On Sat 18 Mar 2017 at 16:48:27 (-0500), Charles E. Blair wrote:
> Thanks very much for your reply.
>
> I have an older machine running claws-mail 3.8.1
> and a newer machine running 3.11.1. Some but not
> all correspondents stopped being able to receive
> messages from my 3.8.1 machine, while still hearing
> from 3.11.1. I changed the 3.8.1 "sent" configuration
> (which had previously used a different server), to
> be the same as the 3.11.1 settings, including the
> use of the 587 port and TLS. These in turn were based
> on documentation provided by the server.
>
> You talk about "running encrypted" vs unencrypted.
> Is this something I can control using the "preferences
> for current account"?

If you mean "Can I tell claws to use an encrypted connection?"
I don't know as I don't use claws.

I think you have to start the connection in the "modern" way,
ie encrypted from the very start:

$ openssl s_client -starttls smtp -crlf -connect smtp.illinois.edu:587

connects for me, and I get (after the certificate stuff):

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-SHA384
    Session-ID: E03400003695C6119FF38C21EDA71FC390543AEF8A4C0709A080536A0269072E
    Session-ID-ctx:
    Master-Key: CEAAA20DCF811A292E5280ED709A250931C11C1DA68606192FA429E16DB12A2816A286DE7AE8573DC250F4CF59E043A1
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1490060955
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
250 CHUNKING
ehlo hostname                  ←←←←←that's me typing.
250-smtp.illinois.edu Hello [192.17.23.217]
250-SIZE 104857600
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
^C                             ←←←←←that's me typing.

I think some of these systems will happily say they support
STARTTLS if you connect unencrypted, but then throw you off
when you try to start TLS at that late stage.

I agree with someone in the other thread: use exim as an MTA
(I suppose that strictly it's an MSA, Mail Submission Agent)
as it knows how to do this stuff. All my email goes out through
wheezy's exim unless I'm on the road. Then it's jessie.

Just bear in mind that using exim means that emails are queued
for delivery, so "mail sent" does not mean the email has left
your machine already.
tail -F /var/log/exim/mainlog
will show you what's going out (if you are in the "adm" group).

> I had one specific worry.
> The failure to send on
> 3.8.1 was accompanied by the message
>
> > Warning SSL connection failed (A TLS packet with
> > unexpected length was received)
>
> In my ignorance, I thought this might mean malware
> was adding something to my messages.

I can only guess that this might be the late start-TLS failing.

Cheers,
David.
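
An added example, not part of the original message: a Python check that parses the EHLO reply quoted above and compares it with the plaintext reply a submission server gives before STARTTLS, flagging AUTH offered in the clear or STARTTLS missing. The pre-TLS reply, the host smtp.example.org and the function names are constructed for illustration.

```python
import re

# Post-TLS EHLO reply as quoted in the message above.
POST_TLS = """250-smtp.illinois.edu Hello [192.17.23.217]
250-SIZE 104857600
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""
# Constructed sample (assumption): a plaintext reply before STARTTLS.
PRE_TLS = """250-smtp.example.org Hello [192.0.2.10]
250-SIZE 104857600
250-STARTTLS
250 CHUNKING"""

# Reply line: 3-digit code, '-' (more follow) or ' ' (last line), text.
_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into (code, {KEYWORD: [params]})."""
    code, caps, lines = None, {}, reply.strip().splitlines()
    for i, raw in enumerate(lines):
        m = _LINE.match(raw.rstrip("\r"))
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {raw!r}")
        code = m.group(1)
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match position")
        words = m.group(3).split()
        if i > 0 and words:  # line 0 is the greeting, not a capability
            caps[words[0].upper()] = words[1:]
    return code, caps

def audit_submission(pre_tls, post_tls):
    """Compare the EHLO replies before and after STARTTLS; return findings."""
    _, before = parse_ehlo(pre_tls)
    _, after = parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised on the plaintext connection")
    if "AUTH" in before:
        findings.append("AUTH offered before TLS")
    if "STARTTLS" in after:
        findings.append("STARTTLS still advertised inside the TLS session")
    if "AUTH" not in after:
        findings.append("no AUTH mechanisms offered after TLS")
    return findings
```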