS NEW SOFTWARE.

    But my point remains: I've had gmail [as my spare wheel] before 2009.
    How would I have used non-http then ?

    == TIA.
    Unknown, Mar 2, 2013