GMAIL smtp and certificates

gamartin
New user
Posts: 2
Joined: 2017-11-01 15:38

GMAIL smtp and certificates

Post by gamartin » 2017-11-01 17:39

We ran into an issue yesterday of getting "TCPConnection - TLS/SSL handshake failed. Session Id: 151, Remote IP: 209.85.147.109, Error code: 336134278, Message: certificate verify failed" when using smtp.gmail.com and smtp-relay.gmail.com on ports 465 and 587. We contacted our G Suite provider and they were told by Google that they updated their certificates. I have imported all the certificates from the https://pki.goog/ webpage into our Windows 2012 server and switched the email back on. It seems that so far it is working.

Below is a part of our log from yesterday. If you would like more, please let me know.

"SMTPC" 6324 11 "2017-10-31 16:13:31.393" "74.125.129.108" "RECEIVED: 220 smtp.gmail.com ESMTP 31sm1036928ioq.10 - gsmtp"
"SMTPC" 6324 11 "2017-10-31 16:13:31.408" "74.125.129.108" "SENT: EHLO kisql001.keywell.net"
"SMTPC" 3940 11 "2017-10-31 16:13:31.439" "74.125.129.108" "RECEIVED: 250-smtp.gmail.com at your service, [96.92.53.17][nl]250-SIZE 35882577[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 3940 11 "2017-10-31 16:13:31.455" "74.125.129.108" "SENT: STARTTLS"
"SMTPC" 6324 11 "2017-10-31 16:13:31.486" "74.125.129.108" "RECEIVED: 220 2.0.0 Ready to start TLS"
"TCPIP" 3940 "2017-10-31 16:13:31.643" "TCPConnection - TLS/SSL handshake failed. Session Id: 11, Remote IP: 74.125.129.108, Error code: 336134278, Message: certificate verify failed"
"TCPIP" 6860 "2017-10-31 16:13:31.643" "Connecting to 74.125.129.109:587..."
"SMTPC" 3940 12 "2017-10-31 16:13:31.705" "74.125.129.109" "RECEIVED: 220 smtp.gmail.com ESMTP z133sm1276010itb.10 - gsmtp"
"SMTPC" 3940 12 "2017-10-31 16:13:31.721" "74.125.129.109" "SENT: EHLO kisql001.keywell.net"
"SMTPC" 5628 12 "2017-10-31 16:13:31.752" "74.125.129.109" "RECEIVED: 250-smtp.gmail.com at your service, [96.92.53.17][nl]250-SIZE 35882577[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 5628 12 "2017-10-31 16:13:31.768" "74.125.129.109" "SENT: STARTTLS"
"SMTPC" 5628 12 "2017-10-31 16:13:31.799" "74.125.129.109" "RECEIVED: 220 2.0.0 Ready to start TLS"
"TCPIP" 3940 "2017-10-31 16:13:31.846" "TCPConnection - TLS/SSL handshake failed. Session Id: 12, Remote IP: 74.125.129.109, Error code: 336134278, Message: certificate verify failed"
"TCPIP" 6860 "2017-10-31 16:13:31.846" "Connecting to 2607:f8b0:4001:c20::6c:587..."
"SMTPC" 3940 13 "2017-10-31 16:13:31.955" "2607:f8b0:4001:c20::6c" "RECEIVED: 220 smtp.gmail.com ESMTP 77sm1037684ioh.5 - gsmtp"
"SMTPC" 3940 13 "2017-10-31 16:13:31.955" "2607:f8b0:4001:c20::6c" "SENT: EHLO kisql001.keywell.net"
"SMTPC" 6540 13 "2017-10-31 16:13:32.846" "2607:f8b0:4001:c20::6c" "RECEIVED: 250-smtp.gmail.com at your service, [2603:3015:2a03:7e00::1][nl]250-SIZE 35882577[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 6540 13 "2017-10-31 16:13:32.861" "2607:f8b0:4001:c20::6c" "SENT: STARTTLS"
"SMTPC" 6540 13 "2017-10-31 16:13:32.893" "2607:f8b0:4001:c20::6c" "RECEIVED: 220 2.0.0 Ready to start TLS"
"TCPIP" 5628 "2017-10-31 16:13:32.940" "TCPConnection - TLS/SSL handshake failed. Session Id: 13, Remote IP: 2607:f8b0:4001:c20::6c, Error code: 336134278, Message: certificate verify failed"

Here is part of the log from today where it is working.

"TCPIP" 7492 "2017-11-01 11:21:01.545" "Connecting to 173.194.194.108:587..."
"SMTPC" 7980 5 "2017-11-01 11:21:01.608" "173.194.194.108" "RECEIVED: 220 smtp.gmail.com ESMTP s81sm509362ita.19 - gsmtp"
"SMTPC" 7980 5 "2017-11-01 11:21:01.608" "173.194.194.108" "SENT: EHLO kisql001.keywell.net"
"SMTPC" 6824 5 "2017-11-01 11:21:01.654" "173.194.194.108" "RECEIVED: 250-smtp.gmail.com at your service, [96.92.53.17][nl]250-SIZE 35882577[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 6824 5 "2017-11-01 11:21:01.686" "173.194.194.108" "SENT: STARTTLS"
"SMTPC" 4316 5 "2017-11-01 11:21:01.717" "173.194.194.108" "RECEIVED: 220 2.0.0 Ready to start TLS"
"TCPIP" 4316 "2017-11-01 11:21:02.076" "TCPConnection - TLS/SSL handshake completed. Session Id: 5, Remote IP: 173.194.194.108, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"SMTPC" 4316 5 "2017-11-01 11:21:02.076" "173.194.194.108" "SENT: EHLO kisql001.keywell.net"
"SMTPC" 7980 5 "2017-11-01 11:21:02.123" "173.194.194.108" "RECEIVED: 250-smtp.gmail.com at your service, [96.92.53.17][nl]250-SIZE 35882577[nl]250-8BITMIME[nl]250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 7980 5 "2017-11-01 11:21:02.123" "173.194.194.108" "SENT: AUTH LOGIN"
"SMTPC" 9124 5 "2017-11-01 11:21:02.170" "173.194.194.108" "RECEIVED: 334 VXNlcm5hbWU6"
"SMTPC" 9124 5 "2017-11-01 11:21:02.170" "173.194.194.108" "SENT: U3lzdGVtLlJlcG9ydHNAa2V5d2VsbC5jb20="
"SMTPC" 6824 5 "2017-11-01 11:21:02.217" "173.194.194.108" "RECEIVED: 334 UGFzc3dvcmQ6"
"SMTPC" 6824 5 "2017-11-01 11:21:02.217" "173.194.194.108" "SENT: ***"
"SMTPC" 9124 5 "2017-11-01 11:21:02.521" "173.194.194.108" "RECEIVED: 235 2.7.0 Accepted"
"SMTPC" 9124 5 "2017-11-01 11:21:02.521" "173.194.194.108" "SENT: ***"
"SMTPC" 6824 5 "2017-11-01 11:21:02.568" "173.194.194.108" "RECEIVED: 250 2.1.0 OK s81sm509362ita.19 - gsmtp"
"SMTPC" 6824 5 "2017-11-01 11:21:02.568" "173.194.194.108" "SENT: RCPT TO:<gamartin@keywell.com>"
"SMTPC" 7980 5 "2017-11-01 11:21:02.615" "173.194.194.108" "RECEIVED: 250 2.1.5 OK s81sm509362ita.19 - gsmtp"
"SMTPC" 7980 5 "2017-11-01 11:21:02.615" "173.194.194.108" "SENT: DATA"
"SMTPC" 9124 5 "2017-11-01 11:21:03.958" "173.194.194.108" "RECEIVED: 354 Go ahead s81sm509362ita.19 - gsmtp"
"SMTPC" 6824 5 "2017-11-01 11:21:04.100" "173.194.194.108" "SENT: [nl]."
"SMTPC" 6824 5 "2017-11-01 11:21:06.136" "173.194.194.108" "RECEIVED: 250 2.0.0 OK 1509549665 s81sm509362ita.19 - gsmtp"
"SMTPC" 6824 5 "2017-11-01 11:21:06.151" "173.194.194.108" "SENT: QUIT"
"SMTPC" 7980 5 "2017-11-01 11:21:06.182" "173.194.194.108" "RECEIVED: 221 2.0.0 closing connection s81sm509362ita.19 - gsmtp"

Not sure what the root issue is and if it is fixed or not.

Looking for advice from hmailserver support / development.
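An added example (mine, not the poster's code and not part of hMailServer) that reads log lines in the format shown above and pulls out what a security reviewer would want from them: it unpacks the OpenSSL error code 336134278 (0x14090086) into library, function and reason using the bit layout OpenSSL 1.0.x/1.1.x use (lib 20 = SSL, function 144 = ssl3_get_server_certificate, reason 134 = certificate verify failed, per OpenSSL's ssl.h), flags completed handshakes that negotiated a legacy protocol version or a cipher without forward secrecy, and shows that the AUTH LOGIN username is recoverable from the log even though hMailServer masks the password as ***. The log lines, session numbers, IPs and the username relay@example.com below are constructed for the example; only the line format copies the real log.

```python
import base64
import re

# Constructed sample in hMailServer's log format (not the poster's real log;
# IPs, session ids and the base64 username are made up for this example).
SAMPLE_LOG = """\
"TCPIP" 3940 "2017-10-31 16:13:31.643" "TCPConnection - TLS/SSL handshake failed. Session Id: 11, Remote IP: 192.0.2.10, Error code: 336134278, Message: certificate verify failed"
"TCPIP" 4316 "2017-11-01 11:21:02.076" "TCPConnection - TLS/SSL handshake completed. Session Id: 5, Remote IP: 192.0.2.11, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"TCPIP" 4317 "2017-11-01 11:22:02.076" "TCPConnection - TLS/SSL handshake completed. Session Id: 6, Remote IP: 192.0.2.12, Version: TLSv1, Cipher: AES256-SHA, Bits: 256"
"SMTPC" 7980 5 "2017-11-01 11:21:02.123" "192.0.2.11" "SENT: AUTH LOGIN"
"SMTPC" 9124 5 "2017-11-01 11:21:02.170" "192.0.2.11" "RECEIVED: 334 VXNlcm5hbWU6"
"SMTPC" 9124 5 "2017-11-01 11:21:02.170" "192.0.2.11" "SENT: cmVsYXlAZXhhbXBsZS5jb20="
"SMTPC" 6824 5 "2017-11-01 11:21:02.217" "192.0.2.11" "RECEIVED: 334 UGFzc3dvcmQ6"
"SMTPC" 6824 5 "2017-11-01 11:21:02.217" "192.0.2.11" "SENT: ***"
"""

# OpenSSL 1.0.x/1.1.x pack an error as lib (8 bits) | func (12 bits) | reason (12 bits).
# Only the values that occur in this thread are named here (from OpenSSL's ssl.h).
OPENSSL_LIBS = {20: "SSL"}
OPENSSL_SSL_FUNCS = {144: "ssl3_get_server_certificate"}
OPENSSL_SSL_REASONS = {134: "certificate verify failed"}

FAIL_RE = re.compile(r'handshake failed\. Session Id: (\d+), Remote IP: ([^,]+), '
                     r'Error code: (\d+), Message: (.*)"$')
OK_RE = re.compile(r'handshake completed\. Session Id: (\d+), Remote IP: ([^,]+), '
                   r'Version: ([^,]+), Cipher: ([^,]+), Bits: (\d+)"$')
SMTPC_RE = re.compile(r'^"SMTPC" \d+ (\d+) "[^"]+" "([^"]+)" "(SENT|RECEIVED): (.*)"$')


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code into its library, function and reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    is_ssl = lib == 20
    return {
        "hex": f"0x{code:08X}",
        "lib": OPENSSL_LIBS.get(lib, str(lib)),
        "func": OPENSSL_SSL_FUNCS.get(func, str(func)) if is_ssl else str(func),
        "reason": OPENSSL_SSL_REASONS.get(reason, str(reason)) if is_ssl else str(reason),
    }


def tls_findings(version: str, cipher: str) -> list:
    """Flag protocol versions below TLS 1.2 and key exchanges without forward secrecy."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol {version}")
    # OpenSSL names: ECDHE-*/DHE-* are ephemeral; TLS_* are the (always ephemeral) 1.3 suites.
    if not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append(f"no forward secrecy ({cipher})")
    return findings


def analyze(log_text: str) -> dict:
    """Walk hMailServer log lines and collect handshake failures, negotiated
    parameters and usernames exposed by AUTH LOGIN."""
    report = {"failures": [], "handshakes": [], "auth_usernames": []}
    awaiting_username = set()  # sessions that just received "334 Username:"
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            sid, ip, code, msg = m.groups()
            report["failures"].append({"session": int(sid), "remote_ip": ip,
                                       "message": msg, **decode_openssl_error(int(code))})
            continue
        m = OK_RE.search(line)
        if m:
            sid, ip, version, cipher, bits = m.groups()
            report["handshakes"].append({"session": int(sid), "remote_ip": ip,
                                         "version": version, "cipher": cipher,
                                         "bits": int(bits),
                                         "findings": tls_findings(version, cipher)})
            continue
        m = SMTPC_RE.match(line)
        if not m:
            continue
        sid, ip, direction, payload = m.groups()
        if direction == "RECEIVED" and payload == "334 VXNlcm5hbWU6":  # base64 "Username:"
            awaiting_username.add(sid)
        elif direction == "SENT" and sid in awaiting_username:
            awaiting_username.discard(sid)
            try:  # the client's reply is the base64 username, logged unmasked
                username = base64.b64decode(payload, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                username = payload
            report["auth_usernames"].append({"session": int(sid), "remote_ip": ip,
                                             "username": username})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The decoded reason is the important part: "certificate verify failed" comes from the client side, meaning hMailServer's OpenSSL rejected the chain Gmail presented against the trust store it had. That points at a trust store fix (the CA the server now chains to must be present) rather than a server-side outage, and it is why disabling certificate verification makes the symptom disappear: without verification any host on the path can present any certificate and the relay credentials go to it over a connection that still logs as "handshake completed". Feed real log excerpts to analyze() to see which sessions failed and whether any completed handshake used TLSv1/TLSv1.1 or a non-ephemeral cipher.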

jimimaseye
Moderator
Posts: 8070
Joined: 2011-09-08 17:48

Re: GMAIL smtp and certificates

Post by jimimaseye » 2017-11-01 18:10

My bet is you have 'Verify Certificates' ticked (in SSL Certificates). Consequently, as their certificates were invalid (at the time), HMS would have aborted. This is very common and many servers fail to verify correctly.

Your solution is correct. Either import the latest certificates (assuming all has been updated and is possible) or simply disable 'verify certificates'.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

gamartin
New user
Posts: 2
Joined: 2017-11-01 15:38

Re: GMAIL smtp and certificates

Post by gamartin » 2017-11-01 18:13

Thanks for the reply. I looked at 'Verify Certificates' yesterday, but was afraid to turn it off.

mattg
Moderator
Posts: 19994
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: GMAIL smtp and certificates

Post by mattg » 2017-11-02 00:59

'Verify Certificates' should ONLY matter if you are SMTP relaying via Gmail or if you have Gmail set as a route.

That pki.goog looks to me like they are self-signed certificates from Google, which is why you would need to load their root CA etc. into the Windows certificate trust store.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mattg
Moderator
Posts: 19994
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: GMAIL smtp and certificates

Post by mattg » 2017-11-22 02:54

Looking into this a bit, Gmail suggests that this is caused by the underlying tools not searching for a root CA on each use, but caching the root CA. They cite a potential issue with the root CA being compromised (interesting thought, that). I am unsure how OpenSSL handles the verification, but this issue looks similar to what Google describe as an outcome when the verification uses hard-coded root CAs.

I note too that OpenSSL has done a recent upgrade, but I didn't see that this issue was specifically addressed.
Martin has built a new beta based on the new OpenSSL build.

I'd try the latest Beta build to see if that fixes this issue - it may. (or may not)

programer
Normal user
Posts: 36
Joined: 2015-02-27 18:51

Re: GMAIL smtp and certificates

Post by programer » 2017-11-22 14:56

Hi matt,

I fixed problem with your comments. Thanks.

I need to ask you too: if I block port 25, why can't I receive email anymore? I don't need port 25 because I have SSL for sending email. So why is port 25 important for receiving email?
I mean I use 110 and accept all, but when I want to receive email from another email provider, like Yahoo, I don't get any message. If I open port 25 I receive email.

jimimaseye
Moderator
Posts: 8070
Joined: 2011-09-08 17:48

Re: GMAIL smtp and certificates

Post by jimimaseye » 2017-11-22 15:26

ALL email from the outside world comes IN on port 25. No exceptions. Blocked inbound port 25 = no inbound email from the world.
