openssl client SMTP with gmail port 587, no response (250 OK) from after <crlf>.<crlf> - smtp

I've been trying to use openssl to establish a connection with smtp.gmail.com port 587 or 465 with:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp
and the authentication, mail from, rcpt to, and data were all successful. But my problem is: after I write . on a new line, there is no 250 OK response from the server.
here is the process:
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certification)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1910 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 28E597C0025A93C82AD4A7C517F699B37D106D760597467B522C1041F1BC17C8
Session-ID-ctx:
Master-Key: 1CC83A8A4B7864DF9BBD9E9742B4E5A5937941EB2A28B88A1D4214920B77AC976D3ADC2DA7B60CF8BD6BC2B0712A42A2
Key-Arg : None
Start Time: 1296911515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 ENHANCEDSTATUSCODES
ehlo
250-mx.google.com at your service, [121.94.150.147]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH
250 ENHANCEDSTATUSCODES
auth login
334 VXNlcm5hbWU6
<my email>
334 UGFzc3dvcmQ6
<my password>
235 2.7.0 Accepted
mail from:<email>
250 2.1.0 OK t14sm1471936icd.10
rcpt to:<email>
250 2.1.5 OK t14sm1471936icd.10
data
from: someone <email>
354 Go ahead t14sm1471936icd.10
to : someone <email>
subject: test
test
test2
.
451 4.4.2 Timeout - closing connection. t14sm1471936icd.10
read:errno=0
I am using Cygwin on Win7 32-bit.
I've been searching for all of the possible keywords on Google but no solution comes up.
PLEASE HELP!

Maybe add the '-crlf' option to the command line:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp -crlf
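The answer points at the real cause: SMTP ends the DATA section only at <CRLF>.<CRLF>, and without -crlf openssl s_client forwards the terminal's bare LF, so the server never sees a terminator and eventually gives up (the 451 4.4.2 Timeout above). The Go program below is an added example, not code from the question, the answer or OpenSSL; it models both sides of that step: EncodeDataSection is what a correct client must send (CRLF endings, dot-stuffing, terminator), EndOfData is how a receiving MTA decides the section is finished, and typedBody is a constructed copy of the text typed in the session. Names and helpers are mine.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Constructed sample: the text typed at the terminal in the question. Without
// -crlf, openssl s_client forwards it with bare LF line endings.
const typedBody = "from: someone <email>\nto : someone <email>\nsubject: test\n\ntest\ntest2"

// EncodeDataSection produces what a client must send after the 354 reply
// (RFC 5321 section 4.5.2): CRLF after every line, a leading "." doubled so
// that a body line cannot be mistaken for the terminator, and finally the
// terminator itself, "." on a line of its own, i.e. <CRLF>.<CRLF>.
func EncodeDataSection(body string) string {
	body = strings.ReplaceAll(body, "\r\n", "\n")
	body = strings.TrimSuffix(body, "\n")
	var b strings.Builder
	for _, line := range strings.Split(body, "\n") {
		if strings.HasPrefix(line, ".") {
			b.WriteByte('.') // dot-stuffing
		}
		b.WriteString(line)
		b.WriteString("\r\n")
	}
	b.WriteString(".\r\n")
	return b.String()
}

// EndOfData models the receiving MTA. Given the octets received so far, it
// returns the length of the finished data section (terminator included), or
// -1 while the terminator has not arrived. Only <CRLF>.<CRLF> ends the
// section; "\n.\n" is merely a line containing a dot, so the server keeps
// reading until its own timeout (the 451 4.4.2 seen in the question).
func EndOfData(received []byte) int {
	if bytes.HasPrefix(received, []byte(".\r\n")) {
		return 3 // empty message: the terminator is the very first line
	}
	i := bytes.Index(received, []byte("\r\n.\r\n"))
	if i < 0 {
		return -1
	}
	return i + len("\r\n.\r\n")
}

// DecodeDataSection is the server's view of a complete section: it strips
// the terminator, undoes dot-stuffing and returns the body with LF endings.
// ok is false if the buffer is not exactly one terminated data section.
func DecodeDataSection(section string) (body string, ok bool) {
	n := EndOfData([]byte(section))
	if n < 0 || n != len(section) {
		return "", false
	}
	raw := strings.TrimSuffix(section, ".\r\n") // drop the terminator line
	raw = strings.TrimSuffix(raw, "\r\n")
	lines := strings.Split(raw, "\r\n")
	for i, line := range lines {
		lines[i] = strings.TrimPrefix(line, ".") // undo dot-stuffing
	}
	return strings.Join(lines, "\n"), true
}

func main() {
	withCRLF := EncodeDataSection(typedBody)
	withoutCRLF := typedBody + "\n.\n" // what s_client sends without -crlf
	fmt.Println("with -crlf, server sees terminator:   ", EndOfData([]byte(withCRLF)) == len(withCRLF))
	fmt.Println("without -crlf, server sees terminator:", EndOfData([]byte(withoutCRLF)) != -1)
}
```

The strictness in EndOfData is deliberate: a receiver that also accepted a bare "\n.\n" would let a sender and a receiver disagree about where one message ends and the next begins, which is exactly the kind of boundary confusion a mail pipeline should not tolerate. Dot-stuffing is the other half of the same rule, and the round trip through DecodeDataSection shows a body line that starts with "." surviving intact.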

how openshift ldap auth provider trust self-signed certificate without a rootca signed

I'm trying to configure OpenShift with my internal LDAPS server as an IDP.
But the thing is, my internal LDAPS certificate is self-signed, not signed by any root CA.
In master-config.yaml, I tried to configure the self-signed certificate as the ca attribute, but it always complains:
login.go:162] Error authenticating "xifeng" with provider "customer_own_ldap": LDAP Result Code 200 "": x509: certificate signed by unknown authority.
I understand the ca attribute in master-config.yaml might expect a CA bundle certificate, but in my case it's a self-signed cert.
Please advise how I can solve this issue?
curl --cacert works fine, see below:
curl -v --cacert xf_ldaps_ca.crt ldaps://bogon:1636
About to connect() to bogon port 1636 (#0)
Trying 172.16.50.169...
Connected to bogon (172.16.50.169) port 1636 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: xf_ldaps_ca.crt
CApath: none
NSS: client certificate not found (nickname not specified)
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Server certificate:
subject: CN=bogon,O=OpenDJ RSA Self-Signed Certificate
start date: Dec 23 12:11:19 2016 GMT
expire date: Dec 18 12:11:19 2036 GMT
common name: bogon
issuer: CN=bogon,O=OpenDJ RSA Self-Signed Certificate
LDAP local: ldaps://bogon:1636/
DN:
objectClass: top
objectClass: ds-root-dse
Connection #0 to host bogon left intact
openssl x509 -in xf_ldaps_ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1440710020 (0x55df7d84)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=OpenDJ RSA Self-Signed Certificate, CN=bogon
Validity
Not Before: Dec 23 12:11:19 2016 GMT
Not After : Dec 18 12:11:19 2036 GMT
Subject: O=OpenDJ RSA Self-Signed Certificate, CN=bogon
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9e:a4:46:41:d2:9d:32:ae:e3:60:f9:13:ac:40:
--------------
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
8c:c4:34:2b:af:dd:ec:bc:f0:68:6a:95:53:02:74:d9:9f:5e:
----------------
E1223 20:58:37.810976 12227 login.go:162] Error authenticating "xftest" with provider "xf_ldaps_test": LDAP Result Code 200 "": x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "bogon")
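The hint in the last error line is Go's crypto/x509 verifier refusing to treat a certificate as an issuer because it carries no basicConstraints CA:TRUE (RFC 5280 section 4.2.1.9); curl accepts the same file, as the session above shows, but a Go client does not. The program below is an added example, not OpenShift or OpenDJ code: it constructs a self-signed "bogon" certificate with and without the CA flag, signs a server certificate with each, and runs Go's verifier the way a Go LDAP client does with a single trusted certificate. It assumes the server presents a certificate signed by the file's certificate rather than that very certificate; all function names and the key material are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed material: a self-signed certificate for host "bogon" (the name
// from the question) used as the trust anchor, and a server certificate it
// signs. Assumption: the relying party is Go's crypto/x509 verifier, which
// produced the error text in the question.

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func validity() (time.Time, time.Time) {
	now := time.Now()
	return now.Add(-time.Hour), now.Add(24 * time.Hour)
}

// MakeAnchor builds a self-signed "bogon" certificate. With isCA=false the
// basicConstraints extension is omitted entirely, which is how a plain
// self-signed server certificate is usually generated.
func MakeAnchor(key *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bogon", Organization: []string{"Self-Signed Certificate (constructed)"}},
		NotBefore:    nb,
		NotAfter:     na,
		DNSNames:     []string{"bogon"},
	}
	if isCA {
		tmpl.BasicConstraintsValid = true
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// MakeServerCert issues a TLS server certificate for "bogon" signed by parent.
func MakeServerCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	nb, na := validity()
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "bogon"},
		NotBefore:    nb,
		NotAfter:     na,
		DNSNames:     []string{"bogon"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &leafKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyWithAnchor does what a Go client does with a single "ca" file: trust
// exactly that certificate (none at all when anchor is nil) and verify the
// server certificate for hostname "bogon". It returns the verifier's error
// text, or "" when the chain is accepted.
func VerifyWithAnchor(anchor, server *x509.Certificate) string {
	pool := x509.NewCertPool()
	if anchor != nil {
		pool.AddCert(anchor)
	}
	if _, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: "bogon"}); err != nil {
		return err.Error()
	}
	return ""
}

// Compare returns the error text for an anchor without the CA flag, for an
// anchor with the CA flag, and for an empty trust store.
func Compare() (withoutCA, withCA, noAnchor string) {
	k1 := newKey()
	a1 := MakeAnchor(k1, false)
	withoutCA = VerifyWithAnchor(a1, MakeServerCert(a1, k1))

	k2 := newKey()
	a2 := MakeAnchor(k2, true)
	withCA = VerifyWithAnchor(a2, MakeServerCert(a2, k2))

	noAnchor = VerifyWithAnchor(nil, MakeServerCert(a2, k2))
	return withoutCA, withCA, noAnchor
}

func main() {
	withoutCA, withCA, noAnchor := Compare()
	fmt.Println("anchor lacks CA:TRUE ->", withoutCA)
	fmt.Println("anchor has CA:TRUE   -> accepted:", withCA == "")
	fmt.Println("no anchor at all     ->", noAnchor)
}
```

The first case reproduces the shape of the message in the question ("certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" ...)"), the second verifies cleanly, and the third is the plain "unknown authority" you get when the issuer is simply not in the trust store. The mitigation this points to is to give the ca setting a certificate that is actually marked as an issuer (basicConstraints CA:TRUE plus keyCertSign), whether a small private CA or a self-signed certificate regenerated with those extensions; openssl x509 -text on the page's file would show whether an X509v3 Basic Constraints extension is present at all.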

Can I use openssl s_client to retrieve the CA certificate for MySQL?

I have access to the remote database server using the following
mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase
Now I want to connect to it using JDBC.
I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.
I've tried
openssl s_client -cipher DHE-RSA-AES256-SHA -connect thehost:3306
and some variations. I always get errors. For example
CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/
Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
Can I use openssl s_client to retrieve the CA certificate for MySQL?
You probably can't.
A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.
For example:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...
The server sent the server's certificate. It's shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications. s: means it's the Subject, while i: means it's the Issuer.
The server sent two intermediate certificates at 1 and 2. However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root".
"AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root
If the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap in their own CA and use an evil chain.
We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
-CAfile addtrustexternalcaroot.pem
It will result in a Verify Ok (0).
Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.
openssl s_client -starttls mysql -connect thehost:3306
Source: answer by Paul Tobias

Strange behaviour with new sendmail.cf

I am trying to change my sendmail configuration to deliver all "user unknown" emails to a specific account (baduser).
I added the DL definition to sendmail.mc and generated test.cf.
Then I tested this new config using:
echo who | sendmail -v -Ctest.cf noone
and the email was correctly delivered to the defined account.
I then renamed test.cf to sendmail.cf (in /etc/mail) and retested with:
echo what | sendmail -Csendmail.cf noone
and again the email was delivered to the baduser account.
Happy with this, I then restarted sendmail (via systemctl) and sent yet another email to an invalid account.
Instead of the email being delivered to baduser, I received a 550 5.1.1 user unknown reject email.
What have I missed here?
(Fedora 22 & sendmail 8.14.7/8.13.3)
Here are the log entries for a reject.
Nov 27 09:59:19 server sendmail[46243]: tAQNTJQH046243: from=scldad, size=4, class=0, nrcpts=1, msgid=<201511262329.tAQNTJQH046243@server.benparts.com.au>, relay=scldad@localhost
Nov 27 09:59:19 server sendmail[46243]: tAQNTJQH046243: to=noone, ctladdr=scldad (1000/1000), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30004, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown
-v -i log:
No domain:
[scldad@server ~]$ (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone
noone... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:29:02 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad@server.benparts.com.au> SIZE=15
250 2.1.0 <scldad@server.benparts.com.au>... Sender ok
>>> RCPT To:<noone@server.benparts.com.au>
>>> DATA
550 5.1.1 <noone@server.benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
/home/scldad/dead.letter... Saved message in /home/scldad/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection
With domain:
[scldad@server ~]$ (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone@benparts.com.au
noone@benparts.com.au... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:27:38 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad@server.benparts.com.au> SIZE=15
250 2.1.0 <scldad@server.benparts.com.au>... Sender ok
>>> RCPT To:<noone@benparts.com.au>
>>> DATA
550 5.1.1 <noone@benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
/home/scldad/dead.letter... Saved message in /home/scldad/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection
As root:
[root@server ~]# (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone
noone... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:30:00 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad@server.benparts.com.au> SIZE=15
250 2.1.0 <scldad@server.benparts.com.au>... Sender ok
>>> RCPT To:<noone@server.benparts.com.au>
>>> DATA
550 5.1.1 <noone@server.benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
>>> RSET
250 2.0.0 Reset state
scldad... Using cached ESMTP connection to [127.0.0.1] via relay...
>>> MAIL From:<> SIZE=1039
250 2.1.0 <>... Sender ok
>>> RCPT To:<scldad@server.benparts.com.au>
>>> DATA
250 2.1.5 <scldad@server.benparts.com.au>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
050 <scldad@server.benparts.com.au>... Connecting to local...
050 <scldad@server.benparts.com.au>... Sent
250 2.0.0 tAS300jh034101 Message accepted for delivery
scldad... Sent (tAS300jh034101 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection

How to connect dovecot on 993 port using squirrelmail

I am trying to connect to Dovecot on port 993 but Dovecot shows the error below:
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
SquirrelMail config:
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try telnet and openssl on the SquirrelMail server:
[root@aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root@aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: 143 port works fine by the way.
Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <?php var_dump(openssl_get_cert_locations()); ?> and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.

SMTP STARTTLS certificate negotitiation via telnet

I am trying to start TLS in sendmail, but I do not know how to use the certificate. Please suggest a way.
> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 <machinename> ESMTP Sendmail <version>; <date>;localhost(OK)-localhost [127.0.0.1]
EHLO localhost
250-<machinename> Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
When and How should I use/provide the certificate?
You can't, because as soon as you start using TLS, the conversation becomes encrypted, and you probably don't speak that language ;)
Here is what you can do instead:
openssl s_client -debug -starttls smtp -crlf -connect localhost:25
OpenSSL will do the STARTTLS handshake for you and you will be able to pick up the conversation from there (decrypted automatically on the fly).