
I'm trying to use SMTP to send mail to my account on some server (say, on Gmail).

So far I've tried:

220 mx.google.com ESMTP y14sm3079810ibf.45
HELO
250 mx.google.com at your service
STARTTLS
220 2.0.0 Ready to start TLS
AUTH LOGIN
Connection closed by foreign host.

What am I doing wrong, and how can I fix it so I send an email as though I were my own server?

Skyhawk
user541686
  • This is a SMTP protocol question. Read the RFCs. If you still have trouble look for a pre-made library? Oh, and you can't send AUTH LOGIN right after STARTTLS - http://en.wikipedia.org/wiki/STARTTLS . Also, if you're trying to send mail directly to Google-hosted account using that SMTP server then TLS is not required. Try without then sort out the TLS handshaking. –  Aug 14 '11 at 06:21
  • @Adams: Thanks for the info. So you're saying I don't need TLS? If so, how would I go about sending unsecure mail? – user541686 Aug 14 '11 at 06:27
  • If you're trying to send mail to your Gmail account then you don't need TLS if you're talking to the mx.google.com. The RFC is quite clear about it. If you are trying to use google as a relay to deliver to other addresses then you'll need TLS. –  Aug 14 '11 at 09:12
  • @Adam: Right, but how do I actually *do* this? Gmail seems to refuse *any* connection unless I use TLS... – user541686 Aug 14 '11 at 11:42

3 Answers


Just submitting the STARTTLS command doesn't put the connection into TLS mode. You have to negotiate and implement it properly.

Ignacio Vazquez-Abrams
  • +1 yeah I was a little suspicious of that. But does that mean I *have* to have a secure connection to send mail to Gmail? – user541686 Aug 14 '11 at 06:21
  • Well, yes, since that's what TLS is. You can only use plaintext up until the point where you use `STARTTLS`. – Ignacio Vazquez-Abrams Aug 14 '11 at 06:24
  • 1
    Actually, he does not *have to* have a secure connection. Except in special circumstances (e.g. between domains that have mutual TLS enabled), TLS is not required to send mail that is addressed to a user that has a mailbox at the answering SMTP server. Taking a look at the Gmail example, Google requires TLS to *send* (relay) mail on a Gmail user's behalf, but it does *not* require TLS to *receive* mail *for* a Gmail user. The fact that mail servers do not ordinarily require TLS is one of the main reasons why e-mail is considered to be fundamentally insecure. – Skyhawk Oct 02 '11 at 00:13
2

Gmail requires TLS to relay mail on your behalf. This type of connection is necessary when your desktop or mobile e-mail client is sending mail from your Gmail account.

However, any normal mail server will still accept a message to a recipient on that server without using TLS or any kind of authentication. For example, you can connect to gmail-smtp-in.l.google.com on port 25 and conduct an unencrypted SMTP session.

Assuming that you are me@mydomain.com, you are logged into your mail server mail.mydomain.com, and you are sending a message to you@yourdomain.com, it looks like this:

  1. dig yourdomain.com mx and note the results (let's say it's mail001.yourdomain.com)
  2. telnet mail001.yourdomain.com 25
  3. Deliver a message:
HELO mail.mydomain.com
MAIL FROM: me@mydomain.com
RCPT TO: you@yourdomain.com
RCPT TO: yourmom@yourdomain.com
DATA

From: "Mehrdad" <me@mydomain.com>
To: "Enrique Peñalosa" <you@yourdomain.com>
Cc: "Gabriela Peñalosa" <yourmom@yourdomain.com>
Date: Fri, 30 Sep 2011 11:21:19 -0700
Subject: Thanks for all the fish!

It was a wonderful picnic. I really enjoyed the salmon burgers.

See you next week,

Mehrdad

.

Caveats:

  1. Backspace does not work in an SMTP session! You are supposed to be a server, and servers don't make typos. If you are experimenting by hand, it is much better to compose your inputs in advance so you can copy and paste each line from a text editor.
  2. Because your messages won't necessarily look like they are coming from a genuine mail server -- for example, the receiving server may check things like your reverse DNS and SPF records -- you may inadvertently run afoul of spam protection on the receiving end. In the case of a destination like Gmail, your message is almost guaranteed to be detected as a forgery and sent directly to the spam folder.

To learn more, see the Wikipedia article.

Skyhawk

You issued the HELO command to your SMTP server. This tells it that you want to use the original SMTP commands. STARTTLS is not one of these commands, thus you should not be able to use STARTTLS.

The first step in resolving this is to switch from the HELO command to the EHLO command. When you do, you will see that the SMTP server responds with the set of SMTP extensions that it supports. Hopefully, STARTTLS will be listed.

Here's a conversation with GMail's SMTP server:

CLIENT: EHLO me.example.com
SERVER: 250-mx.google.com at your service
SERVER: 250-SIZE 35882577
SERVER: 250-8BITMIME
SERVER: 250-STARTTLS
SERVER: 250 ENHANCEDSTATUSCODES
CLIENT: STARTTLS
SERVER: 220 2.0.0 Ready to start TLS
<negotiation begins here...>
james.garriss
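As an added example (not code from the question or from any of the answers), here is a minimal Python client that does what the last two answers describe: EHLO instead of HELO, parse the extension list, send STARTTLS only if it is advertised, perform the TLS handshake only after the server's 220 reply, EHLO again, and then deliver straight to the recipient's MX host with no AUTH. Host names, addresses and the message are whatever you pass to deliver(); the sample replies used to check the parsers are the ones quoted in the answers.

```python
import socket
import ssl

def read_reply(lines):
    """One SMTP reply from an iterable of raw lines ('250-' continues, '250 ' ends) -> (code, texts)."""
    texts = []
    for raw in lines:
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts
    raise ConnectionError("server closed the connection mid-reply")

def ehlo_capabilities(texts):
    """Map EHLO extension keywords to their parameters; texts[0] is the greeting."""
    words = (line.split() for line in texts[1:])
    return {w[0].upper(): w[1:] for w in words if w}

def dot_stuff(body):
    """RFC 5321 dot-stuffing so a '.' line inside the body cannot end DATA early."""
    lines = body.replace("\r\n", "\n").split("\n")
    return "\r\n".join("." + l if l.startswith(".") else l for l in lines)

def deliver(mx_host, helo_name, sender, rcpts, message, port=25):
    """Direct-to-MX delivery: EHLO, STARTTLS only if advertised (then EHLO again, per RFC 3207), no AUTH."""
    sock = socket.create_connection((mx_host, port), timeout=30)
    reader = sock.makefile("rb")
    def cmd(text, expect):
        sock.sendall((text + "\r\n").encode("ascii"))
        code, texts = read_reply(reader)
        if code != expect:
            raise RuntimeError(f"expected {expect}, got {code} {texts[-1]}")
        return texts
    if read_reply(reader)[0] != 220:
        raise RuntimeError("no 220 greeting")
    caps = ehlo_capabilities(cmd("EHLO " + helo_name, 250))
    if "STARTTLS" in caps:
        cmd("STARTTLS", 220)  # the 220 only invites the handshake; do it now
        # strict verification: fail closed rather than silently stay in cleartext
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=mx_host)
        reader = sock.makefile("rb")
        caps = ehlo_capabilities(cmd("EHLO " + helo_name, 250))
    cmd(f"MAIL FROM:<{sender}>", 250)
    for rcpt in rcpts:
        cmd(f"RCPT TO:<{rcpt}>", 250)
    cmd("DATA", 354)
    cmd(dot_stuff(message) + "\r\n.", 250)
    cmd("QUIT", 221)
    return caps
```

Sending AUTH LOGIN without first completing the handshake, as in the question, would be rejected by this client's own reply check, since the server never sees a TLS ClientHello after its 220.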