Using TLS with email and GMX is broken since last week #7

Closed
thenktor opened this issue Jul 10, 2013 · 4 comments

@thenktor
Contributor

Hi,

apparently GMX (a big German freemail provider) has changed their server settings and now sending mail with TLS encryption is broken in email:

email -V -c /etc/email/email.conf -no-encoding -tls -f sender@gmx.de -s "subject" -r "mail.gmx.net" -p 587 -u "sender@gmx.de" -i "password" "receiver@gmail.com" < /tmp/email.text
Connecting to server mail.gmx.net on port 587
Greeting the SMTP server...
email: FATAL: Smtp error: 503 Bad sequence of commands

It still works with kontact (KDE4) and claws-mail. Here is a claws-mail log:

* Konto: 'sender@gmx.de': Verbinden mit SMTP-Server: mail.gmx.net ...
[11:54:17] SMTP< 220 gmx.com (mrgmx001) Nemesis ESMTP Service ready
[11:54:17] ESMTP> EHLO stat3.localdomain
[11:54:17] ESMTP< 250-gmx.com Hello stat3.localdomain [87.ip.addr.ess]
[11:54:17] ESMTP< 250-SIZE 69920427
[11:54:17] ESMTP< 250-AUTH LOGIN PLAIN
[11:54:17] ESMTP< 250 STARTTLS
[11:54:17] ESMTP> STARTTLS
[11:54:17] ESMTP< 220 OK
[11:54:18] ESMTP> EHLO stat3.localdomain
[11:54:18] ESMTP< 250-gmx.com Hello stat3.localdomain [87.ip.addr.ess]
[11:54:18] ESMTP< 250-SIZE 69920427
[11:54:18] ESMTP< 250 AUTH LOGIN PLAIN
[11:54:18] ESMTP> AUTH LOGIN
[11:54:18] ESMTP< 334 XXXXXXXXXXXX
[11:54:18] ESMTP> [USERID]
[11:54:18] ESMTP< 334 XXXXXXXXXXXX
[11:54:18] ESMTP> [PASSWORD]
[11:54:18] ESMTP< 235 Authentication succeeded
[11:54:18] ESMTP> MAIL FROM:<sender@gmx.de> SIZE=379
[11:54:18] SMTP< 250 Requested mail action okay, completed
[11:54:18] SMTP> RCPT TO:<receiver@gmail.com>
[11:54:18] SMTP< 250 OK
[11:54:18] SMTP> DATA
[11:54:18] SMTP< 354 Start mail input; end with <CRLF>.<CRLF>
[11:54:18] SMTP> . (EOM)
[11:54:18] SMTP< 250 Requested mail action okay, completed: id=0MGAdz-1V0PDZ12DH-XXXXX
* E-Mail erfolgreich gesendet.
[11:54:18] SMTP> QUIT
[11:54:18] SMTP< 221 gmx.com Service closing transmission channel
@thenktor
Contributor Author

OK, here is the problem. It does HELO instead of EHLO after STARTTLS. So the AUTH command is not valid afterwards:

<-- 220 gmx.com (mrgmx003) Nemesis ESMTP Service ready

--> EHLO stat3

<-- 220 gmx.com (mrgmx003) Nemesis ESMTP Service ready
250-gmx.com Hello stat3 [87.ip.addr.ess]
250-SIZE 69920427
250-AUTH LOGIN PLAIN
250 STARTTLS
--> STARTTLS
<-- 220 OK

--> RSET
<-- 250 OK

--> HELO
<-- 250 gmx.com Hello stat3 [87.ip.addr.ess]

--> AUTH LOGIN

email: FATAL: Smtp error: 503 Bad sequence of commands

@deanproxy
Owner

Is it possible that there is another issue at hand here? smtpInit should do an ehlo first and then run an helo as a fallback if ehlo isn't supported. It makes sense that ehlo would be supported since the server is using TLS, but it appears that the ehlo was completely bypassed somehow in smtpInit and helo was called instead.

@thenktor
Contributor Author

The problem with the original code was:
After the STARTTLS command the smtpInit() is run again. This one calls the ehlo() function and it exits with ERROR because it expects an initial greeting message. Then it falls back to the helo() function, which is wrong.
So the changes actually are:
An init() function was created, which expects the initial greeting message (this was moved from the ehlo() function). The smtpInit() function for normal startup calls both the init() and ehlo() functions. A smtpInitAfterTLS() function was created to be run after the STARTTLS command. This one has no fallback to helo() because STARTTLS is only available in ESMTP anyway.
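
The sequencing bug and its fix described in the comment above, as an added example that is not part of the thread or of the project's own code. The mock server, the host name `client.example` and the names `smtp_init`, `smtp_init_after_tls` and `auth_reply` are assumptions made for illustration; the mock only models the replies visible in the logs on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mock server: one 220 banner per connection, and AUTH is only
 * accepted when the most recent greeting command was EHLO. */
typedef struct { int greeting_pending, tls, esmtp; } Server;

static int reply(Server *s, const char *cmd)
{
    if (!strncmp(cmd, "EHLO", 4)) { s->esmtp = 1; return 250; }
    if (!strncmp(cmd, "HELO", 4)) { s->esmtp = 0; return 250; }
    if (!strcmp(cmd, "STARTTLS")) {
        if (!s->esmtp || s->tls) return 503;
        s->tls = 1; s->esmtp = 0; /* RFC 3207: session returns to initial state */
        return 220;
    }
    if (!strncmp(cmd, "AUTH", 4)) return s->esmtp ? 334 : 503;
    return 500;
}

/* Reads the 220 banner; fails when the server has none left to send. */
static int init(Server *s)
{
    if (!s->greeting_pending) return -1;
    s->greeting_pending = 0;
    return 0;
}
static int ehlo(Server *s) { return reply(s, "EHLO client.example") == 250 ? 0 : -1; }
static int helo(Server *s) { return reply(s, "HELO client.example") == 250 ? 0 : -1; }

/* Normal startup (hypothetical name): banner, then EHLO, HELO as fallback. */
static int smtp_init(Server *s) { return (init(s) == 0 && ehlo(s) == 0) ? 0 : helo(s); }

/* After STARTTLS (hypothetical name): no banner wait, EHLO only, no HELO. */
static int smtp_init_after_tls(Server *s) { return ehlo(s); }

/* Returns the reply code to AUTH LOGIN: 334 = continue, 503 = bad sequence. */
int auth_reply(int fixed)
{
    Server s = { 1, 0, 0 };
    if (smtp_init(&s) != 0 || reply(&s, "STARTTLS") != 220) return -1;
    if ((fixed ? smtp_init_after_tls(&s) : smtp_init(&s)) != 0) return -1;
    return reply(&s, "AUTH LOGIN");
}

int main(void)
{
    printf("old flow: %d, fixed flow: %d\n", auth_reply(0), auth_reply(1));
    return 0;
}
```

Re-issuing EHLO inside the TLS session also means the AUTH mechanisms the client acts on come from the encrypted channel rather than from the plaintext capability list sent before STARTTLS.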

@deanproxy
Owner

Ah, I see. Thanks for the help! Pulling now.
