Login via starttls method from smtplib to old e-mail server

Question

I use: Python 2.7.15, OpenSSL 1.1.0h (27 Mar 2018), MS Exchange 2007.

My MS exchange allows to send login/pass only after STARTTLS.

In python I try to connect to server like:

from stmplib import SMTP
conn = SMTP(server,port)
conn.set_debuglevel(1)
conn.starttls()
conn.login(username, password)
conn.quit()

And finally I get error in starttls:

/python2.7/ssl.py", line 847, in do_handshake self._sslobj.do_handshake()

The problem is follow python try to establish connection with TLS v1.2 but Exchange only support TLS v.1.0. I tried ports 25 and 587.

When I tried to connect and login to server by console openssl application it is work fine for both ports with TLS v.1.0: openssl s_client -connect sever:587 -starttls smtp -no_tls1_2 -no_tls1_1 -crlf Server answer:

SSL handshake has read 1481 bytes and written 530 bytes
--- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: xxxx
    Session-ID-ctx:
    Master-Key: xxxx
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533874470
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
--- 250 CHUNKING ehlo 250-xxxxxxx Hello [xxxx] 250-SIZE 26214400 250-PIPELINING 250-DSN 250-ENHANCEDSTATUSCODES 250-AUTH GSSAPI NTLM LOGIN 250-8BITMIME 250-BINARYMIME 250 CHUNKING ^C

I try to inherits standard SMTP class to overload starttls method to use context option like:

    # show only changes to standard `starttls` method
    def starttls(self, keyfile=None, certfile=None, context=None):
        ...
        if context is None:
            context = ssl._create_stdlib_context(certfile=certfile, keyfile=keyfile)                                        
        self.sock = context.wrap_socket(self.sock, server_hostname=self._hostname)
       ...

And use this class in my script:

context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.options |= ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_1

conn = mySMTP(server,port)
conn.set_debuglevel(1)
conn.starttls(context = context)
conn.login(username, password)
conn.quit()

But the error still the same.

What I do wrong? May be options of context have to be other or may be I miss something?

How to set smtplib and starttls method to force use only TLS v.1.0 in this situation?

Answer 1

Something that's been successful for me in the past when connecting to old email-serivces using deprecated SSL-versions is setting up a local tunnel with stunnel or similar and connecting on localhost through that, you can also set up a local sendmail instance as a proxy.