Skip to Content
0

SMTP Configuration for Gmail in Sap HANA

Jan 04 at 11:11 AM

371

avatar image
Former Member

Hi all,

I am trying to send mail from Hana XSJS by configuring the SMTP and getting the following error.

error connection denied

PFB the SMTP Configuration and XSJS please let me know the error.

SMTP Configuration:

XSJS Code

var smtpConnection = new $.net.SMTPConnection();
try{
var mail = new $.net.Mail({
        sender: {address: "**********@gmail.com"},
        to: [{ address: "***********@gmail.com"}],
        subject: "XSJS Email Test",
        subjectEncoding: "UTF-8",
        parts: [ new $.net.Mail.Part({
        type: $.net.Mail.Part.TYPE_TEXT,
        text: "The body of the mail.",
        contentType: "text/html",       
        encoding:"UTF-8"
        })]
        });
        var returnValue = mail.send();
        var response = "MessageId = " + returnValue.messageId +
        ", final reply = " + returnValue.finalReply;
        $.response.status = 200;
	$.response.status = $.net.http.OK;
	$.response.setBody(response);        
}catch(err){
    	$.response.status = $.net.http.BAD_REQUEST;
		$.response.setBody(err.message);
}

Thanks in Advance

smtp-config.png (93.2 kB)
10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Ivan Mirisola
Jan 04 at 01:28 PM
0

Hi Mayank,

Could you also share the Trust Store configuration named here as "gmail_new"?
I suspect you haven't imported all the certificates required for TLS/SSL handshake with Google.

I also see that you are using proxy configuration "proxy:8080". Does your HANA system sits behind such proxy? And it is configured to support outbound SMTP protocol? Usually SAP docs state that you need to use proxy and port 8080, but that's in case your HANA box is sitting inside SAP's LAN. Check that as well.

Regards,
Ivan

Show 6 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Hi Ivan,

I am tried using two certificate one which I fetched using OPENSSL

s_client -connect smtp.gmail.com:587 -starttls smtp

and another fetching the certificate in .p7c and converted it to .pem using open SSL . In both the cases i am getting the same error

The screenshot of the trust store

gmail_new(using the first method)

Gmail: (uploaded after conversion)

Regarding proxy I tried to remove the proxy the xsjs went for timeout.

Thanks in advance

gmail-new.jpg (178.7 kB)
gmail.jpg (260.6 kB)
0

Hi Mayank,

I believe your certification chain is incorrect. I have ran the same openssl command here and this is the chain I got:

C=US ST=California L=Mountain View O=Google Inc CN=smtp.gmail.com
C=US O=Google Trust Services CN=Google Internet Authority G3

However, Goolge's G3 CA is signed by "GlobalSign Root CA R2" - which I don't see on your Trust Store:

CN = GlobalSign O = GlobalSign OU = GlobalSign Root CA - R2

You can download this certificate directly from Global Sign (here).
Pay attention to the thumbprint for this certificate. If it is not the following, it will not work:

‎75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe

NOTE: To make sure you have the right certificates involved on a certification path, I use Windows. First I download the BASE64 (CRT) certificate to my windows machine and import it as a trusted CA. Then, I can open it with the certificate viewer (double click) and then I select the "Certification Path" tab. By having imported it into Windows, it means that the certificate will be "validated" by Windows. If I don't do it, the viewer will tell me it is unable to very the certificate. Once the certificate is "trusted" you will be able to see the certificate chain (hierarchy). The certificate you have downloaded should be at the bottom and the root is at the top most level. Any certificates in between are called "Intermediate Certificates". When you used the openssl command line, it told you only "half" the answer - it was not able to "display" the root certificate simply because it is not stored at google's servers and it is expected to be found on all browsers - which is not the case for a HANA box.

Regards,
Ivan

0

BTW:

1) You don't actually need Google's G2 certificate. So it would be safe to delete it from your Trust Store.

2) I believe your Trust Store contains a space in its name instead or an underscore character. If I am not mistaken, it would be safer if you'd used an underscore to avoid "escaping" this space character on your code. Disregard this comment if that's not an "space char" I see there.

Regards,
Ivan

0
Former Member

Hi Ivan,

Thanks for the reply .

I have just one more query should we use the Gmail password in smtp configuration or should I use the APP password from Gmail

Thanks in advance

0

I believe you should use the gmail account password - the same you use for any SMTP client you configure (i.e:Thunderbird, OE, etc). I am not really familiar with the SMTP configuration for GMail. However, from what I've seen, STARTTLS authentication uses your email as USER_ID and the password would be the same as POP/IMAP password. You could try both and see which one works.

0

Hi Mayank,

I have recently tested the smtp example in Java on my acocunt and I can safely say it uses the email address for authentication. You may need to create an app password for your integration scenario if your google account is configured for 2-step-verification. Since this is a feature that is implemented on each google product, SCI doesn't know how to deal with this type of security mechanism. So Google provides other means to authenticate against SMTP. All you need to do is create the app password in Google and use it instead of your regular e-mail password. Your user id is still your e-mail and the app password name is used only to identify where you use that particular app password.

Regards,
Ivan

0