smtplib and TLS

  • Matthias Kluwe

    smtplib and TLS

    Hi!

    After getting a @gmail.com address, I recognized I had to use TLS in my
    python scripts using smtplib in order to get mail to the smtp.gmail.com
    server.

    Things work well so far, apart from an unexpected error. Here's my
    sample code:

    import smtplib

    # password, toaddress and message are set elsewhere in the script
    server = smtplib.SMTP('smtp.gmail.com', 587)
    server.ehlo()
    server.starttls()
    server.ehlo()
    server.login('mkluwe@gmail.com', password)
    server.sendmail("mkluwe@gmail.com", toaddress, message)
    server.quit()

    The server accepts and delivers my messages, but the last command
    raises

    socket.sslerror: (8, 'EOF occurred in violation of protocol')

    Did I miss something? Any hint is welcome.

    Regards,
    Matthias

  • Paul Rubin

    #2
    Re: smtplib and TLS

    "Matthias Kluwe" <mkluwe@gmail.com> writes:
    > The server accepts and delivers my messages, but the last command
    > raises
    >
    > socket.sslerror: (8, 'EOF occurred in violation of protocol')
    >
    > Did I miss something? Any hint is welcome.

    Looks like the module didn't send a TLS Close Notify message before
    closing the socket. I don't see anything in the docs about how to
    send one from smtplib or socket, though.


    • Matthias Kluwe

      #3
      Re: smtplib and TLS

      > "Matthias Kluwe" <mkl...@gmail.com> writes:
      >> The server accepts and delivers my messages, but the last command
      >> raises
      >>
      >> socket.sslerror: (8, 'EOF occurred in violation of protocol')
      >>
      >> Did I miss something? Any hint is welcome.
      >
      > Looks like the module didn't send a TLS Close Notify message before
      > closing the socket. I don't see anything in the docs about how to
      > send one from smtplib or socket, though.

      Hmm. I tried

      server.sock.realsock.shutdown(2)

      before server.quit() with the result of

      SMTPServerDisconnected('Server not connected')

      being raised. Quite an improvement ...

      Matthias


      • Paul Rubin

        #4
        Re: smtplib and TLS

        "Matthias Kluwe" <mkluwe@gmail.com> writes:
        > Hmm. I tried
        >
        > server.sock.realsock.shutdown(2)
        > before server.quit() with the result of

        I don't think that's exactly what you want. You need to send a
        specific TLS message BEFORE shutting down the socket, to tell the
        other end that the TLS connection is ending. That tells the server
        that it shouldn't accept a TLS session resumption later. The close
        notify message is required because if you don't send it, an attacker
        could truncate one of your TLS messages by cutting your connection.

        Basically the socket library's SSL implementation is pretty crude.
        You might try http://trevp.net/tlslite for a pure-Python
        implementation that's also still missing stuff, but is getting there.

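        Paul's close_notify point, as an added example that is not code from the thread, from tlslite or from Python's smtplib: a small parser over TLS record framing that reports whether a captured stream ended with a close_notify alert, at a record boundary without one, or in the middle of a record. It is the same distinction tlslite draws when it raises TLSAbruptCloseError and that the old socket module reported as error 8. The names (`classify_close`, `CloseKind`) and the sample byte strings are constructed here, and the alert body is shown unencrypted for readability; on the wire it is encrypted after the handshake.

```python
"""Classify how a TLS record stream ended: with a close_notify alert (clean), at a
record boundary without one (abrupt), or inside a record (truncated).
Added example; record bodies are shown in the clear, unlike real post-handshake traffic."""
import struct
from enum import Enum

CONTENT_ALERT = 21             # TLS ContentType.alert
CONTENT_APPLICATION_DATA = 23  # TLS ContentType.application_data
ALERT_CLOSE_NOTIFY = 0         # AlertDescription.close_notify
TLS12 = 0x0303                 # record-layer version field used in the samples


class CloseKind(Enum):
    CLEAN = "close_notify received before EOF"
    ABRUPT = "EOF at a record boundary with no close_notify"
    TRUNCATED = "EOF in the middle of a record"


def iter_records(stream: bytes):
    """Yield (content_type, body) per record; raise ValueError on a partial one.
    Framing: 1 byte type, 2 bytes version, 2 bytes body length, then the body."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("EOF inside record header at offset %d" % off)
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        off += 5
        if len(stream) - off < length:
            raise ValueError("EOF inside record body at offset %d" % off)
        yield ctype, stream[off:off + length]
        off += length


def classify_close(stream: bytes):
    """Return (CloseKind, application data delivered before the stream ended).

    Only CLEAN proves the peer meant to stop. In the ABRUPT case the framing is
    intact, so an on-path attacker who cut the TCP connection after a complete
    record looks exactly like a server that finished normally; that is why the
    record layer must treat a missing close_notify as an error rather than as
    end of data."""
    app = bytearray()
    try:
        for ctype, body in iter_records(stream):
            if ctype == CONTENT_ALERT and len(body) == 2 and body[1] == ALERT_CLOSE_NOTIFY:
                return CloseKind.CLEAN, bytes(app)
            if ctype == CONTENT_APPLICATION_DATA:
                app += body
    except ValueError:
        return CloseKind.TRUNCATED, bytes(app)
    return CloseKind.ABRUPT, bytes(app)


def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS record (used only to construct the sample streams below)."""
    return struct.pack("!BHH", ctype, TLS12, len(body)) + body


# Constructed samples: a server's reply to QUIT followed by three different endings.
QUIT_REPLY = b"221 2.0.0 closing connection\r\n"
STREAM_CLEAN = (record(CONTENT_APPLICATION_DATA, QUIT_REPLY)
                + record(CONTENT_ALERT, bytes([1, ALERT_CLOSE_NOTIFY])))  # warning, close_notify
STREAM_ABRUPT = record(CONTENT_APPLICATION_DATA, QUIT_REPLY)       # TCP closed, no alert sent
STREAM_TRUNCATED = record(CONTENT_APPLICATION_DATA, QUIT_REPLY)[:-8]  # connection cut mid-record

if __name__ == "__main__":
    for name, stream in (("clean", STREAM_CLEAN), ("abrupt", STREAM_ABRUPT),
                         ("truncated", STREAM_TRUNCATED), ("no reply at all", b"")):
        kind, data = classify_close(stream)
        print(f"{name:16s} -> {kind.name:9s} {kind.value}; app data: {data!r}")
```

        The empty stream is the case in Matthias's trace: EOF arrives while the client is still waiting for the QUIT reply, which is abrupt in the same sense as the second sample. In today's Python the two outcomes map to `ssl.SSLZeroReturnError` (clean) and `ssl.SSLEOFError` (abrupt).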

        • Tim Williams

          #5
          Re: smtplib and TLS


          ----- Original Message -----
          From: "Paul Rubin" "http://phr.cx"@NOSPAM. invalid

          [color=blue]
          > "Matthias Kluwe" <mkluwe@gmail.c om> writes:[color=green]
          > > Hmm. I tried
          > >
          > > server.sock.rea lsock.shutdown( 2)
          > > before server.quit() with the result of[/color]
          >
          > I don't think that's exactly what you want. You need to send a
          > specific TLS message BEFORE shutting down the socket, to tell the
          > other end that the TLS connection is ending. That tells the server
          > that it shouldn't accept a TLS session resumption later. The close
          > notify message is required because if you don't send it, an attacker
          > could truncate one of your TLS messages by cutting your connection.
          >
          > Basically the socket library's SSL implementation is pretty crude.
          > You might try http://trevp.net/tlslite for a pure-Python
          > implementation that's also still missing stuff, but is getting there.[/color]

          I have found problems with the TLS built into smtplib when you are doing
          something with sock elsewhere in your app.
          E.g. for me, using [something].sock.settimeout(x) or setting the default
          timeout anywhere broke TLS in smtplib.

          Have you verified that it's your end that is broken, not gmail's? Do other
          servers give the same response? The following servers accept incoming
          TLS on port 25:

          e32.co.us.ibm.com
          mail.donkeyisland.com
          smtp.myrealbox.com

          And for quick tests you don't need to send an email (or authenticate), just
          use a NOOP after STARTTLS (and perhaps a RSET) then QUIT, e.g.

          import smtplib

          server = smtplib.SMTP(hostname, port)   # port is optional; smtplib defaults to 25
          server.set_debuglevel(1)
          server.ehlo('x')
          server.starttls()
          server.ehlo('x')
          server.noop()
          server.rset()
          server.quit()


          Trevor's http://trevp.net/tlslite did the job nicely, solving my previous
          TLS problems

          (completely untested)

          from tlslite.api import *

          server = SMTP_TLS('smtp.gmail.com', 587)
          server.set_debuglevel(1)
          server.ehlo()
          settings = HandshakeSettings()
          server.starttls(settings=settings)
          server.ehlo()
          server.login('mkluwe@gmail.com', password)
          server.sendmail("mkluwe@gmail.com", toaddress, message)
          server.quit()

          HTH :)




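          Tim's NOOP/RSET/QUIT probe rewritten for a current Python 3, as an added example that is not code from the thread, from tlslite or from the smtplib project: it hands `starttls()` a verifying `ssl.SSLContext` (the Python 2.x `starttls()` above checked no certificate at all), records whether AUTH is offered only on the EHLO after STARTTLS, and catches the disconnect at QUIT instead of letting the script die. `build_context`, `auth_only_after_tls` and `probe_starttls` are names chosen here, and the default host in the `__main__` block is a placeholder.

```python
"""Tim's STARTTLS probe (EHLO, STARTTLS, EHLO, NOOP, RSET, QUIT) on Python 3, with
certificate verification and the QUIT-time disconnect handled rather than fatal.
Added example; the function names are chosen here and the default host is a placeholder."""
import smtplib
import ssl


def build_context() -> ssl.SSLContext:
    """TLS settings handed to starttls(): verify the certificate chain and the host
    name, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def auth_only_after_tls(before: dict, after: dict) -> bool:
    """True when AUTH is offered only on the EHLO that follows STARTTLS, so a client
    is never invited to send credentials in the clear. Both arguments are
    smtplib's esmtp_features dicts (lower-case extension names as keys)."""
    return "starttls" in before and "auth" not in before and "auth" in after


def probe_starttls(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Walk the probe sequence and return one entry per step. An abrupt server-side
    close at QUIT, the thread's symptom, is recorded in the result, not raised."""
    result = {"starttls_advertised": False, "tls_version": None,
              "auth_only_after_tls": None, "noop": None, "rset": None, "quit": None}
    s = smtplib.SMTP(host, port, timeout=timeout)
    s.set_debuglevel(1)  # echoes the send/reply lines, like the traces in the thread
    try:
        s.ehlo("probe")
        before = dict(s.esmtp_features)
        result["starttls_advertised"] = s.has_extn("starttls")
        if not result["starttls_advertised"]:
            return result  # stop rather than carry on over a cleartext session
        s.starttls(context=build_context())
        result["tls_version"] = s.sock.version()
        s.ehlo("probe")
        result["auth_only_after_tls"] = auth_only_after_tls(before, dict(s.esmtp_features))
        result["noop"] = s.noop()[0]
        result["rset"] = s.rset()[0]
        try:
            result["quit"] = s.quit()[0]  # 221 from a server that answers QUIT
        except smtplib.SMTPServerDisconnected as exc:
            # Python 3 wraps the socket with suppress_ragged_eofs=True, so an EOF
            # without close_notify (the thread's sslerror 8) reaches smtplib as an
            # empty reply line and surfaces as this exception instead.
            result["quit"] = f"disconnected: {exc}"
    finally:
        s.close()  # safe to call twice; quit() already closed on success
    return result


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1] if len(sys.argv) > 1 else "smtp.example.invalid"))
```

          Pass the host name on the command line. A `False` in `auth_only_after_tls` (AUTH advertised before STARTTLS) or a `starttls_advertised` of `False` is worth flagging before any script is allowed to log in to that server.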

          • Matthias Kluwe

            #6
            Re: smtplib and TLS

            > From: "Paul Rubin" "http://phr.cx"@NOSPAM.invalid
            >> "Matthias Kluwe" <mkl...@gmail.com> writes:
            >> After getting a @gmail.com address, I recognized I had to use TLS in my
            >> python scripts using smtplib in order to get mail to the smtp.gmail.com
            >> server.
            >>
            >> [...]
            >>
            >> The server accepts and delivers my messages, but the last command
            >> raises
            >>
            >> socket.sslerror: (8, 'EOF occurred in violation of protocol')
            >
            > [...]
            >
            > Have you verified that it's your end that is broken, not gmail's? Do other
            > servers give the same response?

            No, I have not -- I should have, as I know now: Connecting, starttls,
            login and sending mail works fine without the above mentioned error
            using my previous mail provider.

            Does that mean Gmail is in error here? I don't know...

            Regards,
            Matthias


            • Tim Williams

              #7
              Re: smtplib and TLS

              ----- Original Message -----
              From: "Matthias Kluwe" <mkluwe@gmail.com>
              > > Have you verified that it's your end that is broken, not gmail's? Do other
              > > servers give the same response?
              >
              > No, I have not -- I should have, as I know now: Connecting, starttls,
              > login and sending mail works fine without the above mentioned error
              > using my previous mail provider.
              >
              > Does that mean Gmail is in error here? I don't know...


              Looks like it is GMAIL (though TLS is not required to be able to send via
              smtp.gmail.com:587).

              TLS using TLSlite also fails when connecting to GMAIL, but not to other
              servers.

              ('5 send:', '(16:39:23) ehlo x\r\n')
              ('6 reply:', '(16:39:23) 250-mx.gmail.com at your service\r\n')
              ('6 reply:', '(16:39:23) 250-SIZE 20971520\r\n')
              ('6 reply:', '(16:39:23) 250-8BITMIME\r\n')
              ('6 reply:', '(16:39:23) 250-STARTTLS\r\n')
              ('6 reply:', '(16:39:23) 250 ENHANCEDSTATUSCODES\r\n')
              ('5 send:', '(16:39:23) STARTTLS\r\n')
              ('6 reply:', '(16:39:23) 220 2.0.0 Ready to start TLS\r\n')
              ('Status:', '(16:39:24) 2202.0.0 Ready to start TLS')
              ('5 send:', '(16:39:24) ehlo x\r\n')
              ('6 reply:', '(16:39:24) 250-mx.gmail.com at your service\r\n')
              ('6 reply:', '(16:39:24) 250-SIZE 20971520\r\n')
              ('6 reply:', '(16:39:24) 250-8BITMIME\r\n')
              ('6 reply:', '(16:39:24) 250-AUTH LOGIN PLAIN\r\n')
              ('6 reply:', '(16:39:24) 250 ENHANCEDSTATUSCODES\r\n')
              ('5 send:', '(16:39:24) noop\r\n')
              ('6 reply:', '(16:39:24) 250 2.0.0 OK\r\n')
              ('5 send:', '(16:39:24) rset\r\n')
              ('6 reply:', '(16:39:24) 250 2.1.0 Flushed d61sm2700367wra\r\n')
              ('5 send:', '(16:39:24) noop\r\n')
              ('6 reply:', '(16:39:24) 250 2.0.0 OK\r\n')
              ('5 send:', '(16:39:24) quit\r\n')
              Traceback (most recent call last):
                File "C:\test\tls.py", line 103, in ?
                  s.quit()
                File "C:\test\smtplib.py", line 737, in quit
                  self.docmd("quit")
                File "C:\test\smtplib.py", line 395, in docmd
                  return self.getreply()
                File "C:\test\smtplib.py", line 367, in getreply
                  line = self.file.readline()
                File "C:\Python23\Lib\site-packages\tlslite\FileObject.py", line 152, in readline
                  data = self._sock.recv(self._rbufsize)
                File "C:\Python23\Lib\site-packages\tlslite\TLSRecordLayer.py", line 393, in recv
                  return self.read(bufsize)
                File "C:\Python23\Lib\site-packages\tlslite\TLSRecordLayer.py", line 182, in read
                  for result in self.readAsync(max, min):
                File "C:\Python23\Lib\site-packages\tlslite\TLSRecordLayer.py", line 201, in readAsync
                  for result in self._getMsg(ContentType.application_data):
                File "C:\Python23\Lib\site-packages\tlslite\TLSRecordLayer.py", line 564, in _getMsg
                  for result in self._getNextRecord():
                File "C:\Python23\Lib\site-packages\tlslite\TLSRecordLayer.py", line 737, in _getNextRecord
                  raise TLSAbruptCloseError()
              tlslite.errors.TLSAbruptCloseError

