Email Configuration with TLS 1.2

Bharath Kumar shared this question 29 days ago
Answered

Hello,

Does yellowfin support SSL SMTP Configuration?

I am trying to configure the SMTP server with TLS/SSL; both ways the test email fails with this error:

Connection Failed

SSL Certificate error occurred while connecting to the mail server. The server may have an expired or invalid SSL Certificate, may be misconfigured, or an attacker may be trying to intercept the connection. If you want to connect anyway, use the Allow Invalid Certificate option. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

Non SSL SMTP configuration works fine and test email is received.

With both SSL and TLS, the connection is failing. I imported the Yellowfin signed Cert to SMTP server cacerts and similarly SMTP server certificate to yellowfin keystore.

The certificates are valid and we are using the latest builds of Chrome (85)/Firefox (81).

The security team has confirmed there is no issue from anti-virus or other communication problems.

I have screenshot and email log attached.

Can you please confirm whether YF supports STARTTLS email configuration; we are on version 8.0.6.

Comments (17)

Hi Bharath,

Thank you for reaching out to us. I will test on 8.0.6, but I have been able to use this in the past. What is the mail server you are connecting to? Are there any limits on the TLS versions being used?

Cheers,

Neal

Hi Neal,

We are using the SMTP server for Outlook and there are no limits on the TLS version. Please test and let us know if it works for you.

Regards,

Bharath

Hi Bharath,

Currently I don't have access to an outlook server, but I have been able to successfully use Google's SMTP with STARTTLS (port 587). I have attached images of the difference between No encryption and STARTTLS so you can confirm it is working.

This leads us to a trust issue between your certificate and the mail server, which if you are using a self-signed cert may be the issue, but this is outside of our scope of support to really dig into.

If you have any questions please let me know.

Cheers,

Neal

Hi Neal,

Thanks for trying that. Ok, I understand this is out of your support scope.

Can you help me understand - do we need to import certs both on Yellowfin server java trust store and SMTP server as well?

How did the TLS work for you? Did you import any certificates on YF server? So we can also follow the same thing.

Regards,

Bharath

Hi Bharath,

I did not import any certificates, but because it is a Google server, their certificate will already be trusted. TLS only requires the SMTP server to have a valid certificate and be trusted, so I would expect the SMTP server's CA would need to be trusted by java on the Yellowfin server.

If this is a self-signed certificate on the SMTP server, then you would need to add that certificate to the Java truststore on the Yellowfin server.

One way to test that TLS does work and that the issue only lies with the trust relationship is to turn on Allow Invalid Certificate, which should ignore the validity of the certificate and allow the mail to be sent. I would not recommend using this as an ongoing setting (though it is possible), but it would at least confirm the root cause of the issue.

I will mark this as complete, but please do let me know how you go and if you have any further questions.

Cheers,

Neal

Hi Neal,

We are struggling to make this configuration work. We imported the SMTP server's signed certificate to the Yellowfin Java trust store. We also enabled TLS 1 and 1.2 in the Tomcat server.xml file. We still get the same error.

SSL Certificate error occurred while connecting to the mail server. The server may have an expired or invalid SSL Certificate, may be misconfigured, or an attacker may be trying to intercept the connection. If you want to connect anyway, use the Allow Invalid Certificate option. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

The Allow Invalid Certificate option also results in the same error.

In your last update you mentioned, TLS only requires the SMTP server to have a valid certificate and be trusted - SMTP server has valid certificate and it is trusted. This has been confirmed by the SMTP admins today.

We also enabled logging on the SMTP side and we found the error for our email configuration:

TLS negotiation failed with algorithm mismatch

We need to know whether we can make Yellowfin use a specific TLS version. I know we define TLS in the Tomcat server.xml, but in Yellowfin is there a place where we can make it use TLS 1.x for the email configuration?

Is it required to import the Yellowfin certificate on the SMTP server?

We are stuck with the Email configuration and we need your assistance for the same.

Regards,

Bharath

Hi Bharath,

Looking into the JavaMail docs, you should be able to add the following lines to your catalina.bat or catalina.sh:

set JAVA_OPTS=%JAVA_OPTS% -Dmail.smtp.ssl.protocols=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dmail.smtp.ssl.trust=mail.yellowfin.com

where mail.yellowfin.com is the name of the mail server as per the certificate. This allows Yellowfin to accept certificates from that server specifically (without doing additional checks). This would force TLS to 1.2; I have seen this used once in the past, so hopefully this helps.

I do not think you would need to add the Yellowfin certificate to the SMTP server store, but from what you have said previously you have already done this. A lot of this depends on the security in place at the client end, what they allow. In general, you do not need to make any modifications unless there are specific security requirements at the client side.

Hopefully the above helps; otherwise we will need to look at the version of JavaMail in use on the client system for any known issues or additional configurations to work around their security settings.

Cheers,

Neal

Hi Neal,

Thanks, I will try that out. One thing is that we were able to connect to the SMTP server and send a test email (with TLS) using PowerShell from the Yellowfin machine. But we are struggling to make it work from the application.

I will let you know how it goes.

Regards,

Bharath

Hi Bharath,

Thank you for the update, and let me know how you go with the additional config options.

Cheers,

Neal

Hi Neal,

We added the configuration in catalina.bat and are still getting the same error: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake.

Regards,

Bharath

Hi Bharath,

Sorry for the delay, I've just remembered you guys run YF as a Windows service, so those options need to go into the Windows service. To do this, open a command prompt and navigate to the SmartReporting/appserver/bin folder. Then run the following command, replacing X with the Tomcat number on the machine (most likely 8 or 9):

tomcatXw.exe //ES/BMCSmartReporting

Then move to the Java tab and add the following into the Java Options section (again putting the mail server name in there):

-Dmail.smtp.ssl.protocols=TLSv1.2
-Dmail.smtp.ssl.trust=mail.yellowfin.com

It will look something like this:

Sorry Bharath, this really sits outside of our general scope of support as it requires full knowledge of the customer's SMTP setup to really dig into this. Hopefully this helps.

Cheers,

Neal

Hi Neal,

We already did this: added TLSv1.2 and the SMTP server details in the Tomcat configuration and catalina.bat. My question is how we can make Yellowfin use TLSv1.2, since the configuration we are adding is on the Tomcat side. Does YF use the same to make the SMTP server call?

Regards,

Bharath

Hi Bharath,

Can you please confirm that the version of JavaMail in the /WEB-INF/lib directory is as follows:

javax.mail-1.6.2.jar

If not, please let me know which version of javax.mail you have there. Can you also try the following configurations in place of the ones sent previously:

set JAVA_OPTS=%JAVA_OPTS% -Dmail.smtps.ssl.protocols=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dmail.smtps.ssl.trust=*

If these do not work we will need to reach out to your CSM and arrange some time with a consultant to assist with this implementation.

Yellowfin uses the JavaMail extension through Tomcat to connect to the SMTP server.

Cheers,

Neal

Hi Neal,

javax.mail-1.5.2.jar is the one I have in the web-inf\lib location. This came with the 8.0.6 installation. Do you have any later file that I can try with?

Regards,

Bharath

Hi Bharath,

Please find attached the 1.6.2 version; replace the existing one with this and see how that goes (do take a copy of the old one, just to be safe).

Cheers,

Neal

Hi Neal,

The configuration was successful with the new javax.mail-1.6.2.jar. Thanks a lot for your help. I think it's worth having this documented somewhere.

Regards,

Bharath

Hi Bharath,

That's great news, I am glad we worked it out in the end and I will write up a post on including those flags, with the caveat that the system must have JavaMail 1.6.2 minimum to force TLS 1.2.

On a side note, looking at our upgrades and full installers, I can see that javax.mail-1.6.2 is the version shipped with 8.0.5 and above, so this should not have needed to be changed if this system is on 8.0.6. I would ask that you check one of your other environments running 8.0.6 as well to see if this has the 1.6.2 package and if not, please let me know.

Cheers,

Neal
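An added example, not code from this thread or from Yellowfin, that reproduces the application's connection path outside the product so the failure can be isolated to trust, TLS negotiation, or the JavaMail version: it sets in code the same mail.smtp.ssl.protocols and mail.smtp.ssl.trust properties Neal passes as JVM options, pins TLSv1.2, and turns on mail.debug to show where the STARTTLS handshake breaks. It assumes javax.mail-1.6.2.jar (the version the thread ends on) and its activation dependency on the classpath; HOST, PORT, USER and PASS are constructed placeholders.

```java
import java.util.Properties;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;

public class SmtpTlsProbe {
    // Constructed placeholders: replace with the real relay and a mailbox it accepts.
    static final String HOST = "mail.example.internal"; // must match the certificate's name
    static final int PORT = 587;                        // submission port, STARTTLS
    static final String USER = "yf-notify@example.internal";
    static final String PASS = "changeme";

    // Same settings the thread passes as -Dmail.smtp.* JVM options, built in code so the
    // probe does not depend on how Tomcat or the Windows service was started.
    static Properties buildProps(boolean allowInvalidCert) {
        Properties p = new Properties();
        p.put("mail.smtp.host", HOST);
        p.put("mail.smtp.port", String.valueOf(PORT));
        p.put("mail.smtp.auth", "true");
        p.put("mail.smtp.starttls.enable", "true");
        p.put("mail.smtp.starttls.required", "true"); // never fall back to plaintext
        p.put("mail.smtp.ssl.protocols", "TLSv1.2");   // -Dmail.smtp.ssl.protocols=TLSv1.2
        if (allowInvalidCert) {
            // Diagnostic only, like Yellowfin's "Allow Invalid Certificate": trust HOST
            // without chain validation (-Dmail.smtp.ssl.trust=<host>). If this succeeds
            // where the default path fails, the fault is trust, not TLS negotiation.
            p.put("mail.smtp.ssl.trust", HOST);
        } else {
            // Default path: chain validates against the JVM truststore and name must match.
            p.put("mail.smtp.ssl.checkserveridentity", "true");
        }
        p.put("mail.debug", "true"); // prints EHLO/STARTTLS exchange and handshake errors
        return p;
    }

    public static void main(String[] args) {
        boolean allowInvalid = args.length > 0 && args[0].equals("--allow-invalid");
        Session session = Session.getInstance(buildProps(allowInvalid));
        // Transport is AutoCloseable from JavaMail 1.6 onward (the version the thread ends on).
        try (Transport transport = session.getTransport("smtp")) {
            transport.connect(HOST, PORT, USER, PASS); // EHLO, STARTTLS, handshake, AUTH
            System.out.println("STARTTLS on TLSv1.2 succeeded (allowInvalid=" + allowInvalid + ")");
        } catch (MessagingException e) {
            // "Remote host closed connection during handshake" surfaces here; the
            // mail.debug output above it shows whether STARTTLS was offered and where it broke.
            System.err.println("Connection failed: " + e.getMessage());
        }
    }
}
```

Run it once with no arguments and once with --allow-invalid: if only the second succeeds, the Yellowfin server's Java truststore is the problem; if both fail with the handshake error, the client's TLS offer is being rejected, which on javax.mail-1.5.2 is what the thread resolved by upgrading to 1.6.2.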