info-gnus-english

Re: gmail and the infamous "530 5.7.0 Must issue a STARTTLS command firs


From: Ted Zlatanov
Subject: Re: gmail and the infamous "530 5.7.0 Must issue a STARTTLS command first"
Date: Fri, 08 Jan 2010 10:00:12 -0600
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1.90 (gnu/linux)

On Thu, 07 Jan 2010 01:59:43 +0000 Paul Bibbings <paul.bibbings@tesco.net> wrote:

PB> (if (and do-starttls
PB>          (smtpmail-find-credentials smtpmail-starttls-credentials host port)
PB>          (member 'starttls supported-extensions)                  ; line 719
PB>          (numberp (process-id process)))
PB>     (progn
PB>       (smtpmail-send-command process (format "STARTTLS"))
PB>       (if (or (null (car (setq response-code (smtpmail-read-response process))))
PB>               (not (integerp (car response-code)))
PB>               (>= (car response-code) 400))
PB>           (throw 'done nil))
PB>       (starttls-negotiate process)
PB>       (setq do-starttls nil))
PB>   (setq do-ehlo nil))))

PB> Here, (member 'starttls supported-extensions) is failing, not because
PB> gmail doesn't require a STARTTLS here, but because, apparently, one of
PB> the other extensions "isn't supported." Consequently, the sending of
PB> STARTTLS is skipped and the whole thing fails. I haven't gone into that
PB> much detail to remember which it is that is failing, and I have to admit
PB> that I don't know Lisp at all. Does anyone here know enough to be able
PB> to dig a little deeper, and perhaps offer a solution?

How about a variable smtpmail-do-starttls-always which can be set to a
list of server names?  It could be inserted in the list above.  I don't
know if it's a good idea to change the logic of the supported
extensions, which is the other route to solve this.

PB> Perhaps better still, does anyone have an alternative or add-on
PB> implementation that uses openssl directly, rather than through starttls?
PB> openssl has a very different command line invocation to both starttls
PB> and gnutls-cli, but if it could be hooked in in their place, it handles
PB> the STARTTLS directly, so the above code wouldn't fail for not being able
PB> to issue it in this case. Call it a challenge, but I would like to get
PB> gmail smtp working with one of these (starttls or gnutls-cli), even
PB> though I am aware and have tested many other alternatives - mostly
PB> without success, or at least with issues of their own.

I'm pretty sure you can wrap your SMTP connection in a shell script that
sets it up the way you want, then just does STDIN/STDOUT as far as Gnus
is concerned.  This seems to be a problem on Windows, though (many
bug reports and few people have reported that it all just works).

The best solution is to provide TLS support inside Emacs as a core
function to transform a network connection but I don't know if that's
ever going to happen.  Maybe someone else here does; if not I can ask on
emacs-devel.  I'm cc-ing Simon who probably has some idea.

Ted
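
A sketch of the per-server list suggested above, added here as an example; it is not part of the original message or of smtpmail.el. The names `my-smtp-starttls-always`, `my-smtp-ehlo-extensions` and `my-smtp-starttls-action`, the host names and the EHLO replies are all hypothetical or constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: every `my-smtp-' name is hypothetical, none exists in smtpmail.el.

(defvar my-smtp-starttls-always '("smtp.example.org")
  "Lowercase host names for which STARTTLS is always sent.
It is sent even when `starttls' was not found among the parsed EHLO
extensions.  The entry is a constructed placeholder.")

(defun my-smtp-ehlo-extensions (reply)
  "Return the extension keywords of EHLO REPLY as lowercase symbols.
REPLY is the raw multi-line 250 response.  Its first line is the
server greeting and is skipped; parameters after a keyword are dropped."
  (let (exts)
    (dolist (line (cdr (split-string reply "\r?\n" t)))
      (when (string-match "\\`250[- ]\\([A-Za-z0-9][-A-Za-z0-9]*\\)" line)
        (push (intern (downcase (match-string 1 line))) exts)))
    (nreverse exts)))

(defun my-smtp-starttls-action (host reply have-credentials)
  "Return `starttls' if STARTTLS should be sent to HOST, else `plain'.
Mirrors the quoted test: HAVE-CREDENTIALS must be non-nil, and either
REPLY advertises STARTTLS or HOST is in `my-smtp-starttls-always'."
  (if (and have-credentials
           (or (memq 'starttls (my-smtp-ehlo-extensions reply))
               (member (downcase host) my-smtp-starttls-always)))
      'starttls
    'plain))

;; Constructed EHLO replies: one advertises STARTTLS, one does not.
(defconst my-smtp-sample-with-tls
  (concat "250-mail.example.net at your service\r\n"
          "250-SIZE 35651584\r\n"
          "250-8BITMIME\r\n"
          "250-STARTTLS\r\n"
          "250 ENHANCEDSTATUSCODES\r\n"))

(defconst my-smtp-sample-without-tls
  (concat "250-smtp.example.org at your service\r\n"
          "250-SIZE 35651584\r\n"
          "250 8BITMIME\r\n"))

(defun my-smtp-demo ()
  "Return the decision for three constructed cases, in order:
advertised STARTTLS, forced by the always-list, neither."
  (list (my-smtp-starttls-action "mail.example.net" my-smtp-sample-with-tls t)
        (my-smtp-starttls-action "SMTP.Example.org" my-smtp-sample-without-tls t)
        (my-smtp-starttls-action "mail.example.net" my-smtp-sample-without-tls t)))
```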

