Issues Sending to Gmail.com

REMOVED PRIVATE INFO

When using tls_prefer_openssl = true it attempts to connect to Gmail with an IPv6 address even though I don’t have one configured.

Yes. You probably want to skip IPv6 hosts.

Yep, I am trying that out right now.

No good.

kumo.on('get_egress_path_config', function(domain, source_name, site_name)
  return kumo.make_egress_path {
    enable_tls = 'OpportunisticInsecure',
    tls_prefer_openssl = true,
    skip_hosts = { '::/0' },
  }
end)

Removed private info

Okay, yeah... We still see the OpenSSL issue, but with IPv4 addresses this time.

Let me try some other stuff.

Okay, this is weird.

With OpenSSL, there are no issues with TLS v1.2, but Gmail is using TLS v1.3 and is having trouble with it. I even tried using a very, very relaxed cipher set.

kumo.on('get_egress_path_config', function(domain, source_name, site_name)
  return kumo.make_egress_path {
    enable_tls = 'OpportunisticInsecure',
    tls_prefer_openssl = true,
    openssl_options = "ALL",
    openssl_cipher_list = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP:@SECLEVEL=1",
    openssl_cipher_suites = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256",
    skip_hosts = { '::/0' },
  }
end)

Let me check my OpenSSL version.

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

I just used this to connect to Gmail with no issues.

subject=CN = mx.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5027 bytes and written 378 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

You may need to specify the file location for your cert.
From the November release notes:
The SMTP client will now look for the system CA-certificate bundle when making connections. If no CA-certificate bundle is present, it will have no available trust store and will not be able to successfully establish TLS sessions. Previously, we used a bundled hard-coded, non-extensible, copy of the Mozilla CA certificate store. You must therefore ensure that you install the ca-certificates package for your system, or otherwise contrive to populate the system certificate store.

Let me check.

ca-certificates is already installed.

ca-certificates is already the newest version (20240203~22.04.1).

Weird. It does seem like the cert is either invalid or not accessible. Maybe check your permissions? It’s hard to tell without seeing your full configs.