Actually now that I reread your email it's evident that you can specify the root cert in the msmtp config file. Looks like your mail server's cert does not have a chain back to the equifax certificate you're using. So, get the right certificate then specify the filename in the msmtp config. You can verify it with openssl just as you attempted to do above.<br clear="all">
<br>Regards,<br><br>Stephen J Alexander<br>MPBX, LLC<br><a href="http://mpbx.com" target="_blank">http://mpbx.com</a><br>832-713-6729<br>
<br><br><div class="gmail_quote">On Sun, May 13, 2012 at 10:17 AM, Stephen J Alexander <span dir="ltr">&lt;<a href="mailto:sjalexander@mpbx.com" target="_blank">sjalexander@mpbx.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Port 465 is not open, or it's firewalled, so you can't use it. But it looks like 587 or 25 might work. The error messages indicate that you're getting a certificate from both those ports. But you don't have their proper root certificate for your server's cert in your certificate store; you will need to install it.<div>
<br></div><div>If this is a self-signed cert or if you explicitly trust it you can put the server's own certificate into your cert store. How to do this will depend on the specific implementation of SSL for msmtp: I don't know anything about msmtp specifically so I don't know whether it uses openssl or something else; you'll need to attend to the documentation to determine where to put the certs, how to put them there, and how to configure the software to read and recognize them.</div>
<div><br></div><div>You're right; you're almost there - just need to sort out the SSL situation.<br clear="all"><br>Regards,<br><br>Stephen J Alexander<br>MPBX, LLC<br><a href="http://mpbx.com" target="_blank">http://mpbx.com</a><br>
<a href="tel:832-713-6729" value="+18327136729" target="_blank">832-713-6729</a><div><div class="h5"><br>
<br><br><div class="gmail_quote">On Sun, May 13, 2012 at 9:21 AM, Scott Sjodin <span dir="ltr">&lt;<a href="mailto:scott.sjodin@gmail.com" target="_blank">scott.sjodin@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;font-family:verdana,arial,helvetica,sans-serif"><span>So I've got my msmtp setup (almost). It's running. I can telnet in to <a href="http://smtp.mydomain.com" target="_blank">smtp.mydomain.com</a> 587 and 25 and send over the creds (but not with 465) successfully. I can run openssl, with 465 I get the following:</span></p>
<p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;font-family:verdana,arial,helvetica,sans-serif"></p><pre style="margin-top:10px;margin-right:10px;margin-bottom:10px;margin-left:10px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px">
<br></pre><p></p><pre style="margin-top:10px;margin-right:10px;margin-bottom:10px;margin-left:10px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px"><code>openssl s_client -CApath /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer -connect <a href="http://smtp.mydomain.com:465" target="_blank">smtp.mydomain.com:465</a> </code></pre>
<p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px"></p><pre style="margin-top:10px;margin-right:10px;margin-bottom:10px;margin-left:10px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px">
<code>
</code>Verify return code: 20 (unable to get local issuer certificate)</pre><p></p><p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px">
<font face="verdana, arial, helvetica, sans-serif">When testing msmtp -a default <a href="mailto:username@domain.com" target="_blank">username@domain.com</a> I get the following results (with port numbers corresponding to changes in the msmtprc file)</font></p>
<p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px"><font face="verdana, arial, helvetica, sans-serif"><br></font></p><p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px">
<font face="verdana, arial, helvetica, sans-serif">When I change up the port number to 587:</font></p><p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px">
<font face="verdana, arial, helvetica, sans-serif"></font></p><p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px"><font face="verdana, arial, helvetica, sans-serif">msmtp: TLS certificate verification failed: the certificate is not trusted</font></p>
<div><font face="verdana, arial, helvetica, sans-serif">When I change up the port number to 25:</font></div><div><div><font face="verdana, arial, helvetica, sans-serif">msmtp: TLS certificate verification failed: the certificate is not trusted</font></div>
</div><div><font face="verdana, arial, helvetica, sans-serif">When I change up the port number to 465:</font></div><div><font face="verdana, arial, helvetica, sans-serif">msmtp: network read error: Connection reset by peer. </font></div>
<div><font face="verdana, arial, helvetica, sans-serif"><span><br></span></font></div><div><font face="verdana, arial, helvetica, sans-serif"><span>My msmtprc file is listed below:</span></font></div>
<p></p><pre style="margin-top:10px;margin-right:10px;margin-bottom:10px;margin-left:10px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px"><code>defaults
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer</code></pre><pre style="margin-top:10px;margin-right:10px;margin-bottom:10px;margin-left:10px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px">
<code>#this was downloaded direct from GeoTrust's website -
#<a href="http://www.geotrust.com/resources/root-certificates/index.html" target="_blank">http://www.geotrust.com/resources/root-certificates/index.html</a>
logfile /var/log/msmtp.log
account default
host <a href="http://smtp.mydomain.com" target="_blank">smtp.mydomain.com</a>
port 465</code></pre><pre style="margin-top:10px;margin-right:10px;margin-bottom:10px;margin-left:10px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px"><code># have also tried 587 and 25 with results varying
auth on
user <a href="mailto:support@mydomain.com" target="_blank">support@mydomain.com</a>
password suparsekrat
from <a href="mailto:support@mydomain.com" target="_blank">support@mydomain.com</a>
password suparsekrat
auto_from off
timeout 120
</code></pre><p style="margin-top:5px;margin-right:0px;margin-bottom:5px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;font-family:verdana,arial,helvetica,sans-serif"><span>Thoughts? I feel like I am so close!</span></p>
</blockquote></div><br></div></div></div>
</blockquote></div><br>
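<p>An added example, not part of the original thread: a constructed, offline reproduction of the "unable to get local issuer certificate" (error 20) result discussed above, showing that one server certificate verifies only against the root that actually issued it. The CA names, file names and helper functions are assumptions made for the illustration; smtp.mydomain.com is the thread's placeholder host.</p>

```shell
#!/bin/sh
# Constructed sample data only: two throwaway root CAs and one server cert.
# Note: -CAfile takes a single PEM file; -CApath takes a directory of
# hashed certificates, so a .cer file belongs with -CAfile.
# Live equivalent for a STARTTLS port (needs network, not run here):
#   openssl s_client -starttls smtp -CAfile root.pem -connect host:587

# make_ca DIR BASENAME CN: self-signed root at DIR/BASENAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA_BASENAME HOST: server cert DIR/leaf.pem issued by that CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# check_chain CAFILE CERT: print "trusted" or the first verify error line
check_chain() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo trusted ;;
        *) echo "$out" | grep 'error [0-9][0-9]* at' | head -n 1 ;;
    esac
}

work=$(mktemp -d)
make_ca "$work" real "Constructed Real Root"     # the CA that issued the cert
make_ca "$work" wrong "Constructed Wrong Root"   # stands in for a mismatched root
make_leaf "$work" real smtp.mydomain.com

# Same certificate, two trust files: only the issuing root builds a chain.
echo "wrong root: $(check_chain "$work/wrong.pem" "$work/leaf.pem")"
echo "right root: $(check_chain "$work/real.pem" "$work/leaf.pem")"
rm -rf "$work"
```

<p>The file that passes this check is the one to name in tls_trust_file in the msmtp config.</p>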