I use: Python 2.7.15, OpenSSL 1.1.0h (27 Mar 2018), MS Exchange 2007.
My MS Exchange allows sending login/pass only after STARTTLS.
In Python I try to connect to the server like:
from smtplib import SMTP  # module name is smtplib (typo fixed)
conn = SMTP(server, port)
conn.set_debuglevel(1)    # print the SMTP dialogue to stderr
conn.starttls()           # upgrade the plain connection to TLS
conn.login(username, password)
conn.quit()
And finally I get an error in starttls:
/python2.7/ssl.py", line 847, in do_handshake self._sslobj.do_handshake()
The problem is as follows: Python tries to establish the connection with TLS v1.2 but Exchange only supports TLS v1.0. I tried ports 25 and 587.
When I tried to connect and log in to the server with the console openssl
application it worked fine for both ports with TLS v1.0:
openssl s_client -connect server:587 -starttls smtp -no_tls1_2 -no_tls1_1 -crlf
Server answer:
SSL handshake has read 1481 bytes and written 530 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: xxxx
Session-ID-ctx:
Master-Key: xxxx
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1533874470
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
250 CHUNKING
ehlo
250-xxxxxxx Hello [xxxx]
250-SIZE 26214400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
^C
I tried to inherit from the standard SMTP class to overload the starttls
method so that it takes a context
option, like:
# show only changes to standard `starttls` method
class mySMTP(SMTP):
    def starttls(self, keyfile=None, certfile=None, context=None):
        ...
        if context is None:
            context = ssl._create_stdlib_context(certfile=certfile, keyfile=keyfile)
        # wrap the already-open socket with the caller's context instead of ssl.wrap_socket
        self.sock = context.wrap_socket(self.sock, server_hostname=self._hostname)
        ...
And use this class in my script:
import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
# forbid TLS 1.1 and 1.2 so that only TLS 1.0 remains
context.options |= ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_1
conn = mySMTP(server, port)
conn.set_debuglevel(1)
conn.starttls(context=context)
conn.login(username, password)
conn.quit()
But the error is still the same.
What am I doing wrong? Maybe the context options have to be different, or maybe I am missing something?
How do I set up smtplib and the starttls method to force only TLS v1.0 in this situation?
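The two things the handshake can fail on, the protocol version and the cipher suite, can be checked separately against the `openssl s_client` output shown in the question. The script below is an added example, not code from the question or the answer. It parses the `SSL-Session` block (the sample is constructed from the values the question shows), lists the protocol versions an `SSLContext` with the question's `OP_NO_*` bits would still offer, and checks whether the negotiated cipher `RC4-MD5` is in the cipher list the Python context actually offers. It needs Python 3.6+ for `SSLContext.get_ciphers()`; on Python 2.7 the same cipher comparison has to be done by hand against `openssl ciphers -v` for the context's cipher string.

```python
import re
import ssl

# Sample openssl s_client "SSL-Session" output, constructed from the values
# shown in the question (session id already masked by the asker).
SAMPLE_S_CLIENT_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: xxxx
    Verify return code: 21 (unable to verify the first certificate)
"""

# Protocol versions and the OP_NO_* option bit that disables each one.
# A constant that is missing from this Python build, or equal to 0 (as
# OP_NO_SSLv2 is on OpenSSL 1.1+), means the version cannot be negotiated at all.
_VERSION_FLAGS = [
    ("SSLv2", getattr(ssl, "OP_NO_SSLv2", 0)),
    ("SSLv3", getattr(ssl, "OP_NO_SSLv3", 0)),
    ("TLSv1", getattr(ssl, "OP_NO_TLSv1", 0)),
    ("TLSv1.1", getattr(ssl, "OP_NO_TLSv1_1", 0)),
    ("TLSv1.2", getattr(ssl, "OP_NO_TLSv1_2", 0)),
    ("TLSv1.3", getattr(ssl, "OP_NO_TLSv1_3", 0)),
]


def enabled_versions(options):
    """Protocol versions not forbidden by the OP_NO_* bits in `options`.

    Judged by option bits only; SSLContext.minimum_version (Python 3.7+)
    is a separate control that this helper does not consult.
    """
    return [name for name, flag in _VERSION_FLAGS if flag and not (options & flag)]


def parse_s_client_session(text):
    """Pull Protocol, Cipher and Verify return code out of s_client output."""
    session = {}
    for key in ("Protocol", "Cipher", "Verify return code"):
        match = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        if match:
            session[key] = match.group(1)
    return session


def diagnose(session, ctx, extra_options=0):
    """Compare what the server negotiated with s_client against what a Python
    SSLContext (plus the OP_NO_* bits the script would add) can offer."""
    options = int(ctx.options) | extra_options
    offered = {c["name"] for c in ctx.get_ciphers()}  # Python 3.6+
    return {
        "version_enabled": session.get("Protocol") in enabled_versions(options),
        "cipher_offered": session.get("Cipher") in offered,
        "cert_verified": session.get("Verify return code", "").startswith("0 "),
    }


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    asker_options = ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_1  # from the question
    session = parse_s_client_session(SAMPLE_S_CLIENT_OUTPUT)
    result = diagnose(session, ctx, asker_options)
    print("server negotiated: %s / %s" % (session["Protocol"], session["Cipher"]))
    print("versions left enabled: %s"
          % ", ".join(enabled_versions(int(ctx.options) | asker_options)))
    for check, ok in sorted(result.items()):
        print("%-16s %s" % (check, "ok" if ok else "MISMATCH"))
```

If `version_enabled` is true but `cipher_offered` is false, the cipher list rather than the protocol version is the thing to look at: a Python `SSLContext` applies its own default cipher string (since 2.7.9 it excludes MD5 suites, and RC4-MD5 is also outside `HIGH`), whereas `s_client` uses the OpenSSL build's default list, which in the question's run still included RC4-MD5. The `cert_verified` result records that `s_client` could not verify the server certificate, which a hostname-checking context would also refuse independently of the version question.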
Something that's been successful for me in the past when connecting to old email services using deprecated SSL versions is setting up a local tunnel with stunnel or similar and connecting on localhost through that; you can also set up a local sendmail instance as a proxy.