I think this question can be rewritten to "Using Spring Boot and keycloak-spring-boot-starter, what happens after KeycloakSpringBootConfigResolver.resolve()?"
I have a custom keycloak config resolver:
public class CustomKeycloakConfigResolver
extends KeycloakSpringBootConfigResolver {
...
#Override
public KeycloakDeployment resolve(final HttpFacade.Request request) {
LOGGER.debug("-----------------------------------------------");
LOGGER.debug("Resolving Deployment for {}", request.getURI());
...
LOGGER.trace("---------- CREATING KEYCLOAK DEPLOYMENT ---------");
KeycloakDeployment keycloakDeployment =
KeycloakDeploymentBuilder.build(adapterConfig);
LOGGER.trace("---------- /CREATED KEYCLOAK DEPLOYMENT ---------");
return keycloakDeployment;
This pulls the KeycloakDeployment configuration from our database instead of from application.properties. Testing on a local docker swarm cluster, it works like a charm (but this is only on one machine, without SSL enabled, etc).
Pushing out to our QA environment (nginx on one machine with TLS termination, REST service on another, Keycloak on another, database provided by RDS), the generation of a KeycloakDeployment goes off without a hitch. This includes reaching out to .well-known/openid-configuration and resolving all of the Keycloak URLs, and printing both of the final trace() statements.
Almost immediately after (within 10-30ms) creating the KeycloakDeployment and returning it to the keycloak-spring-boot-starter framework, I receive a SocketTimeoutException exception. I can't tell from the exception what the system is trying to do when throws this exception, and I haven't been able to tell from https://github.com/keycloak/keycloak what the workflow is after the deployment is "resolved()".
So - what happens next?
A secured method is accessed
Spring Boot auth hands off to Keycloak auth
Keycloak auth generates a custom KeycloakDeployment
KeycloakDeployment is resolved - reaches out to Keycloak service and obtains the OIDC configuration
KeycloakDeployment is passed back to Keycloak auth framework
... Something happens that throws an immediate socket timeout exception...
Method is never invoked
How do I figure out what's happening in step 6? I find it hard to believe it's an actual socket timeout after only 20ms, and everything I think it should be accessing is up and responsive. But I'm willing to be wrong...
---- Original Question ----
I'm trying to get Keycloak working with a Spring Boot REST service behind an nginx proxy. TLS is terminated at the nginx server. Everything is in docker containers, but on separate machines (no kube, no swarm, etc).
Everything seems good. I can login to the master realm, create a new realm, add users, etc. However when the REST service tries to contact the Keycloak server (through the nginx proxy), I'm getting an SSL timeout error:
2022-03-22 18:59:13.384 INFO 26 --- [nio-8080-exec-3] o.keycloak.adapters.KeycloakDeployment : Loaded URLs from https://hostname/auth/realms/myrealm/.well-known/openid-configuration
javax.net.ssl|WARNING|18|http-nio-8080-exec-3|2022-03-22 18:59:13.409 UTC|SSLSocketImpl.java:1672|handling exception (
"throwable" : {
java.net.SocketTimeoutException: Read timed out
at java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:283)
...
Thing is, this "timeout" happens almost instantaneously after the .well-known/openid-configuration response, so I'm skeptical it's even actually a timeout, unless the threshold is set to like 10ms by default or something.
I cranked up javax.net logging with System.setProperty("javax.net.debug", "ssl:all");, and I can't see anything obvious:
2022-03-22 18:59:13.384 INFO 26 --- [nio-8080-exec-3] o.keycloak.adapters.KeycloakDeployment : Loaded URLs from https://hostname/auth/realms/myrealm/.well-known/openid-configuration
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.385 UTC|SSLSocketOutputRecord.java:331|WRITE: TLSv1.2 application_data, length = 11
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.385 UTC|SSLCipher.java:1770|Plaintext before ENCRYPTION (
0000: 07 00 00 00 03 63 6F 6D 6D 69 74 .....commit
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLSocketOutputRecord.java:346|Raw write (
0000: 17 03 03 00 23 00 00 00 00 00 00 00 80 9C 76 46 ....#.........vF
0010: 44 FA F9 3A A4 9B A1 B2 D8 9B 6A 69 76 C7 1A 3D D..:......jiv..=
0020: 94 C4 40 D2 D8 F2 E4 7E ..#.....
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLSocketInputRecord.java:488|Raw read (
0000: 17 03 03 00 23 ....#
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLSocketInputRecord.java:214|READ: TLSv1.2 application_data, length = 35
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLSocketInputRecord.java:488|Raw read (
0000: 15 13 12 41 88 AD 18 6F B8 5E 25 90 9D BA 23 BF ...A...o.^%...#.
0010: B3 A5 A9 5E 61 FA 77 BD AE A4 C0 57 B2 1D 5B 18 ...^a.w....W..[.
0020: E8 C7 77 ..w
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLSocketInputRecord.java:247|READ: TLSv1.2 application_data, length = 35
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLCipher.java:1672|Plaintext after DECRYPTION (
0000: 07 00 00 01 00 00 00 00 00 00 00 ...........
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.388 UTC|SSLSocketOutputRecord.java:331|WRITE: TLSv1.2 application_data, length = 21
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.389 UTC|SSLCipher.java:1770|Plaintext before ENCRYPTION (
0000: 11 00 00 00 03 53 45 54 20 61 75 74 6F 63 6F 6D .....SET autocom
0010: 6D 69 74 3D 31 mit=1
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.390 UTC|SSLSocketOutputRecord.java:346|Raw write (
0000: 17 03 03 00 2D 00 00 00 00 00 00 00 81 6B 87 27 ....-........k.'
0010: 9C 91 53 E2 F8 70 1C D4 FA F3 4A 79 1B B0 11 05 ..S..p....Jy....
0020: 13 3E 4F 10 A8 E8 43 B3 BB FA 1E 48 82 DF 59 25 .>O...C....H..Y%
0030: CF 9D ..
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.392 UTC|SSLSocketInputRecord.java:488|Raw read (
0000: 17 03 03 00 23 ....#
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.392 UTC|SSLSocketInputRecord.java:214|READ: TLSv1.2 application_data, length = 35
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.392 UTC|SSLSocketInputRecord.java:488|Raw read (
0000: 15 13 12 41 88 AD 18 70 E3 20 7E 21 DA B0 24 28 ...A...p. .!..$(
0010: EF 6D EB BC 5C CE 5D 94 1D BC 04 BB F9 D1 3D 72 .m..\.].......=r
0020: 0C 71 83 .q.
)
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.392 UTC|SSLSocketInputRecord.java:247|READ: TLSv1.2 application_data, length = 35
javax.net.ssl|DEBUG|18|http-nio-8080-exec-3|2022-03-22 18:59:13.393 UTC|SSLCipher.java:1672|Plaintext after DECRYPTION (
0000: 07 00 00 01 00 00 00 02 00 00 00 ...........
)
javax.net.ssl|WARNING|18|http-nio-8080-exec-3|2022-03-22 18:59:13.409 UTC|SSLSocketImpl.java:1672|handling exception (
"throwable" : {
java.net.SocketTimeoutException: Read timed out
at java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:283)
...
So between the well-known configuration call and the final timeout exception:
18:59:13.384
18:59:13.409
all of 25ms passes by - seems hard to believe there would be a legitimate timeout exception thrown, but I can't seem to get any more clue as to what is causing the timeout. The keycloak service definitely IS reachable, and responds quite quickly.
Nothing at all in the Keycloak logs, and not terribly much in the nginx logs:
[--- AUTH ---] [22/Mar/2022:19:19:56 +0000] [200] "POST /auth/realms/myrealm/protocol/openid-connect/token HTTP/1.1" "https://web.mycompany.com/"
[--- AUTH ---] [22/Mar/2022:19:19:57 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:57 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
2022/03/22 19:19:57 [info] 73#73: *659 client #.#.#.# closed keepalive connection
[--- AUTH ---] [22/Mar/2022:19:19:57 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:57 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:58 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:58 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
2022/03/22 19:19:58 [info] 73#73: *670 client #.#.#.# closed keepalive connection
2022/03/22 19:19:58 [info] 73#73: *668 client #.#.#.# closed keepalive connection
[--- AUTH ---] [22/Mar/2022:19:19:58 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:58 +0000] [200] "GET /auth/realms/myrealm/protocol/openid-connect/certs HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:58 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:58 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:59 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:59 +0000] [200] "GET /auth/realms/myrealm/protocol/openid-connect/certs HTTP/1.1" "-"
2022/03/22 19:19:59 [info] 73#73: *677 client #.#.#.# closed keepalive connection
2022/03/22 19:19:59 [info] 73#73: *675 client #.#.#.# closed keepalive connection
[--- AUTH ---] [22/Mar/2022:19:19:59 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:59 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:19:59 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:20:00 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
2022/03/22 19:20:00 [info] 73#73: *664 client #.#.#.# closed keepalive connection
2022/03/22 19:20:00 [info] 73#73: *666 client #.#.#.# closed keepalive connection
2022/03/22 19:20:00 [info] 73#73: *672 client #.#.#.# closed keepalive connection
2022/03/22 19:20:00 [info] 73#73: *682 client #.#.#.# closed keepalive connection
2022/03/22 19:20:00 [info] 73#73: *684 client #.#.#.# closed keepalive connection
2022/03/22 19:20:00 [info] 74#74: *686 client #.#.#.# closed keepalive connection
[--- AUTH ---] [22/Mar/2022:19:20:00 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:20:00 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:20:01 +0000] [200] "GET /auth/realms/myrealm/.well-known/openid-configuration HTTP/1.1" "-"
[--- AUTH ---] [22/Mar/2022:19:20:01 +0000] [200] "GET /auth/realms/myrealm/protocol/openid-connect/certs HTTP/1.1" "-"
[--- REST ---] [22/Mar/2022:19:20:01 +0000] [401] "GET /api/v1/stuff HTTP/1.1" "https://web.mycompany.com/"
Any help as to what's going on?
Other notes:
I've gone through the Setting Up a load balancer or proxy instructions from Keycloak. Specifically, the nginx server has the following:
upstream AUTH {
server #.#.#.#:8080;
server #.#.#.#:8080;
}
...
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://AUTH;
I think that covers bullet points 1 and 2.
Bullet point 3 is covered by the keycloak server. The standalone-ha.xml file has:
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="true">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker http-authentication-factory="application-http-authentication"/>
</host>
</server>
and the container is launched with the environment variable
PROXY_ADDRESS_FORWARDING=true
I've verified with a false login that Keycloak is seeing the end user's IP address rather than the nginx server:
15:17:07,304 WARN [org.keycloak.events] (default task-14) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=#.#.#.#, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://host.name/auth/admin/master/console/#/realms/MyRealm/login-settings, code_id=..., username=foo, authSessionParentId=..., authSessionTabId=...
Where #.#.#.# is my IP address.
Related
I am having a problem with Google's SMTP servers. They reject my SMTP server's IP for no valid reason. My server complies with all the necessary rules to deliver the message but Google rejects it by IP without giving me details and I cannot find support either. I have written to postmaster#gmail.com but got no response. My server sends notifications to the users of the system, it does not do SPAM and apparently everything is correct. I don't see a valid reason for this crash, and I can't find a way to fix it. I would like to know if the same thing happened to someone and how they could solve it. Next I copy the console with the delivery attempt and additionally some DNS checks that show that apparently there is no problem on my server:
root#venabili:~# hostname -f
venabili.tecnologica.com.ar
root#venabili:~# id
uid=0(root) gid=0(root) grupos=0(root)
root#venabili:~# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 200.69.236.179 netmask 255.255.255.0 broadcast 200.69.236.255
inet6 fe80::f816:3eff:fe27:b8e1 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:27:b8:e1 txqueuelen 1000 (Ethernet)
RX packets 302342269 bytes 32703331063 (30.4 GiB)
RX errors 0 dropped 17 overruns 0 frame 0
TX packets 75025298 bytes 12670842456 (11.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root#venabili:~# nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> set type=mx
> tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
tecnologica.com.ar mail exchanger = 10 venabili.tecnologica.com.ar.
Authoritative answers can be found from:
> set type=a
> venabili.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: venabili.tecnologica.com.ar
Address: 200.69.236.179
> set type=aaaa
> venabili.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: venabili.tecnologica.com.ar
Address: fe80::f816:3eff:fe27:b8e1
> set type=ptr
> 200.69.236.179
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
179.236.69.200.in-addr.arpa name = venabili.tecnologica.com.ar.
Authoritative answers can be found from:
> set type=txt
> tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
tecnologica.com.ar text = "v=spf1 a mx ip4:200.69.236.179 ip6:fe80::f816:3eff:fe27:b8e1 ~all"
Authoritative answers can be found from:
> set type=txt
> default._domainkey.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
default._domainkey.tecnologica.com.ar text = "v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz+GrX8vxp9W51ehJuixhL5AbjmCgcN2h7KqMiLI8LMUfmpWPP1GIhxlWCieFUVMOAQGlQrImuFE3kk/qLOgyumzUTRBwxlNX+7tix7dlBclXAWq8SjB9SbbAcPKkTBAq0pvXvp4l4qTCFnfVXAs1g/lCywlJrbfAFVVXWdN44ElFz+bD4YRYsXSmz//L1uFU7YE" "zkFUvbMtwBOL1xRvjAFXH4xQ7/vkHX6+OIxnm47vO/a2CqFVXok0FhAj44BmlBT+Py0x0SP8jsm+xhnLc238ZIsGylTwCb0Zbl3DR9bKGBy9FqXoUyRIzWKEkAtwaKq7qeBO3oRT4kQOKEOog2QIDAQAB"
Authoritative answers can be found from:
> _dmarc.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
_dmarc.tecnologica.com.ar text = "v=DMARC1; p=reject; rua=mailto:postmaster#tecnologica.com.ar; ruf=mailto:postmaster#tecnologica.com.ar"
Authoritative answers can be found from:
> _smtp._tls.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
_smtp._tls.tecnologica.com.ar text = "v=TLSRPTv1; rua=mailto:postmaster#tecnologica.com.ar"
Authoritative answers can be found from:
> _mta-sts.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
_mta-sts.tecnologica.com.ar text = "v=STSv1; id=20200918192500"
Authoritative answers can be found from:
> set type=cname
> mta-sts.tecnologica.com.ar
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
mta-sts.tecnologica.com.ar canonical name = venabili.tecnologica.com.ar.
Authoritative answers can be found from:
> exit
root#venabili:~# openssl s_client -connect mta-sts.tecnologica.com.ar:443
CONNECTED(00000004)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mta-sts.tecnologica.com.ar
verify return:1
---
Certificate chain
0 s:CN = mta-sts.tecnologica.com.ar
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbTCCBFWgAwIBAgISBC7Vr1sblDEJHYgxBtfro6xcMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA5MTgyMzM4MjdaFw0y
MDEyMTcyMzM4MjdaMCUxIzAhBgNVBAMTGm10YS1zdHMudGVjbm9sb2dpY2EuY29t
LmFyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5glA7vEmuS0EzKhn
w9IfLPHHertYYOYx54t/2zr8G1pSmkCjrOlfV+YHwIuWeehxDUz/ezy1JXyK11kd
raDd71MoBd9mV12fjITO99oDpkYu9g09TxJ9rpIEkU8LRGkgjfDGBBtf5X5Za+Ah
gWbJ4JudVoykVZ00riQsZzbfJ8FNZcwEgErWCZCBL45tR7tfeFlXTJGFhyszqQN+
r4gS3C/JpsObIMaoqmkJrO5YUGcfGvqDOG3INthp2L9/t743OfYUGTqRFu09Rq5S
xwEYxR8GksaLwzMWOIRelMP4W5F9ce7hhdxU68cK4j9rHXaaeNXLySeMs7K9C2vt
p1nnowIDAQABo4ICcDCCAmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ1A7mXXvtb
eS6ZYRtw4EA7WhJ3/zAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBv
BggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5s
ZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5s
ZXRzZW5jcnlwdC5vcmcvMCUGA1UdEQQeMByCGm10YS1zdHMudGVjbm9sb2dpY2Eu
Y29tLmFyMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYI
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHW
eQIEAgSB9gSB8wDxAHcA5xLysDd+GmL7jskMYYTx6ns3y1YdESZb8+DzS/JBVG4A
AAF0o8xFcQAABAMASDBGAiEAlc3Q8FEkd5ZUayxVfeorQv9+Jt1OSgOOP+jqVw5K
sskCIQCE0Hx7YDWcJ9o4Cck50WP7UtA/qRgmfn1fVIHyEZMftwB2AAe3XBvlfWj/
8bDGHSMVx7rmV3xXlLdq7rxhOhpp06IcAAABdKPMRZcAAAQDAEcwRQIgBVUd9xxC
DVX/kr0+308ra9YOqJC/yvBJnktxWg6YUVMCIQCR14/ouxc+Ydm4tePVBjBnmpRq
QzQEDYrd+4R7JjpiCjANBgkqhkiG9w0BAQsFAAOCAQEAlCnRwvP7wNRHTzB5N9/N
2cBPuVxKbvf1rHwusXYzQBVlyM6grEvjTgd5V/C+we1ueDUp991tP3z5AAksIGWM
/ssDlK0VSxv9PIzC1LxDK39Sl+P8xkuGj0zSDYg321sFjFyZLashP+xFYyzx3QdD
9h65J0uB/BigWOIN9sK1vLVhIB4yqV190vucyMamJBZ1dvSaYCi52dCgEEsAxM3v
LksETYgpSqB4+6zB2ae3/FN2/m3vyWCdFv1fL19hIidKjwIYhIKVOLKTQCYvCd+p
srhlTtnRf8i+P8Dni9xKmKSFwSGc8L+AS0AfTh6M/+IEPOO2zJsp1R/PBWgiy42v
fw==
-----END CERTIFICATE-----
subject=CN = mta-sts.tecnologica.com.ar
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3203 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 38FDD25BCB4C28F5364CA3418C05D13F279E62882E594190276850599BB67EAB
Session-ID-ctx:
Master-Key: 41AEF29EC1545AAE8C53958032EFF464E237232D8AA9D22CF9513297DFFBA40645226685FE58FEC782DA20CDFFEB5EDB
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5f 78 fa 6f 3a 54 9c c2-f0 8e b2 b7 70 13 05 d4 _x.o:T......p...
0010 - 4b 39 84 62 c7 cb 96 f8-89 5c 27 09 6c 2b aa ad K9.b.....\'.l+..
0020 - 52 22 36 d6 a3 0b 8b 5e-ed 4b 78 f5 49 61 47 69 R"6....^.Kx.IaGi
0030 - c9 e7 41 88 c2 e6 29 86-b5 52 a9 8f 56 3f 79 3e ..A...)..R..V?y>
0040 - 14 bd b5 24 ca c5 f7 a4-ab b9 f9 26 dc 1c 71 7a ...$.......&..qz
0050 - ab 5a a2 a9 76 df 61 70-a5 91 5f 69 36 bc 64 69 .Z..v.ap.._i6.di
0060 - 02 b5 4b ba 79 e0 c9 a7-3b e2 a6 30 9b 2b 34 33 ..K.y...;..0.+43
0070 - 02 af 1e 3c 82 90 bc ca-32 b3 57 5b e0 b6 33 b0 ...<....2.W[..3.
0080 - a6 4c dc a8 c9 01 29 cf-98 ba 7c 40 3a ae 4b 04 .L....)...|#:.K.
0090 - 95 66 2f 96 b2 b9 5b f1-b0 f2 b0 6c e4 61 6f d0 .f/...[....l.ao.
00a0 - 98 a2 67 06 c9 22 ef a3-f5 ec 24 ac a2 b1 5f 4e ..g.."....$..._N
Start Time: 1600571394
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
GET /.well-known/mta-sts.txt HTTP/1.1
Host: venabili.tecnologica.com.ar
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 20 Sep 2020 03:10:22 GMT
Content-Type: text/plain
Content-Length: 77
Last-Modified: Sat, 19 Sep 2020 14:07:46 GMT
Connection: keep-alive
ETag: "5f6610b2-4d"
Accept-Ranges: bytes
version: STSv1
mode: testing
mx: venabili.tecnologica.com.ar
max_age: 604800
^C
root#venabili:~# openssl s_client -starttls smtp -connect venabili.tecnologica.com.ar:587 -crlf -ign_eof
CONNECTED(00000004)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = venabili.tecnologica.com.ar
verify return:1
---
Certificate chain
0 s:CN = venabili.tecnologica.com.ar
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbzCCBFegAwIBAgISBAyLUnN1zyR0tAMF7k1G3023MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA5MTgyMjMxMjZaFw0y
MDEyMTcyMjMxMjZaMCYxJDAiBgNVBAMTG3ZlbmFiaWxpLnRlY25vbG9naWNhLmNv
bS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/svQH9FsoQZyGh
krGZLrN3GAzwuAV2IEsYdAixVrVXGPPjA4oTxQDWncBPVh8x6nMstJqq4xP19aBr
pw5P2rcsMvLT9RJ14wGuNzzDcx9uOmR709ZrPpPzZJ4JJnZxQP5dE2jJMrPQ7tnI
3AudscEaAMW8qBLj91jPDiv4LbRHL4xU+w46yZbB6szgb4u567SSKFaVlRQ8tmCt
msIkYdA5mP5/1Z0QN6PgtAzCWECEkn/eRpuTUHliMjgCocwQ3RYkofGrNQ1a4H7F
RgdaQzjCjQ7JdT/pZTYWrejr3alMsFAukRfIH/FMI5v8ojaxzlQOhz46WJiw3qNH
rmjb+G0CAwEAAaOCAnEwggJtMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU91GfsO41
iPZN1SROqwqnCPSN9yIwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEw
bwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMu
bGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMu
bGV0c2VuY3J5cHQub3JnLzAmBgNVHREEHzAdght2ZW5hYmlsaS50ZWNub2xvZ2lj
YS5jb20uYXIwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAm
BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEE
AdZ5AgQCBIH2BIHzAPEAdwDnEvKwN34aYvuOyQxhhPHqezfLVh0RJlvz4PNL8kFU
bgAAAXSjjusOAAAEAwBIMEYCIQDOwhtVW/tkJzexdCpcX2gLXX7axA8Fw4bDURrr
tu/ecQIhAKpdzqz+iWGw9I7pkKfYNjyyLdWojRlT+IYQfR7qxQc4AHYAB7dcG+V9
aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAF0o47rMwAABAMARzBFAiBUUOSO
S+8ueu2ACk+862qxbAsXylwZAfHhg/7HmEeEQQIhAKq3jqMMSIjTo47t2JXrU58d
PP6E3NwNHOgGCNje4R/nMA0GCSqGSIb3DQEBCwUAA4IBAQAua/T4drS/7xpNmGDV
Xp2iFhSaVsbWeHh5+40POEAy9NvaZ8O4CeNjV3NeV84QI2Jh1PjehebM72K85rCT
7jEOqaJY5vmKrLBVji6MsgryyGLm4Y368nMR3JrXDLUkATgart+jLdsxLbaRsI1t
Gf+BLc6TYb4roGiI7TTjEQDAy2SOGqfOWbAEdVKIEr9P3IBrlOSOl2o8gd97PXQ/
vEmklVM/5zr5l5paInHOidBL8y8qVk2s9AkaQNAS2QTX5+iFl9D1u8z5mz49eKPb
sb9GSFVTm/qe0KHl02qga4/1ANRoNCuKoaE5xxhqyboJwy58qp7opbzipqxbQI0T
N8e/
-----END CERTIFICATE-----
subject=CN = venabili.tecnologica.com.ar
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3389 bytes and written 432 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: D8A0F5C48FBFE47FAEF6482AC696CBCAB01EB030F683053A41539DCD5B91E593
Session-ID-ctx:
Resumption PSK: 3CACF3832764ACCF8A00FFDAFA9A8771E62C04FCDF1429A85EB2A3AC0F39733F642045E4602CE73F62AEC75745B51392
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 30 00 51 89 4c df 15 62-da 50 55 37 92 60 65 f2 0.Q.L..b.PU7.`e.
0010 - 05 72 39 3d fb 1e 8a 05-2f 95 6b f0 cd 33 29 b0 .r9=..../.k..3).
0020 - b7 38 89 4f 2f 32 91 66-f7 59 2f 80 43 fc 81 f7 .8.O/2.f.Y/.C...
0030 - c6 53 68 3d d8 69 0d 10-6c 4c 62 9c 81 d9 ec 60 .Sh=.i..lLb....`
0040 - 9f ef a0 95 46 d3 e0 10-29 09 20 ab 48 3b 07 34 ....F...). .H;.4
0050 - 82 d3 0e 39 3d 11 18 e8-9e 44 b7 69 b9 d0 45 2e ...9=....D.i..E.
0060 - 97 4f da 69 aa 89 27 2c-e5 9c 63 39 4b f8 3f 54 .O.i..',..c9K.?T
0070 - 23 1a db 73 ac 7e 78 20-76 f5 67 b9 8f e1 c3 34 #..s.~x v.g....4
0080 - d7 f0 b5 0b 0d c7 dc 80-f6 40 0c 20 3f 8d 16 b7 .........#. ?...
0090 - 3a c2 e2 a9 c1 b6 fd 84-65 7f a5 1c 16 81 60 5a :.......e.....`Z
00a0 - 53 12 3a bf d0 4a 0c 0e-a2 3b 57 ce ad 63 89 e6 S.:..J...;W..c..
00b0 - a7 58 ea 21 f9 2e 04 00-ff 6f a7 40 9d 2c bf 39 .X.!.....o.#.,.9
00c0 - 8d d9 19 c9 e1 05 a6 19-a4 60 06 75 8d 3e 95 89 .........`.u.>..
Start Time: 1600567929
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
ehlo venabili.tecnologica.com.ar
250-venabili.tecnologica.com.ar
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
auth login
334 VXNlcm5hbWU6
bm8tcmVzcG9uZGVyQHRlY25vbG9naWNhLmNvbS5hcg==
334 UGFzc3dvcmQ6
!!!
235 2.7.0 Authentication successful
mail from: no-responder#tecnologica.com.ar
250 2.1.0 Ok
rcpt to: jmouriz#gmail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
from: root <no-responder#tecnologica.com.ar>
to: Juan Manuel Mouriz <jmouriz#gmail.com>
subject: Mensaje de prueba
Hola, este es un mensaje de prueba
.
250 2.0.0 Ok: queued as 5E50844853
quit
221 2.0.0 Bye
closed
root#venabili:~# grep 5E50844853 /var/log/mail.log
Sep 19 23:18:54 venabili postfix/submission/smtpd[7994]: 5E50844853: client=venabili.tecnologica.com.ar[200.69.236.179], sasl_method=login, sasl_username=no-responder#tecnologica.com.ar
Sep 19 23:20:35 venabili postfix/cleanup[8543]: 5E50844853: message-id=<20200920021854.5E50844853#venabili.tecnologica.com.ar>
Sep 19 23:20:35 venabili postfix/qmgr[5677]: 5E50844853: from=<no-responder#tecnologica.com.ar>, size=554, nrcpt=1 (queue active)
Sep 19 23:20:35 venabili postfix/cleanup[8543]: 6F3BE4485D: message-id=<20200920021854.5E50844853#venabili.tecnologica.com.ar>
Sep 19 23:20:35 venabili amavis[26666]: (26666-19) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [200.69.236.179]:55833 [200.69.236.179] <no-responder#tecnologica.com.ar> -> <jmouriz#gmail.com>, Queue-ID: 5E50844853, Message-ID: <20200920021854.5E50844853#venabili.tecnologica.com.ar>, mail_id: bcEyyqxUQvNK, Hits: -1, size: 554, queued_as: 6F3BE4485D, dkim_new=default:tecnologica.com.ar, 329 ms
Sep 19 23:20:35 venabili postfix/smtp[8676]: 5E50844853: to=<jmouriz#gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=115, delays=115/0.02/0.01/0.32, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 6F3BE4485D)
Sep 19 23:20:35 venabili postfix/qmgr[5677]: 5E50844853: removed
root#venabili:~# grep 6F3BE4485D /var/log/mail.log
Sep 19 23:20:35 venabili postfix/smtpd[8679]: 6F3BE4485D: client=localhost[127.0.0.1]
Sep 19 23:20:35 venabili postfix/cleanup[8543]: 6F3BE4485D: message-id=<20200920021854.5E50844853#venabili.tecnologica.com.ar>
Sep 19 23:20:35 venabili postfix/qmgr[5677]: 6F3BE4485D: from=<no-responder#tecnologica.com.ar>, size=1625, nrcpt=1 (queue active)
Sep 19 23:20:35 venabili amavis[26666]: (26666-19) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [200.69.236.179]:55833 [200.69.236.179] <no-responder#tecnologica.com.ar> -> <jmouriz#gmail.com>, Queue-ID: 5E50844853, Message-ID: <20200920021854.5E50844853#venabili.tecnologica.com.ar>, mail_id: bcEyyqxUQvNK, Hits: -1, size: 554, queued_as: 6F3BE4485D, dkim_new=default:tecnologica.com.ar, 329 ms
Sep 19 23:20:35 venabili postfix/smtp[8676]: 5E50844853: to=<jmouriz#gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=115, delays=115/0.02/0.01/0.32, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 6F3BE4485D)
Sep 19 23:20:37 venabili postfix/smtp[8680]: 6F3BE4485D: to=<jmouriz#gmail.com>, relay=gmail-smtp-in.l.google.com[172.217.192.26]:25, delay=1.7, delays=0.02/0.02/0.88/0.8, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[172.217.192.26] said: 550-5.7.1 [200.69.236.179] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 https://support.google.com/mail/?p=NotAuthorizedError a44si4686321qtk.87 - gsmtp (in reply to end of DATA command))
Sep 19 23:20:37 venabili postfix/bounce[8681]: 6F3BE4485D: sender non-delivery notification: 32EF64485E
Sep 19 23:20:37 venabili postfix/qmgr[5677]: 6F3BE4485D: removed
root#venabili:~#
The domain in question is tecnologica.com.ar and I leave a link to some verifications where it is seen that the RR SPF, DKIM, DMARC, _SMTP._TLS, _MTA-STS, MTA-STS, CAA and PTR are correct and it is not a open relay:
https://mxtoolbox.com/domain/tecnologica.com.ar
The certificates are signed by Let's Encrypt. The host name matches the certificate. The classes are correct. And finally, I do not SPAM. I would greatly appreciate a help because at this point I am completely disoriented and can't find what else to do.
I am not looking for a solution but rather where I can find it.
Thank you very much for your help
Additional info
This is a report domain for DMARC:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support#google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>7762784093316082866</report_id>
<date_range>
<begin>1603756800</begin>
<end>1603843199</end>
</date_range>
</report_metadata>
<policy_published>
<domain>tecnologica.com.ar</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>200.69.236.179</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>tecnologica.com.ar</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>tecnologica.com.ar</domain>
<result>pass</result>
<selector>default</selector>
</dkim>
<spf>
<domain>tecnologica.com.ar</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
And this is a report domain for TLS:
{"organization-name":"Google Inc.","date-range":{"start-datetime":"2020-10-26T00:00:00Z","end-datetime":"2020-10-26T23:59:59Z"},"contact-info":"smtp-tls-reporting#google.com","report-id":"2020-10-26T00:00:00Z_tecnologica.com.ar","policies":[{"policy":{"policy-type":"sts","policy-string":["version: STSv1\r","mode: testing\r","mx: venabili.tecnologica.com.ar\r","max_age: 604800\r","\r"],"policy-domain":"tecnologica.com.ar"},"summary":{"total-successful-session-count":1,"total-failure-session-count":0}}]}
My application sends an email to an Exchange mail server, mail server is configured with a third party application where it routes email to agent and agent replies to that email. Application reads agent reply from the mailbox which is used to send the email.
Email sending code is below;
Message mimeMessage = new MimeMessage(session);
mimeMessage.setFrom(new InternetAddress(from));
mimeMessage.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
mimeMessage.setSubject(subject);
mimeMessage.setContent(emailText,"text/plain");
mimeMessage.setReplyTo(replyToAddress);
Transport.send(mimeMessage);
This works perfectly. When agent reply is received, Application read it as;
if (message.isMimeType("multipart/MIXED")) {
logger.info("Email MIME Type is: multipart/MIXED");
MimeMultipart multipart =(MimeMultipart)message.getContent();
logger.info("Content type = "+multipart.getContentType());
int count = multipart.getCount();
}
The content type is "multipart/mixed" but the count is 0 means there are no parts in this emails.
I need to set System property,
System.setProperty("mail.mime.multipart.allowempty", "true");
if it is not set, multipart.getCount() throws "missingBoundryException".
Why it is so ?
I can see that the agent's reply is not empty.
The email was sent with content type as text/plain, why reply type is multipart/mixed?
Is this due to any invalid formatting of email by third party application, what is the workaround?
Below is the snap of agent reply.
Below is the raw MIME content,
Received: from sociaminer.host (192.168.1.29) by thirdpartHost
(192.168.1.53) with Microsoft SMTP Server (TLS) id 14.1.218.12; Thu, 19 Jan
2017 17:06:26 +0500
To: hafiz <hafiz#bla.bla>
Message-ID: <hassan.MESSAGEID#bla.bla>
In-Reply-To: <CF72F94#bla.bla>
References: <CF72F945A#bla.bla>
Subject: Re: 1122+50
Content-Type: multipart/mixed;
boundary="----=_Part_127_14151461.1484827604583"
From: <reply#bla.bla>
Return-Path: reply#bla.bla
Date: Thu, 19 Jan 2017 17:06:26 +0500
X-MS-Exchange-Organization-AuthSource: bla.bla
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 06
X-Originating-IP: [SocialMinerIP]
MIME-Version: 1.0
------=_Part_127_14151461.1484827604583
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">Reply to 50<br>
<blockquote><hr>
<b>From:</b> hafiz <hafiz#bla.bla><br><b>Sent:</b> Thursday, January 19, 2017 5:05 PM<br><b>To:</b> testing2 <testing2#bla.bla><br><b>Subject:</b> 1122+50<br>
<html dir="ltr">
<head>
<style type="text/css" id="owaParaStyle"></style>
</head>
<body fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Testing 50</div>
</body>
</html>
</blockquote>
------=_Part_127_14151461.1484827604583--
JavaMail debug output looks like below,
DEBUG: setDebug: JavaMail version 1.4.7
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
DEBUG IMAP: mail.imap.fetchsize: 16384
DEBUG IMAP: mail.imap.ignorebodystructuresize: false
DEBUG IMAP: mail.imap.statuscachetimeout: 1000
DEBUG IMAP: mail.imap.appendbuffersize: -1
DEBUG IMAP: mail.imap.minidletime: 10
DEBUG IMAP: disable AUTH=PLAIN
DEBUG IMAP: enable STARTTLS
DEBUG IMAP: trying to connect to host "Echange IP", port 143, isSSL false
* OK The Microsoft Exchange IMAP4 service is ready.
A0 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 LOGINDISABLED STARTTLS UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
A0 OK CAPABILITY completed.
DEBUG IMAP: protocolConnect login, host=192.168.1.53, user=hafiz#bla.bla, password=<non-null>
A1 STARTTLS
A1 OK Begin TLS negotiation now.
A2 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
A2 OK CAPABILITY completed.
DEBUG IMAP: AUTH: NTLM
DEBUG IMAP: AUTH: GSSAPI
DEBUG IMAP: AUTH: PLAIN
DEBUG IMAP: AUTHENTICATE NTLM command trace suppressed
DEBUG NTLM: type 1 message: 4E 54 4C 4D 53 53 50 00 01 00 00 00 03 A2 00 00 00 00 00 00 23 00 00 00 03 00 03 00 20 00 00 00 31 39 32
DEBUG NTLM: type 3 message: 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 68 00 00 00 18 00 18 00 80 00 00 00 00 00 00 00 40 00 00 00 22 00 22 00 40 00 00 00 06 00 06 00 62 00 00 00 00 00 00 00 98 00 00 00 01 82 00 00 68 00 61 00 66 00 69 00 7A 00 40 00 65 00 66 00 6C 00 61 00 62 00 2E 00 6C 00 6F 00 63 00 61 00 6C 00 31 00 39 00 32 00 3B 5E 2B 86 67 49 E3 01 C9 9E F2 CA ED 54 21 11 81 89 94 C6 EC E0 26 E3 BA DB E7 5A F4 CA 28 17 7C 0E 8A 08 18 B5 5A 4E 72 4F C5 7F 52 64 FA 76
DEBUG IMAP: AUTHENTICATE NTLM command result: A3 OK AUTHENTICATE completed.
A4 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
A4 OK CAPABILITY completed.
DEBUG IMAP: AUTH: NTLM
DEBUG IMAP: AUTH: GSSAPI
DEBUG IMAP: AUTH: PLAIN
DEBUG IMAP: connection available -- size: 1
A5 SELECT INBOX
* 40 EXISTS
* 0 RECENT
* FLAGS (\Seen \Answered \Flagged \Deleted \Draft $MDNSent)
* OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $MDNSent)] Permanent flags
* OK [UNSEEN 39] Is the first unseen message
* OK [UIDVALIDITY 436] UIDVALIDITY value
* OK [UIDNEXT 46] The next unique identifier value
A5 OK [READ-WRITE] SELECT completed.
A6 SEARCH UNSEEN ALL
* SEARCH 39
A6 OK SEARCH completed.
A7 SEARCH UNSEEN ALL
* SEARCH 39
A7 OK SEARCH completed.
main INFO emailToSms.EmailReader - 1 unread emails read from inbox.
A8 STORE 39 +FLAGS (\Seen)
* 39 FETCH (FLAGS (\Seen))
A8 OK STORE completed.
A9 FETCH 39 (BODY.PEEK[HEADER])
* 39 FETCH (BODY[HEADER] {851}
MIME-Version: 1.0
Received: from HOST (IP) by HOST
(192.168.1.53) with Microsoft SMTP Server (TLS) id 14.1.218.12; Thu, 19 Jan
2017 17:06:26 +0500
To: hafiz <hafiz#bla.bla>
Message-ID: <hassan.B69E3DD110000159000004A73F57FEE3.1484827604448.cisco-ccp#bla.bla>
In-Reply-To: <CF72F945A1ED2E438A53A11DA9415F65A0E981#Expert.bla.bla>
References: <CF72F945A1ED2E438A53A11DA9415F65A0E981#Expert.bla.bla>
Subject: Re: 1122+50
Content-Type: multipart/mixed;
boundary="----=_Part_127_14151461.1484827604583"
From: <testing2#bla.bla>
Return-Path: testing2#bla.bla
Date: Thu, 19 Jan 2017 17:06:26 +0500
X-MS-Exchange-Organization-AuthSource: Expert.bla.bla
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 06
X-Originating-IP: [IP]
)
A9 OK FETCH completed.
A10 FETCH 39 (ENVELOPE INTERNALDATE RFC822.SIZE)
* 39 FETCH (ENVELOPE ("Thu, 19 Jan 2017 17:06:26 +0500" "Re: 1122+50" ((NIL NIL "testing2" "bla.bla")) NIL NIL (("hafiz" NIL "hafiz" "bla.bla")) NIL NIL "<CF72F945A1ED2E438A53A11DA9415F65A0E981#Expert.bla.bla>" "<hassan.B69E3DD110000159000004A73F57FEE3.1484827604448.cisco-ccp#bla.bla>") INTERNALDATE "19-Jan-2017 17:06:26 +0500" RFC822.SIZE 1250)
A10 OK FETCH completed.
A11 FETCH 39 (BODYSTRUCTURE)
* 39 FETCH (BODYSTRUCTURE ("multipart" "mixed" ("boundary" "----=_Part_127_14151461.1484827604583") NIL NIL 7BIT 0 NIL NIL NIL NIL))
A11 OK FETCH completed.
DEBUG IMAP: IMAPProtocol noop
A12 NOOP
A12 OK NOOP completed.
This is a bug in Microsoft Exchange. Report this bug to Microsoft and upgrade to a newer version or newer service pack if possible in case they've already fixed it.
Exchange is returning the BODYSTRUCTURE information for the message as if it were a single part message when in fact it is a multipart message. This is a violation of the IMAP protocol spec.
You can use the workaround in the JavaMail FAQ.
Also, you might want to upgrade to a newer version of JavaMail - 1.4.7 is pretty old, the current version is 1.5.6.
I'm using scala-ssh 0.7.0 to download a file from a remote server.
The download itself seems to be successful (I can find the downloaded file). Here is the last part of the log output:
16:14:43.824 [main] TRACE
net.schmizz.sshj.xfer.LoggingTransferListener -- transferred 100% of
log-file.txt 16:14:43.824 [main] INFO
net.schmizz.sshj.common.StreamCopier -- 44.82421875 KiB transferred in
1.572 seconds (28.514134064885496 KiB/s) 16:14:43.825 [main] DEBUG net.schmizz.sshj.xfer.scp.SCPEngine -- Remote agrees transfer done
16:14:43.826 [main] DEBUG net.schmizz.sshj.xfer.scp.SCPEngine --
Signalling: Transfer done 16:14:43.826 [main] TRACE
net.schmizz.sshj.transport.Encoder -- Encoding packet #10: 5e 00 00 00
00 00 00 00 01 00 16:14:43.826 [main] DEBUG
net.schmizz.sshj.connection.channel.Window$Remote -- Consuming by 1
down to 2097148 16:14:44.220 [reader] TRACE
net.schmizz.sshj.transport.Decoder -- Received packet #14: 62 00 00 00
00 00 00 00 0b 65 78 69 74 2d 73 74 61 74 75 73 00 00 00 00 00
16:14:44.221 [reader] TRACE net.schmizz.sshj.transport.TransportImpl
-- Received packet CHANNEL_REQUEST 16:14:44.221 [reader] DEBUG net.schmizz.sshj.connection.channel.direct.SessionChannel -- Got chan
request for exit-status 16:14:44.222 [reader] TRACE
net.schmizz.sshj.transport.Decoder -- Received packet #15: 60 00 00 00
00 16:14:44.222 [reader] TRACE
net.schmizz.sshj.transport.TransportImpl -- Received packet
CHANNEL_EOF 16:14:44.222 [reader] DEBUG
net.schmizz.sshj.connection.channel.direct.SessionChannel -- Got EOF
16:14:44.223 [reader] TRACE net.schmizz.sshj.transport.Decoder --
Received packet #16: 61 00 00 00 00 16:14:44.223 [reader] TRACE
net.schmizz.sshj.transport.TransportImpl -- Received packet
CHANNEL_CLOSE 16:14:44.223 [main] DEBUG
net.schmizz.sshj.connection.channel.direct.SessionChannel -- Sending
close 16:14:44.223 [reader] DEBUG
net.schmizz.sshj.connection.channel.direct.SessionChannel -- Got close
16:14:44.224 [main] TRACE net.schmizz.sshj.transport.Encoder --
Encoding packet #11: 61 00 00 00 00 16:14:44.225 [main] DEBUG
net.schmizz.concurrent.Promise -- Awaiting <>
16:14:44.225 [reader] DEBUG net.schmizz.sshj.connection.ConnectionImpl
-- Forgetting session channel (#0)
16:14:44.225 [reader] DEBUG net.schmizz.concurrent.Promise -- Setting <> to SOME
My code is very simple:
import com.decodified.scalassh._
val sshClient = new SshClient(new HostConfig(login = PasswordLogin(userName, SimplePasswordProducer(password)), hostName))
sshClient.download(filePath, targetDirectory)
Now, although the download finishes successfully, and the application execution continues after the download command, the application itself doesn't exit.
Any ideas?
The implicit conversion to RichSshClient seems to be behind this.
I avoided the implicit convertion to RichSshClient by creating a new class -- 'SshClientEnhanced' which extends SshClient with ScpTransferable. Invoking download method on an instance of SshClientEnhanced works fine.
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 10 years ago.
I've encountered a serious bug in OpenSSL 1.0.1 on Ubuntu 12.04:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665452
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666051 <- dated Oct 3 2012!
The gist of it is that I'm able to connect to some servers but not others. Connecting to google works:
openssl s_client -connect mail.google.com:443 -debug -state -msg -CAfile /etc/ssl/certs/ca-certificates.crt
...
Protocol : TLSv1.1
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: 94DB1AC8531115C501434B16A5E9B735722768581778E4FEA4D9B19988551397
Session-ID-ctx:
Master-Key: 8694BF510CD7568CBAB39ECFD32D115C511529871F3030B67A4F7AEAF957D714D3E94E4CE6117F686C975EFF21FB8708
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - fb 52 d6 d3 3c a8 75 e1-1f 1d f6 23 ab ce 55 44 .R..<.u....#..UD
0010 - 27 bf ad c4 7a 0d 83 c8-48 59 48 4b 39 bb 3c c7 '...z...HYHK9.<.
0020 - 01 1e ad b3 13 de 65 d4-e8 ea e4 35 89 83 55 8e ......e....5..U.
0030 - e4 d5 9f 60 58 51 33 9b-83 34 b9 35 3d 46 cb a3 ...`XQ3..4.5=F..
0040 - 35 7b 48 5d 7b 86 5c d5-a1 14 9d 8c 3e 93 eb fb 5{H]{.\.....>...
0050 - ac 78 75 72 9b d2 bc 67-f2 fa 5b 75 80 a6 31 d8 .xur...g..[u..1.
0060 - 71 15 85 7f 55 4d dc fb-b0 b5 33 db 6d 36 8c c6 q...UM....3.m6..
0070 - e8 f9 54 7a 29 69 87 2c-dd f3 c5 cf 26 55 6f 6e ..Tz)i.,....&Uon
0080 - 45 73 7a 1d e4 b3 be b2-92 3f 0b ed c4 1c a5 24 Esz......?.....$
0090 - 3c f0 ca a5 <...
Start Time: 1354063165
Timeout : 300 (sec)
Verify return code: 0 (ok)
But connecting to facebook doesn't:
openssl s_client -connect graph.facebook.com:443 -debug -state -msg -CAfile /etc/ssl/certs/ca-certificates.crt -cipher SRP-AES-256-CBC-SHA
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0xddd2c0 [0xddd340] (64 bytes => 64 (0x40))
0000 - 16 03 01 00 3b 01 00 00-37 03 02 50 b5 5d 75 42 ....;...7..P.]uB
0010 - c2 78 55 49 b5 2e de 4f-00 a6 a8 d5 cf 10 92 44 .xUI...O.......D
0020 - 28 62 34 d6 61 5e 88 c3-68 8b 96 00 00 04 c0 20 (b4.a^..h......
0030 - 00 ff 02 01 00 00 09 00-23 00 00 00 0f 00 01 01 ........#.......
>>> TLS 1.1 [length 003b]
01 00 00 37 03 02 50 b5 5d 75 42 c2 78 55 49 b5
2e de 4f 00 a6 a8 d5 cf 10 92 44 28 62 34 d6 61
5e 88 c3 68 8b 96 00 00 04 c0 20 00 ff 02 01 00
00 09 00 23 00 00 00 0f 00 01 01
SSL_connect:unknown state
read from 0xddd2c0 [0xde28a0] (7 bytes => 7 (0x7))
0000 - 15 03 02 00 02 02 28 ......(
SSL3 alert read:fatal:handshake failure
<<< TLS 1.1 [length 0002]
02 28
SSL_connect:error in unknown state
140581179446944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 64 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
The facebook connection either hangs after the client sends its hello buffer and never receives the server hello response, or returns with an error code if I pass in a cipher it recognizes. This happens with both -tls1 and -ssl3. I've tried every parameter to openssl I can think of.
apt-cache showpkg openssl
...
Provides:
1.0.1-4ubuntu5.5 -
1.0.1-4ubuntu5.3 -
1.0.1-4ubuntu3 -
I've also tried every parameter I can think of to curl but with no success, because it uses openssl under the hood.
I'm concerned that Ubuntu can't establish secure connections (an astounding statement, I realize). After two solid days of beating my head against this problem, I'm basically praying at this point that someone knows a workaround. I'm considering a downgrade to OpenSSL 1.0.0 or using libcurl4-dev with gnutls-dev instead. Both solutions leave a rotten taste in my mouth. Thanks in advance for any help you can provide.
P.S. all of this work is so that my server can interface with external https REST APIs. I consider this a fundamental requirement in any webserver today, no excuses.
UPDATE: Here is my output without passing a cipher. It doesn't matter if I pass -CAfile or not either:
openssl s_client -connect graph.facebook.com:443 -debug -state -msg -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x14ed1a0 [0x1515bf0] (226 bytes => 226 (0xE2))
0000 - 16 03 01 00 dd 01 00 00-d9 03 02 50 b6 39 78 6a ...........P.9xj
0010 - 24 95 8e dc 62 19 37 4b-ab 77 b8 66 cd 48 ba a2 $...b.7K.w.f.H..
0020 - a1 2a f8 1d f8 c9 5d fb-9d db 84 00 00 66 c0 14 .*....]......f..
0030 - c0 0a c0 22 c0 21 00 39-00 38 00 88 00 87 c0 0f ...".!.9.8......
0040 - c0 05 00 35 00 84 c0 12-c0 08 c0 1c c0 1b 00 16 ...5............
0050 - 00 13 c0 0d c0 03 00 0a-c0 13 c0 09 c0 1f c0 1e ................
0060 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 0e c0 04 .3.2.....E.D....
0070 - 00 2f 00 96 00 41 c0 11-c0 07 c0 0c c0 02 00 05 ./...A..........
0080 - 00 04 00 15 00 12 00 09-00 14 00 11 00 08 00 06 ................
0090 - 00 03 00 ff 02 01 00 00-49 00 0b 00 04 03 00 01 ........I.......
00a0 - 02 00 0a 00 34 00 32 00-0e 00 0d 00 19 00 0b 00 ....4.2.........
00b0 - 0c 00 18 00 09 00 0a 00-16 00 17 00 08 00 06 00 ................
00c0 - 07 00 14 00 15 00 04 00-05 00 12 00 13 00 01 00 ................
00d0 - 02 00 03 00 0f 00 10 00-11 00 23 00 00 00 0f 00 ..........#.....
00e0 - 01 01 ..
>>> TLS 1.1 [length 00dd]
01 00 00 d9 03 02 50 b6 39 78 6a 24 95 8e dc 62
19 37 4b ab 77 b8 66 cd 48 ba a2 a1 2a f8 1d f8
c9 5d fb 9d db 84 00 00 66 c0 14 c0 0a c0 22 c0
21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0
03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00
9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00
41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00
12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02
01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34
00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09
00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15
00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f
00 10 00 11 00 23 00 00 00 0f 00 01 01
SSL_connect:unknown state
Why are you passing -cipher SRP-AES-256-CBC-SHA when connecting to graph.facebook.com? Facebook certainly doesn't support SRP: http://srp.stanford.edu/.
Does it work if you don't pass that?
Also, can you give the IP address that you're getting? With 69.171.229.17, I can reproduce that exact ClientHello (modulo the nonce and with RC4-SHA are the only cipher save the SCSV) and I get a successful handshake.
Lastly, have you tried doing over an SSH tunnel to somewhere else? Sadly, when deploying TLS features in Chrome we have repeatedly found networking hardware that breaks TLS connections. (Although I can't think of a case where -ssl3 wouldn't fix it unless the hardware was actively trying to censor connections.)
Setting the MTU on my Ubuntu box from 1500 to 1496 (due to one of our firewalls being set too low) allows me to receive a response from the server without having to reboot (be sure to call ifconfig first and write down your original MTU which should be 1500):
sudo ifconfig eth0 mtu 1496
I discovered my MTU by pinging with successively larger buffers (add 28 bytes for UDP header):
Fails for 1472 + 28 = 1500:
ping -s 1472 facebook.com
PING facebook.com (66.220.158.16) 1472(1500) bytes of data.
...
Works for 1468 + 28 = 1496:
ping -s 1468 facebook.com
PING facebook.com (69.171.229.16) 1468(1496) bytes of data.
1476 bytes from www-slb-ecmp-06-prn1.facebook.com (69.171.229.16): icmp_req=1 ttl=242 time=30.0 ms
...
With 1496 I'm now able to curl to facebook.com:
curl -v https://facebook.com
* About to connect() to facebook.com port 443 (#0)
* Trying 66.220.152.16... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=Palo Alto; O=Facebook, Inc.; CN=www.facebook.com
* start date: 2012-06-21 00:00:00 GMT
* expire date: 2013-12-31 23:59:59 GMT
* subjectAltName: facebook.com matched
* issuer: O=VeriSign Trust Network; OU=VeriSign, Inc.; OU=VeriSign International Server CA - Class 3; OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: facebook.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://www.facebook.com/
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: 3vAg1O5OG9hB/EWC+gk1Kl3WLJRGmlQDaEodirWb+i0=
< Date: Wed, 28 Nov 2012 19:52:25 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host facebook.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
I personally think that MTU should have absolutely nothing to do with what the user sees at the stream level with TCP so I hope the OpenSSL folks fix this. I also wish that someone would invent an automagic bug submitter for bugs that are profoundly widespread and time-sucking.
Any code using Mail::IMAPClient is having this error. To verify I have used the below example from the topic: How do I authenticate into Gmail using Perl?
#!/usr/bin/env perl -w
use strict; use warnings;
use Mail::IMAPClient;
# Connect to IMAP server
my $client = Mail::IMAPClient->new(
Server => 'imap.gmail.com',
User => $user,
Password => $pass,
Port => 993,
Ssl => 1,
)
or die "Cannot connect through IMAPClient: $#";
# List folders on remote server (see if all is ok)
if ( $client->IsAuthenticated() ) {
print "Folders:\n";
print "- ", $_, "\n" for #{ $client->folders() };
};
# Say so long
$client->logout();
Now, I have gone through questions similar to this but have never seen such a strange error like "Network Unreachable". There is no actual network problem, ping works fine. I have IO::Socket::SSL, Net::SSLeay installed.
$ echo -n | openssl s_client -connect imap.gmail.com:993
CONNECTED(00000003)
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKFefcnAADAAA7OzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMTExMTgwMjAxMjRaFw0xMjExMTgwMjExMjRa
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5pbWFw
LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmv2pvvhXOyOA
Uq053VLGMAErgk2NcDzxWNB5PWwXHzkcFuZOa0q1YUlff6LaJurq5UctkOO+3mt1
L+/wcZiEzxTdfOclyJcY/qBsjz8qgG+4Kx3/dVlTYz2geUyxvGNibNQfuXpoI1M5
iUQ/FSaFIazXZ01tpb+mgCOtwzENMk8CAwEAAaOCASwwggEoMB0GA1UdDgQWBBRd
l+HsAH5IwfNuc25lLuryGEaXwzAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra
42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv
b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy
bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp
Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo
b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ
KoZIhvcNAQEFBQADgYEAa6JYZBInXMfojI4bXLusfDlzZ6gnGtHxOO8hUZbDAwcL
t2/4uDDj8sroVrTWXMqURzk1lCsXlGPFhaKdnsMrmcgC01THAKPFrrQnQc/BM5H/
kr5ZAyJKHyu4dNnL3NNjig+22fp8slaLo25C95YQT5LiBL2qnAzLs4nWBzqih74=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1850 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: D98F3659858A0F39D32F1B5D96F756DE6E093E849A6AE0066C391BE2881B9A69
Session-ID-ctx:
Master-Key: 8D4BE4DFEB7F3218A501FE9240E0B51CC987B99EE0DDBA5EC13E9A10137B63508692DA684DA25E8B2839906F0F7ADDD5
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 6e 26 64 bb c3 97 30 9c-32 6f c5 38 d6 db 23 54 n&d...0.2o.8..#T
0010 - 65 43 b8 01 4e 46 5b b3-81 7e 26 6b 3a 36 2b 62 eC..NF[..~&k:6+b
0020 - 03 96 44 de 3d b0 81 be-18 b0 14 a1 09 99 28 73 ..D.=.........(s
0030 - 2d 5a 87 6c b9 26 64 94-af f2 5e f1 f4 10 ba ff -Z.l.&d...^.....
0040 - 68 a0 6a 31 d6 10 f8 88-61 63 5a 58 0b 1d d0 98 h.j1....acZX....
0050 - 81 ed f7 45 11 1d 4a 22-23 2f 44 0c 62 b4 18 e9 ...E..J"#/D.b...
0060 - e7 4a 57 10 f1 3c a0 d6-ee 46 98 5d df e9 a5 52 .JW..<...F.]...R
0070 - a6 75 da a6 25 89 87 f0-b0 ec 60 0d c0 19 0e 6f .u..%.....`....o
0080 - 23 53 a2 f2 18 e8 8d 51-28 e7 f2 d3 52 8a 02 f4 #S.....Q(...R...
0090 - 32 aa 82 db 2...
Start Time: 1342180574
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
this could be an ipv6 error. Gmail enabled ipv6 access recently. Can you try putting this before the 'use Mail::IMAPClient;' line:
use IO::Socket::SSL 'inet4';