Community Discussions and Support
Error: "Invalid TLS extension list item header" with googlemail

Thanks for the explanation about Gmail's sending options - I must have seen that some time ago but didn't use it.

Anyway, I'm glad you found a solution to the problem.  I assume that something has changed with Gmail's use of TLS and Mercury's Cryptlib library is no longer compatible.  When Mercury switches over to using OpenSSL these sorts of issues should disappear!


When gmail attempts to send a message to my Mercury mail server (v 4.72) the connection proceeds normally until STARTTLS when everything goes south.  The session log looks like this:

02:19:37.640: >> STARTTLS<cr><lf>
02:19:37.640: << 220 OK, begin SSL/TLS negotiation now.<cr><lf>
02:19:37.781: 22: Error -32 activating SSL session (locus 0, type 0, code 0, 'Invalid TLS extension list item header')
02:19:37.781: --- Connection closed normally at Sat Jun 30 02:19:37 2012. ---
02:19:37.781:

Does anyone have any idea what is going on here?

Thanks in advance!

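The error in the session log names a structure worth seeing once: in a TLS ClientHello the extensions travel as a length-prefixed list, and every item in that list has a four-byte header (a two-byte type and a two-byte length) followed by that many bytes of data. The parser below is an added example written for this thread, not Mercury's or cryptlib's code, and the thread does not say what Gmail's ClientHello actually contained; the sample bytes (the host name from the log, an empty session_ticket, and a made-up type 0x7A7A) are constructed here to show one well-formed list and one truncated list. It shows the property a practitioner should check in any handshake parser: an extension type the server does not know is skipped, as RFC 5246 section 7.4.1.4 requires, and only a header that does not fit or a length that overruns the list is rejected.

```python
import struct

# IANA extension type numbers commonly seen in a ClientHello. Any type not
# listed here must still be accepted and skipped: RFC 5246 7.4.1.4 says a
# server MUST ignore extensions it does not understand.
EXT_NAMES = {
    0: "server_name",
    10: "supported_groups",
    11: "ec_point_formats",
    13: "signature_algorithms",
    35: "session_ticket",
    0xFF01: "renegotiation_info",
}


def server_name_ext(host):
    """Encode an SNI payload: a ServerNameList with one host_name entry (RFC 6066)."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name  # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def build_extensions(exts):
    """Serialise [(type, data), ...] as a length-prefixed TLS Extension list."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(buf):
    """Parse a TLS Extension list. Each item header is uint16 type + uint16
    length. A header that does not fit in the remaining bytes, or a length
    that overruns the list, is rejected; an unknown type is kept, not rejected."""
    if len(buf) < 2:
        raise ValueError("extension list length prefix missing")
    (total,) = struct.unpack("!H", buf[:2])
    end = 2 + total
    if end != len(buf):
        raise ValueError("extension list length does not match data")
    pos, items = 2, []
    while pos < end:
        if end - pos < 4:
            raise ValueError("invalid extension list item header")
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension data overruns list")
        items.append((ext_type, buf[pos:pos + ext_len]))
        pos += ext_len
    return items


def describe(items):
    """Name each parsed extension and give its data length; unknown types by number."""
    return [(EXT_NAMES.get(t, "unknown(0x%04x)" % t), len(d)) for t, d in items]


def check(buf):
    """Return (items, None) when the list parses, or (None, reason) when it is rejected."""
    try:
        return parse_extensions(buf), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample (not captured traffic): a list a client might send to the
# server named in the log. Type 0x7A7A is made up to stand in for any type the
# server has never heard of; zero-length data (session_ticket) is legal.
SAMPLE = build_extensions([
    (0, server_name_ext("mail.myserver.com")),
    (0xFF01, b"\x00"),
    (35, b""),
    (0x7A7A, b"\x01\x02\x03"),
])


def truncated_sample():
    """Constructed malformed list: the last item header is cut off after its type."""
    good = build_extensions([(0, server_name_ext("mail.myserver.com"))])
    body = good[2:] + struct.pack("!H", 0x7A7A)
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    print(describe(parse_extensions(SAMPLE)))
    print(check(truncated_sample()))
```

Run it directly to see the decoded list and the rejection reason for the truncated one; to look at what a real peer sends, feed `parse_extensions` the extension bytes of a ClientHello captured with a packet sniffer.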

I ran into this a while ago with Gmail but didn't worry about it because the next connection attempt didn't call STARTTLS and the email was delivered successfully. (v.4.72, 73 and 74) Recently I have noticed that Gmail no longer tries to send without STARTTLS after the first connection. It just keeps trying a new connection using STARTTLS and after a few days it finally gives up and sends the email without it.

I found a posting by a user that asked Gmail to add support for STARTTLS but I don't know if they have implemented it: https://groups.google.com/forum/?fromgroups#!topic/Gmail-Help-Message-Delivery-en/YBKHhri9EoQ

If you use it, I suppose it may be possible that Gmail doesn't like the 1024-bit SSL cert generated by Mercury. Perhaps Gmail wants a stronger key? Not sure though, just wondering.

In light of the recent delays, for now I have disabled "SSL/TLS support by default on primary port" in MercuryS (SMTP Server) and all is working fine now.

Hope that helps a bit.


In a similar topic on the Mercury email list today (thanks Craig!) it was pointed out that one option would be to have SSL/TLS enabled by default for MercuryS, but add an entry for the Google netblock in MercuryS configuration / Connection control to disable SSL/TLS for that range only.

/Rolf 


Great suggestion, thanks!

Google lists their authorized hosts in their SPF record. You can use this to get the IP ranges (quite a few) needed to populate the connection control rule in MercuryS.

nslookup -q=TXT _netblocks.google.com 8.8.8.8

http://support.google.com/a/bin/answer.py?hl=en&answer=60764


I got Google's IP ranges in CIDR format from their SPF record and converted it into plain IP ranges ready to be entered in Mercury's Connection Control dialog box.

Should anyone else need the table, here it is:

216.239.32.0/19     216.239.32.0  - 216.239.63.255
64.233.160.0/19     64.233.160.0  - 64.233.191.255
66.249.80.0/20      66.249.80.0   - 66.249.95.255
72.14.192.0/18      72.14.192.0   - 72.14.255.255
209.85.128.0/17     209.85.128.0  - 209.85.255.255
66.102.0.0/20       66.102.0.0    - 66.102.15.255
74.125.0.0/16       74.125.0.0    - 74.125.255.255
64.18.0.0/20        64.18.0.0     - 64.18.15.255
207.126.144.0/20    207.126.144.0 - 207.126.159.255
173.194.0.0/16      173.194.0.0   - 173.194.255.255

HTH,

  Corrado

 

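The two posts above do the SPF lookup with nslookup and then convert the CIDR blocks by hand. The script below is an added example, not code from the thread or from Mercury, that does both steps in one place and adds the check an SPF walk needs: it follows include: mechanisms under the 10-lookup budget RFC 7208 imposes and refuses to revisit a domain, so a looping or oversized record cannot hang the run. The TXT records are constructed for the example: the ip4: blocks are the ones in Corrado's table, while the `_spf.example-google.test` and `_netblocks-v6.example.test` names and the include: chain are assumptions made only to exercise the include handling. Replace `SAMPLE_TXT.get` with a function that performs a live TXT query to use it on real data.

```python
import ipaddress
import re

# Constructed TXT records for this example (not live DNS answers). The ip4:
# networks under _netblocks.google.com are the table posted above; the other
# two names and the include: chain are assumed purely for illustration.
SAMPLE_TXT = {
    "_spf.example-google.test":
        "v=spf1 include:_netblocks.google.com include:_netblocks-v6.example.test ~all",
    "_netblocks.google.com":
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 "
        "ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all",
    "_netblocks-v6.example.test":
        "v=spf1 ip6:2001:db8::/32 ~all",
}

# Constructed records that include each other, to show the loop guard.
LOOP_TXT = {
    "a.test": "v=spf1 include:b.test -all",
    "b.test": "v=spf1 include:a.test ip4:10.0.0.0/8 -all",
}

# Mechanism with optional qualifier (+ - ~ ?); only the three kinds we need.
MECH_RE = re.compile(r"^[+\-~?]?(ip4|ip6|include):(.+)$", re.IGNORECASE)


def collect_networks(domain, lookup, max_lookups=10):
    """Walk include: mechanisms from `domain`; return (ip4 networks, ip6 networks).
    `lookup(name)` returns the TXT record string or None. RFC 7208 section 4.6.4
    limits a check to 10 DNS-querying mechanisms; the same budget is applied
    here, and a domain already visited is never fetched again. (a, mx, exists
    and redirect= are not followed, so those ranges would need separate handling.)"""
    v4, v6, seen, queue = [], [], set(), [domain]
    while queue:
        name = queue.pop(0).lower()
        if name in seen:
            continue
        if len(seen) > max_lookups:  # the starting domain is free; each include: costs one
            raise ValueError("SPF lookup limit exceeded at %s" % name)
        seen.add(name)
        record = lookup(name)
        if not record or not record.lower().startswith("v=spf1"):
            raise ValueError("no SPF record for %s" % name)
        for term in record.split()[1:]:
            m = MECH_RE.match(term)
            if not m:
                continue
            kind, value = m.group(1).lower(), m.group(2)
            if kind == "ip4":
                v4.append(ipaddress.IPv4Network(value, strict=False))
            elif kind == "ip6":
                v6.append(ipaddress.IPv6Network(value, strict=False))
            else:
                queue.append(value)
    return v4, v6


def cidr_to_range(cidr):
    """'216.239.32.0/19' -> ('216.239.32.0', '216.239.63.255'), the first/last
    form the Connection Control dialog takes."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def ranges_table(nets):
    """(cidr, first, last) rows for a list of IPv4Network objects."""
    return [(str(n), str(n.network_address), str(n.broadcast_address)) for n in nets]


def is_in_ranges(ip, nets):
    """Would a peer at `ip` match a rule built from `nets`?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def sample_networks():
    """IPv4 networks found by walking the constructed records."""
    return collect_networks("_spf.example-google.test", SAMPLE_TXT.get)[0]


if __name__ == "__main__":
    for cidr, first, last in ranges_table(sample_networks()):
        print("%-18s %s - %s" % (cidr, first, last))
    print(is_in_ranges("209.85.213.171", sample_networks()))
```

Two caveats before pasting the output into Connection Control: the published ranges change, so re-derive them rather than keeping a static copy, and a rule of this kind identifies a network, not the Gmail service, so anything else sending from those blocks is exempted from TLS too. Keep the exception as narrow as the ranges allow and remove it once the handshake problem itself is fixed.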

I am having the same problem, but it is when gmail tries to relay through my Mercury mail server (not when trying to deliver mail to my Mercury mail server).  The session log looks like this:

15:36:34.953: Connection from 209.85.213.171, Thu Aug 09 15:36:34 2012<lf>
15:36:34.968: << 220 mail.myserver.com ESMTP server ready.<cr><lf>
15:36:34.046: >> EHLO mail-yx0-f171.google.com<cr><lf>
15:36:34.062: << 250-mail.myserver.com Hello mail-yx0-f171.google.com; ESMTPs are:<cr><lf>250-TIME<cr><lf>
15:36:34.062: << 250-SIZE 0<cr><lf>
15:36:34.062: << 250-AUTH CRAM-MD5<cr><lf>
15:36:34.062: << 250-STARTTLS<cr><lf>
15:36:34.062: << 250 HELP<cr><lf>
15:36:34.265: >> STARTTLS<cr><lf>
15:36:34.265: << 220 OK, begin SSL/TLS negotiation now.<cr><lf>
15:36:35.343: 22: Error -32 activating SSL session (locus 0, type 0, code 0, 'Invalid TLS extension list item header')
15:36:35.343: --- Connection closed normally at Thu Aug 09 15:36:35 2012. ---

I turned off the global option to enable SSL/TLS on the default port, but then gmail would not relay my mail since I didn't support TLS.

I use gmail as my mail reader, but when sending I have it relay through my mail server with TLS.  It used to work...  Any suggestions?

Thanks,

Mark 

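Before turning TLS off globally or for a whole netblock, it helps to know exactly which peers fail the handshake and how often. The script below is an added example, not part of the thread or of Mercury, that parses MercuryS session-log lines of the shape shown above into per-connection records and lists the peers whose STARTTLS failed. `SAMPLE_LOG` is Mark's excerpt plus a constructed second session that never attempts STARTTLS; `HEADLESS_LOG` is the first post's excerpt, which starts after the "Connection from" line, to show the parser still yields a session in that case.

```python
import re

# Mark's session excerpt from the post above, followed by a constructed
# plain-SMTP session (peer and host name made up) that never issues STARTTLS.
SAMPLE_LOG = """\
15:36:34.953: Connection from 209.85.213.171, Thu Aug 09 15:36:34 2012<lf>
15:36:34.968: << 220 mail.myserver.com ESMTP server ready.<cr><lf>
15:36:34.046: >> EHLO mail-yx0-f171.google.com<cr><lf>
15:36:34.062: << 250-mail.myserver.com Hello mail-yx0-f171.google.com; ESMTPs are:<cr><lf>250-TIME<cr><lf>
15:36:34.062: << 250-SIZE 0<cr><lf>
15:36:34.062: << 250-AUTH CRAM-MD5<cr><lf>
15:36:34.062: << 250-STARTTLS<cr><lf>
15:36:34.062: << 250 HELP<cr><lf>
15:36:34.265: >> STARTTLS<cr><lf>
15:36:34.265: << 220 OK, begin SSL/TLS negotiation now.<cr><lf>
15:36:35.343: 22: Error -32 activating SSL session (locus 0, type 0, code 0, 'Invalid TLS extension list item header')
15:36:35.343: --- Connection closed normally at Thu Aug 09 15:36:35 2012. ---
15:41:02.110: Connection from 198.51.100.7, Thu Aug 09 15:41:02 2012<lf>
15:41:02.125: << 220 mail.myserver.com ESMTP server ready.<cr><lf>
15:41:02.300: >> EHLO relay.example.test<cr><lf>
15:41:02.310: << 250 HELP<cr><lf>
15:41:02.500: >> QUIT<cr><lf>
15:41:02.505: << 221 mail.myserver.com closing connection<cr><lf>
15:41:02.505: --- Connection closed normally at Thu Aug 09 15:41:02 2012. ---
"""

# The first post's excerpt: the log was cut before the "Connection from" line.
HEADLESS_LOG = """\
02:19:37.640: >> STARTTLS<cr><lf>
02:19:37.640: << 220 OK, begin SSL/TLS negotiation now.<cr><lf>
02:19:37.781: 22: Error -32 activating SSL session (locus 0, type 0, code 0, 'Invalid TLS extension list item header')
02:19:37.781: --- Connection closed normally at Sat Jun 30 02:19:37 2012. ---
02:19:37.781:
"""

LINE_RE = re.compile(r"^\s*(\d{2}:\d{2}:\d{2}\.\d{3}):\s*(.*?)\s*$")
CONN_RE = re.compile(r"^Connection from (\S+),")
ERR_RE = re.compile(r"Error (-?\d+) activating SSL session.*?'([^']*)'")


def _strip_crlf(text):
    return text.replace("<cr>", "").replace("<lf>", "").strip()


def parse_sessions(text):
    """Split a MercuryS session log into one dict per connection. A log that
    starts after its 'Connection from' line still yields a session, with peer None."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group(2):
            continue  # not a log line, or a timestamp with no message
        ts, msg = m.groups()
        conn = CONN_RE.match(msg)
        if conn or cur is None:
            cur = {"peer": conn.group(1) if conn else None, "first_ts": ts,
                   "ehlo": None, "starttls_at": None, "tls_error": None, "closed": False}
            sessions.append(cur)
            if conn:
                continue
        if msg.startswith(">> EHLO ") or msg.startswith(">> HELO "):
            cur["ehlo"] = _strip_crlf(msg[8:])
        elif msg.startswith(">> STARTTLS"):
            cur["starttls_at"] = ts
        elif ERR_RE.search(msg):
            err = ERR_RE.search(msg)
            cur["tls_error"] = (int(err.group(1)), err.group(2))
        elif msg.startswith("--- Connection closed"):
            cur["closed"] = True
            cur = None  # whatever follows belongs to a new connection
    return sessions


def failed_starttls(sessions):
    """Sessions in which the client asked for STARTTLS and the handshake then failed."""
    return [s for s in sessions if s["starttls_at"] and s["tls_error"]]


def peers_to_exempt(sessions):
    """Distinct peer addresses with failed handshakes: the candidates for a narrow
    Connection Control exception, as opposed to disabling TLS for everyone."""
    return sorted({s["peer"] for s in failed_starttls(sessions) if s["peer"]})


if __name__ == "__main__":
    for s in failed_starttls(parse_sessions(SAMPLE_LOG)):
        print(s["peer"], s["ehlo"], s["starttls_at"], s["tls_error"])
    print(peers_to_exempt(parse_sessions(SAMPLE_LOG)))
```

Point it at a real session log and the EHLO names beside the peer addresses show whether the failures are all Google hosts or something else on the same netblock, which is the question to answer before widening any exception.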

[quote user="beiley"]I turned off the global option to enable SSL/TLS on the default port, but then gmail would not relay my mail since I didn't support TLS.

I use gmail as my mail reader, but when sending I have it relay through my mail server with TLS.  It used to work...  Any suggestions?[/quote]

Can you give us more details on what you are doing.  How do you setup Gmail to 'relay'?

Isn't the SMTP transaction the same whether you are delivering or forwarding?


Hi PaulW,

Thanks for the reply.  In gmail you can set up multiple email addresses to send email from within a given gmail account.  In gmail, go to "Settings / Accounts and Import / Send mail as:".  Gmail has help for this feature that describes it here:

 http://support.google.com/mail/bin/answer.py?hl=en&ctx=mail&answer=22370

This is quite handy for being able to read/reply from multiple email addresses within a single gmail inbox.

When you set up these other email addresses to send from, gmail gives you the option of how you want to send.  You can send through gmail's mail server, or you can choose to relay through any other mail server you specify.  When choosing to relay through a specified mail server you must choose either TLS or SSL.  They do not allow relaying without one of these.  (There are benefits to relaying through your own mail server, but this is beside the point of this topic.)

An SMTP transaction is the same whether delivering or forwarding, but the other solutions described in this topic work only when delivering, as apparently gmail's mail server will do a final delivery without TLS/SSL, but when using the feature I'm describing which relays mail through a specified mail server gmail will only relay if the mail server supports TLS or SSL.  It makes sense that gmail must allow non-secure SMTP when doing final delivery, as not every mail server in the world supports TLS/SSL and they want to be able to deliver anywhere.  However, when relaying, they are more strict, and require a secure connection.  This secure connection seems to be broken between gmail and Mercury currently.  Something has changed with gmail, as this used to work.  Currently Mercury does not work when receiving a TLS SMTP transaction from gmail.  I've tested it with both v4.73 and v4.74.

Thanks,
Mark 

 


(this is my second reply, as it seems my first may have been lost/delayed, or maybe it was put on hold since I included a link?) 

Hi PaulW,

Thanks for the reply.  In gmail you can set up multiple email addresses to send mail from under a single gmail account.  This is handy for reading/replying from multiple addresses within a single gmail account.  From within gmail, see "Settings / Accounts and Import / Send mail as:".  When setting up one of these emails to send mail as you can specify what mail server to relay through.  When relaying, gmail will only relay when you choose either TLS or SSL.  I believe gmail's mail servers will do a final delivery without TLS or SSL, but if you want to use gmail to send email as a particular email address through a specified mail server, that mail server must support TLS or SSL.  The solutions discussed in this topic deal with a work-around for gmail doing final delivery, but not relaying mail through Mercury from gmail.

Thanks,

Mark


I just discovered that if you choose port 25 when setting up this feature in gmail they do offer an option of relaying through an unsecured connection.  Not ideal, but it does offer a work-around to this problem...

 Mark 
