Could not connect to SMTP host using STARTTLS #2625

Closed
izenk opened this issue May 4, 2018 · 10 comments
@izenk

izenk commented May 4, 2018

ISSUE TYPE

Other

COMPONENT NAME

Management Node

CLOUDSTACK VERSION

4.11.0.0

CONFIGURATION

  • Advanced Networking
  • KVM

OS / ENVIRONMENT

CentOS Linux release 7.4.1708

Summary

Goal: integrate CloudStack with external SMTP relay.
SMTP relay is Office365 relay from Office365 subscription.
Parameters to connect: smtp.office365.com:587

In general there are two cases for secure connection:

  • SSL (First SSL handshake, then SMTP HELO)
  • TLS (First SMTP HELO, then STARTTLS)

CS does not allow specifying the method to use and by default uses SSL, which leads to errors:

2018-04-25 14:26:15,723 WARN  [c.c.p.ProjectManagerImpl] (API-Job-Executor-5:ctx-0242c153 job-423 ctx-8109c588) (logid:13177452) Failed
 to send project id=Project[2|name=test_project|domainid=2] invitation to the email <removed>; removing the invitation record from the db
javax.mail.MessagingException: Could not connect to SMTP host: smtp.office365.com, port: 587;
  nested exception is:
        javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1961)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
        at javax.mail.Service.connect(Service.java:295)
        at javax.mail.Service.connect(Service.java:176)
        at javax.mail.Service.connect(Service.java:125)
        at com.cloud.projects.ProjectManagerImpl$EmailInvite.sendInvite(ProjectManagerImpl.java:990)
        at com.cloud.projects.ProjectManagerImpl.generateTokenBasedInvitation(ProjectManagerImpl.java:708)
        at com.cloud.projects.ProjectManagerImpl.inviteAccountToProject(ProjectManagerImpl.java:590)
        at com.cloud.projects.ProjectManagerImpl.addAccountToProject(ProjectManagerImpl.java:563)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:338)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:107)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:174)
        at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:51)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:174)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy140.addAccountToProject(Unknown Source)
        at org.apache.cloudstack.api.command.user.account.AddAccountToProjectCmd.execute(AddAccountToProjectCmd.java:91)
        at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:150)
        at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108)
        at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:581)
        at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49)
        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
        at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46)
        at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:529)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
        at sun.security.ssl.InputRecord.read(InputRecord.java:527)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
        ... 45 more
2018-04-25 14:26:15,741 WARN  [c.c.p.ProjectManagerImpl] (API-Job-Executor-5:ctx-0242c153 job-423 ctx-8109c588) (logid:13177452) Failed to generate invitation for email <removed> to project id=Project[2|name=test_project|domainid=2]

Option is described here (mail.smtp.starttls.enable): Java Mail
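
The two connection modes described in this issue, expressed as JavaMail session properties. This is an added example, not CloudStack's code or its fix; the class SmtpTlsModes, the Mode enum and propsFor are hypothetical names, and it assumes the javax.mail library is on the classpath.

```java
import java.util.Properties;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;

/** Added illustration; class and method names are hypothetical. */
public class SmtpTlsModes {

    enum Mode { IMPLICIT_TLS, STARTTLS }

    /** Build JavaMail properties for one of the two secure SMTP modes. */
    static Properties propsFor(Mode mode, String host, int port) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", String.valueOf(port));
        p.put("mail.smtp.auth", "true");
        // Check that the server certificate matches the host name in both modes.
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        if (mode == Mode.IMPLICIT_TLS) {
            // TLS handshake first, then SMTP. Against a STARTTLS-only port the
            // server answers the ClientHello with a plain-text greeting, which
            // surfaces as "Unrecognized SSL message, plaintext connection?".
            p.put("mail.smtp.ssl.enable", "true");
        } else {
            // Plain SMTP greeting and EHLO first, then upgrade with STARTTLS.
            p.put("mail.smtp.starttls.enable", "true");
            // Fail the connection instead of continuing in clear text when
            // STARTTLS is not offered or the upgrade does not succeed.
            p.put("mail.smtp.starttls.required", "true");
        }
        return p;
    }

    public static void main(String[] args) throws MessagingException {
        // Usage: java SmtpTlsModes <host> <port> <STARTTLS|IMPLICIT_TLS> <user> <password>
        Mode mode = Mode.valueOf(args[2]);
        Properties props = propsFor(mode, args[0], Integer.parseInt(args[1]));
        Session session = Session.getInstance(props);
        Transport transport = session.getTransport("smtp");
        try {
            // Host and port are taken from the session properties.
            transport.connect(args[3], args[4]);
            System.out.println("Connected using " + mode);
        } finally {
            transport.close();
        }
    }
}
```

With mail.smtp.starttls.enable alone, JavaMail continues over the unencrypted connection when the server does not advertise STARTTLS, so credentials can be sent in clear text; mail.smtp.starttls.required turns that case into a connection failure.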

@rohityadavcloud rohityadavcloud added this to the 4.11.1.0 milestone May 5, 2018
@rohityadavcloud
Member

@izenk depending on your SMTP provider's setting, if you want SSL enabled transport, set project.smtp.useAuth to true in global settings, restart mgmt server and try again. I'll close this but feel free to open if the advised solution does not work for you.

@izenk
Author

izenk commented May 10, 2018

@rhtyd
project.smtp.useAuth was already enabled
Issue is related to SSL or STARTTLS.
In general there are two cases for secure SMTP connection:
SSL (First SSL handshake, then SMTP HELO)
TLS (First SMTP HELO, then STARTTLS)

CloudStack by default uses SSL and only it, when it should be possible to choose: SSL or STARTTLS.

@rohityadavcloud
Member

@izenk I tested this against a server where it worked for me, let me re-open this. After enabling the global setting (i.e. set to true) was the management server restarted? Please also check iptables rules on the management server blocking egress traffic.

@rohityadavcloud rohityadavcloud modified the milestones: 4.11.1.0, 4.11.2.0 May 10, 2018
@izenk
Author

izenk commented May 10, 2018

@rhtyd
yes, management server was restarted. What is your SMTP server?
Mine is Office365 SMTP on port 587.
SSL is disabled on the SMTP side; only STARTTLS is supported.
This means that first a simple non-secure connection is established and only then it's upgraded to TLS.

You can try it on your server: smtp host = smtp.office365.com:587
Pick any random user and password. If you get an auth error, it means that your creds are incorrect - it's working.
If you get "Unrecognized SSL message, plaintext connection" - this is my issue.

@s-seitz

s-seitz commented May 11, 2018

@izenk I'd suggest setting up a local mail relay or MTA for this purpose. Nowadays, SSL is a moving target when it comes to "safe" cipher lists. I wouldn't rely on the Java cipher lists; also, it's way more convenient having mails dealt with by an MTA or relay of your own. Just my 2 cents :)

@izenk
Author

izenk commented May 11, 2018

@s-seitz
Already done as workaround.
But local SMTP is one more layer with its own efforts and requirements for maintenance and HA.

@PaulAngus
Member

@izenk I assume that you've tried the options suggested by Microsoft.

https://support.office.com/en-us/article/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4

I'll mark this ticket as a feature request/enhancement for now as it is additional functionality that you are requiring.

@izenk
Author

izenk commented Aug 15, 2018

@PaulAngus if you assume the local mail relay option - yes, I implemented it.

@rafaelweingartner rafaelweingartner modified the milestones: 4.12.0.0, 5.0.0.0 Jan 9, 2019
@rohityadavcloud rohityadavcloud modified the milestones: 4.13.0.0, 4.14.0.0 Jun 21, 2019
@andrijapanicsb andrijapanicsb changed the title Could not connect to SMTP host Could not connect to SMTP host using STARTTLS Jan 4, 2020
@andrijapanicsb andrijapanicsb modified the milestones: 4.14.0.0, 4.15.0.0 Jan 13, 2020
@DaanHoogland DaanHoogland modified the milestones: 4.15.0.0, 4.16.0.0 Nov 25, 2020
@nvazquez
Contributor

Hi @izenk can you confirm if the issue is fixed in the main branch?

@rohityadavcloud
Member

PR claiming to fix this issue has been merged #4573
@izenk please test and re-open if not satisfied, thanks.
