
Failed to send e-mail using STARTTLS starting from 7.11.0 release

Open Pinkbyte opened this issue 2 years ago • 0 comments

After updating the docker container to keyfactor/ejbca-ce:7.11.0 I am having trouble sending e-mails on a STARTTLS-enabled server. Here is part of the logs:

2023-01-18 11:19:58,271+0300 ERROR [org.ejbca.util.mail.MailSender] (EJB default - 5) Unable to send email: : javax.mail.MessagingException: Could not connect to SMTP host: mail.dstu.local, port: 25;
  nested exception is:
        javax.net.ssl.SSLException: Unsupported or unrecognized SSL message

<skipped>

However, checking via openssl works:

pinkbyte@oas1 ~ $ openssl s_client -host mail.dstu.local -port 25 -starttls smtp
CONNECTED(00000003)
depth=1 C = RU, ST = Rostov Region, L = Rostov-on-Don, O = Don State Technical University, OU = CIT, CN = DSTU CA
verify return:1
depth=0 C = RU, ST = Rostov Region, L = Rostov-on-Don, O = Don State Technical University, OU = CIT, CN = mail.dstu.local
verify return:1
---
Certificate chain
 0 s:C = RU, ST = Rostov Region, L = Rostov-on-Don, O = Don State Technical University, OU = CIT, CN = mail.dstu.local
   i:C = RU, ST = Rostov Region, L = Rostov-on-Don, O = Don State Technical University, OU = CIT, CN = DSTU CA
 1 s:C = RU, ST = Rostov Region, L = Rostov-on-Don, O = Don State Technical University, OU = CIT, CN = DSTU CA
   i:C = RU, ST = Rostov Region, L = Rostov-on-Don, O = Don State Technical University, OU = CIT, CN = DSTU CA
---

<skipped>

Docker container started like this (sensitive data hidden):

        docker run -d --name=ejbca --restart=always \
                --hostname ejbca \
                --network ejbca \
                -e TZ="Europe/Moscow" \
                -e DATABASE_JDBC_URL="jdbc:mysql://mariadb:3306/ejbca?characterEncoding=UTF-8" \
                -e DATABASE_USER="<sql_user>" \
                -e DATABASE_PASSWORD="<sql_password>" \
                -e JAVA_OPTS_CUSTOM="-Djavax.net.ssl.trustStore=/mnt/persistent/secrets/tls/ejbca/server.jks -Djavax.net.ssl.trustStorePassword=<truststore_password>" \
                -e LOG_AUDIT_TO_DB="true" \
                -e SMTP_DESTINATION="mail.dstu.local" \
                -e SMTP_DESTINATION_PORT="25" \
                -e SMTP_TLS_ENABLED="true" \
                -e SMTP_FROM="<email_address>" \
                -e SMTP_USERNAME="<email_address>" \
                -e SMTP_PASSWORD="<smtp_password>" \
                -p 8080:8080 \
                -p 8443:8443 \
                -v /docker/data/ejbca/persistent:/mnt/persistent \
                -v /docker/data/ejbca/config/web.properties:/opt/primekey/ejbca/conf/web.properties \
                keyfactor/ejbca-ce:7.11.0

Test telnet session to mail.dstu.local, port 25:

pinkbyte@oas1 ~ $ telnet mail.dstu.local 25
Trying 10.1.0.21...
Connected to mail.dstu.local.
Escape character is '^]'.
220 mail.dstu.edu.ru ESMTP Postfix
EHLO oas1
250-mail.dstu.edu.ru
250-PIPELINING
250-SIZE 62914560
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

As a workaround I switched to explicit SSL, available on that server (SMTP_DESTINATION_PORT to 465; SMTP_TLS_ENABLED=true to SMTP_SSL_ENABLED=true).

Pinkbyte, Jan 18 '23 08:01
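The log line in the report, a TLS client failing with "Unsupported or unrecognized SSL message" against a port whose first bytes are a plaintext `220` banner, is the generic symptom of opening TLS from the first byte (implicit TLS, what port 465 offers) on a port that expects STARTTLS after EHLO. The probe below is an added example, not code from the issue or from EJBCA: it classifies a port the way the telnet and openssl checks above do, and reproduces the wrong-mode failure against a constructed local server that replays the Postfix banner and EHLO reply from the telnet transcript. The fake server, the `probe` EHLO argument and the host names are assumptions for the demonstration.

```python
"""Tell STARTTLS (plaintext-first) from implicit TLS on an SMTP port.

Added example, not part of the issue or of EJBCA. The fake server replays the
telnet transcript from the issue (constructed data); the probes work against
any host:port.
"""
import socket
import ssl
import threading

# Constructed from the telnet session in the issue: banner plus EHLO reply.
FAKE_BANNER = b"220 mail.dstu.edu.ru ESMTP Postfix\r\n"
FAKE_EHLO_REPLY = (
    b"250-mail.dstu.edu.ru\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 62914560\r\n"
    b"250-ETRN\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)


def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; the last line has a space after the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    return buf.decode("ascii", "replace")


def classify_smtp_port(host, port, timeout=5.0):
    """Return 'starttls', 'plaintext' or 'implicit-tls'.

    A plaintext/STARTTLS server greets first with a 220 banner; an implicit-TLS
    server (SMTPS, usually port 465) sends nothing until it sees a ClientHello.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = _read_reply(sock)
        except (socket.timeout, TimeoutError):
            banner = ""
        if banner.startswith("220"):
            sock.sendall(b"EHLO probe\r\n")  # 'probe' is an arbitrary client name
            ehlo = _read_reply(sock)
            sock.sendall(b"QUIT\r\n")
            caps = set()
            for line in ehlo.splitlines():
                parts = line[4:].split()  # strip '250-' / '250 ' prefix
                if parts:
                    caps.add(parts[0].upper())
            return "starttls" if "STARTTLS" in caps else "plaintext"
        # Silence in the clear: try a verified TLS handshake on the raw socket.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            _read_reply(tls)  # the banner now arrives inside the TLS session
            return "implicit-tls"


def wrong_mode_error(host, port, timeout=5.0):
    """Reproduce the failure mode from the issue: TLS-from-the-first-byte on a
    port that greets in plaintext. Returns the SSL error reason, or None if the
    handshake succeeded (i.e. the port really is implicit TLS)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # only the record-layer mismatch matters here
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
        except ssl.SSLError as exc:
            return exc.reason or str(exc)


def start_fake_smtp_server():
    """Start the constructed plaintext, STARTTLS-advertising server on an
    ephemeral localhost port and return the port (demonstration only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(FAKE_BANNER)
                    while True:
                        data = conn.recv(4096)
                        if not data:
                            break
                        if data[:4].upper() == b"EHLO":
                            conn.sendall(FAKE_EHLO_REPLY)
                        elif data[:4].upper() == b"QUIT":
                            conn.sendall(b"221 2.0.0 Bye\r\n")
                            break
                        else:
                            # A TLS ClientHello lands here and is answered in the
                            # clear, which a TLS client reports as an unrecognized record.
                            conn.sendall(b"500 5.5.2 Error: bad syntax\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_smtp_server()
    print("port type:", classify_smtp_port("127.0.0.1", p))
    print("TLS-first against it fails with:", wrong_mode_error("127.0.0.1", p))
```

Against a real server, `classify_smtp_port("mail.example", 25)` returning `starttls` means the client must speak EHLO first and upgrade afterwards (in JavaMail terms `mail.smtp.starttls.enable`), while `implicit-tls` on port 465 means TLS from the first byte (`mail.smtp.ssl.enable`); mixing the two produces exactly the handshake error above.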