Unable to Send Emails after Password Change

[Paul Bierton]

We've had to change the password on the SMTP mailbox (Gmail) that we are using to send out Service Manager email.

Im using an application specific password due to it being a 'Less Secure Application' in Googles eyes.

When you initially test the account with the ASP, it sends the email is is received via the tested emails account. Press Save to accept the changed credentials, then Retest and we get the following error.

Unable to send test message to the specified recipient
ChilkatLog:
  SendEmail:
    DllDate: Feb  9 2021
    ChilkatVersion: 9.5.0.86
    UnlockPrefix: HRNBLL.CBX102021
    Architecture: Little Endian; 64-bit
    Language: Visual C++ 2019 / x64
    VerboseLogging: 0
    Component successfully unlocked using purchased unlock code.
    sendEmailInner:
      renderToMime_pt1:
        createEmailForSending:
          Auto-generating Message-ID
        --createEmailForSending
      --renderToMime_pt1
      sendMimeInner:
        ensureSmtpSession:
          ensureSmtpConnection:
            smtpParams:
              SmtpHost: smtp.gmail.com
              SmtpPort: 587
              SmtpUsername: <REDACTED>
              SmtpSsl: 0
              StartTLS: 1
            --smtpParams
            smtpConnect:
              smtpHostname: smtp.gmail.com
              smtpPort: 587
              connectionIsReady:
                Using existing/open SMTP connection to send email.
              --connectionIsReady
              Reconnecting because the connection has been idle for too long.
              smtpSocketConnect:
                socketOptions:
                  SO_SNDBUF: 262144
                  SO_RCVBUF: 4194304
                  TCP_NODELAY: 1
                  SO_KEEPALIVE: 1
                --socketOptions
              --smtpSocketConnect
              smtpGreeting:
                readSmtpResponse:
                  SmtpCmdResp: 220 smtp.gmail.com ESMTP f13-20020adff8cd000000b001f03439743fsm1047731wrq.75 - gsmtp
                --readSmtpResponse
              --smtpGreeting
              startTLS:
                sendCmdToSmtp:
                  SmtpCmdSent: EHLO live.hornbill.com<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 250-smtp.gmail.com at your service, [87.117.243.10]
                  SmtpCmdResp: 250-SIZE 35882577
                  SmtpCmdResp: 250-8BITMIME
                  SmtpCmdResp: 250-STARTTLS
                  SmtpCmdResp: 250-ENHANCEDSTATUSCODES
                  SmtpCmdResp: 250-PIPELINING
                  SmtpCmdResp: 250-CHUNKING
                  SmtpCmdResp: 250 SMTPUTF8
                --readSmtpResponse
                sendCmdToSmtp:
                  SmtpCmdSent: STARTTLS<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 220 2.0.0 Ready to start TLS
                --readSmtpResponse
                TLS connection established.
              --startTLS
              ehloCommand:
                sendCmdToSmtp:
                  SmtpCmdSent: EHLO live.hornbill.com<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 250-smtp.gmail.com at your service, [87.117.243.10]
                  SmtpCmdResp: 250-SIZE 35882577
                  SmtpCmdResp: 250-8BITMIME
                  SmtpCmdResp: 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
                  SmtpCmdResp: 250-ENHANCEDSTATUSCODES
                  SmtpCmdResp: 250-PIPELINING
                  SmtpCmdResp: 250-CHUNKING
                  SmtpCmdResp: 250 SMTPUTF8
                --readSmtpResponse
              --ehloCommand
            --smtpConnect
          --ensureSmtpConnection
          ensureSmtpAuthenticated:
            smtpAuthenticate:
              No SMTP password or OAuth2 access token provided.
              Skipping SMTP authentication because no login/password provided.
              smtp_host: smtp.gmail.com
              smtp_port: 587
              smtp_user: <REDACTED>
              auth-method: NONE
              smtpAuthMethod: NONE
              smtpAuthenticate:
                login_method: NONE or already authenticated
              --smtpAuthenticate
              ConnectionType: SSL/TLS
            --smtpAuthenticate
          --ensureSmtpAuthenticated
        --ensureSmtpSession
        sendSmtpEmail:
          sendWithPipelining:
            sendMailFrom:
              mailFrom: do-not-reply@live.hornbill.com
              sendCmdToSmtp:
                SmtpCmdSent: MAIL FROM:<do-not-reply@live.hornbill.com><CRLF>
              --sendCmdToSmtp
            --sendMailFrom
            sendRcptTo:
              sendCmdToSmtp:
                SmtpCmdSent: RCPT TO:<REDACTED><CRLF>
              --sendCmdToSmtp
            --sendRcptTo
            sendCmdToSmtp:
              SmtpCmdSent: DATA<CRLF>
            --sendCmdToSmtp
            readSmtpResponse:
              SmtpCmdResp: 530-5.7.0 Authentication Required. Learn more at
              SmtpCmdResp: 530 5.7.0  https://support.google.com/mail/?p=WantAuthError f13-20020adff8cd000000b001f03439743fsm1047731wrq.75 - gsmtp
            --readSmtpResponse
            readRcptTo:
              readSmtpResponse:
                SmtpCmdResp: 530-5.7.0 Authentication Required. Learn more at
                SmtpCmdResp: 530 5.7.0  https://support.google.com/mail/?p=WantAuthError f13-20020adff8cd000000b001f03439743fsm1047731wrq.75 - gsmtp
              --readSmtpResponse
              bad_address: <REDACTED>
            --readRcptTo
            readSmtpResponse:
              SmtpCmdResp: 530-5.7.0 Authentication Required. Learn more at
              SmtpCmdResp: 530 5.7.0  https://support.google.com/mail/?p=WantAuthError f13-20020adff8cd000000b001f03439743fsm1047731wrq.75 - gsmtp
            --readSmtpResponse
            smtpRset:
              Sending RSET command.
              smtpSendGet2:
                sendCmdToSmtp:
                  SmtpCmdSent: RSET<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 250 2.1.5 Flushed f13-20020adff8cd000000b001f03439743fsm1047731wrq.75 - gsmtp
                --readSmtpResponse
              --smtpSendGet2
            --smtpRset
          --sendWithPipelining
        --sendSmtpEmail
      --sendMimeInner
    --sendEmailInner
    Failed.
  --SendEmail
--ChilkatLog

We have access to the account and can send normally through that email. Just not hornbill.

Please Advise

[Paul Bierton]

This is now Urgent  - We have spent 3 days being unable to send emails from Hornbill due to this issue - the ability to send emails is a CRITICAL core component of Hornbill and how we service ours users.

We can receive the emails but cannot send to our end users.

I have tried multiple times to add the password here:

Each test is successful, you press SAVE CHANGES and then exit the page. Go back into the Page and press Test, the test fails.

Something isnt right.

[Keith Stevenson]

Paul,
Thanks for the post. Sadly this is a known issue. Once you make the change and it works (First time) do not go back in and retest as this will cause the password to be lost. The email will flow as expected after the initial save. 

Kind Regards

Keith Stevenson 

[Keith Stevenson]

@Paul Bierton
The above is correct for the admin.hornbill.com/xxxx site (which is being deprecated) and wont get fixes

IF you use live.hornbill.com/XXXX and the admin functionality from within that it will function as expected (You also dont get the option to re-test after going back in)

Kind Regards

[Paul Bierton]

@Keith Stevenson I open live.hornbill.com > Administration (which takes me to admin.hornbill.com) System > Email >Domains > Add Password > Press Save

Raised a New Ticket, Go No email for Raising a Ticket, The email to say its been raised is sat in the outbox. So Emails are not flowing as expected. 

(Ignore the Sent error thats a user with a missing email)

Whether admin.hornbill is being deprecated or not, the current ability to edit these credentials isnt available in live.hornbill and as a result, we even with a single submission (not a retest) able to send mail.

 

 

[Keith Stevenson]

@Paul Bierton
Administration in live is via the cog at the bottom Left , which should have the New button next to it. 

Kind Regards

[Paul Bierton]

Well who knew, I thought that was just user preferences. I dont recall seeing any patch notes relating to the change, we normally get a Hornbill notification of such new features.

Ill have a look in there.

[Paul Bierton]

@Keith Stevenson Ive now set the password in the new section, But still no emails are going out - just sat in the Outbox still.

Edit: Looks like there might be a resend delay on fail, Ill check back shortly.

[Paul Bierton]

@Keith Stevenson  were getting this error now - We use 2 Factor Authentication, so This option is no longer available.

SmtpCmdResp: 535-5.7.8 Username and Password not accepted. Learn more at SmtpCmdResp: 535 5.7.8 https://support.google.com/mail/?p=BadCredentials m9-20020a05600c4f4900b00389e8184edcsm351494wmq.35

- gsmtp gmail_hints: To send email via GMail using login/password authentication, your GMail account must be configured to allow for "less secure apps". See https://support.google.com/accounts/answer/6010255 Otherwise you need to use OAuth2 authentication. Examples for GMail SMTP OAuth2 authentication are available on example-code.com under the SMTP category.

Is there any documentation for OAuth and Gmail? We already use SSO with Google.

[Paul Bierton]

@Keith Stevenson

Further investigation shows that Gmail doesnt support OAuth for email. Going to contact Google to see what options we have also.

 

[Steve Giller]

53 minutes ago, Paul Bierton said:

I dont recall seeing any patch notes relating to the change

This will be the announcement you missed, there may be other information you're not yet aware of in there.

[Paul Bierton]

14 minutes ago, Steve Giller said:

This will be the announcement you missed, there may be other information you're not yet aware of in there.

Yeah We are usually reliant on the Hornbill notification for such things, shouldve checked 

[Paul Bierton]

So, ive just spent the morning going through a whole host of things with Google and also testing the settings that @Keith Stevenson Pointed out.

We still have errors and are unable to send. 

In google we disabled 2factor on the account in question. Tried signing in with the username and password but it was rejected as we werent using an application password, so we tried with the application password with 2fa enabled, this also failed.

This brought us on to this @Steve Giller https://support.google.com/accounts/answer/6010255?authuser=4&p=less-secure-apps

 

Quote

To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.

Please note this deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date

Whilst this doesn't immediately affect us it soon will.

Google are discontinuing their support for less secure applications in May, which meant we lookgin into enabling OAuth for sending, only to find out that using your Google Connector you can only connect to calendars as Hornbill is not verified with Google.

If I click Advanced and Continue I can only share the Calendar with Google.

and cos of this its not viisble within the OAth Settings of Send Mail.

So currently STILL as it stands we cannot send emails and its causing no amount of issues, just by changing a password

We declined as customer success call as we were more than happy with Hornbill but currently Im inclined to have a conversation just to raise this issue.

@Keith Stevenson You were correct in forming me that it will test once, to which this does and successfully sends the email, but doesnt send on the scheduled sender.

[Keith Stevenson]

@Paul Bierton
The error on sending we get is (which looks like you are set to use UID\PWD not OAuth2. 


                    readSmtpResponse:
                        SmtpCmdResp: 535-5.7.8 Username and Password not accepted. Learn more at
                        SmtpCmdResp: 535 5.7.8 https://support.google.com/mail/?p=BadCredentials 10-20020adf808a000000b001edd413a952sm4188185wrl.95 - gsmtp
                        gmail_hints:
                            To send email via GMail using login/password authentication, your GMail account must be configured to
                            allow for "less secure apps".  See https://support.google.com/accounts/answer/6010255
                            Otherwise you need to use OAuth2 authentication.  Examples for GMail SMTP OAuth2 authentication are available
                            on example-code.com under the SMTP category.
                            (leaveContext)
                        (leaveContext)
                    SMTP authentication failed after sending password.
                    Check your username/password or your SMTP server's auth settings

So it looks like its not configured for Old or new. (Sort of half of each) 

For OAuth2 you first need to create a KeySafe Entry (which is where it the Credentials will then be populated from. 

https://wiki.hornbill.com/index.php?title=Hornbill_KeySafe

If you goot Keysafe in New Admin, Create new , Enter Google as typle click connect and follow on screen prompts. Once done go back to mail connector and choose OAuth2 and drop down list should not allow credentails to be populated. 

Kind Regards

 

[Paul Bierton]

@Keith Stevenson If you re-read my post I point out

Quote

Google are discontinuing their support for less secure applications in May, which meant we looking into enabling OAuth for sending, only to find out that using your Google Connector you can only connect to calendars as Hornbill is not verified with Google.

Which in turn mean I did exactly that, however the Google Connector is not verified with Google, thus get an error and can only access the Calendar.

I appreciate the assistance and apologise if my replies sound short and exasperated.

[Keith Stevenson]

@Paul Bierton
Have just tried the OAuth and do appear to get the same error\problem and have escalated that internally. In the meantime what do you get if you try Classic Auth (UserName and Password) which should be good whilst we investigate this.  (You will need to goto the link and enable "Less Secure app"  - its still encrypted ) 

Kind Regards

[Paul Bierton]

We have resolved this by using the DNS routing and adding a valid SPF Record, However the downside of this is that the outgoing emails are no longer within our mailbox.

Its not fixed by any means, but for now we are up and running and would much rather send via OAuth2 if Hornbill can get verified to use it.

Thanks for your help @Keith Stevenson

[Keith Stevenson]

@Paul Bierton
You may have missed the post above. If you can enable Less Secure app for now and use UID\PWD that should work whilst we investigate internally.  

Kind Regards

[Paul Bierton]

4 minutes ago, Keith Stevenson said:

@Paul Bierton
Have just tried the OAuth and do appear to get the same error\problem and have escalated that internally. In the meantime what do you get if you try Classic Auth (UserName and Password) which should be good whilst we investigate this.  (You will need to goto the link and enable "Less Secure app"  - its still encrypted ) 

Kind Regards

Classic Auth rejects the send as well and points you towards the App Specific Password

Edit: saw the post as I posted this one

[Keith Stevenson]

@Paul Bierton
Thats strange as my test for that worked. Sadly as you are now using Direct DNS I cant see the actual error in your logs. If its sending now, I suggest leaving this for today and once I get clarification from Development we can look again tomorrow. 

Kind Regards

[Paul Bierton]

7 minutes ago, Keith Stevenson said:

@Paul Bierton
Thats strange as my test for that worked. Sadly as you are now using Direct DNS I cant see the actual error in your logs. If its sending now, I suggest leaving this for today and once I get clarification from Development we can look again tomorrow. 

Kind Regards

Im happy to revisit, for now we are glad to have the emails sending. I will run a test tomorrow to get the required error messages and provide 

[Paul Bierton]

@Keith Stevenson

I tried to add the account this morning using just the password (with 2Factor enabled). 

[Keith Stevenson]

We now understand the issue. The Hornbill App (OAuth Service Account) for Google does not request permissions for email. This account\app was originally for other Google intergrations. To ensure we dont cause issues with that functionality we will look to create a new Hornbill Email App Google OAuth Service account today and once done add this to the list in KeySafe. This may take a few days as the App\Service needs to be verified by google.  We will keep this post updated. 

Kind Regards