From: Michael
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT] Anyone running mutt outbound smtp on port 587?
Date: Sun, 21 Jan 2024 19:27:49 +0000

On Sunday, 21 January 2024 16:09:47 GMT Walter Dnes wrote:
> On Sun, Jan 21, 2024 at 12:05:45PM +0000, Michael wrote
>
> > Anyway, to take you forward you can:
>
> [snip ...]
>
> Nothing above works, and I wonder if it's something at my end. I keep
> getting the same message...
>
> > gnutls_handshake: A packet with illegal or unsupported version was
> > received.
>
> The current net-libs/gnutls-3.8.0 ebuild (and 3.8.1 and 3.8.2) has
> sslv2 and sslv3 enabled in IUSE ...but... "emerge -pv gnutls" shows
> them hard-masked. Is my system forcing sslv1 and the server rejecting me???
>
> [ebuild R ] net-libs/gnutls-3.8.0:0/30.30::gentoo USE="cxx idn nls
> openssl seccomp tls-heartbeat tools zlib -brotli -dane -doc -examples
> -pkcs11 (-sslv2) (-sslv3) -static-libs -test (-test-full) -verify-sig
> -zstd" 0 KiB
>
> Do you get the same? Do I have to set something in...
>
> make menuconfig
> -*- Cryptographic API --->
>
> "emerge -pv mutt"
>
> [ebuild R ] mail-client/mutt-2.2.12::gentoo USE="debug gnutls gpgme
> hcache imap lmdb mbox nls pop sasl smtp ssl -autocrypt -berkdb -doc -gdbm
> -gsasl -idn -kerberos -pgp-classic (-prefix) -qdbm (-selinux) -slang
> -smime-classic -tokyocabinet -vanilla" 0 KiB
>
> I copied certificates from x.txt to .mutt/certificates (see
> attachment). Is this correct? And how do I securely pass credentials?

Starting from the end; to securely pass credentials you need an encrypted
connection to the server. For SMTP server authentication this normally takes
place using STARTTLS on port 587, or explicit TLS typically on port 465 or
port 25 depending on your mail provider.

Your locally stored certificate chain should be in multiple .pem files, one
for each certificate. Normally only the Root CA is needed since this was used
to sign all its children certificates in the chain.

In the first instance just store in your ~/.mutt/certificates/ directory the
Root CA certificate, to see if mutt accepts it without gnutls complaining.

In your attachment you have 4 certificates:

1. The certificate used by the SMTP server (a wildcard ebox.ca domain
certificate):

Subject: CN = *.ebox.ca

which is issued by "CN = Go Daddy Secure Certificate Authority - G2".

2. The "Go Daddy Secure Certificate Authority - G2" was in turn issued by
"CN = Go Daddy Root Certificate Authority - G2".

3. The "CN = Go Daddy Root Certificate Authority - G2" was issued by
"OU = Go Daddy Class 2 Certification Authority".

4. Finally, the last certificate "OU = Go Daddy Class 2 Certification
Authority" is the self-signed Root CA. This is the certificate you could copy
into your ~/.mutt/certificates/.

A copy of this certificate should be available in your /etc/ssl/certs/, so you
could copy it and also hash it:

cp /etc/ssl/certs/Go_Daddy_Class_2_CA.pem ~/.mutt/certificates/
cd ~/.mutt/certificates/
ln -s Go_Daddy_Class_2_CA.pem `openssl x509 -hash -noout -in Go_Daddy_Class_2_CA.pem`.0

Please note the backticks in the above.

If this still won't work, have you considered ditching gnutls on mutt and
trying with vanilla openssl?

$ emerge -pv mutt

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 23.29 s (backtrack: 0/20).

[ebuild N ] mail-client/mutt-2.2.12::gentoo USE="gdbm hcache imap lmdb nls
sasl smtp ssl -autocrypt -berkdb -debug -doc -gnutls -gpgme -gsasl -idn
-kerberos -mbox -pgp-classic -pop (-prefix) -qdbm (-selinux) -slang
-smime-classic -tokyocabinet -vanilla" 5432 KiB

$ emerge -pv gnutls

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.45 s (backtrack: 0/20).

[ebuild R ] net-libs/gnutls-3.8.0:0/30.30::gentoo USE="cxx idn nls
openssl seccomp tls-heartbeat zlib -brotli -dane -doc -examples -pkcs11
(-sslv2) (-sslv3) -static-libs -test (-test-full) -tools -verify-sig -zstd"
ABI_X86="(64) -32 (-x32)" 0 KiB

It may be the openssl is more accommodating for Root CAs using SHA1 and will
allow the connection to complete.
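
Added example, not part of the original message: a POSIX shell function that applies the steps described above to a file holding several certificates, such as the x.txt attachment. It writes one .pem per certificate and creates the `openssl x509 -hash` symlink only for self-issued (root) certificates. The function name and the certNN.pem file names are assumptions, and root detection compares subject and issuer names without verifying the signature.

```shell
#!/bin/sh
# Added example: split_and_hash and certNN.pem are assumed names, not from the post.
# Usage: split_and_hash BUNDLE DESTDIR
split_and_hash() {
    bundle=$1
    dest=$2
    mkdir -p "$dest" || return 1

    # Write each BEGIN/END CERTIFICATE block to its own file; any text
    # between the blocks (subject/issuer listings, blank lines) is ignored.
    awk -v d="$dest" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { if (f != "") close(f); f = "" }
    ' "$bundle" || return 1

    roots=0
    for pem in "$dest"/cert[0-9]*.pem; do
        [ -f "$pem" ] || continue
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" | sed 's/^subject= *//')
        issr=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$pem" | sed 's/^issuer= *//')
        # Self-issued (subject == issuer) is treated as the root CA.
        if [ -n "$subj" ] && [ "$subj" = "$issr" ]; then
            h=$(openssl x509 -noout -hash -in "$pem")
            # Same link the post creates by hand: <subject-hash>.0 -> certificate
            ln -sf "$(basename "$pem")" "$dest/$h.0"
            roots=$((roots + 1))
            echo "root: $(basename "$pem") -> $h.0  ($subj)"
        else
            echo "skip: $(basename "$pem")  ($subj, issued by $issr)"
        fi
    done
    # Succeed only if at least one root certificate was linked.
    [ "$roots" -gt 0 ]
}

if [ "$#" -eq 2 ]; then
    split_and_hash "$1" "$2"
fi
```

Run it on a scratch directory first and copy only the root .pem and its hash link into ~/.mutt/certificates/.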