Ye vish, but this board is cranky. After I posted my reply to Rob, it expected me to post another reply to him, and wouldn't let me post a reply here until I canceled the one above. Not nearly as user-friendly as the BBS software that Fountain Pen Network uses, or what TrekBBS uses.
Be that as it may, once I pulled in all of the CA certs as per Rob, I tried importing the certs from Google, as CA certs. That didn't work until I tried reverse numeric order. That's weird.
Still no joy with sending email. I will hopefully be able to check what's happening at the Google end later today.
One thing: last week, I added "IBM i TCP/IP SMTP Server" and "IBM i TCP/IP SMTP Client" to the application definitions for the local-CA-signed cert I have for TN5250 connections. Could that be interfering? I don't see a way to remove an assignment, other than deleting either the cert or the application definition.
------------------------------
James H H Lampert
------------------------------
Original Message:
Sent: Mon October 24, 2022 07:42 AM
From: Steve Pitcher
Subject: Getting the SMTP server talking to a Google Relay
You need to extract all certs in the cert chain. You can do that from the cert you pulled down.
Then you import them in the system store in the order of the chain omitting the actual server cert you downloaded. You're simply looking to establish trust.
------------------------------
Steve Pitcher
Original Message:
Sent: Fri October 21, 2022 12:17 PM
From: James H H Lampert
Subject: Getting the SMTP server talking to a Google Relay
The problem is that the *SYSTEM certificate store isn't accepting the certs from Google, because it doesn't recognize the CA that signed them.
Currently, the only CA cert in the *SYSTEM cert store is the one for the local CA.
The first cert file contains "GTS CA 1C3" with a subject of "CN=GTS CA 1C3,O=Google Trust Services LLC,C=US" and an issuer of "CN=GTS Root R1,O=Google Trust Services LLC,C=US"
The second cert file contains "GTS Root R1" with a subject of "CN=GTS Root R1,O=Google Trust Services LLC,C=US" and an issuer of "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE"
And the IBM help page shows an older version of DCM, and the behavior I'm seeing is radically different from what's shown.
How do I get it to accept the certs? Do I need to sign either or both with the local CA? If so, how do I do that?
------------------------------
James H H Lampert
Original Message:
Sent: Thu October 20, 2022 03:46 PM
From: James H H Lampert
Subject: Getting the SMTP server talking to a Google Relay
It took a bit of doing just to get QMGTOOLS/GETSSL running, and when I did get it running, I got error messages every time.
The most recent iteration still gave me error messages (see joblog excerpts below) but it did give me a couple of .cer files in IFS /tmp.
QMGTOOLS/GETSSL IP('smtp-relay.gmail.com') PORT(587) STRTLS(Y) SERVICE(SMTP) AUTOIMP(Y) STOREPWD()
Printer device PRT01 not found. Output queue changed to QPRINT in library QGPL.
Object SSLRESULTS in QTEMP type *FILE not found.
Object SSL_LOG in QTEMP type *FILE deleted.
File SSLRESULTS created in library QTEMP.
Member SSLRESULTS added to file SSLRESULTS in QTEMP.
32 records copied from member SSL.
Object not found. Object is /tmp/RABBIT_sslchain01.cer.
Object copied.
Object SSLRESULTS in QTEMP type *FILE deleted.
Object SSL_LOG in QTEMP type *FILE not found.
File SSLRESULTS created in library QTEMP.
Member SSLRESULTS added to file SSLRESULTS in QTEMP.
31 records copied from member SSL.
Object not found. Object is /tmp/RABBIT_sslchain02.cer.
Object copied.
End of file detected for file SSL in QTEMP.
Object SSL in QTEMP type *FILE deleted.
Object SSLCHAIN in QTEMP type *FILE deleted.
Object SSLRESULTS in QTEMP type *FILE deleted.
Object CRTFILE in library QTEMP not found.
Data area CRTFILE created in library QTEMP.
Object CHK_DBCS in library QTEMP not found.
Data area CHK_DBCS created in library QTEMP.
File TMPFILE created in library QTEMP.
Member TMPFILE added to file TMPFILE in QTEMP.
Object QSHSTS in library QTEMP not found.
Data area QSHSTS created in library QTEMP.
Stream file copied to object.
An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled. RC34..
I tried manually importing the first cert from DCM, and got more-or-less the same error message as what's at the bottom of the file. Ditto for the second file.
I then downloaded the two .cer files to my Mac, and inspected them with KeyStore Explorer. They're signed by "CN=GTS Root R1,O=Google Trust Services LLC,C=US" and at this time the only certs in *SYSTEM that I see in DCM are the local CA I created, and a cert generated from it in order to bring up secured TN5250. And I am importing the cert as a CA. How do I get it to accept it?
------------------------------
James H H Lampert
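One way to work out the chain import order Steve describes, as an added example (my own code, not IBM's, DCM's or QMGTOOLS'): it takes each downloaded file's subject and issuer DN, as quoted in the Oct 21 post, walks the chain from the leaf's issuer upward and reverses it so the cert nearest the root goes into *SYSTEM first, and reports any issuer that is in neither the store nor the downloaded files, which is the situation the RC34 message describes. The leaf's issuer DN and the local-CA DN are placeholders I constructed; the thread never shows them.

```python
from typing import Dict, List, Tuple

# Constructed sample: the two DNs quoted in the thread, keyed by the files
# GETSSL wrote to /tmp. Values are (subject DN, issuer DN).
CHAIN_FILES: Dict[str, Tuple[str, str]] = {
    "/tmp/RABBIT_sslchain01.cer": (
        "CN=GTS CA 1C3,O=Google Trust Services LLC,C=US",
        "CN=GTS Root R1,O=Google Trust Services LLC,C=US"),
    "/tmp/RABBIT_sslchain02.cer": (
        "CN=GTS Root R1,O=Google Trust Services LLC,C=US",
        "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE"),
}
# The server cert itself is not imported; only its issuer matters (placeholder).
LEAF_ISSUER = "CN=GTS CA 1C3,O=Google Trust Services LLC,C=US"
LOCAL_CA = "CN=LOCAL_CA_PLACEHOLDER"   # stands in for the local CA already in *SYSTEM


def import_order(files, leaf_issuer, store):
    """Return (files in import order, issuers found nowhere).

    Walk from the leaf's issuer up the chain, then reverse so the cert nearest
    the root is imported first. Any cert whose issuer is neither itself, already
    in 'store', nor imported earlier is what the RC34 message complains about.
    """
    by_subject = {subj: name for name, (subj, _) in files.items()}
    path: List[str] = []
    subject = leaf_issuer
    while subject in by_subject and by_subject[subject] not in path:
        name = by_subject[subject]
        path.append(name)
        subject = files[name][1]          # climb to this cert's issuer
    path.reverse()                        # top of chain goes in first

    present, unresolved = set(store), []
    for name in path:
        subj, issuer = files[name]
        if issuer != subj and issuer not in present:
            unresolved.append(issuer)
        present.add(subj)
    return path, unresolved


if __name__ == "__main__":
    order, missing = import_order(CHAIN_FILES, LEAF_ISSUER, [LOCAL_CA])
    for n, name in enumerate(order, 1):
        print(f"{n}. import {name} as a CA certificate")
    for dn in missing:
        print(f"issuer in neither store nor files: {dn}")
```

For the thread's two files this yields sslchain02 before sslchain01, and flags the GlobalSign cross-signer of GTS Root R1 as absent, so you can decide whether to fetch that root too or treat GTS Root R1 as the trust anchor.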
Original Message:
Sent: Thu October 20, 2022 09:18 AM
From: Matt Seeberger
Subject: Getting the SMTP server talking to a Google Relay
James,
Here are some resources to help you. Did you download the CA certificates from Google and add them to your IBM i LPAR?
Configuration of the IBM i SMTP Client to Relay Email to Office365 and Gmail: https://www.ibm.com/support/pages/node/959599
How To Configure the SMTP Client To Use SMTP Authentication with a SMTP Relay: https://www.ibm.com/support/pages/node/643091
Sending Email from IBM i Applications: http://rd.radile.com/rdweb/info2/smtp.html
You can use this process to see where the breakdown is:
- End the SMTP Server: ENDTCPSVR SERVER(*SMTP)
- Turn SMTP tracing on: TRCTCPAPP APP(*SMTPCLT) SET(*ON)
- Start SMTP: STRTCPSVR SERVER(*SMTP)
- Send a test email using SNDSMTPEMM
- Wait for 1-2 minutes and then end the trace: TRCTCPAPP APP(*SMTPCLT) SET(*OFF)
- View the spool file for information on what is failing: WRKSPLF (it's usually the larger spool file that is generated)
You may need to add this additional system value (I believe you said you already had 587 added):
ADDENVVAR ENVVAR(QIBM_SMTP_RLY_TLS_FIRST) VALUE('YES') LEVEL(*SYS)
ADDENVVAR ENVVAR(QIBM_SMTP_SERVER_PORT) VALUE('587') LEVEL(*SYS)
I noticed in your SMTP settings that you do not have it allowing email relay over SSL. You will need to turn that on as well.
CHGSMTPA FWDHUBSVR('smtp.gmail.com') MAILROUTER('smtp.gmail.com') FIREWALL(*NO) ALWIMPSSL(*YES)
Every time I have set this up I have had to add authentication as well but you might not need to. This is what that would look like:
ADDSMTPLE TYPE(*HOSTAUTH) HOSTNAME('smtp.gmail.com') USERNAME(xxxxx@gmail.com) PASSWORD('password')
------------------------------
Matt Seeberger
Power i Engineer
CMA Technology Solutions
Original Message:
Sent: Tue October 18, 2022 03:40 PM
From: James H H Lampert
Subject: Getting the SMTP server talking to a Google Relay
I'm in the process of moving some applications onto a cloud box, running V7R5, and I'm running into problems with sending email from that box.
The CHGSMTPA on the box currently looks like this:
Autostart server . . . . . . . . AUTOSTART *NO
Clear e-mail on start-up . . . . COLDSTART *NO
E-mail directory type . . . . . DIRTYPE *SMTP
Retries by minute: RTYMIN
Number of retries . . . . . . 3
Time interval . . . . . . . . 30
Retries by day: RTYDAY
Number of retries . . . . . . 0
Time interval . . . . . . . . 0
Retries by hour: RTYHOUR
Number of retries . . . . . . 0
Time interval . . . . . . . . 0
Retry remote name server . . . . RTYRMTSVR *NO
Coded character set identifier CCSID 819
Journal . . . . . . . . . . . . JOURNAL *NO
Percent routing character . . . PCTRTGCHR *NO
Support ETRN for server . . . . ETRNSVR *NO
Support 8-bit MIME . . . . . . . MIME8BIT *NO
Delivery status notification: NFYDLVRY
Responsible person . . . . . . *NONE
Subsystem description . . . . . SBSD QSYSWRK
Library . . . . . . . . . . . QSYS
Realtime Blackhole List . . . . RBLSVR *NONE
Allow relayed mail . . . . . . . ALWRLY *NONE
+ for more values
POP send mail window . . . . . . POPWDW *NONE
Interface/domain association . . IFCDMN *NONE
Filter mail for virus . . . . . FTRACN *NONE
Override reject connect list . . OVRRJTCNNL *NO
Allow bare line feed . . . . . . ALWBARELF *YES
Verify identification . . . . . VFYID *NO
Allow authentication . . . . . . ALWAUTH *NONE
Verify MSF messages . . . . . . VFYMSFMSG *YES
Verify from user . . . . . . . . VFYFROMUSR *ALL
Forwarding mailhub server . . . FWDHUBSVR 'smtp-relay.gmail.com'
Automatic registration . . . . . AUTOADD *NO
User ID prefix . . . . . . . . USRIDPFX QSM
Address . . . . . . . . . . . ADDRESS QSMRMTAD
System name . . . . . . . . . SYSNAME TCPIP
Alias table type . . . . . . . TBLTYPE *SYSTEM
User ID delimiter . . . . . . . USRIDDELIM '?'
Mail router . . . . . . . . . . MAILROUTER *SAME
Outgoing EBCDIC/ASCII table: TBLSMTPOUT
Outgoing EBCDIC/ASCII table . *CCSID
Library . . . . . . . . . .
Incoming ASCII/EBCDIC table: TBLSMTPIN
Incoming ASCII/EBCDIC table . *CCSID
Library . . . . . . . . . .
Firewall . . . . . . . . . . . . FIREWALL *NO
Process all mail through MSF . . ALLMAILMSF *NO
Dial-up scheduler: DIALSCD
Start with SMTP server . . . . *NO
Configuration profile . . . .
Connection time interval . . .
Support ETRN for client: ETRNCLT
Enable client ETRN . . . . . . *NO
Incoming mail server address
Mail domain name . . . . . . .
Allow e-mail over implicit SSL ALWIMPSSL *NO
Max incoming e-mail messages . . MAXINEMM *DFT
Max outgoing e-mail messages . . MAXOUTEMM *DFT
Keep until: KEEPUNTIL
Successful final state . . . . *DFT
Unsuccessful final state . . . *DFT
Maximum e-mail message size . . MAXEMMSIZE *DFT
SMTP domain alias . . . . . . . ALIASDMN *NONE
The Google Relay was created to accept anything from the public IP address of the box, with TLS active. Following instructions, I set a QIBM_SMTP_SERVER_PORT environment variable at the system level; in WRKENVVAR, it looks like:
QIBM_SMTP_SERVER_PORT '587'
Am I missing anything?
Incidentally, for some reason, if I attempt to open a case, whether for this or for another issue, under this IBM ID, all I get after signing on is a 503 page. Others don't have that problem. Could there be something wrong with my IBM ID?
--
James H. H. Lampert
------------------------------
James H H Lampert
------------------------------