
Setup maileater against Google Mail or Gmail - mail.google.com


Article ID: 74442


Products

CA Service Management - Service Desk Manager CA Service Desk Manager

Issue/Introduction

With Service Desk Manager we are able to use IMAP over SSL directly. That means that we should be able to connect to third-party email solutions such as Google Mail. This article shows a step-by-step approach to what needs to be done to get our Maileater to work with Google Mail.

A similar approach could be used for any other IMAP over SSL mail solution.

Environment

Release: SDMU0M99000-17.x -Service Desk Manager-Full License
Component:

Resolution

1) Obtain the Root CA certificate of Gmail's IMAP server first.

You can do so by opening a browser to mail.google.com and manually exporting the certificate there to a Base64-encoded certificate file.

a) Here's an example from IE after you have logged into Gmail.com

b) click the padlock icon to view the certificate

c) Go to the Certification Path tab

d) Highlight the root certificate there (in this case it's Google Trust Services GlobalSign Root)

e) This opens the properties for that root CA certificate; select the Details tab there.

f) Click Copy to File button and save it as a Base64 encoded file.  Copy this file to the SDM Server now.


2) The Base64 text of that certificate is shown below in case you want to just save it to a file and use it with the SDM Maileater. (Note: you need all the lines in the block below, from -----BEGIN CERTIFICATE----- all the way to -----END CERTIFICATE-----, including those two lines.)

NOTE: The certificate below is provided as an example, it's possible that Google may change the certificate at any time, and then the example will no longer work.


A more reliable approach to obtaining the Root CA certificate is to use OpenSSL. OpenSSL is advised because a single command connects to the Gmail server used for IMAP and shows the certificate chain it presents, so you can identify the Root CA certificate that is currently in use, which Google may change over time.

Download OpenSSL from the following location:

https://sourceforge.net/projects/openssl/

You may download and run OpenSSL on any computer that has an internet connection. This utility does not need to be placed on the same server where Service Desk is installed.

Extract the "openssl-1.0.2j-fips-x86_64.zip" file and then locate/run the following command in an Administrative Command prompt:

openssl s_client -connect imap.gmail.com:993 -showcerts -debug

openssl.exe is located in the "openssl-1.0.2j-fips-x86_64\OpenSSL\bin" directory (under the location where you unzipped "openssl-1.0.2j-fips-x86_64.zip").

Look for a text line that reads "Root CA". This will most likely be "GlobalSign Root CA".

This line will be where you can locate the root certificate which you can then copy into a cer file.

Copy all of the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Make sure to include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" header/footer lines and a single carriage return at the end of the file. You will be writing/saving the "cer" file in Notepad, e.g. "gmail_root.cer".

The certificate file that is attached to this tech doc is NOT the same as the content being pulled from openssl, but can be viewed as an example of the content format that should be followed when creating the given cer file.

The reason that this approach is recommended is that Google may change their certificate requirements at will and the above will provide a snapshot into their latest certificate file usage.

Once you have located and written the text of the certificate file to Notepad or another text editor, save the file. In this case, we will use the file "gmail_root.txt" and save it to the C:\ drive.
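The selection step above can be scripted instead of done by eye. The following is an added example, not part of this article or of the SDM product: it parses the chain section of `openssl s_client -showcerts` output, picks the self-issued certificate (subject equal to issuer, which is what makes a certificate a root, whether or not its name contains "Root CA"), reports which root to fetch when the server did not send it, and produces the single-certificate file content with one trailing newline. The sample output, its DNs and its base64 bodies are constructed placeholders, not Google's real chain.

```python
import re

# Constructed sample of `openssl s_client -connect imap.gmail.com:993 -showcerts`
# output. The DNs and base64 bodies are placeholders, not Google's real chain.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/CN=imap.gmail.com
   i:/C=US/O=Example Trust Services/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTIFICATEPLACEHOLDER==
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Trust Services/CN=Example Issuing CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTIFICATEPLACEHOLDER=
-----END CERTIFICATE-----
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
ROOTCERTIFICATEPLACEHOLDER=
-----END CERTIFICATE-----
"""

# One chain entry as s_client prints it: " N s:<subject>", "   i:<issuer>", then
# the PEM block. Accepts both the "/C=US/O=..." and "C = US, O = ..." DN styles.
CHAIN_ENTRY = re.compile(
    r"^ *\d+ s:(?P<subject>[^\n]*)\n *i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

def parse_chain(s_client_output):
    """Return the presented chain, leaf first, as dicts of subject/issuer/pem."""
    text = s_client_output.replace("\r\n", "\n")
    return [m.groupdict() for m in CHAIN_ENTRY.finditer(text)]

def find_root(chain):
    """A root CA is self-issued (subject == issuer); the 'Root CA' substring the
    article looks for is only a naming convention. None if no root was sent."""
    for entry in chain:
        if entry["subject"].strip() == entry["issuer"].strip():
            return entry
    return None

def root_to_obtain(chain):
    """When no root was sent, the last certificate's issuer names the root to fetch."""
    return chain[-1]["issuer"].strip() if chain else None

def cer_text(entry):
    """Exactly one PEM block, header and footer included, one trailing newline."""
    return entry["pem"] + "\n"
```

Write the string returned by cer_text() to the .cer/.txt file the mailbox will point at; a file holding more than one BEGIN/END block is what the keystore section later in this article warns against.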

3) Now configure your SDM mailbox similarly to the screenshot below (of course it has to be Active; the screenshot below shows Inactive because the mailbox had been deactivated).


4) When you click Save, the SDM maileater program attempts to import the certificate into SDM's keystore (NX.keystore).


5) If this is the first time the NX.keystore is being created, it will take a minute or so for SDM to install the NX_KEYSTORE option, import the certificate, and so on:

 

2018-03-19 07:03:24:886 DEBUG [main] c.c.S.maileater.Maileater - Setting NX_ROOT to: C:/PROGRA~2/CA/SERVIC~1
2018-03-19 07:03:24:964 DEBUG [main] c.c.S.m.c.PDMMailerUtil - Not using keystore C:/PROGRA~2/CA/SERVIC~1/pdmconf/nx.keystore. Probably not configured.
2018-03-19 07:03:24:995 INFO [main] c.c.S.maileater.Maileater - Startup of pdm_maileater Daemon with name 'pdm_maileater_nxd'; Catcher name: pdm_maileater Classpath: C:/PROGRA~2/CA/SERVIC~1/java/lib/pdm_mail_assembly.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/javax.mail-1.5.6.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/slump.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/domsrvr_utils.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/BOPIntegration.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/sd-utils.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/log4j-1.2.15.jar;C:/PROGRA~2/CA/SERVIC~1/site/cfg;C:/PROGRA~2/CA/SERVIC~1/java/lib/bc-fips-1.0.0.jar;C:/PROGRA~2/CA/SERVIC~1/java/resources
2018-03-19 07:03:25:042 INFO [main] c.c.S.maileater.Maileater - Maileater connected to domsrvr domsrvr
2018-03-19 07:03:25:058 DEBUG [main] c.c.S.m.NXMailEater - NX_SITE path is C:/PROGRA~2/CA/SERVIC~1/site
2018-03-19 07:03:25:136 INFO [Thread-3] c.c.S.m.c.PDMMailerUtil - Keystore file is not yet created, importing certificate should create the file.
2018-03-19 07:03:25:136 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - [pdm_perl, pdm_keystore_mgr.pl, -import, c:\gmail_root.txt]
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 36,500 days
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - [Storing C:\PROGRA~2\CA\SERVIC~1\pdmconf\nx.keystore]
2018-03-19 07:03:44:351 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - Certificate was added to keystore
2018-03-19 07:03:44:351 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - [Storing C:\PROGRA~2\CA\SERVIC~1\pdmconf\nx.keystore]
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - 
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - SUCCESS!
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - The certificate gmail_root.txt has been imported.
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - Use -list to see the contents of the keystore.
2018-03-19 07:03:47:227 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - Exit value from pdm_keystore_mgr.pl: 0
2018-03-19 07:03:47:227 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - Keystore exists at: C:/PROGRA~2/CA/SERVIC~1/pdmconf/nx.keystore. Setting properties.

 

After that it polls the mailbox. If there was no issue, you should see that the mails were eaten fine:

2018-03-19 07:08:31:071 INFO [pool-4-thread-1] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400052.
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.maileater.Mailbox - [mailbox:[email protected]gmail.com:400052] ([email protected]gmail.com@imap.gmail.com/Inbox) signalled for Mail Poll...
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.maileater.Mailbox - [mailbox:[email protected]gmail.com:400052] ([email protected]gmail.com@imap.gmail.com/Inbox) polling for mail...
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.ConnectSession - [mailbox:[email protected]gmail.com:400052] Password was already decrypted
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Connection properties set
2018-03-19 07:08:32:290 INFO [pool-4-thread-2] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400001.
2018-03-19 07:08:32:399 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Connected to IMAP host
2018-03-19 07:08:32:540 INFO [ForkJoinPool-1-worker-0] c.c.S.m.ConnectSession - [mailbox:[email protected]gmail.com:400052] Received messages count : 7


NOTE: While it was not seen in our testing, it's possible that a Service Desk restart is needed here if the NX.keystore is not being read properly.

Alternatively, instead of recycling SDM, you may also try bouncing maileater and mail processes by running:

pdm_bounce maileater_nxd
pdm_bounce mail_nxd

Additional Information

It is not unheard of for Google or GMail to block the IMAP connection being made by Maileater as it may perceive the connection to be insecure.

Example of logging in the maileater_nxd.log file describing this:

2018-03-19 07:06:09:118 ERROR [ForkJoinPool-1-worker-1] c.c.S.m.c.JavaMailIMAPClient - Failed to make connection with STARTTLS to server imap.gmail.com, port 993, trying SSL connection

2018-03-19 07:06:10:665 ERROR [ForkJoinPool-1-worker-1] c.c.S.m.c.JavaMailIMAPClient - Failed to connect to the Store.
javax.mail.AuthenticationFailedException: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)

You may even get an email from Google about it, such as the following screen capture:

Monday, January 1, 201X 00:00 AM (PT) 
Santa Clara, CA, USA*Don't recognize this activity? 
If you didn't recently receive an error while trying to access a Google service, like Gmail, from a non-Google application, someone may have your password.

SECURE YOUR ACCOUNT

Are you the one who tried signing in? 
Google will continue to block sign-in attempts from the app you're using because it has known security problems or is out of date. You can continue to use this app by allowing access to less secure apps, but this may leave your account vulnerable.

The Google Accounts team *The location is approximate and determined by the IP address it was coming from. 
This email can't receive replies. For more information, visit the Google Accounts Help Center. You received this mandatory email service announcement to update you about important changes to your Google product or account. © 2018 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Some apps and devices use less secure sign-in technology, which could leave your account vulnerable. You can turn off access for these apps (which we recommend) or choose to use them despite the risks.

 

To resolve this, you may need to change your security in Google to allow the SDM connection:

1) Open the "My Account" settings of the Gmail account

2) Select Sign-in & Security



3) Click on Apps with account access

4) Turn ON the option "Allow less secure apps"



5) Retest your maileater

If you enable "Less Secure Apps", you should get a Gmail message that states: 




Another way to test is to connect directly with OpenSSL to the IMAP/POP port in question. This verifies a basic connection and shows the certificate chain that the port is presenting. The usage of OpenSSL is described earlier in this document.

 

Checking and Updating the Keystore 

The root CA certificate file attached to this tech doc previously worked for the POP and IMAP protocols as well as for outgoing mail notifications with Gmail. However, that certificate was issued by GlobalSign, while Google has since moved to using DigiCert. Make sure that the file you import in the steps above is a Root CA certificate. A way to confirm that you are importing a root certificate is to use the keytool.exe command (supplied with all JRE implementations):

An example command you can run:

"C:\Program Files (x86)\Java\jre1.8.0_261\bin\keytool.exe" -printcert -v -file test-new.cer

The "test-new.cer" file is a text-based file that contains a certificate block. Running keytool on the certificate will result in text similar to the output below. For a root CA certificate the Owner and Issuer lines are identical (the certificate is self-issued); the output shown here has a different Issuer, so it is an intermediate CA certificate rather than the root:

Owner: CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

We do not recommend placing multiple certificate entries in the same certificate file, including appending the certificate content into an existing certificate file.

To verify that the certificate is present:

  • Go to a command prompt on a running SDM Server where you copied the certificate file.

  • Run "nxcd bin" to access the SDM install directory's bin directory.

  • Run the command "pdm_perl pdm_keystore_mgr.pl -list -v"

You should see a result such as:

Alias name: gmail.cer
Creation date: May 13, 2021
Entry type: trustedCertEntry

Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Serial number: 40000000001154b5ac394
Valid from: Tue Sep 01 08:00:00 EDT 1998 until: Fri Jan 28 07:00:00 EST 2028
Certificate fingerprints:
         SHA1: B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
         SHA256: EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

If the above certificate is not present in the nx.keystore, or there was a problem with the certificate import attempt (which SDM normally performs automatically during the steps above), you may also try importing the certificate file manually into the nx.keystore by doing the following in an Admin Command Prompt on the SDM Server:

1.  Run "nxcd bin" to access the SDM install directory's bin directory.

2.  Run "pdm_perl pdm_keystore_mgr.pl -list -v"
This will list all certificates in the keystore; write down the existing email certificate ALIAS NAME exactly as displayed

3.  Run "pdm_perl pdm_keystore_mgr.pl -delete [enter alias name here no brackets]"

4.  Run "pdm_perl pdm_keystore_mgr.pl -import "[path and location of newly updated .cer file]"

Example:  pdm_perl pdm_keystore_mgr.pl -import C:\certs\gmail_root.cer

5.  Restart pdm_maileater_nxd and pdm_mail_nxd.

If manually adding the root CA certificate to the above nx.keystore is unsuccessful, follow this tech article which can be used to completely rebuild the nx.keystore from scratch:

https://knowledge.broadcom.com/external/article?articleId=103456
