On Mon, December 21, 2020 15:22, Wietse Venema wrote:
> James B. Byrne:
>>
>> On Mon, December 21, 2020 13:46, Wietse Venema wrote:
>> > James B. Byrne:
>> >> > Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46:
>> >> > Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: lost connection after STARTTLS from accounting-2.internal.harte-lyne.ca[192.168.216.88]
>> >
>> > Results from a web search suggest that this may be a certificate
>> > verification problem.
>>
>> That is what I have been trying to confirm.  And after a lot of poking around
>> with Java's keystore/cacerts implementation I think that I have ruled that
>> out:
>>
>> JAVA_VERSION="12" java -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore -Djavax.net.ssl.trustStorePassword=idempiere-2020-ksadmin SSLPoke 192.168.216.32 465
>> Successfully connected
>
> That proves nothing. This test uses port 465, but your Javamail is
> connecting to port 25.
>

I disagree.  What it shows is that Java, using the keystore belonging to the
application, can connect and verify an SSL connection to postfix on the target
host.  The port is immaterial as that does not affect whether or not the
client/server certificates are acceptable to the Trust Store.

I have just spent two weeks getting to this point.  Up until this morning I
could not get SSLPoke to successfully connect to the mail service at all.  And
the error was always to do with the certificate chain.

SSLPoke cannot do STARTTLS and thus it will always fail on ports 25 and 587
whether or not the certificate chain was acceptable because it gets an
unexpected SSL message.

openssl s_client -starttls smtp from the application host has always been able
to successfully connect to TCP25 on the target, but openssl does not use the
keystore file.
-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
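The disagreement above comes down to two things a port 465 test cannot tell you about port 25: whether the separate port 25 listener (the log line comes from a "postfix-p25" instance) presents the same certificate chain, and whether the client can get through the plaintext STARTTLS dialogue at all before any certificate is examined. The script below is an added example, not code from the thread, from SSLPoke or from Postfix. It probes both ways a Postfix host can offer TLS with one Python function: implicit TLS (handshake immediately, as on 465) and STARTTLS (banner, EHLO, STARTTLS, then handshake, as on 25 and 587), and verifies each server chain against the same PEM CA file. The host, ports and CA path are placeholders; the CA file is assumed to be a PEM export of the trust anchor the Java client uses (for example via `keytool -exportcert -rfc`). A constructed Postfix-style transcript lets the STARTTLS part run offline.

```python
"""Added example (not from the thread): probe a Postfix host's certificate both
ways it can offer TLS, verifying against one PEM CA file in each case.

  - implicit TLS ("smtps", port 465): the TLS handshake starts immediately
  - STARTTLS (ports 25 and 587): plaintext SMTP first; TLS only after STARTTLS

Host, ports and the CA file path in the live call are placeholders.
"""
import io
import socket
import ssl

# OpenSSL alert numbers that show up in Postfix "TLS library problem" lines;
# 46 is the one in the log quoted above.
TLS_ALERT_NAMES = {
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}


class SMTPNegotiationError(RuntimeError):
    """The plaintext part of the dialogue did not reach 'Ready to start TLS'."""


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line); return (code, text lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise SMTPNegotiationError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines


def negotiate_starttls(rfile, wfile, helo_name="probe.example"):
    """Drive the SMTP side of STARTTLS up to the 220 that precedes the handshake.
    Returns the set of EHLO keywords the server advertised."""
    code, lines = read_reply(rfile)
    if code != 220:
        raise SMTPNegotiationError(f"unexpected greeting {code}: {lines}")
    wfile.write(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
    wfile.flush()
    code, lines = read_reply(rfile)
    if code != 250:
        raise SMTPNegotiationError(f"EHLO rejected with {code}: {lines}")
    keywords = {l.split()[0].upper() for l in lines[1:] if l.strip()}
    if "STARTTLS" not in keywords:
        raise SMTPNegotiationError("server does not advertise STARTTLS")
    wfile.write(b"STARTTLS\r\n")
    wfile.flush()
    code, lines = read_reply(rfile)
    if code != 220:
        raise SMTPNegotiationError(f"STARTTLS refused with {code}: {lines}")
    return keywords


def looks_like_tls_record(first_bytes):
    """True if the bytes start a TLS record (type 0x16 handshake, major version 3).
    A plaintext SMTP banner ("220 ...") fails this, which is why a client that
    starts TLS immediately on port 25 dies before any certificate is examined."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def probe(host, port, cafile, starttls):
    """Connect, negotiate STARTTLS if requested, verify the server chain and
    hostname against cafile, and report what was learned. Needs a live server."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    sock = socket.create_connection((host, port), timeout=15)
    try:
        if starttls:
            negotiate_starttls(sock.makefile("rb"), sock.makefile("wb"))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"ok": True, "port": port, "subject": cert.get("subject"),
                    "issuer": cert.get("issuer"), "protocol": tls.version()}
    except (ssl.SSLError, SMTPNegotiationError, OSError) as exc:
        return {"ok": False, "port": port, "error": str(exc)}
    finally:
        sock.close()


# Constructed Postfix-style transcript so negotiate_starttls() can run offline.
SAMPLE_SERVER_BYTES = (b"220 mx32.example ESMTP Postfix\r\n"
                       b"250-mx32.example\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
                       b"220 2.0.0 Ready to start TLS\r\n")


def run_transcript(server_bytes):
    """Feed canned server replies through negotiate_starttls(); return the outcome."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    try:
        keywords = negotiate_starttls(rfile, wfile)
        return {"ok": True, "keywords": keywords, "client_sent": wfile.getvalue()}
    except SMTPNegotiationError as exc:
        return {"ok": False, "error": str(exc), "client_sent": wfile.getvalue()}


if __name__ == "__main__":
    print(run_transcript(SAMPLE_SERVER_BYTES))
    # Live use (placeholder host and CA path): compare what the two listeners present.
    # for port, st in ((465, False), (25, True)):
    #     print(probe("mx.example", port, "/path/to/ca.pem", st))
```

Run against the real host, the two `probe()` results either show the same subject and issuer verified by the same CA file, which is what the port 465 test was taken to prove, or they differ, which is the case a port 465 test cannot rule out. A failure inside `negotiate_starttls()` is reported separately from a TLS verification failure, so "the client never got past the plaintext dialogue" is not confused with "the chain was rejected".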
