Description of problem:
When I try to connect to my SMTP server to transmit messages I get a cannot connect error.

Version-Release number of selected component (if applicable):
2.64-9.fc19

How reproducible:
Always

Steps to Reproduce:
1. Send message
2. Watch for error
3. Fail

Actual results:
System fails to connect to SMTP server.

Expected results:
System connects and transmits messages.

Additional info:
It appears that SSMTP isn't able to verify the certificate. Here is information from /var/log/maillog:

sSMTP[26902]: Set AuthUser="USERNAME"
sSMTP[26902]: Set AuthPass="PASSWORD"
sSMTP[26902]: Creating SSL connection to host
sSMTP[26902]: SSL not working: certificate verify failed (20)
sSMTP[26902]: Cannot open box389.bluehost.com:465

and

sSMTP[27323]: Set AuthUser="USERNAME"
sSMTP[27323]: Set AuthPass="PASSWORD"
sSMTP[27323]: Creating SSL connection to host
sSMTP[27323]: SSL not working: unknown protocol (0)
sSMTP[27323]: Cannot open box389.bluehost.com:25

I did not have this problem under Fedora 18. In Fedora 19 I'm seeing this problem (after upgrade and with a fresh install).
Are there SELinux failures? Does switching off SELinux solve the problem? Are you able to provide complete instructions for reproducing the issue? Or are you able to provide access (perhaps by emailing me with credentials) to a system where this issue is present.
I'm not getting any SELinux failures and disabling SELinux does *not* fix the problem. I can set you up an account and let you experiment.
Created attachment 794826: ssmtp configuration file
Created attachment 794827: strace log of ssmtp
ssmtp doesn't load the system's default set of trusted CAs automatically. It was necessary to add TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt to the ssmtp.conf file. tmraz, do you know if openssl had loaded the CA bundle automatically on F18? If yes, this is a regression, and ssmtp should be changed to load that bundle automatically, if no TLS_CA_* option is given.
It does not load CAs automatically unless you call the appropriate function from the OpenSSL API to load the default CA bundle.
(In reply to Kai Engert (:kaie) from comment #5)
> tmraz, do you know if openssl had loaded the CA bundle automatically on F18?
> If yes, this is a regression, and ssmtp should be changed to load that
> bundle automatically, if no TLS_CA_* option is given.

ssmtp did not verify the certificate at all until recently (except if a client certificate is used). But it still does not verify the hostname of certificates, see bug 864894.
Eric, can you confirm that adding TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt to the config file solves your problem ? I could add that to the default config, if it gets confirmed as being a proper workaround
(In reply to manuel wolfshant from comment #8)
> Eric, can you confirm that adding
> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
> to the config file solves your problem ?
>
> I could add that to the default config, if it gets confirmed as being a
> proper workaround

Yes, this fixes the problem. I'll need to do some additional tests on postfix as I was also seeing the problem there.
I can confirm that adding:

TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt

to my ssmtp.conf resolves the error:

SSL not working: certificate verify failed (20)
ssmtp-2.64-10.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/ssmtp-2.64-10.fc19
ssmtp-2.64-10.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/ssmtp-2.64-10.fc18
ssmtp-2.64-10.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ssmtp-2.64-10.fc20
Package ssmtp-2.64-10.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ssmtp-2.64-10.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17802/ssmtp-2.64-10.fc18
then log in and leave karma (feedback).
Same issue in Fedora 20 beta, ssmtp-2.64-10.fc20.x86_64:

Sending mail works fine if not using SSL/TLS, fails when enabled:

Console:
[<-] 220 smtp50.i.mail.ru ESMTP ready
[->] EHLO roxy
[<-] 250 STARTTLS
[->] STARTTLS
[<-] 220 2.0.0 Start TLS
ssmtp: Cannot open smtp.mail.ru:587

/var/log/maillog:
Nov 19 13:38:52 fiona sSMTP[4725]: Creating SSL connection to host
Nov 19 13:38:52 fiona sSMTP[4725]: SSL not working: certificate verify failed (20)
Nov 19 13:38:52 fiona sSMTP[4725]: Cannot open smtp.mail.ru:587

Adding TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt to /etc/ssmtp/ssmtp.conf fixes the issue, making SSL/TLS work again, but shouldn't this work "out of the box"?
(In reply to Kostya Vasilyev from comment #15)
> Same issue in Fedora 20 beta, ssmtp-2.64-10.fc20.x86_64:
>
> Sending mail works fine if not using SSL/TLS, fails when enabled:
>
> Console:
[...]
> Adding TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt to /etc/ssmtp/ssmtp.conf
> fixes the issue, making SSL /TLS work again, but shouldn't this work "out of
> the box"?

The current config file includes the following fragment:

#UseTLS=YES
#IMPORTANT: Uncomment the following line if you use TLS authentication
#TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt

Do you suggest to uncomment those by default ?
Thank you Manuel for pointing out the obvious, I must have copied my ssmtp config files from Ubuntu (where it worked with TLS/SSL without that line)... Any reason not to load the root certificates by default, even without this setting? Does the upstream not load, unless the explicit option is given? If that's the case, maybe the best thing to do is treat my comment as "user error".
I have just done a quick check and the debian version of the config file is much simpler than the one installed by our package:

---------- start debian version ---------
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=mail

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
hostname=$ACTUALHOSTNAME

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES
----------- end debian version -----------

I guess we could load the certificates by default but I am a bit reluctant because I do not know the code so well. Not to mention that activating SSL MUST be made by modifying the config file (i.e. removing the "#" in front of UseTLS) so I'd say it's not a real effort to do the same edit again two lines below.
ssmtp-2.64-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
ssmtp-2.64-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ssmtp-2.64-10.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
With the latest version of ssmtp it is not possible any more to use ssl/tls, but without verifying the certificate -- this breaks various systems using self signed certs for encryption.
(In reply to Thomas Schweikle from comment #22)
> With the latest version of ssmtp it is not possible any more to use ssl/tls,
> but without verifying the certificate -- this breaks various systems using
> self signed certs for encryption.

You can download the self signed certs and specify them with the TLS_CA_File directive. Self-signed does not mean you cannot verify.
I gave up.

config:
root=postmaster
mailhub=mail.juszkiewicz.com.pl
AuthUser=proper-existing-user
AuthPass=proper-password
UseSTARTTLS=yes
UseTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
TLSCert=/etc/ssl/private/ssl-mail.key
Debug=YES

where /etc/ssl/private/ssl-mail.key is the same key as postfix is using on mail.juszkiewicz.com.pl

'echo "test" | ssmtp existing-user.pl -v -d9' ends with:

sie 17 01:24:59 puchatek sSMTP[9726]: Set Root="postmaster"
sie 17 01:24:59 puchatek sSMTP[9726]: Set MailHub="mail.juszkiewicz.com.pl"
sie 17 01:24:59 puchatek sSMTP[9726]: Set RemotePort="25"
sie 17 01:24:59 puchatek sSMTP[9726]: Set AuthUser="test"
sie 17 01:24:59 puchatek sSMTP[9726]: Set AuthPass="jakieshaslo"
sie 17 01:24:59 puchatek sSMTP[9726]: Set UseSTARTTLS="True"
sie 17 01:24:59 puchatek sSMTP[9726]: Set UseTLS="True"
sie 17 01:24:59 puchatek sSMTP[9726]: Set TLS_CA_File="/etc/pki/tls/certs/ca-bundle.crt"
sie 17 01:24:59 puchatek sSMTP[9726]: Set TLSCert="/etc/ssl/private/ssl-mail.key"
sie 17 01:25:00 puchatek sSMTP[9726]: Creating SSL connection to host
sie 17 01:25:00 puchatek sSMTP[9726]: 220 malenstwo.juszkiewicz.com.pl ESMTP Postfix (Ubuntu)
sie 17 01:25:00 puchatek sSMTP[9726]: EHLO puchatek
sie 17 01:25:00 puchatek sSMTP[9726]: 250 DSN
sie 17 01:25:00 puchatek sSMTP[9726]: STARTTLS
sie 17 01:25:00 puchatek sSMTP[9726]: 220 2.0.0 Ready to start TLS
sie 17 01:25:00 puchatek sSMTP[9726]: SSL not working: certificate verify failed (18)
sie 17 01:25:00 puchatek sSMTP[9726]: Cannot open mail.juszkiewicz.com.pl:25

01:32 root@puchatek:private# ll -Z
razem 12
-rw-rw-r--. 1 root root system_u:object_r:cert_t:s0 1704 08-17 01:07 malenstwo-mail.pem
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0  887 08-17 01:10 ssl-mail.key
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0  652 08-17 01:17 ssl-mail.pem

what is wrong then?
@Marcin: try adding the certificate in /usr/share/pki/ca-trust-source/anchors/ followed by "update-ca-trust", that should solve it.
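The misconfigurations behind the log lines quoted in this thread can be caught before a single message is sent: the missing trust store that comments 5 and 6 explain (OpenSSL loads no CAs unless the program asks for them, hence "certificate verify failed (20)"), the implicit-TLS attempt against the plaintext port 25 in the description ("unknown protocol (0)"), the TLSCert that points at a private key in comment 24, and the AuthPass lines that the debug output writes into /var/log/maillog. The lint below is an added example written for this page; it is not ssmtp's own code and not part of the Fedora package. It assumes the ssmtp.conf key names seen in the thread (mailhub, UseTLS, UseSTARTTLS, TLS_CA_File, TLS_CA_Dir, TLSCert, AuthPass, Debug), that a mailhub without a :port suffix uses port 25 (the RemotePort default shown in comment 24), and that OpenSSL verify code 20 is "unable to get local issuer certificate" while 18 is "self signed certificate". The two sample configs it writes are constructed for the demonstration, not taken from any reporter.

```shell
#!/bin/sh
# Added example for this bug thread, not ssmtp's own code: a lint for
# ssmtp.conf that flags the TLS settings behind the errors quoted above.
# Assumptions: key names as in the Fedora config (mailhub, UseTLS,
# UseSTARTTLS, TLS_CA_File, TLS_CA_Dir, TLSCert, AuthPass, Debug), a
# mailhub without :port uses port 25, and OpenSSL verify code 20 means
# "unable to get local issuer certificate" (no trust store loaded).

# conf_get FILE KEY: value of the last uncommented "KEY=value" line, or empty
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# is_yes VALUE: true for the spellings ssmtp accepts as enabled
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) return 0 ;;
        *) return 1 ;;
    esac
}

# ssmtp_tls_lint FILE: one finding per line on stdout; exit status = count
ssmtp_tls_lint() {
    conf=$1
    n=0
    hub=$(conf_get "$conf" mailhub)
    port=${hub##*:}
    [ "$port" = "$hub" ] && port=25
    usetls=$(conf_get "$conf" UseTLS)
    starttls=$(conf_get "$conf" UseSTARTTLS)
    cafile=$(conf_get "$conf" TLS_CA_File)
    cadir=$(conf_get "$conf" TLS_CA_Dir)
    tlscert=$(conf_get "$conf" TLSCert)

    if is_yes "$usetls" || is_yes "$starttls"; then
        # OpenSSL loads no CAs unless told to, so without a trust store every
        # server chain fails with "certificate verify failed (20)".
        if [ -z "$cafile" ] && [ -z "$cadir" ]; then
            echo "NO_TRUST_STORE: TLS enabled but no TLS_CA_File/TLS_CA_Dir (expect 'certificate verify failed (20)')"
            n=$((n + 1))
        elif [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
            echo "CA_FILE_UNREADABLE: TLS_CA_File=$cafile"
            n=$((n + 1))
        fi
        # UseTLS=YES alone means TLS from the first byte; a port that speaks
        # plaintext SMTP first answers with a banner, not a ServerHello, and
        # the handshake dies with "unknown protocol (0)".
        if is_yes "$usetls" && ! is_yes "$starttls" && [ "$port" != 465 ]; then
            echo "IMPLICIT_TLS_ON_PLAINTEXT_PORT: UseTLS=YES on port $port without UseSTARTTLS (expect 'unknown protocol (0)')"
            n=$((n + 1))
        fi
    fi
    # TLSCert names the client certificate file; a bare private key is not
    # one, and a server's private key has no business on a client at all.
    if [ -n "$tlscert" ] && [ -r "$tlscert" ] && ! grep -q 'BEGIN CERTIFICATE' "$tlscert"; then
        echo "TLSCERT_NOT_A_CERT: TLSCert=$tlscert holds no certificate"
        n=$((n + 1))
    fi
    # With Debug=YES the config dump, AuthPass included, lands in the mail
    # log in the clear (the 'Set AuthPass=' lines quoted in this bug).
    if is_yes "$(conf_get "$conf" Debug)" && [ -n "$(conf_get "$conf" AuthPass)" ]; then
        echo "PASSWORD_LOGGED: Debug=YES writes AuthPass to the mail log"
        n=$((n + 1))
    fi
    return "$n"
}

# make_samples: writes two constructed configs (not from the bug) into a
# temp dir and prints its path. broken.conf reproduces the mistakes above;
# fixed.conf is the same site set up the way the thread recommends.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder, not a real key' '-----END PRIVATE KEY-----' > "$dir/ssl-mail.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder, not a real cert' '-----END CERTIFICATE-----' > "$dir/ca-bundle.crt"
    cat > "$dir/broken.conf" <<EOF
root=postmaster
mailhub=mail.example.test:25
AuthUser=alice
AuthPass=hunter2
UseTLS=YES
TLSCert=$dir/ssl-mail.key
Debug=YES
EOF
    cat > "$dir/fixed.conf" <<EOF
root=postmaster
mailhub=mail.example.test:465
AuthUser=alice
AuthPass=hunter2
UseTLS=YES
TLS_CA_File=$dir/ca-bundle.crt
EOF
    echo "$dir"
}

# Usage: d=$(make_samples); ssmtp_tls_lint "$d/broken.conf"; echo "findings: $?"
```

The lint works on the config file alone and never talks to the server, so it cannot see what certificate the mailhub presents. The self-signed case from comment 24 ("certificate verify failed (18)") therefore still needs the fix from comment 25: the server's own certificate must be in the file named by TLS_CA_File, or dropped into /usr/share/pki/ca-trust-source/anchors/ followed by update-ca-trust, and the TLSCert line pointing at the server's private key should simply go.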