 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 11:20 am

I can't send email via smtp.gmail.com.

18:15:18 e-mail,error Error sending e-mail <email Test Email>: TLS handshake failed

Config:
[admin@MikroTik] > /tool/e-mail/print
       address: smtp.gmail.com
          port: 587
           tls: yes
          from: xxxxxxx@gmail.com
          user: xxxxxxx@gmail.com
      password: xxxxxxx
   last-status: failed
  last-address: 74.125.24.108

GMail is set up correctly, 2FA enabled and Application Specific password generated. I use the same setup for other devices to relay email via smtp.gmail.com

Is the TLS handshake failing due to root CA certs? Time is correct on the device, set via NTP servers.
Last edited by ilium007 on Sat Sep 12, 2020 4:24 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 1:20 pm

There are no certificates present by default in Mikrotik routers so you have to install them to use TLS.

https://support.google.com/a/answer/6180220?hl=en
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 1:22 pm

There are no certificates present by default in Mikrotik routers so you have to install them to use TLS.

https://support.google.com/a/answer/6180220?hl=en

I had already imported CA root certs from here: https://mkcert.org/generate/
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 1:34 pm

Have you tried: smtp-relay.gmail.com
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 1:39 pm

Have you tried: smtp-relay.gmail.com

Same issue:

20:38:51 e-mail,error Error sending e-mail <email test>: TLS handshake failed

Where should I be downloading CA root certs from?

I have put the config back, this is the command line I am executing to test:

[admin@chateau] /tool/e-mail> print
       address: smtp.gmail.com
          port: 587
           tls: yes
          from: xxxxxxx@gmail.com
          user: xxxxxxx@gmail.com
      password: xxxxxxx
   last-status: failed
  last-address: 74.125.200.28
[admin@chateau] /tool/e-mail>
[admin@chateau] /tool/e-mail>
[admin@chateau] /tool/e-mail>
[admin@chateau] /tool/e-mail> send to=xxxxxxx@gmail.com subject="email test" body="email test"
Last edited by ilium007 on Sat Sep 12, 2020 4:24 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 2:16 pm

Delivering an e-mail to them is a PITA and the best chance is using the relay.

In the middle of the linked page is a PEM file and have a look at that.

I can't test anything being on my tablet.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 2:34 pm

Delivering an e-mail to them is a PITA and the best chance is using the relay.

In the middle of the linked page is a PEM file and have a look at that.

I can't test anything being on my tablet.
I thought the relay was for G-Suite users only (I use it for SMTP access for printers / scanners at work).
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 2:52 pm

All of the Google Trust Services root CAs were already in the list of 138 certs that are already present on the device.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 2:56 pm

I have gone to my computer and looked up the used certificate; both are using the same root cert, depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign. The root cert is on the first line. I am not an expert on this and Mikrotik checking a cert is also a PITA.
openssl s_client -connect smtp.gmail.com:25 -starttls smtp
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2892 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
And for smtp-relay.gmail.com
openssl s_client -connect smtp-relay.gmail.com:25 -starttls smtp
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp-relay.gmail.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp-relay.gmail.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp-relay.gmail.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2918 bytes and written 425 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:05 pm

I think that you also need this file:

http://crl.globalsign.net/root-r2.crl

Source:
https://www.tbs-certificates.co.uk/FAQ/ ... CA_R2.html

Hope it works?
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:26 pm

I think that you also need this file:

http://crl.globalsign.net/root-r2.crl

That CRL was already in the CRL list but shows up as invalid. I tried re-importing from the URL but it was invalid as well.

 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:36 pm

CRL seems only to be possible for certificates you generate on your Router.

This is what I remembered reading your posting: viewtopic.php?f=21&t=163482&p=805719&hilit=crl#p805719
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:39 pm

CRL seems only to be possible for certificates you generate on your Router.

Looks like that's the end of sending emails via Google SMTP relays? It really shouldn't be this difficult!
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:42 pm

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound....if I am correct.

Use this server: aspmx.l.google.com and if that does not work, try it with TLS off.

Else go the SMTP/25 way.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:49 pm

Else go the SMTP/25 way.
Plain text / no encryption?
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:52 pm

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound

The only secure documented method of sending mail via Google's SMTP servers for non-GSuite users is via smtp.gmail.com:587 with TLS
Last edited by ilium007 on Sat Sep 12, 2020 3:58 pm, edited 2 times in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 3:55 pm

Else go the SMTP/25 way.
Plain text / no encryption?
I think that it is only the checking on Mikrotik's side that is disabled. Used it before on IKEv2 connections of which I had no certificates installed.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 4:00 pm

ehmmmm I did not see that earlier. You are a gmail user (port 587, normal 25) so you should use inbound

The only secure documented method of sending mail via Google's SMTP servers for non-GSuite users is via smtp.gmail.com:587 with TLS
I can't get anything on port 587 for gmail.com

https://network-tools.webwiz.net/email-test.htm
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 4:09 pm

I still use smtp.gmail.com with tls(port 587) a user with an app password and never have imported certs to get this to work.

I have a scheduled script that emails me exports once a week and it works fine.

I have a feeling this is due to 2fa or an incomplete user name. I have a service account that I use only for relaying. In the user name field it should be your email address.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 4:23 pm

I have a feeling this is due to 2fa or an incomplete user name. In the user name field it should be your email address.
I had been using email address for user name with no success. The generated app password with 2FA is the documented method of authentication. The error I'm getting is a TLS handshake failure.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com  [SOLVED]

Sat Sep 12, 2020 4:28 pm

Enabling starttls has resolved the problem, email is now sending.

[admin@chateau] /tool/e-mail> print
       address: smtp.gmail.com
          port: 587
           tls: starttls
          from: xxxxxxx@gmail.com
          user: xxxxxxx@gmail.com
      password: xxxxxxx
   last-status: succeeded
  last-address: 74.125.24.108
[admin@chateau] /tool/e-mail> 
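
Why switching from `tls: yes` to `tls: starttls` can matter on port 587, as an added example that is not part of the thread: a submission listener greets in plaintext and only upgrades after the STARTTLS command, so a client that opens with a TLS ClientHello fails the handshake no matter which root CAs it trusts. The local server, host names and function names are constructed for the demonstration, and reading RouterOS's `tls: yes` as TLS-from-the-first-byte is an assumption consistent with the fix above, not something the thread states.

```python
import socket
import ssl
import threading

BANNER = b"220 mx.example.test ESMTP\r\n"  # constructed greeting
EHLO_REPLY = b"250-mx.example.test\r\n250-SIZE 35882577\r\n250 STARTTLS\r\n"


def fake_submission_server():
    """Constructed stand-in for a port-587 listener: plaintext first, STARTTLS offered."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                conn.settimeout(3)
                try:
                    conn.sendall(BANNER)
                    if conn.recv(4096).upper().startswith(b"EHLO"):
                        conn.sendall(EHLO_REPLY)
                        conn.recv(4096)  # wait for the client to hang up
                    # Anything else, such as a TLS ClientHello, is simply dropped.
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("peer closed mid-reply")
        buf += chunk
        lines = buf.split(b"\r\n")
        # Final line of a reply has a space, not '-', after the 3-digit code.
        if buf.endswith(b"\r\n") and lines[-2][3:4] != b"-":
            text = [l.decode("ascii", "replace") for l in lines[:-1]]
            return int(text[-1][:3]), text


def probe_starttls(host, port, timeout=3.0):
    """Speak plaintext SMTP first, as a STARTTLS client does."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            code, _ = read_reply(s)
            if code != 220:
                return "no-smtp-greeting"
            s.sendall(b"EHLO probe.example.test\r\n")
            code, lines = read_reply(s)
            offered = {l[4:].split()[0].upper() for l in lines if l[4:].strip()}
            ok = code == 250 and "STARTTLS" in offered
            return "starttls-offered" if ok else "starttls-missing"
    except (OSError, ValueError):
        return "no-smtp-greeting"


def probe_implicit_tls(host, port, timeout=3.0):
    """Send a TLS ClientHello immediately, as an implicit-TLS client does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-established:" + str(tls.version())
    except OSError:  # ssl.SSLError and resets are OSError subclasses
        return "handshake-failed"


def demo():
    """Run both client styles against the same plaintext-first listener."""
    srv, port = fake_submission_server()
    try:
        return probe_implicit_tls("127.0.0.1", port), probe_starttls("127.0.0.1", port)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

A client set to STARTTLS should still abort when the capability is missing rather than continue in plaintext, otherwise the app password crosses the network unencrypted.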
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 4:34 pm

That was easy. :-)
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: TLS handshake failed when relaying via smtp.gmail.com

Sat Sep 12, 2020 4:40 pm

That was easy. :-)

Sometimes it’s the little things 🤷‍♂️
