Setting Up msmtp

Started by bkmoore, June 16, 2010, 08:18:56 am


bkmoore

I have been trying to get msmtp up and running on my NeXTStation, so I can do NeXT Mail and get pine running. I followed kb7sqi's instructions under:

http://nextcomputers.org/forums/viewtopic.php?t=1154

When I run:

#openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs/

I get the following output:



CONNECTED(00000003)
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=7:certificate signature failure
verify return:0
---

<.......>

   Key-Arg   : None
   Start Time: 1276679102
   Timeout   : 300 (sec)
   Verify return code: 7 (certificate signature failure)
---
+OK Gpop ready for requests from 77.183.201.177 e11pf4147338fga.4
read:errno=0


It looks like the contents of the gmail.pem certificate.  I had no issues installing this certificate per kb7sqi's instructions.  Does anyone have any ideas how I can resolve this?

Thanks,

Brian Moore

Edit:  I'm not a networking expert, but I think the problem has to do with my NeXT being connected to my Mac, and my Mac sharing its internet connection with my NeXT.  So the NeXT is on a subnet and is not able to directly communicate with the router, or WLAN.

kb7sqi

Quote from: "bkmoore": I have been trying to get msmtp up and running on my NeXTStation, so I can do NeXT Mail and get pine running. I followed kb7sqi's instructions under:

http://nextcomputers.org/forums/viewtopic.php?t=1154

When I run:

#openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs/


It looks like the contents of the gmail.pem certificate.  I had no issues installing this certificate per kb7sqi's instructions.  Does anyone have any ideas how I can resolve this?

Thanks,

Brian Moore


Hey Brian,
   I'm posting updated info here, just in case others ask for it.:

1. Enable POP in your Gmail account

2. mkdir ~/.certs

3. get Gmail SSL cert.

# echo bye | openssl s_client -connect pop.gmail.com:995 -showcerts |
sed -n '/BEGIN/,/END/p' > ~/.certs/gmail.pem

4. Get Equifax's cert.

#wget -O ~/.certs/equifax.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer

5. Get the Mozilla cacert.pem file from the curl web site, this is updated weekly:
# cd ~/.certs; wget http://curl.haxx.se/ca/cacert.pem

6. Set ownership/permissions on ~/.certs

#chmod 0700 ~/.certs
#chmod 0600 ~/.certs/*.pem

7. Rehash ~/.certs so openssl can read them
#c_rehash ~/.certs/

8. Test Certificates
#openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs/
... ...
---
+OK Gpop h19pf3704794wxd ready.

9. Set up fetchmail

#vi .fetchmailrc

Insert following:

# set polling time (no less than 5 minutes as required by gmail)
set daemon 600

poll pop.gmail.com with proto POP3
user 'user@gmail.com' with password 'password' options ssl
sslcertck sslcertpath ~/.certs/ keep

Insert your username/password in the above example. :-)

10. Set permissions on .fetchmailrc

# chmod 0600 .fetchmailrc

11. Set up the .msmtprc file

# vi .msmtprc

Insert the following:

account default
host smtp.gmail.com
from user@gmail.com
tls on
tls_starttls on
tls_certcheck on
tls_trust_file ~/.certs/cacert.pem
auth on
port 587
user user@gmail.com
password password

12. Secure .msmtprc

#chmod 0600 .msmtprc

13. Now test & make sure you've got msmtp set up correctly & working w/ google's smtp server:

# msmtp --serverinfo --host=smtp.gmail.com --tls=on --port=587 \
      --tls-trust-file=~/.certs/cacert.pem

The output should look similar to this:
-bash-2.05b$ msmtp --serverinfo --host=smtp.gmail.com --tls=on --port=587 \
>        --tls-trust-file=~/.certs/cacert.pem
SMTP server at smtp.gmail.com, port 587:
   mx.google.com ESMTP p15sm405901ybk.37
TLS certificate information:
   Owner:
       Common Name: smtp.gmail.com
       Organization: Google Inc
       Locality: Mountain View
       State or Province: California
       Country: US
   Issuer:
       Common Name: Google Internet Authority
       Organization: Google Inc
       Country: US
   Validity:
       Activation time: Thu Apr 22 16:02:45 2010
       Expiration time: Fri Apr 22 16:12:45 2011
   Fingerprints:
       SHA1: 1A:6F:48:8F:BE:5B:FD:92:D8:12:30:F9:22:CE:84:49:B3:43:BD:2C
       MD5:  60:39:DE:FB:0A:D9:9E:43:26:E7:75:AC:60:48:A1:B0
Capabilities:
   SIZE 35651584:
       Maximum message size is 35651584 bytes = 34.00 MiB
   STARTTLS:
       Support for TLS encryption via the STARTTLS command
   AUTH:
       Supported authentication methods:
       PLAIN LOGIN

14. Now set up Mail.app

In the expert preferences of Mail.app change the mailer from /usr/lib/sendmail to
/usr/local/bin/msmtp

You should also add the email_address setting in NetInfo as explained in the Sendmail FAQ. That way your From address shows properly.

Now, if you don't have sendmail setup on your system at all, you'll need procmail and the mailapp-utilities packages also.

Then in your ~/.fetchmailrc you'll need to add the following:

mda="/usr/local/bin/procmail -d %T"

You should now have a 100% working mail sending/receiving NeXT w/ gmail.  I tested them again to make sure they're working on a clean virtual system tonight.  Hope that helps.  Take care.

Note: I've updated the information above so it's up to date.
 
Steve
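As an added check for steps 6 through 13 (my script, not part of kb7sqi's packages or post): it audits the ~/.certs modes and c_rehash links, confirms the fetchmail and msmtp files are 0600 with certificate checking switched on, and reads a saved `openssl s_client` transcript so the `+OK Gpop` greeting is not mistaken for a verified chain, since Gmail greets even when the verify code is 7 as in Brian's output. It assumes the s_client output was saved to a file and that all four paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit the ~/.certs layout and the
# fetchmail/msmtp configs from steps 6-13, and read a saved "openssl s_client"
# transcript. Assumed inputs: a certs directory, a .fetchmailrc, a .msmtprc
# and a transcript file, all given on the command line.

# True only if the s_client output shows a clean verify ("return code: 0");
# the "+OK Gpop" banner appears even when the chain failed (code 7 above).
sclient_verified() {
    grep -q 'Verify return code: 0 (ok)' "$1"
}

# Exact-mode test without GNU stat: -prune keeps find on the path itself.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Steps 6 and 7: directory 0700, every .pem 0600, and c_rehash links present.
certs_dir_ok() {
    d=$1
    has_mode "$d" 0700 || return 1
    for f in "$d"/*.pem; do
        [ -e "$f" ] || return 1                  # glob did not match: no certs
        has_mode "$f" 0600 || return 1
    done
    ls "$d"/*.0 >/dev/null 2>&1                  # <hash>.0 links from c_rehash
}

# Steps 9-12: 0600 on both files, and certificate checking actually enabled.
fetchmailrc_ok() {
    has_mode "$1" 0600 && grep -q 'sslcertck' "$1"
}
msmtprc_ok() {
    has_mode "$1" 0600 && grep -Eq '^tls_certcheck[[:space:]]+on' "$1"
}

# Stand-alone use: audit.sh ~/.certs ~/.fetchmailrc ~/.msmtprc sclient.txt
if [ "$#" -eq 4 ]; then
    rc=0
    certs_dir_ok "$1"     || { echo "certs dir: bad modes or missing hash links"; rc=1; }
    fetchmailrc_ok "$2"   || { echo "fetchmailrc: not 0600 or sslcertck missing"; rc=1; }
    msmtprc_ok "$3"       || { echo "msmtprc: not 0600 or tls_certcheck off"; rc=1; }
    sclient_verified "$4" || { echo "s_client: chain did NOT verify"; rc=1; }
    exit "$rc"
fi
```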

kb7sqi

Reposting info on using stunnel w/ popOver.app as well in case there's some that prefer this method.  :wink:

Ok, here's a quick setup guide for using stunnel w/ gmail. You need my stunnel package and the prngd package as well. Here's how I have my /etc/rc.local set up. You set up stunnel to start on boot up.

# start the entropy daemon first; stunnel's OpenSSL reads /etc/egd-pool
if [ -f /usr/local/sbin/prngd ]; then
    echo -n ' prngd' >/dev/console
    /usr/local/sbin/prngd /etc/egd-pool
fi

# then start stunnel with the config below
if [ -f /usr/local/sbin/stunnel ]; then
    echo -n ' stunnel' >/dev/console
    /usr/local/sbin/stunnel /usr/local/etc/stunnel/stunnel.conf
fi

In your /usr/local/etc/stunnel/stunnel.conf you need the following:

# GLOBAL OPTIONS
client = yes
debug = 7
output = /usr/adm/stunnel.log

[pop3s]
accept = 127.0.0.1:110
connect = pop.gmail.com:995

Before starting stunnel, you need to touch /usr/adm/stunnel.log as root. That way your logging works correctly. Then once you fire up stunnel, either by rebooting or just running the command above as root, you can start up PopOver.app. Simply add a new POP3 system. Put localhost as your server. Put your gmail user@gmail.com as your username & put in your gmail password as the password.

You can test to see if it works correctly by running the following:
-bash-2.05b$ stunnel -version
stunnel 4.21 on hppa-next-nextstep3 with OpenSSL 0.9.8g 19 Oct 2007
Threading:FORK SSL:ENGINE Sockets:SELECT,IPv4

Global options
debug = 5
EGD = /etc/egd-pool
pid = /usr/local/etc/stunnel/stunnel.pid
RNDbytes = 64
RNDoverwrite = yes

Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key = /usr/local/etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

-bash-2.05b$ telnet localhost 110
Trying 127.0.0.1... Connected to localhost.
Escape character is '^]'.
+OK Gpop ready for requests from 72.14.241.156 g34pf1208558rob
QUIT

Here's a partial /usr/adm/stunnel.log

2007.11.08 00:07:08 LOG5[23576:0]: stunnel 4.21 on hppa-next-nextstep3 with OpenSSL 0.9.8g 19 Oct 2007
2007.11.08 00:07:08 LOG5[23576:0]: Threading:FORK SSL:ENGINE Sockets:SELECT,IPv4
2007.11.08 00:07:08 LOG6[23576:0]: file ulimit = 256 (can be changed with 'ulimit -n')
2007.11.08 00:07:08 LOG6[23576:0]: FD_SETSIZE = 256 (some systems allow to increase this value)
2007.11.08 00:07:08 LOG5[23576:0]: 125 clients allowed
2007.11.08 00:07:08 LOG7[23576:0]: FD 4 in non-blocking mode
2007.11.08 00:07:08 LOG7[23576:0]: FD 5 in non-blocking mode
2007.11.08 00:07:08 LOG7[23576:0]: FD 6 in non-blocking mode
2007.11.08 00:07:08 LOG7[23576:0]: SO_REUSEADDR option set on accept socket
2007.11.08 00:07:08 LOG7[23576:0]: pop3s bound to 127.0.0.1:110
2007.11.08 00:07:08 LOG7[23577:0]: Created pid file /usr/local/etc/stunnel/stunnel.pid

You can check out http://www.stunnel.org/ for more information. Again you'll still need my msmtp package to send email directly to the gmail smtp server. Setup for that is the same as above.

On a side note, I have started working on trying to get Cyrus-SASL working on NEXTSTEP/OPENSTEP.  This is needed for both sendmail/postfix for SMTP AUTHENTICATION to be able to use sendmail/postfix w/ systems that require authentication like gmail.com.   This will also allow you to setup full smtp service with authentication and TLS/SSL support on your NeXT.  That part will already work fine w/ sendmail/postfix.  The SASL is the hard part. Hopefully I can get the last couple of bugs figured out this weekend.  Take care.

Steve
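The stunnel.conf in this post sets no `verify` option, so the compiled-in default shown in the `stunnel -version` dump above (verify = none) applies and the tunnel accepts any certificate from pop.gmail.com; the added script below (mine, not Steve's package or config) reads a stunnel.conf and reports the effective verify level and trust store per service section, inheriting global values the way stunnel does. It assumes stunnel's real `verify`, `CAfile` and `CApath` options and a made-up trust-store path in the checks.

```shell
#!/bin/sh
# Added example, not from the forum post: report the effective certificate
# verification of each [service] in a stunnel.conf. Global options act as
# defaults for every service, as in stunnel; "none" marks an unset value.
# verify/CAfile/CApath are real stunnel options; the paths used are assumed.

# Print "<service> <verify-level> <CAfile-or-CApath>" per [section].
stunnel_effective_verify() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function emit() { if (sec != "") print sec, (v == "" ? "none" : v), (ca == "" ? "none" : ca) }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ { emit(); sec = $0; gsub(/[^A-Za-z0-9_-]/, "", sec); v = gv; ca = gca; next }
        {
            n = index($0, "="); if (n == 0) next
            k = trim(substr($0, 1, n - 1)); val = trim(substr($0, n + 1))
            if (sec == "") { if (k == "verify") gv = val; if (k == "CAfile" || k == "CApath") gca = val }
            else           { if (k == "verify") v = val;  if (k == "CAfile" || k == "CApath") ca = val }
        }
        END { emit() }
    ' "$1"
}

# True only if every service verifies the peer certificate (level 2 or 3)
# and names a trust store; a conf with no service section is rejected too.
stunnel_conf_ok() {
    stunnel_effective_verify "$1" | awk '
        $2 == "none" || $2 + 0 < 2 || $3 == "none" { bad = 1 }
        END { exit (NR == 0 || bad) }'
}

# Stand-alone use: check.sh /usr/local/etc/stunnel/stunnel.conf
if [ "$#" -eq 1 ]; then
    stunnel_effective_verify "$1"
    stunnel_conf_ok "$1" && echo "OK: peer certificates are verified" \
        || echo "WEAK: verify level below 2 or no CAfile/CApath"
fi
```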

kb7sqi

My first post has been updated since there's been some people having issues w/ getting the one certificate & issues w/ the google smtp servers.  Take care.