# Ssmtp cannot send email using Gmail and ECDHE_RSA_AES_256_GC

## AstroFloyd

Since the beginning of June, I have not been able to send email using smtp.gmail.com:587.  After a lot of digging, I found that in my mail.log, a successful entry looks like

```
Jun  5 21:02:26 think sSMTP[32336]: Creating SSL connection to host
Jun  5 21:02:26 think sSMTP[32336]: SSL connection using ECDHE_RSA_CHACHA20_POLY1305
Jun  5 21:02:28 think sSMTP[32336]: Sent mail for root@think (221 2.0.0 closing connection b25sm5759833ede.34 - gsmtp) uid=1000 username=af outbytes=1129
```

while a failure looks like

```
Jun  5 21:17:26 think sSMTP[8165]: Creating SSL connection to host
Jun  5 21:17:27 think sSMTP[8165]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
Jun  5 21:17:27 think sSMTP[8165]:  (think)
```

The thing that strikes me most here is the encryption: it always used to be ECDHE_RSA_CHACHA20_POLY1305 and then changed to ECDHE_RSA_AES_256_GCM_SHA384.  Strangely, this did not happen overnight, and after the first occurrence of SHA384 (resulting in a failure), sometimes emails were still successfully sent using POLY1305 (for about 17 hours).  As far as I can see, all emails using SHA failed (entry ending in " (think)" (the name of my host)), while all emails using POLY were sent successfully (ending with "Sent mail for ...").

My emerge.log does not show any merged packages during those days, nor does last reboot show any reboots.  An Arch Linux box I'm running is still working fine with the GMail account, and has recently changed from ECDHE-RSA-CHACHA20-POLY1305 (identical to Gentoo) to TLS_AES_256_GCM_SHA384 (similar, but not identical).  There, I had to add a line like TLS_CA_File="/usr/share/ncat/ca-bundle.crt".  Doing something similar on my Gentoo box doesn't help, partly because I don't seem to have a decent ca-bundle.crt (there is one from kdelibs4support, but it looks quite different), but even when I copy the file from the Arch machine, I get "Unable to set TLS_CA_File=/etc/ssl/certs/ca-certificates.crt".

My /etc/ssmtp/ssmtp.conf looks like

```
AuthUser=myAddress@gmail.com
AuthPass=myPassword
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
```

When trying to send an email from the command line, I get

```
$ echo "testX" | ssmtp -v some@email.adr
[<-] 220 smtp.gmail.com ESMTP o18sm20775012edq.18 - gsmtp
[->] EHLO think
[<-] 250 SMTPUTF8
[->] STARTTLS
[<-] 220 2.0.0 Ready to start TLS
[->] EHLO think
[<-]
ssmtp:  (think)
```

I'm using a stable mail-mta/ssmtp-2.64-r3 with USE flags: gnutls ipv6 mta ssl -libressl

Allow less secure apps is ON for this GMail account.

Does anyone know what the problem is?

EDIT: interestingly enough, in my Arch box, I had to set TLS_CA_File=/etc/ssl/certs/ca-certificates.crt in ssmtp.conf to get ssmtp working again, but in the Gentoo version TLS_CA_File is not recognised and is missing from the man page, even though both are v2.64.

EDIT: ah, Arch uses Fedora patches...

----------

## AstroFloyd

For posterity, out of my two options, using ssmtp with Fedora patches or using postfix, I ended up choosing the latter, which solved my problem.

----------
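The cipher-versus-outcome correlation described in the first post can be checked mechanically over mail.log instead of by eye. The following is an added example, not part of the original thread or of ssmtp; the sample lines are constructed in the log format quoted above, and treating every non-handshake line other than "Sent mail for" as a failure is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the thread's mail.log format; PID 8165 is reused.
SAMPLE_LOG = """\
Jun  5 21:02:26 think sSMTP[32336]: Creating SSL connection to host
Jun  5 21:02:26 think sSMTP[32336]: SSL connection using ECDHE_RSA_CHACHA20_POLY1305
Jun  5 21:02:28 think sSMTP[32336]: Sent mail for root@think (221 2.0.0 closing connection - gsmtp) uid=1000 username=af outbytes=1129
Jun  5 21:17:26 think sSMTP[8165]: Creating SSL connection to host
Jun  5 21:17:27 think sSMTP[8165]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
Jun  5 21:17:27 think sSMTP[8165]:  (think)
Jun  6 09:40:01 think sSMTP[8165]: Creating SSL connection to host
Jun  6 09:40:01 think sSMTP[8165]: SSL connection using ECDHE_RSA_CHACHA20_POLY1305
Jun  6 09:40:03 think sSMTP[8165]: Sent mail for root@think (221 2.0.0 closing connection - gsmtp) uid=1000 username=af outbytes=900
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssSMTP\[(\d+)\]:\s(.*)$")
START = "Creating SSL connection to host"
CIPHER = "SSL connection using "

def sessions(log_text):
    """Group sSMTP lines into per-connection sessions keyed by PID."""
    open_by_pid, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sSMTP syslog line
        stamp, pid, msg = m.group(1), m.group(2), m.group(3).strip()
        if msg == START:
            if pid in open_by_pid:  # PID reused before the old session ended
                done.append(open_by_pid.pop(pid))
            open_by_pid[pid] = {"start": stamp, "cipher": None, "outcome": "unknown"}
        elif pid in open_by_pid:
            s = open_by_pid[pid]
            if msg.startswith(CIPHER):
                s["cipher"] = msg[len(CIPHER):]
                continue
            # Assumption: any other line ends the session; only "Sent mail for" is success.
            s["outcome"] = "sent" if msg.startswith("Sent mail for") else "failed"
            done.append(open_by_pid.pop(pid))
    return done + list(open_by_pid.values())

def tally(log_text):
    """Count sessions per (cipher, outcome) pair."""
    return Counter((s["cipher"], s["outcome"]) for s in sessions(log_text))

if __name__ == "__main__":
    for (cipher, outcome), n in sorted(tally(SAMPLE_LOG).items(), key=str):
        print(f"{str(cipher):<34} {outcome:<7} {n}")
```

A table in which one cipher suite only ever appears with `failed` points at the TLS library or certificate handling on the client rather than at the account settings.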

