Re: Connection timeout when trying to send email to gmail address

[Victor Duchovni]

On Fri, Dec 19, 2008 at 04:32:55PM -0500, Asif Iqbal wrote:

> How do I test the SSL ?
> 
> I go this with openssl
> 
> iqb...@ghar:~$ openssl s_client -connect smtp.gmail.com:587

You forgot "-starttls smtp". But gmail's SSL works, you don't really
need to test it. Just set:

        smtp_tls_security_level = encrypt

unless you want to check gmail's cert (prevent MITM), in which case
you'll to set CAfile or CApath and have the right root CA certs there...
That'll be the Thawte root CA based on the below (no the cert below is
not the root CA cert, it is Gmail's cert):

[ Sorry, smtp-finger(1) is not available to the public yet. Perhaps in 2.7 ]

smtp-finger: Connected to smtp.gmail.com[74.125.45.111]:587
smtp-finger: < 220 mx.google.com ESMTP 33sm11443776yxr.12
smtp-finger: > EHLO amnesiac.ms.com
smtp-finger: < 250-mx.google.com at your service, [192.0.2.1]
smtp-finger: < 250-SIZE 35651584
smtp-finger: < 250-8BITMIME
smtp-finger: < 250-STARTTLS
smtp-finger: < 250 ENHANCEDSTATUSCODES
smtp-finger: > STARTTLS
smtp-finger: < 220 2.0.0 Ready to start TLS
smtp-finger: smtp.gmail.com[74.125.45.111]:587 Matched CommonName smtp.gmail.com
smtp-finger: smtp.gmail.com[74.125.45.111]:587: Matched 
subject_CN=smtp.gmail.com, issuer_CN=Thawte Premium Server CA
smtp-finger: smtp.gmail.com[74.125.45.111]:587 sha1 fingerprint 
5E:F7:E8:CE:1A:BE:D8:94:F2:77:45:5D:ED:38:46:4F:5D:D1:97:61
smtp-finger: Verified TLS connection established to 
smtp.gmail.com[74.125.45.111]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification 
Services Division/CN=Thawte Premium Server 
CA/emailaddress=premium-ser...@thawte.com
-----BEGIN CERTIFICATE-----
MIIDYzCCAsygAwIBAgIQUR2EgGT4+hGKEhCgLMX2sjANBgkqhkiG9w0BAQUFADCB
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
cnZlckB0aGF3dGUuY29tMB4XDTA3MDczMDAwMDAwMFoXDTEwMDcyOTIzNTk1OVow
aDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
dW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBJbmMxFzAVBgNVBAMTDnNtdHAu
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD+RiG+G3Mo9Q9C
tcwDjpp6dJGifjiR5M2DbEbrsIOlth80nk5A7xstKCUfKobHkf/G9Y/DO24JP5yT
s3hWep05ybyiCmOzGL5K0zy3jIq0vOWy+4pLv2GsDjYi9mQBhobAAx3z38tTrTL+
WF4p0/Kl014+wnukIpj4MdF35rIkgQIDAQABo4GmMIGjMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnRo
YXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNlcnZlckNBLmNybDAyBggrBgEFBQcBAQQm
MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wDAYDVR0TAQH/
BAIwADANBgkqhkiG9w0BAQUFAAOBgQBeNYOZwMVQ7bd6b4sueAkgm57Cyv2p1Xv1
52e8bLnWqd03mWgn/+TQtrwbE1E6pVuQaZJY33ILpt8IfzwVf2TGQI+M5yazZ2fC
xwArHo20iAss3MLQR8tDXWfBoH2Lk9BBsEKDRP4hp83yfpZgdY3pinHTCbqHpsiS
v97epiiFBA==
-----END CERTIFICATE-----

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.