# ssmtp - Cannot open 587 ( 465, 2525, 25, 993 )



## VitS (Jan 12, 2022)

Hi,

ssmtp can't work with:

```
SSL_connect: Connection reset by peer
ssmtp: Cannot open smtp.gmail.com:587
```

Maybe someone has worked with it.

I am using:

```
#UseTLS=YES
UseSTARTTLS=YES
TLS_CA_FILE=/usr/local/etc/ssl/intermediate.crt
root=postmaster
mailhub=smtp.gmail.com:587
rewriteDomain=mydomain
hostname=localhost
FromLineOverride=YES
Debug=YES
AuthMethod=LOGIN
AuthUser=MyUser
AuthPass=MyPass
```

And revaliases:

```
root:User@domain.com:smtp.gmail.com:587
```

I tried all ports, changing UseTLS and UseStartTLS.

Also tried:


```
openssl s_client -tls1 -connect smtp.gmail.com:587
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 127 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1641990833
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
telnet smtp.gmail.com 587
Trying 142.251.1.109...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP f23sm1547407ljn.0 - gsmtp
```

What could be the issue? Installed: ssmtp-2.64_4

Thanks,


----------



## VitS (Jan 12, 2022)

Maillog:

```
Jan 12 14:52:08 *** sSMTP[19366]: Set UseSTARTTLS="True"
Jan 12 14:52:08 *** sSMTP[19366]: Set AuthUser="***"
Jan 12 14:52:08 *** sSMTP[19366]: Set AuthPass="***"
Jan 12 14:52:08 *** sSMTP[19366]: Set AuthMethod="LOGIN"
Jan 12 14:52:08 *** sSMTP[19366]: Set MailHub="smtp.gmail.com"
Jan 12 14:52:08 *** sSMTP[19366]: via SMTP Port Number="587"
Jan 12 14:52:11 *** sSMTP[19366]: Creating SSL connection to host
Jan 12 14:52:11 *** sSMTP[19366]: 220 smtp.gmail.com ESMTP n11sm1573022ljj.70 - gsmtp
Jan 12 14:52:11 *** sSMTP[19366]: EHLO localhost
Jan 12 14:52:11 *** sSMTP[19366]: 250 SMTPUTF8
Jan 12 14:52:11 *** sSMTP[19366]: STARTTLS
Jan 12 14:52:11 *** sSMTP[19366]: 220 2.0.0 Ready to start TLS
Jan 12 14:52:11 *** sSMTP[19366]: Cannot open smtp.gmail.com:587
```


----------
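
An added example (not part of any post in this thread): a small Python triage of sSMTP `Debug=YES` log lines that reports how far each session got before `Cannot open`. The function name and stage labels are hypothetical, and the sample lines are constructed after the excerpts posted above.

```python
import re

# Constructed sample lines, shaped like the Debug=YES maillog excerpts in this thread.
LOG_587 = """\
Jan 12 14:52:11 host sSMTP[19366]: Creating SSL connection to host
Jan 12 14:52:11 host sSMTP[19366]: 220 smtp.gmail.com ESMTP x - gsmtp
Jan 12 14:52:11 host sSMTP[19366]: EHLO localhost
Jan 12 14:52:11 host sSMTP[19366]: 250 SMTPUTF8
Jan 12 14:52:11 host sSMTP[19366]: STARTTLS
Jan 12 14:52:11 host sSMTP[19366]: 220 2.0.0 Ready to start TLS
Jan 12 14:52:11 host sSMTP[19366]: Cannot open smtp.gmail.com:587
"""
LOG_465 = """\
Jan 12 16:02:24 host sSMTP[64128]: Creating SSL connection to host
Jan 12 16:02:24 host sSMTP[64128]: Cannot open smtp.gmail.com:465
"""

ENTRY = re.compile(r"sSMTP\[(\d+)\]: (.*)$")

def failure_stage(log_text):
    """Map each sSMTP pid that logged 'Cannot open' to the stage it had reached."""
    stage, failed = {}, {}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        now = stage.get(pid, "before-banner")
        if msg.startswith("Cannot open"):
            failed[pid] = now
        elif msg == "STARTTLS":
            stage[pid] = "starttls-sent"
        elif msg.startswith("220 "):
            # The first 220 is the server banner; a 220 after STARTTLS means "go ahead".
            stage[pid] = "tls-handshake" if now == "starttls-sent" else "after-banner"
        elif now == "starttls-sent" and msg[:1] in ("4", "5"):
            stage[pid] = "starttls-refused"
    return failed

if __name__ == "__main__":
    print(failure_stage(LOG_587))
    print(failure_stage(LOG_465))
```

A result of `tls-handshake` means the server answered the banner, EHLO and STARTTLS normally, so the failure lies in the TLS negotiation rather than in the SMTP settings; `before-banner` means the session failed before any SMTP reply was logged.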



## SirDice (Jan 12, 2022)

The mail submit port (587) uses STARTTLS, not SSL.


----------



## VitS (Jan 12, 2022)

SirDice said:


> The mail submit port (587) uses STARTTLS, not SSL.


Hi,

Thank you for your reply, and what does it mean? I guess I use: UseSTARTTLS=YES, or is there something else I need to put in my configuration file?


----------



## sko (Jan 12, 2022)

I use ssmtp almost everywhere on my servers, although I've never used it with gmail (which might have some weird non-standard restrictions in place...).

However, I don't think you have to (or should) define TLS_CA_FILE at all (this keyword isn't even mentioned in ssmtp.conf(5) ).

Here's one of my ssmtp.conf:

```
root=admin@mydomain.de
mailhub=mail1.mydomain.de:587
rewriteDomain=srv1.thu.de.mydomain.de
hostname=_HOSTNAME_
UseSTARTTLS=YES
AuthUser=ssmtp@srv1.thu.de.mydomain.de
AuthPass=<password>
```


Also, why are you still using/forcing TLSv1? (Or should I rather ask why on earth gmail still supports this obsolete and insecure version...)
The proper command for checking smtp with starttls should be `openssl s_client -connect smtp.gmail.com:587 -starttls smtp`:


> ```
> # openssl s_client -connect smtp.gmail.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
> ...
> ```


----------



## VitS (Jan 12, 2022)

sko said:


> I use ssmtp almost everywhere on my servers, although I've never used it with gmail (which might have some weird non-standard restrictions in place...).
> 
> However, I don't think you have to (or should) define TLS_CA_FILE at all (this keyword isn't even mentioned in ssmtp.conf(5) ).
> 
> ...




```
openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 254 bytes and written 351 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
```

Ok, got it: TLS_CA_FILE is not for me.


----------



## sko (Jan 12, 2022)

VitS said:


> ```
> openssl s_client -connect smtp.gmail.com:587 -starttls smtp
> CONNECTED(00000003)
> write:errno=54
> ```



There is something foul with that... What `openssl version` are you running? `uname -v`?
Usually 'errno=54' means that the available TLS versions on the server and client don't match...


----------



## anlashok (Jan 12, 2022)

This works for me with latest ssmtp and gmail. FreeBSD 12.2, openssl from base. From memory I struggled to get port 587 to work so used 465 instead, but this was a while ago. 


```
# gmail version
Root=            # mail for root
Mailhub=smtp.gmail.com:465              # mail server to connect
RewriteDomain=         # where the mail pretends to come from
Hostname=              # hostname
AuthUser=        # SMTP Auth user (gmail login id)
AuthPass=               # SMTP Auth pass, I use a unique specific password for this connection in google settings
#UseSTARTTLS=YES                        # needed for 587 port to work
UseTLS=YES                              # needed for 465 port to work
AuthMethod=LOGIN
```

I think you also need to set the matching port in revaliases:

```
# gmail port 465 # does work
root:@gmail.com:smtp.gmail.com:465
```


----------
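
An added example (not from any poster in this thread): a Python consistency check for `ssmtp.conf` and `revaliases`. The port-to-mode expectations (587 with `UseSTARTTLS`, 465 with `UseTLS`) and the matching-port rule for revaliases are taken from the replies above; the function names are hypothetical and the sample inputs are constructed.

```python
# Added example: consistency check for ssmtp.conf / revaliases (names are hypothetical).
# Port-to-mode expectations come from the replies in this thread.
EXPECTED_MODE = {"587": "starttls", "465": "tls"}

def parse_conf(text):
    """KEY=VALUE lines; '#' starts a comment; keys compared case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def with_port(hub):
    """Normalise 'host' to 'host:25' (assumed default when no port is given)."""
    return hub if ":" in hub else hub + ":25"

def lint(conf_text, revaliases_text=""):
    """Return a list of findings; an empty list means the settings agree."""
    conf = parse_conf(conf_text)
    hub = with_port(conf.get("mailhub", ""))
    port = hub.rsplit(":", 1)[1]
    yes = lambda key: conf.get(key, "").lower() == "yes"
    mode = "starttls" if yes("usestarttls") else "tls" if yes("usetls") else "plain"
    findings = []
    want = EXPECTED_MODE.get(port)
    if want and mode != want:
        findings.append(f"port {port} expects {want}, config selects {mode}")
    for line in revaliases_text.splitlines():
        fields = line.split("#", 1)[0].strip().split(":")
        if len(fields) >= 3:  # local_user:from_address:mailhub[:port]
            rev_hub = with_port(":".join(fields[2:]))
            if rev_hub != hub:
                findings.append(f"revaliases {fields[0]} -> {rev_hub}, mailhub is {hub}")
    return findings

# Constructed inputs: the first pair mirrors the question's settings, the second mixes modes.
GOOD_CONF = "UseSTARTTLS=YES\nmailhub=smtp.gmail.com:587\nAuthMethod=LOGIN\n"
GOOD_REV = "root:User@domain.com:smtp.gmail.com:587\n"
BAD_CONF = "Mailhub=smtp.gmail.com:465   # implicit TLS port\nUseSTARTTLS=YES\n"
BAD_REV = "root:User@domain.com:smtp.gmail.com:587\n"

if __name__ == "__main__":
    print(lint(GOOD_CONF, GOOD_REV))
    print(lint(BAD_CONF, BAD_REV))
```

An empty result for the 587/STARTTLS pair shows that those settings agree with each other, which points troubleshooting at the TLS layer rather than at the configuration file.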



## VitS (Jan 12, 2022)

sko said:


> There is something foul with that... What `openssl version` are you running? `uname -v`?
> Usually 'errno=54' means that the available TLS versions on the server and client don't match...


```
OpenSSL 1.1.1d-freebsd  10 Sep 2019
uname -v
FreeBSD 12.1-RELEASE r354233 GENERIC
```


----------



## VitS (Jan 12, 2022)

anlashok said:


> This works for me with latest ssmtp and gmail. FreeBSD 12.2, openssl from base. From memory I struggled to get port 587 to work so used 465 instead, but this was a while ago.
> 
> 
> ```
> ...
> ```


Hi,

I guess I already checked with 465. Let me check one more time. No, the same:

```
Jan 12 16:02:24 *** sSMTP[64128]: Creating SSL connection to host
Jan 12 16:02:24 *** sSMTP[64128]: Cannot open smtp.gmail.com:465
```

So I guess it is something with my openssl. Right?

Thank You,


----------



## SirDice (Jan 12, 2022)

FreeBSD 12.1 is end-of-life and not supported anymore. Upgrade to 12.3 (12.2 will be EoL at the end of March).


----------



## sko (Jan 12, 2022)

VitS said:


> ```
> OpenSSL 1.1.1d-freebsd  10 Sep 2019
> uname -v
> FreeBSD 12.1-RELEASE r354233 GENERIC
> ```



Although they 'should'™ work, both your openssl and your FreeBSD version are quite outdated and EOL. Try updating to a supported release (12.2 or 12.3) first. Especially with old OpenSSL versions and probably outdated root CAs, troubleshooting TLS is rather pointless...


----------



## VitS (Jan 12, 2022)

SirDice said:


> FreeBSD 12.1 is end-of-life and not supported anymore. Upgrade to 12.3 (12.2 will be EoL at the end of March).


I knew you would tell me this; that's why I was scared when you paid attention to this thread.

But I wanted to know if my configuration file is correct and I am on the right way.

Now I can see that it is something with openssl.

Thanks anyway


----------

