Search The ForumSearch   RegisterRegister  LoginLogin

MailBee.NET SMTP

 AfterLogic Forum : MailBee.NET SMTP
Subject Topic: Host does not accept EHLO during TLS Post ReplyPost New Topic
Author
Message << Prev Topic | Next Topic >>
compugroup
Newbie
Newbie


Joined: 29 June 2016
Location: France
Online Status: Offline
Posts: 6
Posted: 29 June 2016 at 6:31am | IP Logged Quote compugroup

How can we prevent from calling a second EHLO ? Is the host has to change settings ? Or we can do something by code ?

AuthMethods = AuthenticationMethods.Auto
smtpServer.SslMode = SslStartupMode.Manual; (OR UseStartTlsIfSupported)
mailManager.Connect();
mailManager.Hello(); <--- EXCEPTION !
mailManager.StartTls();

[INFO] Assembly version: 9.0.4.477.
[INFO] Will resolve host "xxxxxxxxxxxxx".
[INFO] Host "xxxxxxxxxxx" resolved to IP address(es) xx.xx.xx.xx.
[INFO] Will connect to host "xxxxxxxxxxx" on port 587.
[INFO] Socket connected to IP address xx.xx.xx.xx on port 587.
[RECV] 220 xxxxxxxxxx ESMTP xxxxxx\r\n
[INFO] Connected to mail service at host "xxxxxxxxx" on port 587 and ready.
[INFO] Will send Hello command (HELO or EHLO).
[SEND] EHLO [xx.xx.xx.xx]\r\n
[RECV] 250-xxxxxx\r\n250-PIPELINING\r\n250-SIZE 20971520\r\n250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n
[INFO] SMTP Hello completed.
[INFO] Notify server that we are ready to start TLS/SSL negotiation.
[SEND] STARTTLS\r\n
[RECV] 220 2.0.0 Ready to start TLS\r\n
[INFO] Will start TLS/SSL negotiation sequence.
[INFO] TLS/SSL negotiation completed.
[INFO] Will send Hello command (HELO or EHLO).
[SEND] EHLO [10.182.1.117]\r\n
[RECV] 421 4.7.1 xxxxxxxxxxxxx Error: No client certificate presented\r\n
[INFO] Warning: EHLO command is not supported by the server. The server responded: 421 4.7.1 xxxxx Error: No client certificate presented.
[SEND] HELO [xx.xx.xx.xx]\r\n
[INFO] Error: Socket connection was aborted by remote host.
[INFO] Will disconnect from host "xxxxxxxxxxx".
[INFO] Disconnected from host "xxxxxxxxxxx".

Back to Top View compugroup's Profile Search for other posts by compugroup
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6104
Posted: 29 June 2016 at 6:47am | IP Logged Quote Igor

According to the logs, exception occurs after switching to STARTTLS, not before it, and the first EHLO is successful. SMTP server, however, explains what exactly has gone wrong:

Code:
[RECV] 421 4.7.1 xxxxxxxxxxxxx Error: No client certificate presented\r\n


The server supports STARTTLS but it requires client certificate. You can supply it using SmtpServer.SslCertificates property.

--
Regards,
Igor, AfterLogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
compugroup
Newbie
Newbie


Joined: 29 June 2016
Location: France
Online Status: Offline
Posts: 6
Posted: 30 June 2016 at 3:36am | IP Logged Quote compugroup

Hi,

Off course, We supply a client certificate before calling Hello method. Our code run with other providers but not this one !

the logs says also "EHLO command is not supported by the server". And this after TLS/SSL negotiation completed.

MailBee Hello method send 3 commands :
1. EHLO -> OK, accepted by the host
2. STARTTLS -> OK, host ready
3. EHLO -> NOT OK, refused by the host. It seems that after that the client certificate is not presented to the host

Back to Top View compugroup's Profile Search for other posts by compugroup
 
Alex
AfterLogic Support
AfterLogic Support
Avatar

Joined: 19 November 2003
Online Status: Offline
Posts: 2206
Posted: 30 June 2016 at 3:48am | IP Logged Quote Alex

Hi,

Quote:

Off course, We supply a client certificate before calling Hello method. Our code run with other providers but not this one !


In the code you presented there is no indication the client certificate is supplied. If you think you set up everything correctly, please prepare a simple self-contained source code and the sample certificate and send it us via http://www.afterlogic.com/helpdesk for examination. Thanks!

Regards,
Alex
Back to Top View Alex's Profile Search for other posts by Alex
 
compugroup
Newbie
Newbie


Joined: 29 June 2016
Location: France
Online Status: Offline
Posts: 6
Posted: 04 July 2016 at 7:15am | IP Logged Quote compugroup

Hum, the problem is the certificate is on a smartcard...
Back to Top View compugroup's Profile Search for other posts by compugroup
 
Alex
AfterLogic Support
AfterLogic Support
Avatar

Joined: 19 November 2003
Online Status: Offline
Posts: 2206
Posted: 04 July 2016 at 7:58am | IP Logged Quote Alex

You can enable System.Net tracing by adding this in <configuration> section of app.config:

Code:

  <system.diagnostics>
    <sources>
      <source name="System.Net" tracemode="includehex" maxdatasize="1024">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
      <source name="System.Net.Cache">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
      <source name="System.Net.Http">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
      <source name="System.Net.Sockets">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
      <source name="System.Net.WebSockets">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
    </sources>
    <switches>
      <add name="System.Net" value="Verbose"/>
      <add name="System.Net.Cache" value="Verbose"/>
      <add name="System.Net.Http" value="Verbose"/>
      <add name="System.Net.Sockets" value="Verbose"/>
      <add name="System.Net.WebSockets" value="Verbose"/>
    </switches>
    <sharedListeners>
      <add name="System.Net"
        type="System.Diagnostics.TextWriterTraceListener"
        initializeData="C:\Temp\network.log"
      />
    </sharedListeners>
    <trace autoflush="true"/>
  </system.diagnostics>


Then you can examine network.log to check if contains something related to your certificate. I.e. it can contain something like:

Code:

System.Net Information: 0 : [3524] SecureChannel#35191196::.ctor(hostname=mail.afterlogic.com, #clientCertificates=1)
System.Net Information: 0 : [3524] Enumerating security packages:
System.Net Information: 0 : [3524]     Negotiate
System.Net Information: 0 : [3524]     NegoExtender
System.Net Information: 0 : [3524]     Kerberos
System.Net Information: 0 : [3524]     NTLM
System.Net Information: 0 : [3524]     Schannel
System.Net Information: 0 : [3524]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [3524]     WDigest
System.Net Information: 0 : [3524]     TSSSP
System.Net Information: 0 : [3524]     pku2u
System.Net Information: 0 : [3524]     CREDSSP
System.Net Information: 0 : [3524] SecureChannel#35191196 - Attempting to restart the session using the user-provided certificate: [Version]
  V3

[Subject]
  E=test@afterlogic.com
  Simple Name: test@afterlogic.com
  Email Name: test@afterlogic.com

[Issuer]
  CN=COMODO RSA Client Authentication and Secure Email CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
  Simple Name: COMODO RSA Client Authentication and Secure Email CA
  DNS Name: COMODO RSA Client Authentication and Secure Email CA


If it contains that, the client certificate was indeed sent over the network. If the server still rejects it, you'll need to contact the server admin to find out why.

Regards,
Alex
Back to Top View Alex's Profile Search for other posts by Alex
 
compugroup
Newbie
Newbie


Joined: 29 June 2016
Location: France
Online Status: Offline
Posts: 6
Posted: 02 August 2016 at 5:45am | IP Logged Quote compugroup

Hi,

After a lot of test, i come back to ou to check if all is ok from our side.

The network.log contain all the required datas (sorry in french):

System.Net Information: 0 : [2992] SecureChannel#66454027::.ctor(hostname=smtp.planet-sante.fr, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [2992] Énumération des packages de sécurité :
System.Net Information: 0 : [2992]     Negotiate
System.Net Information: 0 : [2992]     NegoExtender
System.Net Information: 0 : [2992]     Kerberos
System.Net Information: 0 : [2992]     NTLM
System.Net Information: 0 : [2992]     Schannel
System.Net Information: 0 : [2992]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [2992]     WDigest
System.Net Information: 0 : [2992]     TSSSP
System.Net Information: 0 : [2992]     pku2u
System.Net Information: 0 : [2992]     CREDSSP
System.Net Information: 0 : [2992] SecureChannel#66454027 - Tentative de redémarrage de la session à l'aide du certificat fourni par l'utilisateur : [Version]
V3

[Subject]
CN=899700022090 + SN=MEDECIN RPPS-ADELI + G=VIRGINIE, OU=Médecin, O=TEST, C=FR

but end with


[Signature Algorithm]
sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
Algorithm: RSA
Length: 1024
Key Blob: 30 81 89 02 81 81 00 bd a7 84 57 e7 11 93 7c 75 c1 9b 51 71 82 0d a4 d7 d6 15 ee 44 f5 57 e2 0a 16 a0 fd 28 e5 02 6d bd dc 12 9d 4b a8 15 ac f0 9c a3 38 5a 90 1c 03 0c 73 ec 59 ab 55 bf 8f 65 f6 37 ed ca 22 7c 2f 51 ac bd 23 27 58 17 01 a5 00 86 6d 6a 21 ec 1c 39 f6 30 27 44 c2 4d 77 9f ab 3f 93 9d 8b 50 04 5b 88 5e 0f 86 8f b1 66 62 0e 44 aa 74 f1 8b 0c 22 1a df 6a a7 65 11 47 aa c3 eb c4 de 2b 35 b5 02 03 01 00 01
Parame....

System.Net Information: 0 : [3212] SecureChannel#37975124 - Le certificat distant comporte des erreurs :
System.Net Information: 0 : [3212] SecureChannel#37975124 -      Incompatibilité du nom du certificat.
System.Net Information: 0 : [3212] SecureChannel#37975124 -      La fonction de révocation n’a pas pu vérifier la révocation du certificat.
System.Net Information: 0 : [3212] SecureChannel#37975124 - Le certificat distant a été vérifié comme étant valide par l'utilisateur.

System.Net Information: 0 : [3212] ProcessAuthentication(Protocole=Tls, chiffrement=Aes256 force de bits 256, hachage=Sha1 force de bits 160, échange de clé=44550 force de bits 256).
System.Net.Sockets Verbose: 0 : [3212] DNS::Resolve(EnvDevW7x64AZ)
System.Net.Sockets Verbose: 0 : [3212] DNS::GetHostByName(EnvDevW7x64AZ)
System.Net.Sockets Verbose: 0 : [3212] Exiting DNS::GetHostByName()      -> IPHostEntry#35682187
System.Net.Sockets Verbose: 0 : [3212] Exiting DNS::Resolve()      -> IPHostEntry#35682187
System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Send()
System.Net.Sockets Verbose: 0 : [3212] Data from Socket#66337667::Send
System.Net.Sockets Verbose: 0 : [3212] 00000000 : 17 03 01 00 30 1F AC E0-24 53 A5 4B E4 C1 34 31 : ....0...$S.K..41
System.Net.Sockets Verbose: 0 : [3212] 00000010 : E3 7D 14 98 1B 8E 15 76-3B B6 03 93 EB 66 F8 95 : .}.....v;....f..
System.Net.Sockets Verbose: 0 : [3212] 00000020 : 9C AF FD 95 7B DF 2D 75-1F 42 50 AB 88 04 32 78 : ....{.-u.BP...2x
System.Net.Sockets Verbose: 0 : [3212] 00000030 : 33 E0 A8 56 A4                                   : 3..V.
System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Send()      -> Int32#53
System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Receive()
System.Net.Sockets Verbose: 0 : [3212] Data from Socket#66337667::Receive
System.Net.Sockets Verbose: 0 : [3212] 00000000 :                                 & nbsp;               :
System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Receive()      -> Int32#0
System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Shutdown(SocketShutdown#2)
System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Shutdown()
System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Close()
System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Dispose()
System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Close()

Remote Company return TLS library problem: error:0D0C50DC:asn1 encoding routines:ASN1_item_verify:invalid bit string bits left:a_verify.c:157 and say that our certificat is invalid.

My question is do you confirm the problem is our side or remote side ?

Thanks a lot for your help.
Back to Top View compugroup's Profile Search for other posts by compugroup
 
Alex
AfterLogic Support
AfterLogic Support
Avatar

Joined: 19 November 2003
Online Status: Offline
Posts: 2206
Posted: 02 August 2016 at 6:50am | IP Logged Quote Alex

Hi,

I'm afraid we don't speak French so I can't say what's wrong with the certificate.

Regards,
Alex
Back to Top View Alex's Profile Search for other posts by Alex
 
compugroup
Newbie
Newbie


Joined: 29 June 2016
Location: France
Online Status: Offline
Posts: 6
Posted: 02 August 2016 at 7:37am | IP Logged Quote compugroup

OK, In resume

System.Net Information: 0 : [3212] SecureChannel#37975124 - Remote certificat has errors. ("Remote certificat" is which one ? client or smtp server ?)
System.Net Information: 0 : [3212] SecureChannel#37975124 - Incompatibility of the certificate name.
System.Net Information: 0 : [3212] SecureChannel#37975124 - The revocation function was unable to check certificate revocation.
System.Net Information: 0 : [3212] SecureChannel#37975124 - The remote certificate has been verified as being valid by the user.
Back to Top View compugroup's Profile Search for other posts by compugroup
 
Alex
AfterLogic Support
AfterLogic Support
Avatar

Joined: 19 November 2003
Online Status: Offline
Posts: 2206
Posted: 02 August 2016 at 8:49am | IP Logged Quote Alex

Thanks. Also, does "Tentative de redémarrage de la session à l'aide du certificat fourni par l'utilisateur" mean " Attempting to restart the session using the user-provided certificate:"?

If so, maybe this certificate was not loaded correctly? With your code it's not possible to understand whether the certificate is fine or not.

I recommend you to check the following. Write a very simple .net app which loads the cert from (m-m, from your smartcard) and then authorizes on the web server (hopefully you may have a web server accepting the same kind of client certficate based authentication somewhere on your network). Once you know that you can load/pass the cert correctly, we can try the same with MailBee.

Regards,
Alex
Back to Top View Alex's Profile Search for other posts by Alex
 
Alex
AfterLogic Support
AfterLogic Support
Avatar

Joined: 19 November 2003
Online Status: Offline
Posts: 2206
Posted: 02 August 2016 at 8:56am | IP Logged Quote Alex

Or you can implement an app which just connects System.Net.Security.SslStream passing the same cert to your IMAP server on port 993. It would be a very short app (assuming that loading the cert from smartcard is simple), no actual sending/receiving IMAP commands needed, just connecting to the server. If you get to the point where you can use SslStream for authenticating, we'll be able to find out why MailBee cannot do the same. However, if the problem reproduces with SslStream being used standalone, the issue is not related to MailBee.

Regards,
Alex
Back to Top View Alex's Profile Search for other posts by Alex
 

If you wish to post a reply to this topic you must first login
If you are not already registered you must first register

  Post ReplyPost New Topic
Printable version Printable version

Forum Jump

Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide