Operation timed out with smtp.gmail.com - please help

Matthew Seaman matthew at FreeBSD.org
Sat Mar 30 10:49:57 UTC 2013


On 30/03/2013 10:14, Anton Shterenlikht wrote:
> The university IT support page:
> http://www.bristol.ac.uk/it-services/applications/email/gmail/manual-config-gmail.html
> 
> actually says that port 465 SSL should be used,
> so I also tried:
> 
> $ openssl s_client -connect smtp.gmail.com:465 -starttls smtp
> CONNECTED(00000003)
> ^C
> $ 
> 
> Not sure what to make of this.
> 
> Is the port set by sendmail config files?
> 
> Many thanks for your help
> 

Port 465 wouldn't use STARTTLS -- it requires SSL straight away.  Try:

% openssl s_client -connect smtp.gmail.com:465

If it works you should see output to do with setting up session keys etc.

However, SMTP on port 465 seems to be mostly a Windows thing, and
generally discouraged -- use of STARTTLS or equivalent to allow both SSL
and plaintext without having to allocate a separate port for SSL is
preferred.  I'm pretty sure that Gmail does support STARTTLS...

> $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---

Given you're seeing that CONNECTED message there, it certainly does.
The problem with that openssl command seems to be the 'unable to get
local issuer certificate' part.  That's possibly openssl being pickier
about verifying certs than sendmail would be, but that certificate
verification step is probably where you're coming adrift.  You need to
have the intermediate certs used by Google in your cacert.pem file, so
sendmail will trust the smtp.gmail.com cert.  Check the 'confCACERT'
setting in your sendmail.mc.  I have a block of code like this:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

which allows me to put all the keys and certs in /etc/mail/certs/

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey


More information about the freebsd-questions mailing list