deanproxy / eMail

Command line SMTP client
https://www.deanproxy.com/code
GNU General Public License v2.0
136 stars 46 forks

Connecting to mail server, then no traffic? #58

Open bs066 opened 2 years ago

bs066 commented 2 years ago

Using 3.2.3 (on Cygwin) I can successfully connect to my mail server, but then it times out:

    $ echo hello | email -V -f -n "name" -s "subject" -r smtp.xx.net -p 465 -tls -m LOGIN -u -i
    Connecting to server smtp.xx.net on port 465
    Init connection...
    email: FATAL: Smtp error: Timeout(10) while trying to read from SMTP server

Watching wireshark, I see the connection is being made. With my gui client (Thunderbird), in wireshark I see the connection being made, then a TLS 1.2 Client Hello. email doesn't send the Client Hello.

I see the issue saying email only supports TLS 1.0 - is that still the case?

rb07 commented 2 years ago

My guess is that the old Cygwin version is built against an old openssl, and that is what limits what it can do with TLS connections.

From https://cygwin.com/cgi-bin2/package-cat.cgi?file=x86_64%2Femail%2Femail-3.2.3-git-2 the build date is in 2015.

To avoid those kinds of problems I would build it myself with the current openssl (developer package installed). If I remember correctly, it built out of the box, with no problems.

bs066 commented 2 years ago

I will try that, thanks for the quick response.

rb07 commented 2 years ago

I'm probably wrong, if the library is loaded dynamically then it is already using the latest version. That means something else has to be changed.

You could check that with 'ldd $(which email)'

bs066 commented 2 years ago

I'm trying a new build - I get to this line:

    gcc -g -O2 -Wall -W -DUSE_GNU_STRFTIME -I/cygdrive/d/cygwin/home/bills/email/eMail-master -I/cygdrive/d/cygwin/home/bills/email/eMail-master/src -I/cygdrive/d/cygwin/home/bills/email/eMail-master/include -I../include -I/cygdrive/d/cygwin/home/bills/email/eMail-master/dlib/include -I../dlib/include -DEMAIL_VERSION='"3.2.3-git"' -DEMAIL_DIR='"/usr/local/etc/email"' -DHAVE_CONFIG_H -o email email.o addr_parse.o addy_book.o conf.o error.o execgpg.o file_io.o message.o mimeutils.o processmail.o progress_bar.o remotesmtp.o sig_file.o smtpcommands.o utils.o ../dlib/libdlib.a

and get a bunch of "multiple definition ... first defined here" errors for the three globals in email.h (table, conf_file, Mopts), for each of the object files:

    /usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addr_parse.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: multiple definition of `Mopts'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: first defined here
    /usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addr_parse.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: multiple definition of `conf_file'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: first defined here
    /usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addr_parse.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: multiple definition of `table'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: first defined here
    /usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addy_book.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: multiple definition of `Mopts'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:81: first defined here
    /usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addy_book.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: multiple definition of `conf_file'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:65: first defined here
    /usr/lib/gcc/x86_64-pc-cygwin/11/../../../../x86_64-pc-cygwin/bin/ld: addy_book.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: multiple definition of `table'; email.o:/cygdrive/d/cygwin/home/bills/email/eMail-master/include/email.h:64: first defined here

and so on.

I know it's probably something basic - but it's been years since I've done C work, and I was never THAT proficient. Is there an easy fix to the errors?

rb07 commented 2 years ago

Yep, that's a new error seen when using gcc 10 or newer, which is the case now with Cygwin.

Let me go over the steps:

  1. Open a Cygwin mintty window with a shell running.
  2. git clone --recursive https://github.com/deanproxy/eMail.git
  3. cd eMail
  4. ./configure CFLAGS=-fcommon <------- NOTE I edited this line, had it wrong originally
  5. make ...

So far it works now.

After install you'll have 2 versions, the new one in /usr/local/bin and the original in /bin (and /usr/bin).

I haven't installed it and the library is indeed loaded dynamically:

    $ ldd ./src/email.exe
        ntdll.dll => /cygdrive/c/WINDOWS/SYSTEM32/ntdll.dll (0x7ffec03c0000)
        KERNEL32.DLL => /cygdrive/c/WINDOWS/System32/KERNEL32.DLL (0x7ffebf820000)
        KERNELBASE.dll => /cygdrive/c/WINDOWS/System32/KERNELBASE.dll (0x7ffebdca0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cygssl-1.1.dll => /usr/bin/cygssl-1.1.dll (0x3f8cb0000)
        cygcrypto-1.1.dll => /usr/bin/cygcrypto-1.1.dll (0x3f2b40000)
        cygz.dll => /usr/bin/cygz.dll (0x3f8410000)

So I don't think anything will change, but it's worth a try.

bs066 commented 2 years ago

You're right, no change (but at least it compiled! Thanks for that!). So you think it's an issue with the ssl versions that cygwin is working with? I just updated today, I would have thought they'd be current.

rb07 commented 2 years ago

Not a Cygwin problem, they are current. In fact they carry 2 versions to keep compatibility with older programs, but email is using the latest.

I don't know the detail but there must be some simple change in eMail to allow openssl to use TLS 1.2, could be an API change or a simple parameter that has to be set (i.e. which version(s) to accept/use).

bs066 commented 2 years ago

ok, thanks for the help. I'll keep looking...

rb07 commented 2 years ago

Found it.

In dlib/src/dnet.c:175:

    sd->ctx = SSL_CTX_new(TLSv1_client_method());

That limits the TLS version to TLS v1.0. If the parameter is changed to TLS_method() then it would use the highest version both client and server support.

bs066 commented 2 years ago

I made that change and recompiled - but still no luck. From what I think I see, it's not even making it to any TLS logic.
In src/processmail.c:150, I get the "Connecting to server" message, then it calls dnetConnect. In dlib/src/dnet.c:465, I see what looks like a socket connection, which sounds right given what I see in wireshark. No writes to that socket happen in the code, that I can see. Back in processmail.c, sd != NULL, since I don't get an error. Then it goes to smtpInit. In src/smtpcommands.c:887, I get the "Init connection", but not the "Greeting..." It passes to init between the two (line 187). init passes to readResponse at line 88. In readResponse, I get the Timeout at line 887, which makes it a condition of the FD_SET/FD_ISSET calls - and at this point we're well outside my C comfort zone... TLS stuff seems to happen after this point. The context here looks like it's waiting for a 220 response from the mail server, which my mail server does NOT send. I'm looking for a way to bypass the 220 check, but haven't found anything that doesn't lose the connection. I think there may be inconsistencies between what the mail server is expecting and what email is sending...

rb07 commented 2 years ago

Just to get things clear, the test is using the "-tls" option to email?

rb07 commented 2 years ago

Actually I would also use "-V" to see the traffic on the terminal.

bs066 commented 2 years ago

yeah, I'm using both those

rb07 commented 2 years ago

It works for me.

I went ahead and installed it on /usr/local. Additional steps taken: Edited /usr/local/etc/email/email.conf (filled just about everything, specifically to use TLS, port 587, and AUTH as plain LOGIN).

The "-V" option doesn't seem to work as before, I don't get the traffic, only a progress bar. And "-verbose" is even worse, seems to show only the version and exit (yep I tried --verbose, doesn't work either).

But checking at my (local) server's log it does show it used TLS 1.2 :

Nov 14 15:26:49 DiskStation postfix/smtpd[3061]: Anonymous TLS connection established from unknown[192.168.10.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

rb07 commented 2 years ago

Wondering about those ports... 587 is used for STARTTLS, 465 for SSL/TLS, does that make a difference?

Other than the obvious, the former is plain text communication, the latter is encrypted.

bs066 commented 2 years ago

Not sure about the ports. My Thunderbird connection is all over 465. I never see a STARTTLS in that traffic, just a client hello (screenshot omitted).

Like I said, I think my mail server (comcast) is expecting something other than what email is sending. I'll keep looking, but I'm losing interest. Thanks a ton for your help!

bs066 commented 2 years ago

Got it! I was using port 465 because that's what my other client had configured, and that's the port I was seeing traffic on. I found another example using 587 (as you showed) which included the STARTTLS call, which we mentioned, and I remembered seeing in the code. I changed the port on the command to 587, and it works great. So chalk it up to my unfamiliarity with the protocols in play...

Thanks again for your help.

rb07 commented 2 years ago

I think you found that using SSL (encrypted) from the start doesn't work, no matter what protocol is used next.

So we solved half the problem :)

Now STARTTLS (with any TLS version supported by openssl) works, but only if asked after a plain connection. The SSL connection still doesn't work.
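The two findings in this thread are (1) eMail pins the OpenSSL context to TLS 1.0 via TLSv1_client_method(), and (2) on port 465 eMail waits in cleartext for the 220 banner, while an implicit-TLS server waits for a ClientHello, so both sides sit silent until the 10-second timeout. The block below is an added example, not eMail's code, written in Python rather than the project's C so it can run offline: a probe that tells the two server styles apart before any SMTP is spoken, a client TLS context that negotiates the highest mutual version (the Python analogue of TLS_method() plus a minimum-version floor, which is an assumption about how the C fix would be completed), and a session opener that wraps TLS in the order the port requires. The fake local servers and their 220 banner are constructed for the demo; no real mail server is contacted.

```python
"""Added example (not eMail's code): tell implicit TLS (port 465) apart
from STARTTLS (port 587) before speaking SMTP, then open the session the
right way with a client context that is not pinned to TLS 1.0."""
import smtplib
import socket
import ssl
import threading

# Constructed greeting for the fake "STARTTLS-style" server used in the demo.
GREETING = b"220 mail.example.test ESMTP ready\r\n"


def probe_smtp_mode(host, port, timeout=2.0):
    """Open a plain TCP connection and wait for the server to speak first.

    A STARTTLS (submission/587) server sends a 220 banner in cleartext as
    soon as the TCP handshake completes.  An implicit-TLS (465) server says
    nothing until it sees a TLS ClientHello, so a client that waits for the
    banner, as eMail does, simply times out.  The probe never sends SMTP.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(512)
        except socket.timeout:
            return "implicit-tls"
    if banner.startswith(b"220"):
        return "starttls"
    return "unknown"   # connection closed, or a non-SMTP banner


def make_client_context():
    """TLS context that negotiates the highest mutually supported version,
    floored at TLS 1.2: the Python analogue of replacing
    TLSv1_client_method() with TLS_method() and setting a minimum version."""
    ctx = ssl.create_default_context()          # also verifies the server cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_smtp(host, port, mode, timeout=10):
    """Return a connected smtplib session, wrapping TLS in the order the
    server expects.  The caller handles login, sendmail and quit."""
    ctx = make_client_context()
    if mode == "implicit-tls":
        # TLS first; the 220 banner then arrives inside the tunnel.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    # Cleartext banner, EHLO, upgrade, then EHLO again as RFC 3207 requires.
    session = smtplib.SMTP(host, port, timeout=timeout)
    session.ehlo()
    session.starttls(context=ctx)
    session.ehlo()
    return session


def start_fake_server(speak_first):
    """Constructed local listener for the demo: sends a 220 banner at once
    (STARTTLS-style) or stays silent (implicit-TLS-style).  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if speak_first:
                conn.sendall(GREETING)
            conn.settimeout(5)
            try:
                conn.recv(1024)      # wait for the client to hang up
            except socket.timeout:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for label, speaks in (("587-style", True), ("465-style", False)):
        port = start_fake_server(speaks)
        print(label, "->", probe_smtp_mode("127.0.0.1", port))
```

Against a real host the probe is the same call with the real name and port; a server that stays silent on 465 and banners on 587 is behaving exactly as the thread worked out. The equivalent manual check with stock OpenSSL is `openssl s_client -connect host:465` (TLS from the first byte) versus `openssl s_client -starttls smtp -connect host:587` (banner, EHLO, then upgrade). The probe is a diagnostic only: a client should not auto-select the mode at runtime from a cleartext exchange, because an attacker who can strip the banner or the STARTTLS capability could steer it toward plaintext; configure the mode per port and fail closed if the upgrade does not happen.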