cygwin /usr/bin/email

Paul McKinley Cygwin_Forums@ariesinternet.com
Thu Jan 2 15:48:37 GMT 2025


Hi, René, thanks so much for your help!

The command reports version 1.3, nothing else.  Would it have listed 
additional versions, possibly in different paragraphs if supported?

I use the current version of Mozilla Thunderbird for an email client, no 
issues with smtp sending there and connecting to the same email server 
so I know that side's working, but it's using the Thunderbird ssl stack, 
not openssl from cygwin.

Is TLS 1.3 not supported in cygwin email yet?

The error I get is the timeout while trying to read from SMTP server so 
it seems something's going wrong in the handshake sequence.

Greeting the SMTP server...
email: FATAL: Smtp error: Timeout(10) while trying to read from SMTP server

<snip>

---
SSL handshake has read 3669 bytes and written 455 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

On port 465 it connects but doesn't do STARTTLS.

CONNECTED(00000005)
Didn't find STARTTLS in server response, trying anyway...
100000000A000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof 
while reading:ssl/record/rec_layer_s3.c:322:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 382 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


On 12/31/2024 7:51 PM, René Berber wrote:
> On 12/31/2024 5:49 PM, Paul McKinley via Cygwin wrote:
>
>> I accidentally sent the previous reply directly to René, so included 
>> below.
>>
>> I created the registry entries and rebooted per other instructions 
>> from Google search:
>>
>> C:\Windows\System32>reg query 
>> HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols 
>> /s
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
>> 1.0
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
>> 1.0\Client
>>      Enabled    REG_DWORD    0x1
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
>> 1.0\Server
>>      Enabled    REG_DWORD    0x1
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
>> 1.1
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
>> 1.1\Client
>>      Enabled    REG_DWORD    0x1
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
>> 1.1\Server
>>      Enabled    REG_DWORD    0x1
>>
>> No joy:
> [snip]
>
> Correcting my previous message, STARTTLS is port 587.
>
> I was right, the registry change is not needed, OpenSSL takes care, 
> and supports all versions.
>
> Tested again (with Postfix as server) and email works fine over port 
> 587, doesn't over port 465.  I had previously used "email --verbose" 
> which is what causes email to behave as if I've asked for version 
> (i.e. -V kind of works, --verbose is taken as --version).
>
> The verbose option is useless, still shows a progress bar instead of 
> the actual protocol exchange.
>
> Next step for you is to check which version of TLS is supported by your 
> smtp server.  It would be interesting to see if only 1.3 is accepted 
> and it doesn't work with eMail.
>
> Using port 587:
>
> $ openssl s_client -starttls smtp -showcerts -connect 
> mail.<server>:587 -servername <...>
> CONNECTED(00000004)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R10
> verify return:1
> depth=0 CN = *.<server>
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.<server>
>    i:C = US, O = Let's Encrypt, CN = R10
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Nov 14 19:29:40 2024 GMT; NotAfter: Feb 12 19:29:39 
> 2025 GMT
> [snip]
> SSL handshake has read 3467 bytes and written 496 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> [snip]
>
> Same test over the 465 port shows that the server doesn't have it enabled:
>
> 100000000A000000:error:8000006F:system library:BIO_connect:Connection 
> refused:crypto/bio/bio_sock2.c:114:calling connect()
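
The three kinds of `openssl s_client` transcript exchanged in this thread, reduced to a one-line verdict. This is an added example and not part of either poster's message. The function names, the verdict labels and the host `mail.example.org` are assumptions. The built-in sample is constructed from the port-465 output quoted above.

```shell
#!/bin/sh
# Summarise a raw (unquoted) `openssl s_client` transcript read from stdin.
# Verdicts: "ok <protocol> <cipher>", "no-starttls", "no-handshake", "refused".
classify_s_client() {
  awk '
    /Connection refused/        { refused = 1 }
    /find STARTTLS in server/   { nostarttls = 1 }
    /^SSL handshake has read/   { got = $5 + 0 }
    /^New, / {
      split($0, f, ", "); proto = f[2]; cipher = f[3]
      sub(/^Cipher is /, "", cipher)
    }
    END {
      if (refused)                         print "refused"
      else if (proto ~ /^TLSv/ && got > 0) print "ok " proto " " cipher
      else if (nostarttls)                 print "no-starttls"
      else                                 print "no-handshake"
    }'
}

# probe HOST PORT starttls|implicit [extra s_client flags]
# e.g. probe mail.example.org 587 starttls -tls1_2   (pin one TLS version)
#      probe mail.example.org 465 implicit -tls1_3   (TLS from the first byte)
probe() {
  host=$1; port=$2; mode=$3; shift 3
  case $mode in
    starttls) set -- -starttls smtp "$@" ;;
    implicit) ;;
    *) echo "mode must be starttls or implicit" >&2; return 2 ;;
  esac
  openssl s_client -connect "$host:$port" -servername "$host" "$@" \
    </dev/null 2>&1 | classify_s_client
}

# Constructed sample modelled on the port-465 transcript in the message above.
sample_no_starttls() {
  printf '%s\n' 'CONNECTED(00000005)' \
    "Didn't find STARTTLS in server response, trying anyway..." \
    'SSL handshake has read 0 bytes and written 382 bytes' \
    'New, (NONE), Cipher is (NONE)'
}

# With three or more arguments, probe a live server; otherwise run the sample.
if [ "$#" -ge 3 ]; then probe "$@"; else sample_no_starttls | classify_s_client; fi
```

Running `probe` once with `-tls1_2` and once with `-tls1_3` against port 587 answers the open question in the thread of which protocol versions the server accepts.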

