Pi, exim4 and google smtp

Google randomly breaks mail from the real world of SMTP all the time. As long as other gmail users and outlook.com users can get their mail in, they're happy; trying to send reliably from anything else is a generally waste of effort.

That said, sending via an ISP's smarthost may have a better chance of success.

How is Exim configured? Remote debugging attempts on configuration one can?t see aren?t very practical.

Can you see what happens in the SMTP connection? At the least you need to establish whether Exim is attempting to authenticate and failing, or not even trying.

Something like:

(echo ?To: user@address ; echo Subject: t; echo; echo body) | exim -odf -v -t

Sorry, remove the quote:

(echo To: user@address ; echo Subject: t; echo; echo body) | exim -odf -v -t

FWIW I've seen perfectly standard email to gmail.com addresses rejected with this specific error in the last few weeks. It's just gmail being big enough not to have to care.

On Thu, 17 Oct 2019 23:19:32 +0100, MArtin declaimed the following:

Using what /software/? The account/password may not be the problem, rather features of the client doing the connection.

Presuming it is not a matter of not having the current gmail SSL key chain (I'd hope exim, et al have been patched to handle the security keys now in use -- that's the biggest problem with using Eudora on gmail; Eudora's key store doesn't recognize newer security chains), then the most likely aspect is that gmail considers exim (or your host) as an untrusted client.

For that, have you tried the information provided via that link? """ Allow less secure apps: If you don't use 2-Step Verification, you might need to allow less secure apps to access your account. """

That is a setting you have to make via the web interface to gmail.

Typically, for sending, one should first try using the SMTP provided by one's own ISP, even if the "account" of the email is not with that ISP. The client is configured to login in using the ISP credentials, but then sends the email using headers of the foreign account. (in old Eudora, this was a "relay host" -- you define one connection as the relay, and set a flag on other accounts telling them to send using the relay host instead of making a direct connection).

It's a gmail issue and I don't think there is any fix for it. You pretty much can't use gmail as a smarthost anymore. We've been doing the same thing for years but are having to come up with another solution now. All the email providers want you to use their application or use two step authentication and I don't think it is going to go away ever.

Gmail is using a black hole list, maybe RBL. If your ISP's sending MTA gets on the list, your mail will be delayed or rejected.

Been there, maybe even now.

logging in via web mail just to make sure the password hadn't been changed by outside agency.

It suddenly stopped working in the last couple of days. I'verun an update upgrade cycle on the pi but while it found things to update it made no difference to this issue.

That was already set, it had to be to work originally. Checking showed it as still set.

Yes, I tried that originally before using Google, and have spent today trying again, unfortunately it seems my ISP while supporting smtp isn't compatible with exim. I couldn't persuade it to work and gave up and used google and still cant - looking at their support forums it seems a selection of other people cant get the isp smtp to work with with a selection of clients either.

Unfortunately the reason I was using google was because configuration with the ISP server proved too difficult originally. Having spent all day trying to configure to use the ISP servers and trawling their support forums it seems I am not alone in having difficulty with the isp servers and the previous advice has been google is easier to configure and get working!

MArtin

I can send happily from gmail web mail to my isp account. which removed my worries about the password having changed or a blocklist against the isp or my receving address being the issue. It sems it is specifically the exim config which is no longer compatible with google.

MArtin

Fwiw: I have found TuffMail to be an excellent for-fee email service provider. Their technical expertise is excellent, and their customer service is very good. In my experience, their spam filtering is superb.

On a different topic, the signature delimiter line above is defective. It's supposed to be "-- ", two hyphens followed by a space.

HTH

These two logs are non-trivially different to me. Let's break them down to what's different (that I think matters).

A) H=gmail-smtp-msa.l.google.com [74.125.133.109] CV=no A=plain C="250 2.0.0 OK 1571140782 a10sm21277754wrm.52 - gsmtp"

B) H=smtp.gmail.com [173.194.76.108] CV=yes: SMTP error from remote mail server after pipelined MAIL FROM: SIZE=1568: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1

I hope that point #4 is talking about point #3. Given that it looks like you're using IPv4 and not IPv6, you are likely not running into more stringent requirements that Google enforces on IPv6.

My first guess is that something happened and your client is not trying to use SMTP Authentication any more. I have no idea why.

I don't know if that helps or not. Hopefully it gives you something to look at.

For what it's worth, I successfully send email to Google / Gmail daily from my VPS. So it is possible to successfully get email into Google, even as a small email operator.

Its worse than that.

I needed to fake an email fr a friuend who was sitting beside me ta the time. To send off a large dicument I had hlepned him preprae.

No problem I thought, I can fake his BT email account and send it through my own SMTP relay.

No chnace. the target systenm rejected it in te grounds that BT email doesnt get sent from random relays on the internet.

When I used his own domain however it worked perfectly.

The point is that it is now almost unacceptable to use your ISPs SMTP relay.

You have to send via your mail persons SMTP relay.

Last year, visiting my sister in Germany, I could not even connect to a third party port 25 without adding a whitelist to the ROUTER.

Before the commercialisation of the Internet, there was no point in sending random emails to people you didn't know.

Apart from malware, I wonder how many people, like me, simply refuse to buy anything they have seen advertised on the internet or on TV?

Is there any point in SPAM?

I only have one charity apart from poppy day, that I ever give serious money to. I bought a charity produt online

Every week since then I was emailed junk promotion for more charity products. Clicking unsubscribe made no difference. I blacklisted the domain. I will never contribute to that charity again.

set up exim on your own virtual server out there in internet land.

The rules of authenticated email are getting quite complex.

That at least allows you to control both ends of te smnart relay link to your client.

If you run Imap it also allows you global cloud access to your email.

That seems to be to do with googles response to: host smtp.gmail.com

which used to give a set of gmail-smtp-msa.N.google.com has address x.x.x.x responses where N went from 1 to 4

and now gives smtp.gmail.com has address 173.194.76.108 smtp.gmail.com has IPv6 address 2a00:1450:400c:c00::6d

I don't know whether it used to have ipv6 results because I don't have ipv6 connectivity so would have ignored it.

that seems to be certificate verification result though what certificate and where it is I am not sure

I think that is because the connection has failed so the error is logged instead of the connection used

or possibly google is now requiring more / different authentication that i don't have

thanks for the thoughts - i am no further forward but have a slightly better view on the log entries

I would have claimed similar a week ago!

This is just the reason why the ISP mail agent is so important. IIRC, there is an EU recommendation that consumer accounts should be allowed to send email via licensed ISP servers only.

This at least makes it more difficult to fake emails (which we have far too much of in the current Net).

Sending mail is extremely easy through a PHP script running on the same server your mail provider is hosted on, e.g. in a contact form. If you make a machine accessible PHP instead of one for humans to fill in, it should be easy to access that from your PI.

And makes it far easier to enforce the ability of government organisations to read them.

That is a useful idea thanks, though it would seem that there are no longer free accounts.

Yes, I am aware of the required delimeter, unfortunately it is set by avast and i don't know of a way to change it. My own if i set one which i frequently don't should be correct.

MArtin

-- Someone who thinks logically, provides a nice contrast to the real world.