Gentoo Forums
Ssmtp cannot send email using Gmail and ECDHE_RSA_AES_256_GC
AstroFloyd
n00b
Joined: 18 Oct 2011
Posts: 33

Posted: Wed Aug 07, 2019 2:38 pm    Post subject: Ssmtp cannot send email using Gmail and ECDHE_RSA_AES_256_GC

Since the beginning of June, I have not been able to send email using smtp.gmail.com:587. After a lot of digging, I found that in my mail.log, a successful entry looks like
Code:
    Jun  5 21:02:26 think sSMTP[32336]: Creating SSL connection to host
    Jun  5 21:02:26 think sSMTP[32336]: SSL connection using ECDHE_RSA_CHACHA20_POLY1305
    Jun  5 21:02:28 think sSMTP[32336]: Sent mail for root@think (221 2.0.0 closing connection b25sm5759833ede.34 - gsmtp) uid=1000 username=af outbytes=1129
while a failure looks like
Code:
    Jun  5 21:17:26 think sSMTP[8165]: Creating SSL connection to host
    Jun  5 21:17:27 think sSMTP[8165]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
    Jun  5 21:17:27 think sSMTP[8165]:  (think)

The thing that strikes me most here is the encryption: it always used to be ECDHE_RSA_CHACHA20_POLY1305 and then changed to ECDHE_RSA_AES_256_GCM_SHA384. Strangely, this did not happen overnight, and after the first occurrence of SHA384 (resulting in a failure), sometimes emails were still successfully sent using POLY1305 (for about 17 hours). As far as I can see, all emails using SHA failed (entry ending in " (think)", the name of my host), while all emails using POLY were sent successfully (ending with "Sent mail for ...").

My emerge.log does not show any merged packages during those days, nor does last reboot show any reboots. An Arch Linux box I'm running is still working fine with the GMail account, and has recently changed from ECDHE-RSA-CHACHA20-POLY1305 (identical to Gentoo) to TLS_AES_256_GCM_SHA384 (similar, but not identical). There, I had to add a line like TLS_CA_File="/usr/share/ncat/ca-bundle.crt". Doing something similar on my Gentoo box doesn't help, partly because I don't seem to have a decent ca-bundle.crt (there is one from kdelibs4support, but it looks quite different), but even when I copy the file from the Arch machine, I get "Unable to set TLS_CA_File=/etc/ssl/certs/ca-certificates.crt".

My /etc/ssmtp/ssmtp.conf looks like
Code:
AuthUser=myAddress@gmail.com
AuthPass=myPassword
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES

When trying to send an email from the command line, I get
Code:
$ echo "testX" | ssmtp -v some@email.adr
[<-] 220 smtp.gmail.com ESMTP o18sm20775012edq.18 - gsmtp
[->] EHLO think
[<-] 250 SMTPUTF8
[->] STARTTLS
[<-] 220 2.0.0 Ready to start TLS
[->] EHLO think
[<-]
ssmtp:  (think)

I'm using a stable mail-mta/ssmtp-2.64-r3 with USE flags: gnutls ipv6 mta ssl -libressl

Allow less secure apps is ON for this GMail account.

Does anyone know what the problem is?


EDIT: interestingly enough, in my Arch box, I had to set TLS_CA_File=/etc/ssl/certs/ca-certificates.crt in ssmtp.conf to get ssmtp working again, but in the Gentoo version TLS_CA_File is not recognised and is missing from the man page, even though both are v2.64.

EDIT: ah, Arch uses Fedora patches...
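One way to check the cipher-versus-outcome correlation described in the post above across a whole mail.log, as an added example that is not part of the original post. The function name `tally_by_cipher` is hypothetical, the sample lines are constructed from the log format quoted in the post, and treating a message that consists only of "(hostname)" as a failed run is an assumption taken from the poster's description.

```python
import re
from collections import defaultdict

# Constructed sample in the sSMTP syslog format quoted in the post
# (PIDs, times and the SMTP session id are made up).
SAMPLE_LOG = """\
Jun  5 21:02:26 think sSMTP[32336]: Creating SSL connection to host
Jun  5 21:02:26 think sSMTP[32336]: SSL connection using ECDHE_RSA_CHACHA20_POLY1305
Jun  5 21:02:28 think sSMTP[32336]: Sent mail for root@think (221 2.0.0 closing connection x1.1 - gsmtp) uid=1000 username=af outbytes=1129
Jun  5 21:17:26 think sSMTP[8165]: Creating SSL connection to host
Jun  5 21:17:27 think sSMTP[8165]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
Jun  5 21:17:27 think sSMTP[8165]:  (think)
Jun  5 22:40:01 think sSMTP[9001]: Creating SSL connection to host
Jun  5 22:40:01 think sSMTP[9001]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) sSMTP\[(\d+)\]: (.*)$")
CIPHER_PREFIX = "SSL connection using "

def tally_by_cipher(log_text):
    """Count sSMTP runs per negotiated cipher suite and outcome."""
    runs, current = [], {}          # current: (host, pid) -> run in progress
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, pid, msg = m.groups()
        key = (host, pid)
        if msg.startswith("Creating SSL connection"):
            # A new run starts here, even if the PID was used before.
            current[key] = {"cipher": "none-logged", "outcome": "unknown"}
            runs.append(current[key])
        elif key not in current:
            continue                # run started before this log excerpt
        elif msg.startswith(CIPHER_PREFIX):
            current[key]["cipher"] = msg[len(CIPHER_PREFIX):].strip()
        elif msg.startswith("Sent mail for "):
            current[key]["outcome"] = "sent"
        elif re.fullmatch(r"\s*\(.*\)", msg):
            # Heuristic from the post: empty error text plus "(hostname)".
            current[key]["outcome"] = "failed"
    counts = defaultdict(lambda: {"sent": 0, "failed": 0, "unknown": 0})
    for run in runs:
        counts[run["cipher"]][run["outcome"]] += 1
    return {cipher: dict(c) for cipher, c in counts.items()}

if __name__ == "__main__":
    for cipher, c in sorted(tally_by_cipher(SAMPLE_LOG).items()):
        print(f"{cipher:32} {c}")
```

A run that logs a cipher but neither outcome line is counted as "unknown", so a truncated log excerpt does not inflate the failure count.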
AstroFloyd
n00b
Joined: 18 Oct 2011
Posts: 33

Posted: Sun Oct 20, 2019 5:24 pm    Post subject:

For posterity, out of my two options, using ssmtp with Fedora patches or using postfix, I ended up choosing the latter, which solved my problem.