...
The JS7 can be configured to send JS7 - Notifications by mail in the event of either successful or failed execution of jobs and workflows. In addition, the JS7 - JITL Mail Jobs can be used to send mail. A number of errors can indicate that the mail server connection does not work:
```
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 587
```
```
javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 587
```
```
javax.mail.AuthenticationFailedException: 535 5.7.3 Authentication unsuccessful
```
Error messages for notifications are raised by the JOC Cockpit JS7 - Monitor Service when trying to send mail. They can be found in the service-monitor.log file, see JS7 - Log Files and Locations.
In the event of problems when using one of the JS7 - JITL Mail Jobs, error messages can be found in the order log or task log and in the joc.log file.
Analysis
For mail configuration there are a number of screws that users can turn. It is recommended that the problem is narrowed down in a systematic way:
- Follow the below steps in the given sequence.
- Do not turn too many screws at the same time. Instead, change one setting then check results by sending mail.
- Do not use mixed settings for different protocols. Instead, choose one protocol and apply settings recommended for that protocol only.
A larger number of e-mail settings is available, see https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html. However, in most cases they are not related to problems connecting to a mail server.
Mail servers frequently use specific ports per protocol used with a connection. However, technically, any port can be used. Your system administrator should provide the information about available protocols and ports:
Port | Protocol | Purpose | Certificate |
---|---|---|---|
25 | SMTP | Plain Text | no |
465 | SMTPS (Implicit SSL) | SMTP over SSL | yes |
587 / 2525 | SMTP (Explicit SSL) | SMTP over TLS (StartTLS) | yes |
The examples below check availability of TLS port 587; they can similarly be applied to SSL port 465:
```
# should telnet be available
telnet mail.example.com 587
# should nc or ncat be available (SMTP uses TCP, do not add the -u option that switches to UDP)
ncat -v mail.example.com 587
# should curl be available
curl --ssl --url mail.example.com:587
```
...
Output of the above commands has to be considered in detail if it indicates availability of a port:
```
# test plain text port
curl --ssl --url mail.example.com:25
# output returned
# can indicate that the port is not available:
#   curl: (7) Failed to connect to mail.example.com port 25 after 2186 ms: Connection refused
# can indicate that the port is available:
#   220 mail.example.com ESMTP Postfix (Debian/GNU)
#   221 2.7.0 Error: I can break rules, too. Goodbye.

# test SMTP over SSL
curl --ssl --url mail.example.com:465
# output returned can indicate that the port is available:
#   curl: (56) Recv failure: Connection reset by peer

# test SMTP over TLS
curl --ssl --url mail.example.com:587
# output returned can indicate that the port is not available:
#   curl: (7) Failed connect to mail.example.com:587; Connection refused
```
...
Depending on the Java version in use, different defaults might be in place. Users should therefore allow/deny use of SSL/TLS:
Setting | Value |
---|---|
mail.smtp.starttls.enable | false |
mail.smtp.ssl.enable | true |
...
Depending on the Java version in use, different defaults might be in place. Users should therefore allow/deny use of SSL/TLS:
Setting | Value |
---|---|
mail.smtp.starttls.enable | true |
mail.smtp.ssl.enable | false |
A server certificate is used to establish a secure connection with a TLS port or SSL port. The mail server presents its server certificate and the client (JOC Cockpit or command line client) verifies the certificate.
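```
# display server certificates of an SSL port
openssl s_client -showcerts -connect mail.example.com:465
# display server certificates of a TLS (StartTLS) port: -starttls smtp upgrades the plain text connection before the handshake
openssl s_client -showcerts -starttls smtp -connect mail.example.com:587
```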
...
The above command returns the server certificate or certificate chain. To verify the certificate the client requires access to the Root CA Certificate that has been used to sign the server certificate.
- For use with OpenSSL, certificates are available from /etc/ssl/certs or similar locations.
- For JOC Cockpit operated with Java, the certificates are available from the Java cacerts file which can be found in different locations depending on the Java version and distribution.
  - For a JDK 1.8 including a JRE provided by OpenJDK, for example, the jdk8u202-b08/jre/lib/security/cacerts file is used.
  - For a JDK 17 provided by OpenJDK, for example, the jdk-17.0.1+12/lib/security/cacerts file is used.
Usually mail servers use certificates signed by well-known certificate authorities whose Root CA Certificates are included in distributions of OpenSSL and Java.
Should the Root CA Certificate not be available from the above locations then it can be specified like this:
...
```
CONNECTED(00000003)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = mail.sos-berlin.com
verify return:1
---
Certificate chain
 0 s:/CN=mail.sos-berlin.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.sos-berlin.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6329 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    ...
    Start Time: 1656756203
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 mail.sos-berlin.com ESMTP Postfix (Debian/GNU)
```
In addition to verifying certificates, the above output provides information about the SSL protocol version in use and the cipher used for SSL handshake:
...
Recommended E-Mail Settings
Typically, no settings are required as the mail server's Root CA Certificate can be assumed to be in place.
Should verification of the mail server certificate fail, for example in the case of Private CA-signed certificates, then users can:
- copy the certificate displayed with the above output to their clipboard and paste it to a file,
- import the certificate to the JOC Cockpit truststore, see JS7 - JOC Cockpit HTTPS Connections.
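Instead of copying from the terminal, the certificates can be cut out of saved `openssl s_client -showcerts` output. The following is an added example, not part of the original page or of JS7; the function name `split_chain`, the file names and the sample output with placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: split the certificate chain printed by
# `openssl s_client -showcerts` into one PEM file per certificate.

# split_chain <s_client-output-file> <target-dir>
# Writes <target-dir>/chain-<n>.pem and prints one line per certificate:
#   <n> <issued|self-issued> <file> <subject as shown by s_client>
# "self-issued" (subject equals issuer) marks a Root CA or self-signed entry.
split_chain() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /^ *[0-9]+ s:/ { subject = $0; sub(/^ *[0-9]+ s:/, "", subject) }
    /^ *i:/        { issuer = $0;  sub(/^ *i:/, "", issuer) }
    /^-----BEGIN CERTIFICATE-----/ {
      file = sprintf("%s/chain-%d.pem", dir, n); inside = 1
    }
    inside { print > file }
    /^-----END CERTIFICATE-----/ && inside {
      close(file); inside = 0
      printf "%d %s %s %s\n", n++, (subject == issuer ? "self-issued" : "issued"), file, subject
    }
  ' "$1"
}

# Constructed sample: s_client output with two certificates whose bodies are
# placeholders, not real certificate data.
demo_dir=$(mktemp -d)
cat > "$demo_dir/s_client.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/O=Example Org/CN=Example Private CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFBODYLINE1
PLACEHOLDERLEAFBODYLINE2
-----END CERTIFICATE-----
 1 s:/O=Example Org/CN=Example Private CA
   i:/O=Example Org/CN=Example Private CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERCABODYLINE1
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.com
EOF

split_chain "$demo_dir/s_client.txt" "$demo_dir/chain"
```

Inspect a resulting file with `openssl x509 -in <file> -noout -subject -issuer -fingerprint -sha256` and confirm the fingerprint with whoever operates the Private CA before importing it, as the certificate was received over the connection that is not yet trusted.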
...
Protocol Version | Considered Secure |
---|---|
TLSv1 | no |
TLSv1.1 | no |
TLSv1.2 | yes |
TLSv1.3 | yes |
SSLv3 | no |
The JOC Cockpit, when acting as a client, and the mail server, have to identify a common SSL protocol version:
- JOC Cockpit: The protocol version is determined by the Java version and by the java.security file in place:
  - An older Java version, 1.8 for example, can allow TLSv1 and TLSv1.1 SSL protocol versions that are considered outdated or insecure with the jdk8u202-b08/jre/lib/security/java.security file:
    ```
    jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
    ```
    - TLSv1 and TLSv1.1 protocol versions are not disabled.
    ```
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \
        EC keySize < 224, 3DES_EDE_CBC, anon
    ```
    - A larger number of SSL protocol versions are disabled.
  - A newer Java version, 17 for example, can disable SSL protocol versions that are considered outdated or insecure with the jdk-11.0.12+7/conf/security/java.security file:
    ```
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves
    ```
  - It is common practice that the Java versions available in an organization include adjusted copies of the java.security file that limit the use of SSL protocol versions.
- Mail Server: For compatibility reasons mail servers tend to support outdated or insecure protocol versions for a longer time.
  - There is not a simple way to determine all protocol versions supported by a mail server. Typically this requires SSL debugging, see Logging. The SSL debug log states the list of protocol versions offered by the client and by the mail server. If in doubt, then your system administrator should know the mail server's supported protocol versions.
...
A frequent problem is the requirement that the mail server and client should negotiate the protocol version. This does not work perfectly for a number of mail servers, particularly not for Microsoft Exchange® servers.
Users should therefore specify a single protocol version to be used. The Check Certificates section above explains the commands that help to determine the SSL protocol version supported by the mail server.
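The two sides of this check can be compared in a script. The following is an added example, not part of the original page or of JS7: it reads the negotiated protocol from saved `openssl s_client` output and tests it against `jdk.tls.disabledAlgorithms` in a java.security file. The function names and sample files are constructed; the java.security values are the ones quoted on this page.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print the jdk.tls.disabledAlgorithms value of java.security file $1 on one
# line, joining lines that end with a backslash continuation.
jdk_tls_disabled() {
  awk '
    /^[ \t]*[#!]/ { next }                          # skip comment lines
    !collecting && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      value = $0; sub(/^[^=]*=/, "", value); collecting = 1; fresh = 1
    }
    collecting {
      if (!fresh) value = value " " $0
      fresh = 0
      collecting = (value ~ /\\[ \t]*$/)            # more lines to follow?
      sub(/\\[ \t]*$/, "", value)
    }
    END { gsub(/[ \t]+/, " ", value); sub(/^ /, "", value); sub(/ $/, "", value); print value }
  ' "$1"
}

# Succeed if protocol $2 (for example TLSv1.1) is disabled in file $1.
jvm_disables_protocol() {
  jdk_tls_disabled "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$2"
}

# Print the protocol version from saved `openssl s_client` output file $1.
negotiated_protocol() {
  sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_mail_tls <s_client-output> <java.security>
# Prints one verdict line; returns 0 if the JVM can use the protocol.
check_mail_tls() {
  _proto=$(negotiated_protocol "$1")
  if [ -z "$_proto" ]; then echo "no handshake found"; return 2; fi
  if jvm_disables_protocol "$2" "$_proto"; then
    echo "$_proto disabled in JVM"      # this version cannot be used from Java
    return 1
  fi
  case "$_proto" in
    TLSv1.2|TLSv1.3) echo "$_proto ok, set mail.smtp.ssl.protocols=$_proto" ;;
    *)               echo "$_proto enabled in JVM but not considered secure" ;;
  esac
}

demo_dir=$(mktemp -d)
# Constructed excerpts of s_client output (only the lines that matter here).
printf '    Protocol  : TLSv1.2\n    Verify return code: 0 (ok)\n' > "$demo_dir/tls12.txt"
printf '    Protocol  : TLSv1\n    Verify return code: 0 (ok)\n'   > "$demo_dir/tls10.txt"
# java.security values as quoted on this page, in constructed files.
cat > "$demo_dir/java8.security" <<'EOF'
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
EOF
cat > "$demo_dir/java17.security" <<'EOF'
# constructed file around the value quoted on this page
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
EOF

check_mail_tls "$demo_dir/tls12.txt" "$demo_dir/java17.security"
check_mail_tls "$demo_dir/tls10.txt" "$demo_dir/java8.security"
check_mail_tls "$demo_dir/tls10.txt" "$demo_dir/java17.security" || true
```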
...
Wrong use or mismatch of ciphers is not a frequent issue in mail server connections. However, consider the following explanation if there is a good reason to assume mismatch of ciphers:
For handshake in SSL connections, the JOC Cockpit, when acting as a client, and the mail server require a common protocol version (see step 3) and a common cipher.
- The SSL protocol version in use determines available ciphers.
- The same ciphers have to be in place with the Java version used by the JOC Cockpit and with the mail server.
  - JOC Cockpit: Ciphers are determined by the Java version and the java.security file in place:
    - Older Java versions, for example 1.8, tend to allow ciphers that are considered outdated or insecure. If no recent updates to Java have been applied then newer ciphers might not be available.
    - Newer Java versions, for example 17, tend to disallow a number of ciphers that are considered outdated or insecure.
  - Mail Server: There is not a simple way to determine all the ciphers available with a mail server. Typically this requires SSL debugging, see Logging. The SSL debug log states the list of ciphers offered by the client and by the mail server.
- Cipher mismatch is a possible source of error, for example in the following situations:
  - An older Java version 1.8 (not recently updated) is used to connect to a mail server that is up-to-date when it comes to use of secure ciphers.
    - The mail server denies use of outdated ciphers offered by Java. Java does not know of newer ciphers offered by the mail server.
  - A newer Java version 17 is used to connect to a mail server that is operated with older ciphers.
    - Java denies use of outdated ciphers offered by the mail server. The mail server does not know of newer ciphers offered by Java.
...
Mail servers can be configured to require authentication. Your system administrator will provide this information.
Users can set up an e-mail client to verify that credentials work.
Recommended E-Mail Settings
Setting | Value |
---|---|
mail.smtp.auth | true |
mail.smtp.user | <account>@<domain> |
mail.smtp.password | <password> |
OAuth2 Authentication E-Mail Settings
OAuth2 authentication with mail servers allows use of an access token instead of a password:
- Feature availability starting from release 2.5.2.
- For earlier versions of JS7 see the section Workaround of the following change for instructions on how to update to a newer version of JavaMail that allows OAuth2 authentication: JOC-1456
The following settings can be used:
Setting | Value | Hint |
---|---|---|
mail.smtp.auth | true | |
mail.smtp.auth.mechanisms | XOAUTH2 | |
mail.smtp.user | <account>@<domain> | |
mail.smtp.password | <oauth2-access-token> | |
mail.smtp.sasl.mechanisms.oauth2.oauthToken | <oauth2-access-token> | some mail servers such as smtp.office365.com might force the older SASL mechanism to be used |
Error messages are raised by the JOC Cockpit JS7 - Monitor Service when sending mail. They can be found in the service-monitor.log file, see JS7 - Log Files and Locations.
...
Area | Setting | Value | Comment |
---|---|---|---|
Connection | mail.smtp.host | <mail server host or IP address> | |
 | mail.smtp.port | 587 | |
 | mail.smtp.starttls.enable | true | Allow SMTP over TLS |
 | mail.smtp.ssl.enable | false | Deny SMTP over SSL |
Protocol Version | mail.smtp.ssl.protocols | TLSv1.2 | Specify the agreed-on protocol version |
Authentication | mail.smtp.auth | true | Use if mail server requires authentication |
 | mail.smtp.user | <account@domain> | |
 | mail.smtp.password | <password> | |
...