Page History
...
The error messages are raised by the JOC Cockpit JS7 - Monitor Service when trying to send mail. They can be found in the service-monitor.log
file, see JS7 - Log Files and Locations.
...
Depending on the Java version in use different defaults might be in place, therefore users should allow/deny use of SSL and TLS:
Setting | |
---|---|
mail.smtp.starttls.enable | false |
mail.smtp.ssl.enable | true |
Recommended E-Mail Settings for SMTP over TLS (Port 587)
Depending on the Java version in use different defaults might be in place, therefore users should allow/deny use of SSL and TLS:
Setting | |
---|---|
mail.smtp.starttls.enable | true |
mail.smtp.ssl.enable | false |
Anchor | ||||
---|---|---|---|---|
|
...
We frequently find the following SSL protocol versions in place:
Protocol Version | Considered Secure |
---|---|
TLSv1 | no |
TLSv1.1 | no |
TLSv1.2 | yes |
TLSv1.3 | yes |
SSLv3 | no |
Recommended E-Mail Settings
A frequent problem is the requirement that the mail server and client should negotiate the protocol version. This does not perfectly work for a number of mail servers, particularly not for Microsoft Exchange servers.
...
The JOC Cockpit acting as a client and the mail server have to identify a common SSL protocol version:
- JOC Cockpit: The protocol version is determined by the Java version and the
java.security
file in place:- An older Java version 1.8 for example, can allow TLSv1 and TLSv1.1 SSL protocol versions that are considered outdated or insecure with the
jdk8u202-b08/jre/lib/security/java.security
file:jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
- TLSv1 and TLSv1.1 protocol versions are not disabled.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon
- A larger number of SSL protocol versions are disabled.
- A newer Java version 17 for example, can disable SSL protocol versions that are considered outdated or insecure with the
jdk-11.0.12+7/conf/security/java.security
file.jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
- It is common practice that the Java versions available in an organization include adjusted copies of the
java.security
file that limit use of SSL protocol versions.
- An older Java version 1.8 for example, can allow TLSv1 and TLSv1.1 SSL protocol versions that are considered outdated or insecure with the
- Mail Server: For compatibility reasons they tend to support outdated or insecure protocol versions for a longer time.
- There is not a simple way to determine all protocol versions supported by a mail server. Typically this requires SSL debugging, see Logging. The SSL debug log states the list of protocol versions offered by the client and by the mail server. If in doubt then your system administrator should know the mail server's supported protocol versions.
Should JOC Cockpit and the mail server not identify a common SSL protocol version then the handshake in communication will fail. In this situation the Java version in use can be updated and/or the java.security
file can be adjusted to allow matching SSL protocol versions.
Recommended E-Mail Settings
A frequent problem is the requirement that the mail server and client should negotiate the protocol version. This does not perfectly work for a number of mail servers, particularly not for Microsoft Exchange® servers.
Users should therefore specify a single protocol version to be used. The above chapter Check Certificates explains the commands that help to determine the SSL protocol version supported by the mail server.
Setting | Value |
---|---|
mail.smtp.ssl.protocols | TLSv1.2 |
Note: Use of the following settings is discouraged:
Setting | Value | Comment |
---|---|---|
mail.smtp.ssl.protocols | TLSv1 | Do not specify an outdated protocol version |
mail.smtp.ssl.protocols | TLSv1.1,TLSv.1.2 | Do not specify more than one protocol version |
Anchor | ||||
---|---|---|---|---|
|
Wrong use or mismatch of ciphers is not a frequent issue in mail server connections. However, if users have good reason to assume mismatch of ciphers then consider the following explanation.
For handshake in SSL connections the JOC Cockpit acting as a client and the mail server require a common protocol (see step 3) and a common cipher.
- The SSL protocol version in use determines available ciphers.
- The same ciphers have to be in place with the Java version used by the JOC Cockpit and with the mail server.
- JOC Cockpit: Ciphers are determined by the Java version and the
java.security
file in place:- Older Java versions, for example 1.8, tend to allow ciphers that are considered outdated or insecure. If no recent updates to Java have been applied then newer ciphers might not be available.
- Newer Java versions, for example 17, tend to disallow a number of ciphers that are considered outdated or insecure.
- Mail Server: There is not a simple way to determine all ciphers available with a mail server. Typically this requires SSL debugging, see Logging. The SSL debug log states the list of ciphers offered by the client and the mail server.
- Cipher mismatch is a possible source of error for example in the following situations:
- An older Java version 1.8 (not recently updated) is used to connect to a mail server that is up-to-date when it comes to use of secure ciphers.
- The mail server denies use of outdated ciphers offered by Java. The Java does not know of newer ciphers offered by the mail server.
- A newer Java version 17 is used to connect to a mail server that is operated with older ciphers.
- The Java denies use of outdated ciphers offered by the mail server. The mail server does not know of newer ciphers offered by Java.
- An older Java version 1.8 (not recently updated) is used to connect to a mail server that is up-to-date when it comes to use of secure ciphers.
- JOC Cockpit: Ciphers are determined by the Java version and the
Should JOC Cockpit and the mail server not identify a common cipher then the handshake in communication will fail. In this situation the Java version in use can be updated and/or the java.security
file can be adjusted to allow a matching cipher.
Anchor | ||||
---|---|---|---|---|
|
Mail servers can be configured to require authentication. Your system administrator provides this information.
To verify the credentials users can setup an e-mail client and check that credentials work.
Recommended E-Mail Settings
Setting | Value |
---|---|
mail.smtp.auth | true |
mail.smtp.user | <account@domain> |
mail.smtp.password | <password> |
Anchor | ||||
---|---|---|---|---|
|
When sending mail then error messages are raised by the JOC Cockpit JS7 - Monitor Service. They can be found in the service-monitor.log
file, see JS7 - Log Files and Locations.
For SSL debugging with JOC Cockpit see JS7 - Log Levels and Debug Options
- The
JAVA_OPTIONS
value-Djavax.net.debug=ssl
can be used - For newer Java versions the
JAVA_OPTIONS
value-Djavax.net.debug=all
can be used that will create more detailed output. - SSL debug output becomes available from the
jetty.log
file:- Consider that SSL debug output is logged for any SSL activity in JOC Cockpit, including access by clients from browsers using HTTPS connections, authentication with an LDAP server using SSL/TLS etc.
- Users should be trained to identify the SSL debug output related to sending mail.
...
x
...
Mail servers can be configured to require authentication. Your system administrator provides this information.
To verify the credentials users can setup an e-mail client and check that credentials work.
Recommended E-Mail Settings
...
Examples
Example for use of plain text connection (Port 25)
Area | Setting | Value | Comment |
---|---|---|---|
Connection | mail.smtp.host | <mail server host or IP address> | |
mail.smtp.port | 25 | ||
mail.smtp.starttls.enable | false | Deny SMTP over TLS | |
mail.smtp.ssl.enable | false | Deny SMTP over SSL | |
Authentication | mail.smtp.auth | true | Use if mail server requires authentication |
mail.smtp.user | <account@domain> | ||
mail.smtp.password | <password> |
Example for use of SMTP over SSL connection (Port 465)
Area | Setting | Value | Comment |
---|---|---|---|
Connection | mail.smtp.host | <mail server host or IP address> | |
mail.smtp.port | 465 | ||
mail.smtp.starttls.enable | false | Deny SMTP over TLS | |
mail.smtp.ssl.enable | true | Allow SMTP over SSL | |
Protocol Version | mail.smtp.ssl.protocols | TLSv1.2 | Specify the agreed-on protocol version |
Authentication | mail.smtp.auth | true | Use if mail server requires authentication |
mail.smtp.user | <account@domain> | ||
mail.smtp.password | <password> |
Example for use of SMTP over TLS connection (Port 587)
Area | Setting | Value | Comment |
---|---|---|---|
Connection | mail.smtp.host | <mail server host or IP address> | |
mail.smtp.port | 25 | ||
mail.smtp.starttls.enable | true | Allow SMTP over TLS | |
mail.smtp.ssl.enable | false | Deny SMTP over SSL | |
Protocol Version | mail.smtp.ssl.protocols | TLSv1.2 | Specify the agreed-on protocol version |
Authentication | mail.smtp.auth | true | Use if mail server requires authentication |
mail.smtp.user | <account@domain> | ||
mail.smtp.password | <password> |