compugroup (Newbie) | Joined: 29 June 2016 | Location: France | Posts: 6
Posted: 29 June 2016 at 6:31am

How can we prevent a second EHLO from being sent? Does the host have to change its settings, or can we do something in code?

smtpServer.AuthMethods = AuthenticationMethods.Auto;
smtpServer.SslMode = SslStartupMode.Manual; // or SslStartupMode.UseStartTlsIfSupported
mailManager.Connect();
mailManager.Hello(); // <--- EXCEPTION !
mailManager.StartTls();
 
 [INFO] Assembly version: 9.0.4.477.
 [INFO] Will resolve host "xxxxxxxxxxxxx".
 [INFO] Host "xxxxxxxxxxx" resolved to IP address(es) xx.xx.xx.xx.
 [INFO] Will connect to host "xxxxxxxxxxx" on port 587.
 [INFO] Socket connected to IP address xx.xx.xx.xx on port 587.
 [RECV] 220 xxxxxxxxxx ESMTP xxxxxx\r\n
 [INFO] Connected to mail service at host "xxxxxxxxx" on port 587 and ready.
 [INFO] Will send Hello command (HELO or EHLO).
 [SEND] EHLO [xx.xx.xx.xx]\r\n
 [RECV] 250-xxxxxx\r\n250-PIPELINING\r\n250-SIZE 20971520\r\n250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n
 [INFO] SMTP Hello completed.
 [INFO] Notify server that we are ready to start TLS/SSL negotiation.
 [SEND] STARTTLS\r\n
 [RECV] 220 2.0.0 Ready to start TLS\r\n
 [INFO] Will start TLS/SSL negotiation sequence.
 [INFO] TLS/SSL negotiation completed.
 [INFO] Will send Hello command (HELO or EHLO).
 [SEND] EHLO [10.182.1.117]\r\n
 [RECV] 421 4.7.1 xxxxxxxxxxxxx Error: No client certificate presented\r\n
 [INFO] Warning: EHLO command is not supported by the server. The server responded: 421 4.7.1 xxxxx Error: No client certificate presented.
 [SEND] HELO [xx.xx.xx.xx]\r\n
 [INFO] Error: Socket connection was aborted by remote host.
 [INFO] Will disconnect from host "xxxxxxxxxxx".
 [INFO] Disconnected from host "xxxxxxxxxxx".
 
 


Igor (AfterLogic Support) | Joined: 24 June 2008 | Location: United States | Posts: 6168
Posted: 29 June 2016 at 6:47am

According to the logs, the exception occurs after switching to STARTTLS, not before it, and the first EHLO is successful. The SMTP server, however, explains exactly what has gone wrong:
 
 
Code:
[RECV] 421 4.7.1 xxxxxxxxxxxxx Error: No client certificate presented\r\n

The server supports STARTTLS, but it requires a client certificate. You can supply it using the SmtpServer.SslCertificates property.
 
 --
 Regards,
 Igor, AfterLogic Support


compugroup (Newbie) | Joined: 29 June 2016 | Location: France | Posts: 6
Posted: 30 June 2016 at 3:36am

Hi,
Of course, we supply a client certificate before calling the Hello method. Our code runs with other providers but not this one!
 
The log also says "EHLO command is not supported by the server", and this after the TLS/SSL negotiation completed.
 
MailBee's Hello method sends 3 commands:
1. EHLO -> OK, accepted by the host
2. STARTTLS -> OK, host ready
3. EHLO -> NOT OK, refused by the host. It seems that after that the client certificate is not presented to the host.
 
 


Alex (AfterLogic Support) | Joined: 19 November 2003 | Posts: 2207
Posted: 30 June 2016 at 3:48am

Hi,
 
 
Quote:
> Of course, we supply a client certificate before calling the Hello method. Our code runs with other providers but not this one!

In the code you presented there is no indication that the client certificate is supplied. If you think you set up everything correctly, please prepare a simple self-contained source code sample and the sample certificate and send them to us via http://www.afterlogic.com/helpdesk for examination. Thanks!
 
 Regards,
 Alex


compugroup (Newbie) | Joined: 29 June 2016 | Location: France | Posts: 6
Posted: 04 July 2016 at 7:15am

Hmm, the problem is that the certificate is on a smartcard...


Alex (AfterLogic Support) | Joined: 19 November 2003 | Posts: 2207
Posted: 04 July 2016 at 7:58am

You can enable System.Net tracing by adding this to the <configuration> section of app.config:
 
 
Code:
<system.diagnostics>
 <sources>
 <source name="System.Net" tracemode="includehex" maxdatasize="1024">
 <listeners>
 <add name="System.Net"/>
 </listeners>
 </source>
 <source name="System.Net.Cache">
 <listeners>
 <add name="System.Net"/>
 </listeners>
 </source>
 <source name="System.Net.Http">
 <listeners>
 <add name="System.Net"/>
 </listeners>
 </source>
 <source name="System.Net.Sockets">
 <listeners>
 <add name="System.Net"/>
 </listeners>
 </source>
 <source name="System.Net.WebSockets">
 <listeners>
 <add name="System.Net"/>
 </listeners>
 </source>
 </sources>
 <switches>
 <add name="System.Net" value="Verbose"/>
 <add name="System.Net.Cache" value="Verbose"/>
 <add name="System.Net.Http" value="Verbose"/>
 <add name="System.Net.Sockets" value="Verbose"/>
 <add name="System.Net.WebSockets" value="Verbose"/>
 </switches>
 <sharedListeners>
 <add name="System.Net"
 type="System.Diagnostics.TextWriterTraceListener"
 initializeData="C:\Temp\network.log"
 />
 </sharedListeners>
 <trace autoflush="true"/>
 </system.diagnostics>
 
Then you can examine network.log to check whether it contains something related to your certificate. For example, it can contain something like:
 
 
 
Code:
System.Net Information: 0 : [3524] SecureChannel#35191196::.ctor(hostname=mail.afterlogic.com, #clientCertificates=1)
 System.Net Information: 0 : [3524] Enumerating security packages:
 System.Net Information: 0 : [3524]     Negotiate
 System.Net Information: 0 : [3524]     NegoExtender
 System.Net Information: 0 : [3524]     Kerberos
 System.Net Information: 0 : [3524]     NTLM
 System.Net Information: 0 : [3524]     Schannel
 System.Net Information: 0 : [3524]     Microsoft Unified Security Protocol Provider
 System.Net Information: 0 : [3524]     WDigest
 System.Net Information: 0 : [3524]     TSSSP
 System.Net Information: 0 : [3524]     pku2u
 System.Net Information: 0 : [3524]     CREDSSP
 System.Net Information: 0 : [3524] SecureChannel#35191196 - Attempting to restart the session using the user-provided certificate: [Version]
 V3
 
 [Subject]
 E=test@afterlogic.com
 Simple Name: test@afterlogic.com
 Email Name: test@afterlogic.com
 
 [Issuer]
 CN=COMODO RSA Client Authentication and Secure Email CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
 Simple Name: COMODO RSA Client Authentication and Secure Email CA
 DNS Name: COMODO RSA Client Authentication and Secure Email CA
 
 If it contains that, the client certificate was indeed sent over the network. If the server still rejects it, you'll need to contact the server admin to find out why.
 
 Regards,
 Alex
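The following is an added example, not AfterLogic or MailBee code, that automates the check Alex describes: it scans a System.Net trace log for the SecureChannel constructor line (hostname and `#clientCertificates`), the "Attempting to restart the session using the user-provided certificate" line that proves the certificate was offered, the dumped client-certificate subject, and any remote-certificate errors. Because the later posts in this thread show the same messages in French, it recognises both wordings: the French strings are copied from the log posted below, while the English strings are the standard .NET Framework messages as I know them (an assumption to check against your own log). The sample log embedded in `Main` is constructed for the demonstration.

```csharp
// Added example, not AfterLogic/MailBee code: scans a System.Net trace log (network.log) for the
// client-certificate markers this thread relies on. The French marker strings come from the
// localized log posted in this thread; the sample log in Main is constructed for the demo.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public sealed class TraceLogReport
{
    public string Host;                 // hostname= in the SecureChannel constructor line
    public int ClientCertificates;      // #clientCertificates= in the same line
    public bool CertificateOffered;     // "Attempting to restart the session using the user-provided certificate"
    public string ClientSubject;        // first line after [Subject] in the dumped client certificate
    public List<string> RemoteCertErrors = new List<string>();   // errors on the *server* certificate
    public bool RemoteCertAcceptedByCallback;                    // "verified as valid by the user"
}

public static class NetTraceScanner
{
    static readonly Regex Ctor = new Regex(@"SecureChannel#\d+::\.ctor\(hostname=([^,)]+), #clientCertificates=(\d+)");

    // English strings as emitted by .NET Framework (assumption: check against your own log);
    // French strings copied from the localized log posted in this thread.
    static readonly string[] OfferedMarkers = {
        "Attempting to restart the session using the user-provided certificate",
        "Tentative de redémarrage de la session à l'aide du certificat fourni par l'utilisateur" };
    static readonly string[] RemoteErrorMarkers = {
        "Remote certificate has errors",
        "Le certificat distant comporte des erreurs" };
    static readonly string[] AcceptedMarkers = {
        "was verified as valid by the user",
        "a été vérifié comme étant valide par l'utilisateur" };

    static bool ContainsAny(string line, string[] markers)
    {
        foreach (var m in markers) if (line.Contains(m)) return true;
        return false;
    }

    public static TraceLogReport Scan(string logText)
    {
        var r = new TraceLogReport();
        bool inSubject = false, inRemoteErrors = false;
        foreach (var raw in logText.Split('\n'))
        {
            string line = raw.TrimEnd('\r'), trimmed = line.Trim();
            var m = Ctor.Match(line);
            if (m.Success) { r.Host = m.Groups[1].Value; r.ClientCertificates = int.Parse(m.Groups[2].Value); }
            if (ContainsAny(line, OfferedMarkers)) r.CertificateOffered = true;
            if (ContainsAny(line, AcceptedMarkers)) { r.RemoteCertAcceptedByCallback = true; inRemoteErrors = false; }

            if (trimmed == "[Subject]") { inSubject = true; continue; }
            if (inSubject && trimmed.Length > 0) { if (r.ClientSubject == null) r.ClientSubject = trimmed; inSubject = false; }

            if (ContainsAny(line, RemoteErrorMarkers)) { inRemoteErrors = true; continue; }
            if (inRemoteErrors)
            {
                // Detail lines look like "... SecureChannel#N -      <error text>"
                int dash = line.IndexOf(" - ", StringComparison.Ordinal);
                if (dash >= 0 && line.Contains("SecureChannel#")) r.RemoteCertErrors.Add(line.Substring(dash + 3).Trim());
                else inRemoteErrors = false;
            }
        }
        return r;
    }

    public static void Main()
    {
        // Constructed sample in the French localization, mirroring the shape of the posted log.
        const string sample =
            "System.Net Information: 0 : [2992] SecureChannel#1::.ctor(hostname=smtp.example.invalid, #clientCertificates=1, encryptionPolicy=RequireEncryption)\n" +
            "System.Net Information: 0 : [2992] SecureChannel#1 - Tentative de redémarrage de la session à l'aide du certificat fourni par l'utilisateur : [Version]\n" +
            "V3\n\n[Subject]\nCN=EXAMPLE-CLIENT, OU=Test, O=TEST, C=FR\n\n" +
            "System.Net Information: 0 : [3212] SecureChannel#2 - Le certificat distant comporte des erreurs :\n" +
            "System.Net Information: 0 : [3212] SecureChannel#2 -      Incompatibilité du nom du certificat.\n" +
            "System.Net Information: 0 : [3212] SecureChannel#2 - Le certificat distant a été vérifié comme étant valide par l'utilisateur.\n";
        var r = Scan(sample);
        Console.WriteLine("TLS to {0}: {1} client cert(s) in collection, offered to server: {2}", r.Host, r.ClientCertificates, r.CertificateOffered);
        Console.WriteLine("Client cert subject: " + (r.ClientSubject ?? "(not found)"));
        Console.WriteLine("Server cert errors: " + string.Join("; ", r.RemoteCertErrors)
            + (r.RemoteCertAcceptedByCallback ? " (accepted by the app's validation callback)" : ""));
    }
}
```

Two things the report makes explicit. `#clientCertificates=1` together with the "Attempting to restart the session" line means the certificate was in the collection and was offered during the handshake; if `#clientCertificates=0` or the second line is missing, the certificate never reached the TLS layer and the fix is on the client side. "Remote certificate" in a SecureChannel client trace is the peer's certificate, i.e. the SMTP server's as seen by the client, and "verified as valid by the user" records that the application's own validation callback accepted it despite the listed errors; those lines say nothing about the client certificate.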


compugroup (Newbie) | Joined: 29 June 2016 | Location: France | Posts: 6
Posted: 02 August 2016 at 5:45am

Hi,
After a lot of tests, I come back to you to check whether everything is OK on our side.

The network.log contains all the required data (sorry, it is in French):
 
 System.Net Information: 0 : [2992] SecureChannel#66454027::.ctor(hostname=smtp.planet-sante.fr, #clientCertificates=1, encryptionPolicy=RequireEncryption)
 System.Net Information: 0 : [2992] Énumération des packages de sécurité :
 System.Net Information: 0 : [2992]     Negotiate
 System.Net Information: 0 : [2992]     NegoExtender
 System.Net Information: 0 : [2992]     Kerberos
 System.Net Information: 0 : [2992]     NTLM
 System.Net Information: 0 : [2992]     Schannel
 System.Net Information: 0 : [2992]     Microsoft Unified Security Protocol Provider
 System.Net Information: 0 : [2992]     WDigest
 System.Net Information: 0 : [2992]     TSSSP
 System.Net Information: 0 : [2992]     pku2u
 System.Net Information: 0 : [2992]     CREDSSP
 System.Net Information: 0 : [2992] SecureChannel#66454027 - Tentative de redémarrage de la session à l'aide du certificat fourni par l'utilisateur : [Version]
 V3
 
 [Subject]
 CN=899700022090 + SN=MEDECIN RPPS-ADELI + G=VIRGINIE, OU=Médecin, O=TEST, C=FR
 
 but end with
 
 
 [Signature Algorithm]
 sha1RSA(1.2.840.113549.1.1.5)
 
 [Public Key]
 Algorithm: RSA
 Length: 1024
 Key Blob: 30 81 89 02 81 81 00 bd a7 84 57 e7 11 93 7c 75 c1 9b 51 71 82 0d a4 d7 d6 15 ee 44 f5 57 e2 0a 16 a0 fd 28 e5 02 6d bd dc 12 9d 4b a8 15 ac f0 9c a3 38 5a 90 1c 03 0c 73 ec 59 ab 55 bf 8f 65 f6 37 ed ca 22 7c 2f 51 ac bd 23 27 58 17 01 a5 00 86 6d 6a 21 ec 1c 39 f6 30 27 44 c2 4d 77 9f ab 3f 93 9d 8b 50 04 5b 88 5e 0f 86 8f b1 66 62 0e 44 aa 74 f1 8b 0c 22 1a df 6a a7 65 11 47 aa c3 eb c4 de 2b 35 b5 02 03 01 00 01
 Parame....
 
 System.Net Information: 0 : [3212] SecureChannel#37975124 - Le certificat distant comporte des erreurs :
 System.Net Information: 0 : [3212] SecureChannel#37975124 -      Incompatibilité du nom du certificat.
 System.Net Information: 0 : [3212] SecureChannel#37975124 -      La fonction de révocation n’a pas pu vérifier la révocation du certificat.
 System.Net Information: 0 : [3212] SecureChannel#37975124 - Le certificat distant a été vérifié comme étant valide par l'utilisateur.
 
 System.Net Information: 0 : [3212] ProcessAuthentication(Protocole=Tls, chiffrement=Aes256 force de bits 256, hachage=Sha1 force de bits 160, échange de clé=44550 force de bits 256).
 System.Net.Sockets Verbose: 0 : [3212] DNS::Resolve(EnvDevW7x64AZ)
 System.Net.Sockets Verbose: 0 : [3212] DNS::GetHostByName(EnvDevW7x64AZ)
 System.Net.Sockets Verbose: 0 : [3212] Exiting DNS::GetHostByName()      -> IPHostEntry#35682187
 System.Net.Sockets Verbose: 0 : [3212] Exiting DNS::Resolve()      -> IPHostEntry#35682187
 System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Send()
 System.Net.Sockets Verbose: 0 : [3212] Data from Socket#66337667::Send
 System.Net.Sockets Verbose: 0 : [3212] 00000000 : 17 03 01 00 30 1F AC E0-24 53 A5 4B E4 C1 34 31 : ....0...$S.K..41
 System.Net.Sockets Verbose: 0 : [3212] 00000010 : E3 7D 14 98 1B 8E 15 76-3B B6 03 93 EB 66 F8 95 : .}.....v;....f..
 System.Net.Sockets Verbose: 0 : [3212] 00000020 : 9C AF FD 95 7B DF 2D 75-1F 42 50 AB 88 04 32 78 : ....{.-u.BP...2x
 System.Net.Sockets Verbose: 0 : [3212] 00000030 : 33 E0 A8 56  A4                                   : 3..V.
 System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Send()      -> Int32#53
 System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Receive()
 System.Net.Sockets Verbose: 0 : [3212] Data from Socket#66337667::Receive
System.Net.Sockets Verbose: 0 : [3212] 00000000  :                                                       :
 System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Receive()      -> Int32#0
 System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Shutdown(SocketShutdown#2)
 System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Shutdown()
 System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Close()
 System.Net.Sockets Verbose: 0 : [3212] Socket#66337667::Dispose()
 System.Net.Sockets Verbose: 0 : [3212] Exiting Socket#66337667::Close()
       
The remote company reports a TLS library problem: error:0D0C50DC:asn1 encoding routines:ASN1_item_verify:invalid bit string bits left:a_verify.c:157 and says that our certificate is invalid.
 
My question is: do you confirm that the problem is on our side or on the remote side?
 
 Thanks a lot for your help.
 


Alex (AfterLogic Support) | Joined: 19 November 2003 | Posts: 2207
Posted: 02 August 2016 at 6:50am

Hi,
 I'm afraid we don't speak French so I can't say what's wrong with the certificate.
 
 Regards,
 Alex


compugroup (Newbie) | Joined: 29 June 2016 | Location: France | Posts: 6
Posted: 02 August 2016 at 7:37am

OK, in summary:
System.Net Information: 0 : [3212] SecureChannel#37975124 - Remote certificate has errors. ("Remote certificate" is which one? The client's or the SMTP server's?)
 System.Net Information: 0 : [3212] SecureChannel#37975124 - Incompatibility of the certificate name.
 System.Net Information: 0 : [3212] SecureChannel#37975124 - The revocation function was unable to check certificate revocation.
 System.Net Information: 0 : [3212] SecureChannel#37975124 - The remote certificate has been verified as being valid by the user.
 


Alex (AfterLogic Support) | Joined: 19 November 2003 | Posts: 2207
Posted: 02 August 2016 at 8:49am

Thanks. Also, does "Tentative de redémarrage de la session à l'aide du certificat fourni par l'utilisateur" mean "Attempting to restart the session using the user-provided certificate:"?
 If so, maybe this certificate was not loaded correctly? With your code it's not possible to understand whether the certificate is fine or not.
 
I recommend that you check the following. Write a very simple .NET app which loads the cert (from your smartcard) and then authorizes on a web server (hopefully you have a web server accepting the same kind of client-certificate-based authentication somewhere on your network). Once you know that you can load/pass the cert correctly, we can try the same with MailBee.
 
 Regards,
 Alex


Alex (AfterLogic Support) | Joined: 19 November 2003 | Posts: 2207
Posted: 02 August 2016 at 8:56am

Or you can implement an app which just connects with System.Net.Security.SslStream, passing the same cert, to your IMAP server on port 993. It would be a very short app (assuming that loading the cert from the smartcard is simple); no actual sending/receiving of IMAP commands is needed, just connecting to the server. If you get to the point where you can use SslStream for authenticating, we'll be able to find out why MailBee cannot do the same. However, if the problem reproduces with SslStream used standalone, the issue is not related to MailBee.
 Regards,
 Alex
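As an added example (not MailBee's or AfterLogic's code), here is the standalone SslStream test Alex suggests, written for the exact sequence compugroup listed earlier in the thread: EHLO, STARTTLS, then EHLO again over TLS. It goes one step beyond Alex's IMAP/993 suggestion by speaking SMTP on port 587 with STARTTLS, which is the path the posted log shows, and it reports `SslStream.IsMutuallyAuthenticated` and `LocalCertificate` after the handshake, which answer directly whether the client certificate was presented. The host name, port and certificate thumbprint are placeholders and the `LoadClientCert` helper is my own; the server's reply to the second EHLO is then the same 250 or 421 the log would show.

```csharp
// Added example, not MailBee/AfterLogic code: an SMTP STARTTLS probe built directly on
// System.Net.Security.SslStream. It performs the three steps from the thread (EHLO, STARTTLS,
// EHLO over TLS) with a client certificate and reports whether the TLS layer actually sent it.
// Host, port and thumbprint below are placeholders (assumptions), not values from the thread.
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SmtpClientCertProbe
{
    // Reads one SMTP reply, including "250-..." continuation lines, and returns it whole.
    public static string ReadReply(TextReader reader)
    {
        var sb = new StringBuilder();
        string line;
        do
        {
            line = reader.ReadLine();
            if (line == null) throw new IOException("Connection closed by the server");
            sb.AppendLine(line);
        } while (line.Length >= 4 && line[3] == '-');
        return sb.ToString();
    }

    public static int ReplyCode(string reply)
    {
        return int.Parse(reply.Substring(0, 3));
    }

    // Loads the client certificate from the current user's personal store by thumbprint.
    // For a smartcard certificate the private key never leaves the card; Windows reaches it
    // through the key container recorded on the certificate, so HasPrivateKey must be true.
    public static X509Certificate2 LoadClientCert(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("Certificate not found: " + thumbprint);
            if (!found[0].HasPrivateKey) throw new InvalidOperationException("No private key reachable for " + found[0].Subject);
            return found[0];
        }
    }

    public static void Probe(string host, int port, X509Certificate2 clientCert)
    {
        using (var tcp = new TcpClient(host, port))
        using (var raw = tcp.GetStream())
        {
            var plainReader = new StreamReader(raw, Encoding.ASCII);
            var plainWriter = new StreamWriter(raw, Encoding.ASCII) { NewLine = "\r\n", AutoFlush = true };

            Console.Write(ReadReply(plainReader));                       // 220 banner
            plainWriter.WriteLine("EHLO [127.0.0.1]");
            string ehlo = ReadReply(plainReader);
            Console.Write(ehlo);
            if (!ehlo.Contains("STARTTLS")) throw new InvalidOperationException("Server did not advertise STARTTLS");

            plainWriter.WriteLine("STARTTLS");
            string ready = ReadReply(plainReader);
            if (ReplyCode(ready) != 220) throw new InvalidOperationException("STARTTLS refused: " + ready);

            // Diagnostic-only callback: log the server certificate's policy errors and continue,
            // which is what "verified as valid by the user" in the trace log denotes.
            RemoteCertificateValidationCallback logOnly = (sender, cert, chain, errors) =>
            {
                Console.WriteLine("Server certificate policy errors: " + errors);
                return true;
            };
            var certs = new X509CertificateCollection { clientCert };    // same role as SmtpServer.SslCertificates
            using (var tls = new SslStream(raw, false, logOnly))
            {
                tls.AuthenticateAsClient(host, certs, SslProtocols.Tls12, false);
                Console.WriteLine("IsMutuallyAuthenticated = " + tls.IsMutuallyAuthenticated);
                Console.WriteLine("LocalCertificate = " + (tls.LocalCertificate == null ? "(none sent)" : tls.LocalCertificate.Subject));

                var tlsReader = new StreamReader(tls, Encoding.ASCII);
                var tlsWriter = new StreamWriter(tls, Encoding.ASCII) { NewLine = "\r\n", AutoFlush = true };
                tlsWriter.WriteLine("EHLO [127.0.0.1]");
                Console.Write(ReadReply(tlsReader));                     // 250 on success, 421 in the thread's case
                tlsWriter.WriteLine("QUIT");
            }
        }
    }

    public static void Main()
    {
        // Placeholders: the real SMTP host and the thumbprint of the smartcard certificate go here.
        var cert = LoadClientCert("PLACEHOLDER_THUMBPRINT");
        Probe("smtp.example.invalid", 587, cert);
    }
}
```

Reading the output: `LocalCertificate` is null when the TLS stack had no usable certificate to send (no private key reachable, or the server's CertificateRequest named issuers the certificate does not chain to), and that case points at the client. If `LocalCertificate` shows the smartcard certificate and `IsMutuallyAuthenticated` is true, the certificate was presented and any subsequent 421 is a server-side verdict on it. On that point, the error quoted earlier in the thread (`ASN1_item_verify: invalid bit string bits left`) is raised by OpenSSL when the signature BIT STRING of the certificate being verified declares unused trailing bits, i.e. it is a complaint about the certificate's DER encoding, not about how the client passed it. The log-only validation callback is for this diagnostic run only; replace it with real validation before reusing the code.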