03-18-2013 01:06 PM - last edited on 03-18-2013 07:02 PM by maikoro
Running the latest version of the firmware (20121220 48.272.0) but clearly the implementation of "SSL Support for SMTP" isn't adequate for today's world. I am posting in hopes for others to save themselves time and grief while getting this to work specifically with Google Apps (or GMail).
To recap, tried to interface the printer with Google Apps using SSL. As per Google, you have two options - one is to use SSL authentication which permits you to authenticate to their services and scan-to-email to any valid email address or to use regular SMTP and only send to other Google Apps or GMail address. The non-SSL works fine, you just point to aspmx.l.google.com on port 25 and you are done.
The SSL option is what causes a lot of grief as the hp mfp throws errors of either Unknown CA or Unknown Certificate as per Wireshark.
The setup is relatively easy in theory, point to smtp.gmail.com, checkmark "Enable SSL Support for SMTP" and either use port 465 (SSL) or 587 (STARTTLS).
Port 465 doesn't work at all. I don't think the mfp knows that it has to establish an SSL connection on port 465 and it just keeps sending packets to the remote host without success. So scratch getting port 465 to work at all.
Port 587 was more promising. The "Test" button works in the web console since the remote host responds in plain text and switches to TLS when STARTTLS is issued... and this is when all the trouble begins.
Looking at Wireshark, the devices successfully connects and sends the STARTTLS, sends a Client Hello, the remote responds in turn with a Server Hello and it sends its certificates. For smtp.gmail.com it sends two certificates - one for smtp.gmail.com which is issued by Google Internet Authority, and then it also sends the certificate for Google Internet Authority which is signed by Equifax Secure Certificate Authority.
This is when the mfp device throws the first error - Alert: (Level: Fatal, Description: Unknown CA). This is a farily common error in most email setups which basically means the device is not aware of the Equifax Certificate... No problem, the mfp has a Certificate Management option. I've uploaded the equifax certificate and tried again! This time the device exchanges certificates but throws a fatal Unknown Certificate error which is pretty generic. I've tried extracting (using openssl) the smtp.gmail.com certificate and importing it into the device to no avail, then I tried to extract and import the Google Internet Authority certificate and again to no avail... I've had all /three/ certificates on the device which is the entire chain of certificates but clearly the mfp chokes on something else in this setup and I've had to chose the lesser frustrating route and just use the non-SSL SMTP delivery for now.
If anybody from HP is reading, it would be nice if you guys could open a problem ticket for this because it seems like all the functionality is there but clearly a bug/feature prevents this from working. It would also be nice if an option existed in the device to ignore certificate errors because what we really want is simple a secure tunnel vs verifying the chain of certificates when sending emails in 99.99% of the cases. I am certain this would resolve this issue and help many scenarios.
If needed, I can provide the wireshark captures for this.
P.S. this thread has been moved from LaserJets to Multifunction and All-in-One - Hp Forums moderator
03-18-2013 01:27 PM
You are not alone:
HP is not required to respond to anything posted here as this is a user to user forum. Open an incident with HP directly for a more speedy and official response.
03-18-2013 08:25 PM
>I've tried extracting (using openssl) the smtp.gmail.com certificate and importing it into the device to no avail, then I tried to extract and import the Google Internet Authority certificate and again to no avail... I've had all /three/ certificates on the device which is the entire chain of certificates
Could you please zip up and attach these three certificates and I'll check to see if "openssl verify" likes them.
03-27-2014 08:38 PM
Figured I'd post a quick update... HP has fixed the issues with SSL email, specifically GMail. I've updated to the latest version as of today, 20140127 48.301.7, and it works as intended. Kudos to HP for fixing the bug.
To make it work, enter smtp.gmail.com as the Device's SMTP Gateway, checkmark Enable SSL Support for SMTP, use 587 for the Port, checkmark Enable SMTP Authentication and either use the Public Credentials to hardcode one username and password or Use Device User Credentials.
Note that Google Apps, paid version, also permits you now to relay email without using TLS/SSL - https://support.google.com/a/answer/2956491?hl=en
This is a decent workaround for devices which only speak SMTP but it does require a paid subscription to Google Apps.
07-15-2014 05:41 AM
I still cannot make this work following these directions. If anyone else has had any luck getting Gmail to work with an M4345, I would really like to hear how. I know there are two screens where you input email settings. I think the same information gets input in both.
2 weeks ago
Indeed something seems to be broken as the test passes in the web interface but when you click on the Email button on the control panel the printer attempts to do a PTR dns lookup of the gmail server that it connected to last, here is packet trace
6390 472.918815000 220.127.116.11 18.104.22.168 DNS 87 Standard query 0x6eea PTR 22.214.171.124.in-addr.arpa
6391 472.955850000 126.96.36.199 188.8.131.52 DNS 147 Standard query response 0x6eea No such name
I've replace the printer ip (184.108.40.206) and even tried to use the google dns servers (220.127.116.11) to no avail. If you do a test gateway from the control panel or the web interface the printer properly does a lookup of smtp.gmail.com or if using the IP, it connects properly. As soon as you hit the Email button on the control panel it attempts to lookup the PTR record of the last ip from the test and when it fails, since it doesn't exists, it removes the email button.
Tried with the latest version as well to no avail. I am downgrading to a different version to check if that perhaps solves it.
As an aside, hp really ought to add some debugging codes to the panel --- It simply states that it can't find the gateway but yet the web console and the test smtp gateway from the initial setup menu on the panel works. I tire of having to mirror the port to a desktop to get any kind of clues from the device.
2 weeks ago - last edited 2 weeks ago
I've got it working by using the reverse lookup address of the IPs returned by smtp.gmail.com. This is using the latest firmware 48.306.1 and it also worked with earlier releases as I was testing a few things. All in all, I don't recommend using these printers with the smtp.gmail.com servers as there are too many things which can do wrong and hp doesn't seem to be keen on getting it properly implemented.
I've switched the printers to using mandrillapp.com as we use them internally but they also have a free account that permits you to send 12,000 messages per month for free. It also gives you more visibility to your email as you can actually see if it hits their server and what happens to the mail after they receive it.
You could also use sendgrid.net which offers 200 messages per month for free... Setup is pretty straightforward with either of them but I've actually tested mandrillapp.com so I can attest that it works perfectly.
For mandrillapp.com, enter smtp.mandrillapp.com as the Device SMTP Gateway, deselect Enable SSL Support for SMTP if checked, use 587 for the Port, select Enable SMTP Authentication, type in your credentials and Apply.
Only caveat is that Google Mail classifies most of the emails from mail relays as "Updates" in your inbox. So if you are using Google Mail with their new Inbox, check Updates for your digital documents.
2 weeks ago - last edited 2 weeks ago
There is only one screen where you input these settings from the web interface,
Digital Sending > E-mail Settings
The configuration for E-Mail Server under Settings is for alerts and/or autosend. If you use mandrillapp.com then you ought to be able to also use these panels to configure to receive alerts and/or the autosend functionality. It won't work however with Google unless you are using Google For Work as a paid subscriber to bypass the SSL/TLS requirements for email.