cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SMTP Configuration for Gmail in Sap HANA

mayankgera
Explorer

on ‎01-04-2018 11:11 AM

0 Kudos

Hi all,

I am trying to send mail from Hana XSJS by configuring the SMTP and getting the following error.

error connection denied

PFB the SMTP Configuration and XSJS please let me know the error.

SMTP Configuration:

XSJS Code

var smtpConnection = new $.net.SMTPConnection();
try{
var mail = new $.net.Mail({
        sender: {address: "**********@gmail.com"},
        to: [{ address: "***********@gmail.com"}],
        subject: "XSJS Email Test",
        subjectEncoding: "UTF-8",
        parts: [ new $.net.Mail.Part({
        type: $.net.Mail.Part.TYPE_TEXT,
        text: "The body of the mail.",
        contentType: "text/html",       
        encoding:"UTF-8"
        })]
        });
        var returnValue = mail.send();
        var response = "MessageId = " + returnValue.messageId +
        ", final reply = " + returnValue.finalReply;
        $.response.status = 200;
	$.response.status = $.net.http.OK;
	$.response.setBody(response);        
}catch(err){
    	$.response.status = $.net.http.BAD_REQUEST;
		$.response.setBody(err.message);
}

Thanks in Advance

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert
‎01-04-2018 1:28 PM
0 Kudos

Hi Mayank,

Could you also share the Trust Store configuration named here as "gmail_new"?
I suspect you haven't imported all the certificates required for TLS/SSL handshake with Google.

I also see that you are using proxy configuration "proxy:8080". Does your HANA system sits behind such proxy? And it is configured to support outbound SMTP protocol? Usually SAP docs state that you need to use proxy and port 8080, but that's in case your HANA box is sitting inside SAP's LAN. Check that as well.

Regards,
Ivan

Show replies
Show replies
mayankgera
Explorer
‎01-05-2018 6:48 AM
0 Kudos

Hi Ivan,

I am tried using two certificate one which I fetched using OPENSSL

s_client -connect smtp.gmail.com:587 -starttls smtp

and another fetching the certificate in .p7c and converted it to .pem using open SSL . In both the cases i am getting the same error

The screenshot of the trust store

gmail_new(using the first method)

Gmail: (uploaded after conversion)

Regarding proxy I tried to remove the proxy the xsjs went for timeout.

Thanks in advance

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert
‎01-05-2018 3:32 PM
0 Kudos

Hi Mayank,

I believe your certification chain is incorrect. I have ran the same openssl command here and this is the chain I got:

C=US ST=California L=Mountain View O=Google Inc CN=smtp.gmail.com
C=US O=Google Trust Services CN=Google Internet Authority G3

However, Goolge's G3 CA is signed by "GlobalSign Root CA R2" - which I don't see on your Trust Store:

CN = GlobalSign O = GlobalSign OU = GlobalSign Root CA - R2

You can download this certificate directly from Global Sign (here).
Pay attention to the thumbprint for this certificate. If it is not the following, it will not work:

‎75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe

NOTE: To make sure you have the right certificates involved on a certification path, I use Windows. First I download the BASE64 (CRT) certificate to my windows machine and import it as a trusted CA. Then, I can open it with the certificate viewer (double click) and then I select the "Certification Path" tab. By having imported it into Windows, it means that the certificate will be "validated" by Windows. If I don't do it, the viewer will tell me it is unable to very the certificate. Once the certificate is "trusted" you will be able to see the certificate chain (hierarchy). The certificate you have downloaded should be at the bottom and the root is at the top most level. Any certificates in between are called "Intermediate Certificates". When you used the openssl command line, it told you only "half" the answer - it was not able to "display" the root certificate simply because it is not stored at google's servers and it is expected to be found on all browsers - which is not the case for a HANA box.

Regards,
Ivan

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert
‎01-05-2018 3:37 PM
0 Kudos

BTW:

1) You don't actually need Google's G2 certificate. So it would be safe to delete it from your Trust Store.

2) I believe your Trust Store contains a space in its name instead or an underscore character. If I am not mistaken, it would be safer if you'd used an underscore to avoid "escaping" this space character on your code. Disregard this comment if that's not an "space char" I see there.

Regards,
Ivan

mayankgera
Explorer
‎01-05-2018 7:31 PM
0 Kudos

Hi Ivan,

Thanks for the reply .

I have just one more query should we use the Gmail password in smtp configuration or should I use the APP password from Gmail

Thanks in advance

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert
‎01-05-2018 8:05 PM
0 Kudos

I believe you should use the gmail account password - the same you use for any SMTP client you configure (i.e:Thunderbird, OE, etc). I am not really familiar with the SMTP configuration for GMail. However, from what I've seen, STARTTLS authentication uses your email as USER_ID and the password would be the same as POP/IMAP password. You could try both and see which one works.

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert
‎01-11-2018 1:16 PM
0 Kudos

Hi Mayank,

I have recently tested the smtp example in Java on my acocunt and I can safely say it uses the email address for authentication. You may need to create an app password for your integration scenario if your google account is configured for 2-step-verification. Since this is a feature that is implemented on each google product, SCI doesn't know how to deal with this type of security mechanism. So Google provides other means to authenticate against SMTP. All you need to do is create the app password in Google and use it instead of your regular e-mail password. Your user id is still your e-mail and the app password name is used only to identify where you use that particular app password.

Regards,
Ivan

Ask a Question