Open bs066 opened 2 years ago
My guess is that the old Cygwin version is built against an old openssl, and that is what limits what it can do with TLS connections.
From https://cygwin.com/cgi-bin2/package-cat.cgi?file=x86_64%2Femail%2Femail-3.2.3-git-2 the build date is in 2015.
To avoid those kinds of problems I would build it myself with the current openssl (developer package installed). If I remember correctly, it builds out of the box, with no problems.
I will try that, thanks for the quick response.
I'm probably wrong, if the library is loaded dynamically then it is already using the latest version. That means something else has to be changed.
You could check that with 'ldd $(which email)'
I'm trying a new build. I get to this line:

```
gcc -g -O2 -Wall -W -DUSE_GNU_STRFTIME -I/cygdrive/d/cygwin/home/bills/email/eMail-master -I/cygdrive/d/cygwin/home/bills/email/eMail-master/src -I/cygdrive/d/cygwin/home/bills/email/eMail-master/include -I../include -I/cygdrive/d/cygwin/home/bills/email/eMail-master/dlib/include -I../dlib/include -DEMAIL_VERSION='"3.2.3-git"' -DEMAIL_DIR='"/usr/local/etc/email"' -DHAVE_CONFIG_H -o email email.o addr_parse.o addy_book.o conf.o error.o execgpg.o file_io.o message.o mimeutils.o processmail.o progress_bar.o remotesmtp.o sig_file.o smtpcommands.o utils.o ../dlib/libdlib.a
```

and get a bunch of "multiple definition ... first defined here" errors for the three globals in email.h (table, conf_file, Mopts), for each of the object files:

```
/usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addr_parse.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: multiple definition of `Mopts'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: first defined here
/usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addr_parse.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: multiple definition of `conf_file'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: first defined here
/usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addr_parse.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: multiple definition of `table'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: first defined here
/usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addy_book.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: multiple definition of `Mopts'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: first defined here
/usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addy_book.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: multiple definition of `conf_file'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: first defined here
/usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addy_book.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: multiple definition of `table'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: first defined here
```

and so on.
I know it's probably something basic - but it's been years since I've done C work, and I was never THAT proficient. Is there an easy fix to the errors?
Yep, that's a new error seen when using gcc 10 or newer, which is the case now with Cygwin.
Let me go over the steps:
So far it works now.
After install you'll have 2 versions, the new one in /usr/local/bin and the original in /bin (and /usr/bin).
I haven't installed it and the library is indeed loaded dynamically:

```
$ ldd ./src/email.exe
        ntdll.dll => /cygdrive/c/WINDOWS/SYSTEM32/ntdll.dll (0x7ffec03c0000)
        KERNEL32.DLL => /cygdrive/c/WINDOWS/System32/KERNEL32.DLL (0x7ffebf820000)
        KERNELBASE.dll => /cygdrive/c/WINDOWS/System32/KERNELBASE.dll (0x7ffebdca0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cygssl-1.1.dll => /usr/bin/cygssl-1.1.dll (0x3f8cb0000)
        cygcrypto-1.1.dll => /usr/bin/cygcrypto-1.1.dll (0x3f2b40000)
        cygz.dll => /usr/bin/cygz.dll (0x3f8410000)
```
So I don't think anything will change, but it's worth a try.
You're right, no change (but at least it compiled! Thanks for that!). So you think it's an issue with the ssl versions that cygwin is working with? I just updated today, I would have thought they'd be current.
Not a Cygwin problem, they are current. In fact they carry 2 versions to keep compatibility with older programs, but email is using the latest.
I don't know the detail but there must be some simple change in eMail to allow openssl to use TLS 1.2, could be an API change or a simple parameter that has to be set (i.e. which version(s) to accept/use).
ok, thanks for the help. I'll keep looking...
Found it.
In dlib/src/dnet.c:175:

```c
sd->ctx = SSL_CTX_new(TLSv1_client_method());
```

That limits the TLS version to TLS v1.0. If the parameter is changed to TLS_method() then it would use the highest version both client and server support.
I made that change and recompiled, but still no luck. From what I think I see, it's not even making it to any TLS logic.
In src/processmail.c:150, I get the "Connecting to server" message, then it calls dnetConnect.
In dlib/src/dnet.c:465, I see what looks like a socket connection, which sounds right given what I see in Wireshark. No writes to that socket happen in the code, that I can see.
Back in processmail.c, sd != NULL, since I don't get an error. Then it goes to smtpInit.
In src/smtpcommands.c:887, I get the "Init connection", but not the "Greeting..." It passes to init between the two (line 187).
init passes to readResponse at line 88.
In readResponse, I get the Timeout at line 887, which makes it a condition of the FD_SET/FD_ISSET calls - and at this point we're well outside my C comfort zone... TLS stuff seems to happen after this point.
The context here looks like it's waiting for a 220 response from the mail server, which my mail server does NOT send.
I'm looking for a way to bypass the 220 check, but haven't found anything that doesn't lose the connection. I think there may be inconsistencies between what the mail server is expecting and what email is sending...
Just to get things clear, the test is using the "-tls" option to email?
Actually I would also use "-V" to see the traffic on the terminal.
Yeah, I'm using both of those.
It works for me.
I went ahead and installed it on /usr/local. Additional steps taken: Edited /usr/local/etc/email/email.conf (filled just about everything, specifically to use TLS, port 587, and AUTH as plain LOGIN).
The "-V" option doesn't seem to work as before, I don't get the traffic, only a progress bar. And "-verbose" is even worse, seems to show only the version and exit (yep I tried --verbose, doesn't work either).
But checking at my (local) server's log it does show it used TLS 1.2:

```
Nov 14 15:26:49 DiskStation postfix/smtpd[3061]: Anonymous TLS connection established from unknown[192.168.10.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
```
Wondering about those ports... 587 is used for STARTTLS, 465 for SSL/TLS, does that make a difference?
Other than the obvious: the former is plain text communication, the latter is encrypted.
Not sure about the ports. My Thunderbird connection is all over 465. I never see a STARTTLS in that traffic, just a client hello:
Like I said, I think my mail server (comcast) is expecting something other than what email is sending. I'll keep looking, but I'm losing interest. Thanks a ton for your help!
Got it! I was using port 465 because that's what my other client had configured, and that's the port I was seeing traffic on. I found another example using 587 (as you showed) which included the STARTTLS call, which we mentioned, and I remembered seeing in the code. I changed the port on the command to 587, and it works great. So chalk it up to my unfamiliarity with the protocols in play...
Thanks again for your help.
I think you found that using SSL (encrypted) from the start doesn't work, no matter what protocol is used next.
So we solved half the problem :)
Now STARTTLS (with any TLS version supported by openssl) works, but only if asked after a plain connection. The SSL connection still doesn't work.
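As an added illustration (not eMail's own code) of two points in this thread: the context change at dlib/src/dnet.c:175, and why a client that waits for a plaintext 220 greeting times out on an implicit-TLS port such as 465 but gets through on a STARTTLS port such as 587. The Python below plays both sides on loopback; the fake server, its banner and the port handling are constructed for the demo, and no real TLS handshake takes place.

```python
import queue
import socket
import ssl
import threading

def tls_client_context():
    """Python equivalent of swapping TLSv1_client_method() for TLS_method():
    negotiate the highest shared version, but also refuse anything below 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fake_smtp_server(mode, ready):
    """Constructed stand-in for a mail server; no real TLS handshake happens."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready.put(srv.getsockname()[1])
    conn, _ = srv.accept()
    with srv, conn:
        if mode == "starttls":
            # Port 587 behaviour: the server speaks first, in plaintext.
            conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        else:
            # Port 465 behaviour: the server waits silently for a ClientHello.
            conn.settimeout(1.0)
            try:
                conn.recv(1024)
            except socket.timeout:
                pass

def read_greeting(port, timeout=0.5):
    """Mimics eMail's readResponse(): expect the 220 banner in plaintext and
    give up on timeout (the 'Timeout while trying to read' error above)."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return None

def greeting_for(mode):
    """Run one client/server exchange; return the banner seen, or None."""
    ready = queue.Queue()
    server = threading.Thread(target=fake_smtp_server, args=(mode, ready), daemon=True)
    server.start()
    banner = read_greeting(ready.get())
    server.join()
    return banner
```

On the STARTTLS port the banner arrives and the client can go on to EHLO and STARTTLS; on the implicit-TLS port both sides wait for the other to speak, which is exactly the timeout seen in the thread.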
Using 3.2.3 (on Cygwin) I can successfully connect to my mail server, but then it times out:

```
$ echo hello | email -V -f -n "name" -s "subject" -r smtp.xx.net -p 465 -tls -m LOGIN -u -i
Connecting to server smtp.xx.net on port 465
Init connection...
email: FATAL: Smtp error: Timeout(10) while trying to read from SMTP server
```
Watching Wireshark, I see the connection is being made. With my GUI client (Thunderbird), in Wireshark I see the connection being made, then a TLS 1.2 Client Hello. email doesn't send the Client Hello.
I see the issue saying email only supports TLS 1.0 - is that still the case?