Problem

The JS7 can be configured to send JS7 - Notifications by mail in the event of either successful or failed execution of jobs and workflows. In addition, the JS7 - JITL Mail Jobs can be used to send mail. A number of errors can indicate that the mail server connection does not work:

Example for connection error
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 587
Example for connection error
javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 587
Example for authentication error
javax.mail.AuthenticationFailedException: 535 5.7.3 Authentication unsuccessful


Error messages for notifications are raised by the JOC Cockpit JS7 - Monitor Service when trying to send mail. They can be found in the service-monitor.log file, see JS7 - Log Files and Locations.

In the event of problems when using one of the JS7 - JITL Mail Jobs, error messages can be found in the order log or task log and in the joc.log file.

Analysis

For mail configuration there are a number of screws that users can turn. It is recommended that the problem is narrowed down in a systematic way:

  • Follow the below steps in the given sequence.
  • Do not turn too many screws at the same time. Instead, change one setting then check results by sending mail.
  • Do not use mixed settings for different protocols. Instead, choose one protocol and apply settings recommended for that protocol only.

A larger number of e-mail settings is available, see https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html, however, in most cases they are not related to problems connecting to a mail server.

Step 1: Determine Protocol and Port Usage

Mail servers frequently use specific ports per protocol used with a connection. However, technically, any port can be used. Your system administrator should provide the information about available protocols and ports:

PortProtocolPurposeCertificate
25SMTPPlain Text no
465SMTPS (Implicit SSL)SMTP over SSLyes
587 / 2525SMTP (Explicit SSL)SMTP over TLS (StartTLS)yes


The examples below check availability of TLS port 587, examples can be similarly applied to SSL port 465:

Test connection with common tools (Unix, Windows)
# should telnet be available
telnet mail.example.com 587

# should nc or ncat be available
ncat -v -u mail.example.com 587

# should curl be available
curl --ssl --url mail.example.com:587


Output of the above commands has to be considered in detail if it indicates availability of a port:

Test connection with curl (Unix, Windows)
# test plain text port
curl --url mail.example.com:25

# output returned
#   can indicate that the port is not available:
#     curl: (7) Failed to connect to mail.example.com port 25 after 2186 ms: Connection refused
#   can indicate that the port is available: 
#     220 mail.example.com ESMTP Postfix (Debian/GNU)
#     221 2.7.0 Error: I can break rules, too. Goodbye.

# test SMTP over SSL
curl --ssl --url mail.example.com:465
# output returned can indicate that the port is available:
#   curl: (56) Recv failure: Connection reset by peer

# test SMTP over TLS
curl --ssl --url mail.example.com:587
# output returned can indicate that the port is not available:
#   curl: (7) Failed connect to mail.example.com:587; Connection refused


PowerShell can be used to check port availability like this:

Test Connection with PowerShell (Windows, Unix)
Test-NetConnection -ComputerName mail.example.com -Port 587

# output returned includes the TcpTestSucceeded property that indicates availability of the port
ComputerName     : mail.example.com
RemoteAddress    : x.x.x.x
RemotePort       : 465
InterfaceAlias   : Ethernet
SourceAddress    : y.y.y.y
TcpTestSucceeded : True

Recommended E-Mail Settings for SMTP over SSL (Port 465)

Depending on the Java version in use, different defaults might be in place. Users should therefore allow/deny use of SSL/TLS:

Setting
mail.smtp.starttls.enablefalse
mail.smtp.ssl.enabletrue

Recommended E-Mail Settings for SMTP over TLS (Port 587)

Depending on the Java version in use different defaults might be in place. Users should therefore allow/deny use of SSL/TLS:

Setting
mail.smtp.starttls.enabletrue
mail.smtp.ssl.enablefalse

Step 2: Check Certificates

A server certificate is used to establish a secure connection with a TLS port or SSL port. The mail server presents its server certificate and the client (JOC Cockpit or command line client) verifies the certificate.
  

Check server certificate
# display server certificates
openssl s_client -showcerts -connect mail.example.com:587


The above command returns the server certificate or certificate chain. To verify the certificate the client requires access to the Root CA Certificate that has been used to sign the server certificate.

  • For use with OpenSSL certificates are available from /etc/ssl/certs or similar locations.
  • For JOC Cockpit operated with Java the certificates are available from the Java cacerts file which can be found in different locations depending on the Java version and distribution.
    • For a JDK 1.8 including a JRE provided by OpenJDK, for example, the jdk8u202-b08/jre/lib/security/cacerts file is used.
    • For a JDK 17 provided by OpenJDK, for example, the jdk-17.0.1+12/lib/security/cacerts file is used.

Usually mail servers use certificates signed by well known certificate authorities whose Root CA Certificates are included in distributions of OpenSSL and Java.

Should the Root CA Certificate not be available from the above location then it can be specified like this:

Check server certificate from locally available certificate file
# verify server certificate from Root CA Certificate
openssl s_client -showcerts -connect mail.example.com:587 -CAfile /home/sos/certs/root-ca.crt


The OpenSSL command returns output like this for certificate verification:

Output of openSSL command
CONNECTED(00000003)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = mail.sos-berlin.com
verify return:1
---
Certificate chain
 0 s:/CN=mail.sos-berlin.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGRzCCBS+gAwIBAgIQGf/S3tkPzbWFMbmLKdmsADANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTIxMTAwNDAwMDAwMFoXDTIyMTEwNDIzNTk1OVowHjEcMBoGA1UEAxMTbWFp
bC5zb3MtYmVybGluLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AK9OGVKYO1vZvOnk2NsipJ5j4RSy97I08QTCvtG7J36mPZVD3sutZodTtvle2U48
U481vYgbayUMSdtSa0HNU/rnQMaiv6xKbRh6/4fjL1gzV8FQT6El4dNql8eJt7TH
J3SMW2HhP3SjqSYKeOlCWe/4rzoyICwIk4zUAZPQgs+j2gB9vhQD7jQy4g6EciQc
0xhTwXJuDdmLsO9UYZAhf+hpQ0Ro9tZomIr6l5IBvPhAz8YvlvhNbccHvC3IqkeG
nuyVxvkCPNTeUhNiVQ7Xs4pJ84sd2ZDPXH9ZujxWzFzZjOnR2hsyWeX/MMpWOGOn
KBD4S0qZseDs/pYmS9AE/fMCAwEAAaOCAw0wggMJMB8GA1UdIwQYMBaAFI2MXsRU
rYrhd+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBQbI/gntJPpV9zIQ1wYQvct73OpITAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUF
BwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUF
BwEBBHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0
aWdvUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEF
BQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wNwYDVR0RBDAwLoITbWFpbC5z
b3MtYmVybGluLmNvbYIXd3d3Lm1haWwuc29zLWJlcmxpbi5jb20wggF9BgorBgEE
AdZ5AgQCBIIBbQSCAWkBZwB3AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw
/m1HAAABfEnWZ2QAAAQDAEgwRgIhAMcAxoBm45jy9UCk80pLIleTjnp6dz3t4Fvm
MrFiZuQZAiEAlqRjJITOA7NOof2QwqkfQ329djiK9Kqlf7OpsjMuSScAdQBByMqx
3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAXxJ1mcxAAAEAwBGMEQCIG6F
16aRC2t7ZNV4Uy4itq7XdGFr/IHpHxmrQ+8ZsGKnAiBLtGeHZuojaYw8cUCAYBuh
b04b/wXbgoTcsYFxxnztsAB1ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwl
XceEAAABfEnWZvkAAAQDAEYwRAIgGx0/BE0quLQ9FVdHyu+vueMwg2TEMB1jSN5B
ZdRKzN4CIEU+ikzI7fpNM6jdnhDXBFvwKLq+QhMiXD9b3m+73GBpMA0GCSqGSIb3
DQEBCwUAA4IBAQCAnx8ib+z1W1/ohK5TnYogiNK1GtnCHLH5TYTBNYYLwnMcZdKi
NxrLNl0HGKV5B67mAcaWtrTjU0RaACpXibFXMG4dleEEhWxyTOAmXRTL1BeyNOlh
6A2Xl6eZOwxy56/eOFbQLmC3oOtCHGFDY241xSkStT9rpffFPc/lorqapZANx4WW
XIAVhKjfCFwFUX8CdvCYm5cUtBsLIpbuuEWwFsp1IZRHcHjmL1mqS81pX59IG9JZ
CX7yiSCwYzcTJV3BwJ6TByGNXtLsHB9VGoxVqFcKdRZtzFVR0tQNVts4sp4tl/X1
o6JYpahE4zH6GfLXoisLTY1CMwE8tviOFB2q
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
vGp4z7h/jnZymQyd/teRCBaho1+V
-----END CERTIFICATE-----
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.sos-berlin.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6329 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E596340D0C9BA55CF385ECDD1556E54E472DF22D6A7F9EAB73019C6953FAEBEE
    Session-ID-ctx:
    Master-Key: 24E753A7D67F91B56920D38302B5F7193A3E28BAE9F4F85B56C05F379B79C9D2187FC7C006527720D2A09B0E60832DD0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - b5 ac ba fe 95 1a da d8-5f 1c 35 62 f3 ff 44 21   ........_.5b..D!
    0010 - b3 6e 61 c5 b1 96 41 37-a8 bb 01 a5 0c 3b df e6   .na...A7.....;..
    0020 - c4 2c 83 c3 cc e6 8f 56-4c 1f a5 de a7 41 db a9   .,.....VL....A..
    0030 - d4 03 92 b2 3f 2b 73 11-45 fe 5b 69 32 15 6f 19   ....?+s.E.[i2.o.
    0040 - 33 6c 14 1c 71 87 e1 b2-a5 11 3a 19 34 78 a5 21   3l..q.....:.4x.!
    0050 - 8a a6 69 4e a0 1a 83 8e-ae 6b 4f e5 d2 f5 4c 22   ..iN.....kO...L"
    0060 - 0c de 9e 1e cc 53 7e 61-0d d9 9a 33 c4 7a 2b 7c   .....S~a...3.z+|
    0070 - df b6 1f 32 2b df ee 93-8e 13 0f 00 2c a5 4c da   ...2+.......,.L.
    0080 - ef 8d 87 59 b8 a8 2e c0-ca 8a ab 60 46 21 c7 00   ...Y.......`F!..
    0090 - b4 dd 51 a1 75 d7 a4 15-83 ac 38 17 67 05 4e 0e   ..Q.u.....8.g.N.

    Start Time: 1656756203
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 mail.sos-berlin.com ESMTP Postfix (Debian/GNU)


In addition to verifying certificates the above output provides information about the SSL protocol version in use and the cipher used for SSL handshake:

xx
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Recommended E-Mail Settings

Typically, no settings are required as the mail server's Root CA Certificate can be assumed to be in place.

Should verification of the mail server certificate fail, for example in the case of Private CA-signed certificates, then users can:

  • copy the certificate displayed with above output to their clipboard and paste it to a file,
  • import the certificate to the JOC Cockpit truststore, see JS7 - JOC Cockpit HTTPS Connections.

Step 3: Specify SSL Protocol Version

We frequently find the following SSL protocol versions in place:

Protocol VersionConsidered Secure
TLSv1no
TLSv1.1no
TLSv1.2yes
TLSv1.3yes
SSLv3no


The JOC Cockpit, when acting as a client, and the mail server, have to identify a common SSL protocol version:

  • JOC Cockpit: The protocol version is determined by the Java version and by the java.security file in place:
    • An older Java version, 1.8 for example, can allow TLSv1 and TLSv1.1 SSL protocol versions which are considered outdated or insecure with the jdk8u202-b08/jre/lib/security/java.security file:
      • jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
        • TLSv1 and TLSv1.1 protocol versions are not disabled.
      • jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \
            EC keySize < 224, 3DES_EDE_CBC, anon
        • A larger number of SSL protocol versions are disabled.
    • A newer Java version, 17 for example, can disable SSL protocol versions that are considered outdated or insecure with the jdk-11.0.12+7/conf/security/java.security file.
      • jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
            DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
            include jdk.disabled.namedCurves
    • It is common practice that the Java versions available in an organization include adjusted copies of the java.security file that limit the use of SSL protocol versions.
  • Mail Server: For compatibility reasons mail servers tend to support outdated or insecure protocol versions for a longer time.
    • There is not a simple way to determine all protocol versions supported by a mail server. Typically this requires SSL debugging: see Logging. The SSL debug log states the list of protocol versions offered by the client and by the mail server. If in doubt, then your system administrator should know the mail server's supported protocol versions.

Should JOC Cockpit and the mail server not identify a common SSL protocol version then the handshake in communication will fail. In this situation the Java version in use can be updated and/or the java.security file can be adjusted to allow matching SSL protocol versions.

Recommended E-Mail Settings

A frequent problem is the requirement that the mail server and client should negotiate the protocol version. This does not work perfectly for a number of mail servers, particularly not for Microsoft Exchange® servers.

Users should therefore specify a single protocol version to be used. The Check Certificates section above explains the commands that help to determine the SSL protocol version supported by the mail server.

SettingValue
mail.smtp.ssl.protocolsTLSv1.2


Note: Use of the following settings is discouraged:

SettingValueComment
mail.smtp.ssl.protocolsTLSv1Do not specify an outdated protocol version
mail.smtp.ssl.protocolsTLSv1.1,TLSv.1.2Do not specify more than one protocol version

Step 4: Verify Ciphers

Wrong use or mismatch of ciphers is not a frequent issue in mail server connections. However, consider the following explanation if there is a good reason to assume mismatch of ciphers:

For handshake in SSL connections, the JOC Cockpit, when acting as a client, and the mail server require a common protocol version (see step 3) and a common cipher.

  • The SSL protocol version in use determines available ciphers.
  • The same ciphers have to be in place with the Java version used by the JOC Cockpit and with the mail server.
    • JOC Cockpit: Ciphers are determined by the Java version and the java.security file in place:
      • Older Java versions, for example 1.8, tend to allow ciphers that are considered outdated or insecure. If no recent updates to Java have been applied then newer ciphers might not be available.
      • Newer Java versions, for example 17, tend to disallow a number of ciphers that are considered outdated or insecure. 
    • Mail Server: There is not a simple way to determine all the ciphers available with a mail server. Typically this requires SSL debugging: see Logging. The SSL debug log states the list of ciphers offered by the client and by the mail server.
    • Cipher mismatch is a possible source of error - for example in the following situations:
      • An older Java version 1.8 (not recently updated) is used to connect to a mail server that is up-to-date when it comes to use of secure ciphers.
        • The mail server denies use of outdated ciphers offered by Java. The Java does not know of newer ciphers offered by the mail server.
      • A newer Java version 17 is used to connect to a mail server that is operated with older ciphers.
        • The Java denies use of outdated ciphers offered by the mail server. The mail server does not know of newer ciphers offered by Java.

Should JOC Cockpit and the mail server not identify a common cipher then the handshake in communication will fail. In this situation the Java version in use can be updated and/or the java.security file can be adjusted to allow a matching cipher.

Step 5: Specify Authentication

Mail servers can be configured to require authentication. Your system administrator will provide this information.

Users can setup an e-mail client to verify credentials and check that credentials work.

Recommended E-Mail Settings

SettingValue
mail.smtp.authtrue
mail.smtp.user<account>@<domain>
mail.smtp.password<password>

OAuth2 Authentication E-Mail Settings

OAuth2 authentication with mail servers allows to use an access token instead of a password:

  • FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.2
  • For earlier versions of JS7 see the section Workaround of the following change for instructions how to update to a newer version of JavaMail that allows OAuth2 authentication:
    JOC-1456 - Getting issue details... STATUS

The following settings can be used:

SettingValueHint
mail.smtp.authtrue
mail.smtp.auth.mechanismsXOAUTH2
mail.smtp.user<account>@<domain>
mail.smtp.password<oauth2-access-token>
mail.smtp.sasl.mechanisms.oauth2.oauthToken<oauth2-access-token>

some mail servers such as smtp.office365.com might force the older SASL mechanism to be used

  • This setting is assigned the OAuth2 access token.
  • The mail.smtp.password setting is not specified.

Logging

Error messages are raised by the JOC Cockpit JS7 - Monitor Service when sending mail. They can be found in the service-monitor.log file, see JS7 - Log Files and Locations.

For SSL debugging with JOC Cockpit see JS7 - Log Levels and Debug Options

  • The JAVA_OPTIONS value -Djavax.net.debug=ssl can be used
  • For newer Java versions the JAVA_OPTIONS value -Djavax.net.debug=all can be used that will create more detailed output.
  • SSL debug output becomes available from the jetty.log file:
    • Consider that SSL debug output is logged for any SSL activity in JOC Cockpit, including access by clients from browsers using HTTPS connections, authentication with an LDAP server using SSL/TLS etc.
    • Users should be trained to identify the SSL debug output related to sending mail.

Examples

Example for use of plain text connection (Port 25)

AreaSettingValueComment
Connectionmail.smtp.host<mail server host or IP address>

mail.smtp.port25

mail.smtp.starttls.enablefalseDeny SMTP over TLS

mail.smtp.ssl.enablefalseDeny SMTP over SSL
Authenticationmail.smtp.authtrueUse if mail server requires authentication

mail.smtp.user<account@domain>

mail.smtp.password<password>

Example for use of SMTP over SSL connection (Port 465)

AreaSettingValueComment
Connectionmail.smtp.host<mail server host or IP address>

mail.smtp.port465

mail.smtp.starttls.enablefalseDeny SMTP over TLS

mail.smtp.ssl.enabletrueAllow SMTP over SSL
Protocol Versionmail.smtp.ssl.protocolsTLSv1.2Specify the agreed-on protocol version
Authenticationmail.smtp.authtrueUse if mail server requires authentication

mail.smtp.user<account@domain>

mail.smtp.password<password>

Example for use of SMTP over TLS connection (Port 587)

AreaSettingValueComment
Connectionmail.smtp.host<mail server host or IP address>

mail.smtp.port587

mail.smtp.starttls.enabletrueAllow SMTP over TLS

mail.smtp.ssl.enablefalseDeny SMTP over SSL
Protocol Versionmail.smtp.ssl.protocolsTLSv1.2Specify the agreed-on protocol version
Authenticationmail.smtp.authtrueUse if mail server requires authentication

mail.smtp.user<account@domain>

mail.smtp.password<password>