
Re: [msmtp-users] Exit status EX_OK but still mail not delivered?



On Thu, 01. Sep 2005, 11:57:12 -0700, Chad Armstrong wrote:
> /usr/local/ssl/misc/demoCA $ openssl verify -CAfile cacert.pem FOO-cert.pem
> /usr/local/ssl/misc/demoCA $ FOO-cert.pem: OK

> /usr/local/ssl/misc/demoCA $ openssl verify FOO-cert.pem
> /usr/local/ssl/misc/demoCA $ FOO-cert.pem:
>              /C=US/ST=CA/O=self/CN=miniserver.miniserver.com/
>              emailAddress=chad.armstrong@...20...
>              error 20 at 0 depth lookup:unable to get local issuer certificate

Did you create FOO-cert.pem and cacert.pem yourself? 
You do not need to do that if you just want a trusted TLS connection
with smtp.gmail.com. The certificates were probably intended to be used
as postfix certificates when postfix acts as an SMTP server, but msmtp
is only an SMTP client.

If you just would like to verify the certificate that smtp.gmail.com
presents to you, so that the connection is fully trusted, use the
following:
---
tls on
tls_trust_file cacert.pem
---
Here cacert.pem is expected to contain the certificate of the issuer of
the smtp.gmail.com certificate. You must trust this issuer, or else you
cannot trust the smtp.gmail.com certificate.
http://msmtp.sourceforge.net/tips.html describes how to get the issuer
certificate for smtp.gmail.com if you don't have it yet (since the
issuer is well known, this certificate is bundled with packages like
Mozilla, and it is probably already included somewhere in a MacOSX
installation).

The two commands tls_key_file and tls_cert_file are completely unrelated
to the commands above: They are only used if you want to send a
certificate of yourself to the server. This is still very uncommon; most
servers do not request or accept client certificates.

The following gmail settings work for me:

--- .msmtprc
defaults
auth on
tls on
# This file comes with Debian and contains the certificates of many
# well known issuers. Maybe something similar is in MacOSX:
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account gmail
host smtp.gmail.com
port 587
from mlambers@...20...
user mlambers@...20...
password *
---

> $ touch hi
> $ echo "hi" > hi
> $ msmtp --debug chad.armstrong@...20... < hi
> [...]
> --> DATA
> <-- 354 Go ahead
> -->  hi
> --> .
> <-- 250 2.0.0 OK 1125600831 12sm1556269wrl

This answer from mx.gmail.com (response code 250) means that it has
taken responsibility to send your mail (this is defined in the RFCs), so
msmtp rightfully exits with EX_OK. Perhaps there are temporary
performance problems at Gmail?
Another problem might be that "hi" is not a valid mail. A valid mail must
have valid header lines, a blank line separating header and body and a
(possibly empty) body. Thus, "hi" is interpreted as a header line, but
it is invalid since it misses a colon.
This problem can be observed with GMX SMTP servers at least. You might
want to try the following:
$ echo -e "Subject: Test\n\nhi" > hi
$ cat hi
Subject: Test

hi
$ msmtp chad.armstrong@...20... < hi

Regards,
Martin
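
Added example, not part of the original message: a shell check for the message shape described in the reply above (header lines containing a colon, a blank line, then a possibly empty body), meant to run before a file is piped into msmtp. The function name `check_mail` and the sample messages are constructed for illustration.

```shell
#!/bin/sh
# check_mail FILE  (hypothetical helper, not part of msmtp)
# Returns 0 if FILE starts with one or more header lines, followed by a
# blank line; returns 1 and prints the reason on stderr otherwise.
check_mail() {
    LC_ALL=C awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^$/ { blank = 1; exit }            # blank line ends the header section
        /^[ \t]/ {                          # folded continuation of a header
            if (n == 0) { bad = "continuation line before any header"; exit }
            next
        }
        /^[!-9;-~]+:/ { n++; next }         # field name (printable, no colon) + colon
        { bad = "line " NR " is not a header line (no colon): " $0; exit }
        END {
            if (bad == "" && n == 0) bad = "no header lines"
            else if (bad == "" && !blank) bad = "no blank line after the header"
            if (bad != "") { print "check_mail: " bad > "/dev/stderr"; exit 1 }
        }
    ' "$1"
}

# Constructed sample messages: the bare "hi" from the thread and the
# corrected message with a Subject header and a separating blank line.
tmp=$(mktemp -d)
printf 'hi\n' > "$tmp/bad"
printf 'Subject: Test\n\nhi\n' > "$tmp/good"
for f in "$tmp/bad" "$tmp/good"; do
    if check_mail "$f"; then
        echo "$f: well-formed, ok to pipe into msmtp"
    else
        echo "$f: rejected"
    fi
done
rm -rf "$tmp"
```

The check only looks at the shape of the header section; it does not validate individual header fields or addresses.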