How to set up 17.1 maileater against Google Mail or Gmail - mail.google.com

Document ID : KB000074442
Last Modified Date : 24/04/2018
Introduction:
With Service Desk Manager 17.1, Maileater can use IMAP over SSL directly. That means we should be able to connect to third-party email solutions such as Google Mail. This article shows, step by step, what needs to be done to get Maileater to work with Google Mail.

A similar approach can be used for any other IMAP-over-SSL mail solution.
Instructions:

1) Obtain the root certificate of Gmail's IMAP server first.

You can do so by opening a browser to mail.google.com and manually exporting the certificate there to a Base64-encoded certificate file.

a) Here's an example from IE after you have logged in to Gmail.com.

b) Click the padlock icon to view the certificate.

c) Go to the Certification Path tab.

d) Highlight the root certificate there (in this case it's Google Trust Services GlobalSign Root).

e) This brings up the properties for that root certificate; select its Details tab.

f) Click the Copy to File button and save the certificate as a Base64-encoded file. Then copy this file to the SDM server.

2) The text of that certificate is given below in case you want to just save it to a file and use it with SDM Maileater. (Note: you need all of the lines, from -----BEGIN CERTIFICATE----- all the way to -----END CERTIFICATE-----, including those two lines.)
NOTE: The certificate below is provided as an example. Google may change the certificate at any time, and then the example will no longer work.



 

3) Now configure your SDM mailbox along the lines shown below. (It must of course be Active; my screen print below shows Inactive because I have since deactivated that mailbox.)

 

4) When you click Save, the SDM maileater program attempts to import the certificate into SDM's keystore (NX.keystore).

5) If this is the first time the NX.keystore is being created, it will take a minute or so for SDM to install the NX_KEYSTORE option, import the certificate, and so on.

 

2018-03-19 07:03:24:886 DEBUG [main] c.c.S.maileater.Maileater - Setting NX_ROOT to: C:/PROGRA~2/CA/SERVIC~1
2018-03-19 07:03:24:964 DEBUG [main] c.c.S.m.c.PDMMailerUtil - Not using keystore C:/PROGRA~2/CA/SERVIC~1/pdmconf/nx.keystore. Probably not configured.
2018-03-19 07:03:24:995 INFO [main] c.c.S.maileater.Maileater - Startup of pdm_maileater Daemon with name 'pdm_maileater_nxd'; Catcher name: pdm_maileater Classpath: C:/PROGRA~2/CA/SERVIC~1/java/lib/pdm_mail_assembly.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/javax.mail-1.5.6.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/slump.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/domsrvr_utils.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/BOPIntegration.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/sd-utils.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/log4j-1.2.15.jar;C:/PROGRA~2/CA/SERVIC~1/site/cfg;C:/PROGRA~2/CA/SERVIC~1/java/lib/bc-fips-1.0.0.jar;C:/PROGRA~2/CA/SERVIC~1/java/resources
2018-03-19 07:03:25:042 INFO [main] c.c.S.maileater.Maileater - Maileater connected to domsrvr domsrvr
2018-03-19 07:03:25:058 DEBUG [main] c.c.S.m.NXMailEater - NX_SITE path is C:/PROGRA~2/CA/SERVIC~1/site
2018-03-19 07:03:25:136 INFO [Thread-3] c.c.S.m.c.PDMMailerUtil - Keystore file is not yet created, importing certificate should create the file.
2018-03-19 07:03:25:136 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - [pdm_perl, pdm_keystore_mgr.pl, -import, c:\gmail_root.txt]
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 36,500 days
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - [Storing C:\PROGRA~2\CA\SERVIC~1\pdmconf\nx.keystore]
2018-03-19 07:03:44:351 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - Certificate was added to keystore
2018-03-19 07:03:44:351 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - [Storing C:\PROGRA~2\CA\SERVIC~1\pdmconf\nx.keystore]
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - 
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - SUCCESS!
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - The certificate gmail_root.txt has been imported.
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - Use -list to see the contents of the keystore.
2018-03-19 07:03:47:227 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - Exit value from pdm_keystore_mgr.pl: 0
2018-03-19 07:03:47:227 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - Keystore exists at: C:/PROGRA~2/CA/SERVIC~1/pdmconf/nx.keystore. Setting properties.
 

And then it polls. If there was no issue, you should see that the mails were eaten fine.

2018-03-19 07:08:31:071 INFO [pool-4-thread-1] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400052.
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.maileater.Mailbox - [mailbox:YourRealGmailID@gmail.com:400052] (YourRealGmailID@gmail.com@imap.gmail.com/Inbox) signalled for Mail Poll...
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.maileater.Mailbox - [mailbox:YourRealGmailID@gmail.com:400052] (YourRealGmailID@gmail.com@imap.gmail.com/Inbox) polling for mail...
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.ConnectSession - [mailbox:YourRealGmailID@gmail.com:400052] Password was already decrypted
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Connection properties set
2018-03-19 07:08:32:290 INFO [pool-4-thread-2] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400001.
2018-03-19 07:08:32:399 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Connected to IMAP host
2018-03-19 07:08:32:540 INFO [ForkJoinPool-1-worker-0] c.c.S.m.ConnectSession - [mailbox:YourRealGmailID@gmail.com:400052] Received messages count : 7


NOTE: While it was not seen in our testing, it's possible that a Service Desk restart is needed here if the NX.keystore is not being read properly.
 

Additional Information:

If you get an error like this, it is most likely because Google blocked your IMAP connection, treating it as coming from a non-secure app:

2018-03-19 07:06:09:118 ERROR [ForkJoinPool-1-worker-1] c.c.S.m.c.JavaMailIMAPClient - Failed to make connection with STARTTLS to server imap.gmail.com, port 993, trying SSL connection
2018-03-19 07:06:10:665 ERROR [ForkJoinPool-1-worker-1] c.c.S.m.c.JavaMailIMAPClient - Failed to connect to the Store.
javax.mail.AuthenticationFailedException: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:725)
at javax.mail.Service.connect(Service.java:366)
at javax.mail.Service.connect(Service.java:246)
at com.ca.ServicePlus.mail.connection.JavaMailIMAPClient.connectToStore(JavaMailIMAPClient.java:133)
at com.ca.ServicePlus.mail.connection.JavaMailIMAPClient.connectToStore(JavaMailIMAPClient.java:144)
at com.ca.ServicePlus.mail.connection.JavaMailIMAPClient.initializeClient(JavaMailIMAPClient.java:121)
at com.ca.ServicePlus.maileater.ConnectSession.Hunny_Connect(ConnectSession.java:260)
at com.ca.ServicePlus.maileater.ConnectSession.Connect(ConnectSession.java:156)
at com.ca.ServicePlus.maileater.ConnectSession.check_mail(ConnectSession.java:178)
at com.ca.ServicePlus.maileater.IMAP4EmailClient.check_mail(IMAP4EmailClient.java:138)
at com.ca.ServicePlus.maileater.Mailbox.lambda$new$1(Mailbox.java:821)
at java.util.concurrent.ForkJoinTask$AdaptedCallable.exec(Unknown Source)
at java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(Unknown Source)
at java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
at java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)

 

You may even get an email from Google about it:

Monday, March 19, 2018 7:01 AM (PT)
Santa Clara, CA, USA*

Don't recognize this activity?
If you didn't recently receive an error while trying to access a Google service, like Gmail, from a non-Google application, someone may have your password.

SECURE YOUR ACCOUNT

Are you the one who tried signing in? 
Google will continue to block sign-in attempts from the app you're using because it has known security problems or is out of date. You can continue to use this app by allowing access to less secure apps, but this may leave your account vulnerable.

The Google Accounts team

*The location is approximate and determined by the IP address it was coming from.
This email can't receive replies. For more information, visit the Google Accounts Help Center. You received this mandatory email service announcement to update you about important changes to your Google product or account. © 2018 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Some apps and devices use less secure sign-in technology, which could leave your account vulnerable. You can turn off access for these apps (which we recommend) or choose to use them despite the risks.

 

 

To resolve this, you may need to change the security settings in Google to allow the SDM connection. Note that this is the setting Google's notice above says may leave the account vulnerable.

1) Go to the "My Account" settings of the Gmail account

2) Select Sign-in & Security

3) Click on Apps with account access

4) Turn ON the option "Allow less secure apps"

5) Retest your maileater

 




Another way to test is to use OpenSSL directly against the IMAP/POP ports in question. This lets you test a basic connection and see the certificate chain that the port is using:

Example:

a)   openssl s_client -starttls pop3 -connect Outlook.com:110 -showcerts

(You may see an error like the following, because we have not yet provided a certificate for the above test: Verify return code: 21 (unable to verify the first certificate))

Note: for IMAP, it would be:     openssl s_client -starttls imap -connect Outlook.com:143 -showcerts

b) You should now see some output showing the certificate chain that the server knows about. In this case it's just the certificate authority that issued the server certificate.

---

Certificate chain

0 s:/CN=casupport.local

   i:/DC=local/DC=casupport/CN=casupport- DC1-CA

 


c) You can save the text of the server certificate shown in the output to a file:
 

-----BEGIN CERTIFICATE-----

..

..blahblah Real Cert...

..

-----END CERTIFICATE-----

d) You can now open this certificate and check the certificate chain. All we need is the root CA certificate, so follow the steps in the Instructions section to export the root certificate. The resulting file is what we need in SDM.
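
The following Python example is added here and is not part of the original article or of SDM's tooling. It parses `openssl s_client -showcerts` output like that in step b), reports which issuer certificate still has to be obtained when the server did not send a self-signed root, and checks an exported root file against a SHA-256 fingerprint obtained independently before the file is given to SDM. The function names are hypothetical, and the sample output, subject names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

def parse_showcerts(text):
    """Return one {'subject', 'issuer', 'der'} dict per certificate in the chain."""
    chain, entry, pem = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"\d+\s+s:(.+)", line)
        if start:                                   # " 0 s:/CN=..." opens an entry
            entry = {"subject": start.group(1).strip(), "issuer": None, "der": None}
            chain.append(entry)
        elif line.startswith("i:") and entry and entry["issuer"] is None:
            entry["issuer"] = line[2:].strip()
        elif line == "-----BEGIN CERTIFICATE-----":
            pem = []
        elif line == "-----END CERTIFICATE-----" and pem is not None:
            if entry and entry["der"] is None:      # ignore the repeated leaf PEM
                entry["der"] = base64.b64decode("".join(pem))
            pem = None
        elif pem is not None:
            pem.append(line)                        # base64 body line
    return chain

def sha256_fingerprint(der):
    """SHA-256 of the DER bytes in the AA:BB:... form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def root_to_obtain(chain):
    """Issuer still needed when the last certificate sent is not self-signed."""
    last = chain[-1] if chain else None
    return last["issuer"] if last and last["subject"] != last["issuer"] else None

def file_matches(pem_text, expected_fp):
    """True only if the file holds exactly one certificate with that fingerprint."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if len(blocks) != 1:
        return False
    der = base64.b64decode("".join(blocks[0].split()))
    return sha256_fingerprint(der) == expected_fp.strip().upper()

# Constructed sample: placeholder bytes stand in for a real DER certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")
SAMPLE = ("---\nCertificate chain\n 0 s:/CN=mail.example.test\n"
          "   i:/CN=Example Test Issuing CA\n" + FAKE_PEM + "---\n")
```

For the constructed sample, `root_to_obtain(parse_showcerts(SAMPLE))` returns the issuer name, which is the case the article describes in step d): the server sent only its own certificate, so the root has to be exported separately.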