From: Michael
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [SOLVED] [OT] Anyone running mutt outbound smtp on port 587?
Date: Tue, 23 Jan 2024 16:12:05 +0000
Message-ID: <1793754.VLH7GnMWUR@rogueboard>

On Tuesday, 23 January 2024 15:47:28 GMT Walter Dnes wrote:
> On Tue, Jan 23, 2024 at 09:36:13AM +0000, Michael wrote
>
> > Since gnutls is playing up with mutt, you can try setting USE="-gnutls"
> > and re-emerge mutt to see if it succeeds establishing a connection.
>
>   If I emerge mutt with USE="-gnutls" and comment out
> "set ssl_starttls=no", email fails...
>
> [2024-01-23 09:38:07] Looking up smtp.ebox.ca...
> [2024-01-23 09:38:07] Connecting to smtp.ebox.ca...
> [2024-01-23 09:38:07] Connected to smtp.ebox.ca:587 on fd=4
> [2024-01-23 09:38:07] 4< 220 smtp.ebox.ca ESMTP Postfix (Debian/GNU)
> [2024-01-23 09:38:07] 4> EHLO waltdnes.org
> [2024-01-23 09:38:07] 4< 250-smtp.ebox.ca
> [2024-01-23 09:38:07] 4< 250-PIPELINING
> [2024-01-23 09:38:07] 4< 250-SIZE 20000000
> [2024-01-23 09:38:07] 4< 250-VRFY
> [2024-01-23 09:38:07] 4< 250-ETRN
> [2024-01-23 09:38:07] 4< 250-STARTTLS
> [2024-01-23 09:38:07] 4< 250-ENHANCEDSTATUSCODES
> [2024-01-23 09:38:07] 4< 250-8BITMIME
> [2024-01-23 09:38:07] 4< 250 DSN
> [2024-01-23 09:38:07] 4> STARTTLS
> [2024-01-23 09:38:07] 4< 220 2.0.0 Ready to start TLS
> [2024-01-23 09:38:07] ssl_load_certificates: loading trusted certificates
> [2024-01-23 09:38:07] mutt_ssl_starttls: Error loading trusted certificates
> [2024-01-23 09:38:07] SSL failed: error:0A000102:SSL routines::unsupported protocol
> [2024-01-23 09:38:08] Could not negotiate TLS connection

OpenSSL bails out just as gnutls did. I was hoping it could have been more
forgiving. :-(

>   ssl_starttls (and ssl_force_tls) default to "yes" in muttrc. If
> ssl_starttls and ssl_force_tls are not explicitly set to "no", mutt
> *WILL* attempt a TLS connection if advertised. When mutt is built with
> USE="-gnutls" and attempts a TLS connection, let's just say "it does not
> end well".

Both OpenSSL and GnuTLS fail to negotiate an encrypted connection with the
server. From the logs you have shared we can safely guess this is because the
Root CA used by the server is still using a SHA1 hash.

> tldr;
>
>   It's easier for me to build in gnutls support and then (un)comment one
> or two lines in ~/.mutt/muttrc as needed rather than...
>
> * pop up an xterm
> * su - (and enter password to root)
> * emerge mutt with appropriate flag(s)
> * exit to regular user

You can revert/keep mutt compiled with USE="gnutls". It makes no difference
in this case. You can also try to set deprecated TLS protocols in ~/.muttrc
to see if this will allow for a successful connection:

http://mutt.org/doc/manual/#ssl-use-tlsv1

You had a good crack at this, but TBH it would be easier and safer to find an
email hosting company who use up to date TLS certificates. ;-)
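
Added example, not part of the original message: a Python probe that repeats the EHLO/STARTTLS exchange from the mutt debug log with one TLS version pinned per attempt, then maps the versions the server accepted to the `ssl_use_tlsv1*` variables in the mutt manual. The helper names and the command-line host argument are assumptions; certificate checks are disabled because the probe only tests protocol versions and sends no credentials.

```python
import smtplib
import ssl
import sys

V = ssl.TLSVersion
# TLS version -> the muttrc variable that enables it
MUTT_VAR = {V.TLSv1: "ssl_use_tlsv1", V.TLSv1_1: "ssl_use_tlsv1_1",
            V.TLSv1_2: "ssl_use_tlsv1_2", V.TLSv1_3: "ssl_use_tlsv1_3"}

def pinned_context(version):
    """Client context that can negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # probe only: no credentials are sent,
    ctx.verify_mode = ssl.CERT_NONE   # so certificate checks are skipped
    if version < V.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=10):
    """EHLO, STARTTLS, handshake with one pinned version; report the outcome."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "failed: STARTTLS not advertised"
            smtp.starttls(context=pinned_context(version))
            return "ok: " + smtp.sock.version()
    except (smtplib.SMTPException, OSError, ValueError) as exc:
        return "failed: " + str(exc)

def muttrc_lines(accepted):
    """muttrc settings for the set of TLS versions the server accepted."""
    if not accepted:
        return []                     # nothing negotiated: no setting helps
    lines = ["set ssl_force_tls=yes"]  # never fall back to plaintext AUTH
    if not accepted & {V.TLSv1_2, V.TLSv1_3}:
        # server speaks only deprecated versions: enable them explicitly
        lines += [f"set {MUTT_VAR[v]}=yes" for v in sorted(accepted)]
    return lines

if __name__ == "__main__":
    host = sys.argv[1]                # your own submission server
    results = {v: probe(host, 587, v) for v in MUTT_VAR}
    for v, outcome in results.items():
        print(f"{v.name:8} {outcome}")
    ok = {v for v, outcome in results.items() if outcome.startswith("ok")}
    print("\n".join(muttrc_lines(ok)) or "no TLS version negotiated")
```
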