Discussion:
gmail
brian
2024-10-06 11:48:47 UTC
How do I set up Turnpike (and stunnel) to send and receive e-mail as a
second mail provider? Just receiving would be OK.

There was a fred in 2022 about it, citing security issues, but it was
inconclusive.

Brian
--
Brian Howie
John Hall
2024-10-06 16:59:35 UTC
Post by brian
How do I set up Turnpike ( and stunnel) to send and receive e-mail as a
second mail provider ? Just receiving would be OK.
There was a fred in 2022 about it, citing security issues, but it was
inconclusive.
Brian
I have a gmail account as a back-up, and I used to use TP and Stunnel
with it to download emails, but when they said they were bringing in the
dreaded 2FA if one used "less secure" clients such as TP with it, I
decided it was getting too complicated. As I don't get much email to it,
I just look at it via my browser every few days.

This is the Stunnel configuration that I was using:

-------------------------------------

; Debugging stuff (may be useful for troubleshooting)
debug = 6
output = stunnel.log
log = overwrite

; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = stunnel.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = ca_certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

[gmail-pop3]
client = yes
accept = 127.0.0.1:3110
connect = pop.gmail.com:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes
TIMEOUTconnect = 60
TIMEOUTidle = 40
TIMEOUTbusy = 40
TIMEOUTclose = 40
;time to wait for close_notify (set to 0 for buggy MSIE)

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes
;Google say:
;If you connect using SMTP, you can only send mail to Gmail or Google
;Apps users; if you connect using SSL/TLS, you can send mail to anyone.
;If your device or application supports SSL - connect to smtp.gmail.com
;on port 465. To connect with SSL, you need to provide a Google username
;and password for authentication.

------------------------

You could try using that and see what happens. Maybe it will be viewed
as secure enough not to need 2FA after all. (The comments were in the
example config file on the Stunnel web site that I edited to produce my
own. Don't ask me what they all mean!)
--
John Hall

"I don't even butter my bread; I consider that cooking."
Katherine Cebrian
brian
2024-10-07 13:39:58 UTC
Post by John Hall
Post by brian
How do I set up Turnpike ( and stunnel) to send and receive e-mail as
a second mail provider ? Just receiving would be OK.
There was a fred in 2022 about it, citing security issues, but it was
inconclusive.
Brian
I have a gmail account as a back-up, and I used to use TP and Stunnel
with it to download emails, but when they said they were bringing in
the dreaded 2FA if one used "less secure" clients such as TP with it, I
decided it was getting too complicated. As I don't get much email to
it, I just look at it via my browser every few days.
------------------------
You could try using that and see what happens. Maybe it will be viewed
as secure enough not to need 2FA after all. (The comments were in the
example config file on the Stunnel web site that I edited to produce my
own. Don't ask me what they all mean!)
I had a go but no joy. Stunnel log looked promising. I had to download
the latest version to get the current ca-certs.pem

2024.10.07 14:25:10 LOG5[0]: Service [gmail-pop3] accepted connection
from 127.0.0.1:49782
2024.10.07 14:25:10 LOG5[0]: s_connect: connected 66.102.1.108:995
2024.10.07 14:25:10 LOG5[0]: Service [gmail-pop3] connected remote
server from 192.168.1.137:49783
2024.10.07 14:25:10 LOG5[0]: Certificate accepted at depth=0:
CN=pop.gmail.com
2024.10.07 14:25:10 LOG3[0]: OCSP: No OCSP stapling response received
2024.10.07 14:25:10 LOG5[0]: OCSP: Connecting the AIA responder
"http://o.pki.goog/wr2"
2024.10.07 14:25:10 LOG5[0]: s_connect: connected 216.58.214.163:80
2024.10.07 14:25:10 LOG5[0]: OCSP: Certificate accepted
2024.10.07 14:25:10 LOG5[0]: OCSP: Accepted (good)
2024.10.07 14:25:11 LOG5[0]: Connection closed: 48 byte(s) sent to TLS,
155 byte(s) sent to socket
2024.10.07 14:26:07 LOG5[1]: Service [gmail-pop3] accepted connection
from 127.0.0.1:49788
2024.10.07 14:26:07 LOG5[1]: s_connect: connected 66.102.1.108:995
2024.10.07 14:26:07 LOG5[1]: Service [gmail-pop3] connected remote
server from 192.168.1.137:49789
2024.10.07 14:26:08 LOG5[1]: Connection closed: 48 byte(s) sent to TLS,
157 byte(s) sent to socket
2024.10.07 14:29:20 LOG5[2]: Service [gmail-pop3] accepted connection
from 127.0.0.1:49810
2024.10.07 14:29:20 LOG5[2]: s_connect: connected 66.102.1.108:995
2024.10.07 14:29:20 LOG5[2]: Service [gmail-pop3] connected remote
server from 192.168.1.137:49811
2024.10.07 14:29:21 LOG5[2]: Connection closed: 48 byte(s) sent to TLS,
157 byte(s) sent to socket
2024.10.07 14:29:27 LOG5[3]: Service [gmail-pop3] accepted connection
from 127.0.0.1:49814
2024.10.07 14:29:28 LOG5[3]: s_connect: connected 66.102.1.108:995
2024.10.07 14:29:28 LOG5[3]: Service [gmail-pop3] connected remote
server from 192.168.1.137:49817
2024.10.07 14:29:29 LOG5[3]: Connection closed: 48 byte(s) sent to TLS,
157 byte(s) sent to socket


However the login failed.


Mon, 7 Oct 2024 14:29:26 POP3[C2] <- -ERR [AUTH] Username and password
not accepted.
Mon, 7 Oct 2024 14:29:26 POP3 command failure while talking to
127.0.0.1:
PASS *****
-ERR [AUTH] Username and password not accepted.

2FA probably

Tnx Brian
--
Brian Howie
John Hall
2024-10-07 14:02:19 UTC
Post by brian
Post by John Hall
Post by brian
How do I set up Turnpike ( and stunnel) to send and receive e-mail as
second mail provider ? Just receiving would be OK.
There was a fred in 2022 about it, citing security issues, but it was
inconclusive.
Brian
I have a gmail account as a back-up, and I used to use TP and Stunnel
with it to download emails, but when they said they were bringing in
the dreaded 2FA if one used "less secure" clients such as TP with it,
I decided it was getting too complicated. As I don't get much email to
it, I just look at it via my browser every few days.
------------------------
You could try using that and see what happens. Maybe it will be viewed
as secure enough not to need 2FA after all. (The comments were in the
example config file on the Stunnel web site that I edited to produce
my own. Don't ask me what they all mean!)
I had a go but no joy. Stunnel log looked promising. I had to download
the latest version to get the current ca-certs.pem
<snip log>
Post by brian
However the login failed.
Mon, 7 Oct 2024 14:29:26 POP3[C2] <- -ERR [AUTH] Username and password
not accepted.
Mon, 7 Oct 2024 14:29:26 POP3 command failure while talking to
PASS *****
-ERR [AUTH] Username and password not accepted.
2FA probably
Tnx Brian
That Stunnel log is a bit odd, as the connection seems to have been
negotiated not just once but three times, although all three were
seemingly successful. Judging by the log timings, it was on the last of
those occasions that the username and password were rejected.

Are you 100% sure that you entered the username and password correctly
in the TP Connect configuration details? I can't remember whether the
username only requires the bit to the left of the @ or the whole thing
including the @gmail.com bit.

Could you post your Stunnel config file, just in case I can spot
something?
--
John Hall

"I don't even butter my bread; I consider that cooking."
Katherine Cebrian
brian
2024-10-07 19:04:05 UTC
Post by John Hall
That Stunnel log is a bit odd, as the connection seems to have been
negotiated not just once but three times, although all three were
seemingly successful. Judging by the log timings, it was on the last of
those occasions that the username and password were rejected.
Are you 100% sure that you entered the username and password correctly
in the TP Connect configuration details? I can't remember whether the
Could you post your Stunnel config file, just in case I can spot
something?
debug = 5
output = stunnel.log

[b-howie POP3]
client = yes
accept = 127.0.0.1:310
connect = pop3.hosts.co.uk:995

[namesco SMTP]
protocol = smtp
client = yes
accept = 127.0.0.1:25
connect = smtp.hosts.co.uk:25


For the test I did, I removed everything above (except debug and output)
so that it was just using gmail. Below is what I used. I just copied
yours and changed the POP3 port to 3110 in the dialog box.

[gmail-pop3]
client = yes
accept = 127.0.0.1:3110
connect = pop.gmail.com:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes
TIMEOUTconnect = 60
TIMEOUTidle = 40
TIMEOUTbusy = 40
TIMEOUTclose = 40
;time to wait for close_notify (set to 0 for buggy MSIE)

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes

I used the full user name including @gmail.com. The same as I do for
***@b-howie.co.uk. The password is correct. I've got APOP
authentication ticked. The SMTP server is still set to b-howie. There is
only a box for one SMTP server.

Brian
--
Brian Howie
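
An added example (not from any poster in this thread, and not part of stunnel): a small Python audit of stunnel client sections like the ones posted above. It flags services that lack the verifyChain/checkHost settings the sample config's MITM comment refers to, and services that share an accept address. The names parse_stunnel_conf and audit are hypothetical, and the sample config is constructed from two of the posted sections.

```python
# Constructed sample: two of the service sections posted in this thread, in one file.
SAMPLE_CONF = """\
[namesco SMTP]
protocol = smtp
client = yes
accept = 127.0.0.1:25
connect = smtp.hosts.co.uk:25

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
"""

def parse_stunnel_conf(text):
    """Return (defaults, services); options before the first [section] are defaults."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:                              # keys are lower-cased for lookup
            (defaults if current is None else current)[key.strip().lower()] = value.strip()
    return defaults, services

def audit(text):
    """Return (service, finding) pairs; hypothetical helper, not a stunnel tool."""
    defaults, services = parse_stunnel_conf(text)
    findings, listeners = [], {}
    for name, opts in services.items():
        eff = {**defaults, **opts}           # service options override defaults
        if eff.get("client", "no").lower() == "yes":
            if eff.get("verifychain", "no").lower() != "yes":
                findings.append((name, "verifyChain not enabled"))
            elif not (eff.get("cafile") or eff.get("capath")):
                findings.append((name, "verifyChain set but no CAfile/CApath"))
            if not (eff.get("checkhost") or eff.get("checkip")):
                findings.append((name, "checkHost not set"))
        addr = eff.get("accept")             # compared as an exact string
        if addr in listeners:
            findings.append((name, f"accept {addr} already used by [{listeners[addr]}]"))
        elif addr:
            listeners[addr] = name
    return findings

for service, finding in audit(SAMPLE_CONF):
    print(f"[{service}] {finding}")
```

On the constructed sample this reports the missing verification settings on [namesco SMTP] and the shared 127.0.0.1:25 listener on [gmail-smtp].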
John Hall
2024-10-08 17:17:44 UTC
Post by John Hall
That Stunnel log is a bit odd, as the connection seems to have been
negotiated not just once but three times, although all three were
seemingly successful. Judging by the log timings, it was on the last
of those occasions that the username and password were rejected.
Are you 100% sure that you entered the username and password correctly
in the TP Connect configuration details? I can't remember whether the
Could you post your Stunnel config file, just in case I can spot
something?
<snip>

It looks all in order.
I had a look in my own Connect config. Fortunately I'd only unticked the
gmail entry, not deleted it. I found that back in the day I had
successfully been using just the bit before the @gmail.co.uk, so I
suggest you try doing that.
The password is correct. I've got APOP authentication ticked.
I had APOP authentication not ticked.
The SMTP server is still set to b-howie. There is only a box for one
SMTP server.
Brian
There must be a lot of people using Stunnel with Gmail, so if that
doesn't help you could see if anyone on the stunnel.org mailing list has
raised the issue and had it solved; if not, then you could try raising
it yourself.

https://www.stunnel.org/lists.html
--
John Hall

"I don't even butter my bread; I consider that cooking."
Katherine Cebrian
brian
2024-10-09 08:47:26 UTC
Post by John Hall
Post by John Hall
That Stunnel log is a bit odd, as the connection seems to have been
negotiated not just once but three times, although all three were
seemingly successful. Judging by the log timings, it was on the last
of those occasions that the username and password were rejected.
Are you 100% sure that you entered the username and password
correctly in the TP Connect configuration details? I can't remember
Could you post your Stunnel config file, just in case I can spot
something?
<snip>
It looks all in order.
I had a look in my own Connect config. Fortunately I'd only unticked
the gmail entry, not deleted it. I found that back in the day I had
suggest you try doing that.
The password is correct. I've got APOP authentication ticked.
I had APOP authentication not ticked.
The SMTP server is still set to b-howie. There is only a box for one
SMTP server.
Brian
There must be a lot of people using Stunnel with Gmail, so if that
doesn't help you could see if anyone on the stunnel.org mailing list
has raised the issue and had it solved; if not, then you could try
raising it yourself.
https://www.stunnel.org/lists.html
At the moment I can't run b-howie and gmail at the same time because of
this. I'll investigate

Thanks

Brian
--
Brian Howie
brian
2024-10-14 12:04:33 UTC
Post by brian
Post by John Hall
There must be a lot of people using Stunnel with Gmail, so if that
doesn't help you could see if anyone on the stunnel.org mailing list
has raised the issue and had it solved; if not, then you could try
raising it yourself.
https://www.stunnel.org/lists.html
At the moment I can't run b-howie and gmail at the same time because of
this. I'll investigate
Thanks
Brian
It seems to be a Turnpike problem that I can't run 2 SMTP servers.
Stunnel can do it OK, but I have to swap over to gmail in Turnpike to
send to gmail.

It's possible that Turnpike/6.07-S won't allow this. It's
impossible to tick the "use with other ISPs" box. Someone with a paid
for version of Turnpike might be able to advise. There's nothing in the
.INI files.

It's no great issue as I only really want to receive gmail usually.

Brian
--
Brian Howie
John Hall
2024-10-14 15:30:33 UTC
Post by brian
Post by brian
Post by John Hall
There must be a lot of people using Stunnel with Gmail, so if that
doesn't help you could see if anyone on the stunnel.org mailing list
has raised the issue and had it solved; if not, then you could try
raising it yourself.
https://www.stunnel.org/lists.html
At the moment I can't run b-howie and gmail at the same time because
of this. I'll investigate
Thanks
Brian
It seems to be a Turnpike problem that I can't run 2 SMTP servers.
Stunnel can do it OK, but I have to swap over to gmail in Turnpike to
send to gmail.
It's possible that Turnpike/6.07-S won't allow this. It's
impossible to tick the "use with other ISPs" box. Someone with a paid
for version of Turnpike might be able to advise. There's nothing in the
.INI files.
It's no great issue as I only really want to receive gmail usually.
Brian
I don't think any version of TP has ever been able to configure in more
than one server. Presumably the problem is how TP would know which
server to use for any given outbound email, but it would be nice to be
able to configure more than one server at a time and then use tick boxes
to select the one to be used.
--
John Hall

"I don't even butter my bread; I consider that cooking."
Katherine Cebrian
SilverE
2024-10-08 17:57:08 UTC
At 20:04:05 on Mon, 7 Oct 2024, brian wrote in
<***@b-howie.co.uk>

<snip>
When 2FA is enforced I'm fairly sure you'll need an App Password, not
one you set yourself. Is that what you're using - if not you can get
that from among your Google account security settings.
--
SilverE
brian
2024-10-09 08:45:35 UTC
Post by SilverE
At 20:04:05 on Mon, 7 Oct 2024, brian wrote in
<snip>
When 2FA is enforced I'm fairly sure you'll need an App Password, not
one you set yourself. Is that what you're using - if not you can get
that from among your Google account security settings.
Yes that's the problem. I've got it to work.

Thanks

Brian
--
Brian Howie
John Hall
2024-10-09 13:49:39 UTC
Post by brian
Post by SilverE
At 20:04:05 on Mon, 7 Oct 2024, brian wrote in
<snip>
When 2FA is enforced I'm fairly sure you'll need an App Password, not
one you set yourself. Is that what you're using - if not you can get
that from among your Google account security settings.
Yes that's the problem. I've got it to work.
That's good news. So was it just as simple as replacing the password you
were using by the App Password (which Google presumably generated for
you)? And having done that, do you just go on using that same App
Password, or does Google insist that you have to keep changing it to a
new App Password?
--
John Hall

"I don't even butter my bread; I consider that cooking."
Katherine Cebrian
brian
2024-10-09 15:41:13 UTC
Post by John Hall
Post by brian
Post by SilverE
At 20:04:05 on Mon, 7 Oct 2024, brian wrote in
<snip>
When 2FA is enforced I'm fairly sure you'll need an App Password, not
one you set yourself. Is that what you're using - if not you can get
that from among your Google account security settings.
Yes that's the problem. I've got it to work.
That's good news. So was it just as simple as replacing the password
you were using by the App Password (which Google presumably generated
for you)? And having done that, do you just go on using that same App
Password, or does Google insist that you have to keep changing it to a
new App Password?
Yes, I use the App password and it knows it's Turnpike. I had to enable
2FA to do it and allow POP mail.

It seems OK with the same password, so far anyway.

Brian
--
Brian Howie
SilverE
2024-10-10 09:24:43 UTC
At 16:41:13 on Wed, 9 Oct 2024, brian wrote in
Post by brian
Post by John Hall
Post by brian
Post by SilverE
At 20:04:05 on Mon, 7 Oct 2024, brian wrote in
<snip>
When 2FA is enforced I'm fairly sure you'll need an App Password,
not one you set yourself. Is that what you're using - if not you can
get that from among your Google account security settings.
Yes that's the problem. I've got it to work.
Good.
Post by brian
Post by John Hall
That's good news. So was it just as simple as replacing the password
you were using by the App Password (which Google presumably generated
for you)? And having done that, do you just go on using that same App
Password, or does Google insist that you have to keep changing it to a
new App Password?
Yes, I use the App password and it knows it's Turnpike. I had to enable
2FA to do it and allow POP mail.
It seems OK with the same password, so far anyway.
The App Password won't change. You might also be able to use it on other
programs, I used to have to use one for my Outlook account esp. on phone
apps, if I changed to another app I could still use the same password.
But now Outlook requires OAuth/Modern authentication so the app password
is defunct. I haven't tried using the OAuth module pointed to by Paul
Overell a while back

https://github.com/simonrob/email-oauth2-proxy

which may become necessary for Gmail at some point.
--
SilverE