CFMAIL Error sending with ssl external smtp server

dev support
1

Hi, after some time I have noticed a problem.
Since I updated to version 6.2.1.122 I have noticed a problem with cfmail.
When I send via localhost everything works fine, while sending via external SMTP server gives me a SASL login authentication error
The authentication parameters in cfmail are ignored, in particular the user ID that appears in the SASL error is not the one passed in CFMAIL.

With previous versions this did not happen and the Postfix server settings were not changed.

Example

<cfmail to="#therecipient#" from="myemail@example.com" replyto="myemail@example.com" failto="myemail@example.com" subject="My Subject" type="HTML" server="out.postassl.it" port="465" username="myemail@example.com" password="#password#">
<cfoutput>Test mail</cfoutput>
</cfmail>

in the postfix log I see:

postfix/smtpd 
	warning: unknown[*ipaddress*]: SASL LOGIN authentication failed: authentication failure, sasl_username=**brterbrtyvtr@arubabiz.net**

Before 6.2.1.122 and older loader (5.3. 4.80) all wortks fine

Version Lucee 6.2.1.122
Version Name Gelert
Loader Version 6.2.1.122
Servlet Container Apache Tomcat/11.0.6
Java 21.0.7 (Eclipse Adoptium) 64bit
OS Almalinux 9.6 64bit (on plesk server)

Mail Settings on lucee administrator SPOOL ENABLED : True

2

Can you try raising the log level on the remote-client log to see if that sheds any further clues?

as in 6.2.0.321 ?

3

sasl had nothing to do with it, I was looking in the wrong place

With 6.1.0.243 I’m sure it worked, and I think also with 6.1.1.118

This is the mail log and remoteclient log with 6.2.1.122

mail.logERROR 22:28:08, 18 Jun, 2025Thread-1143116

"javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465; nested exception is:

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate);javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate);javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate);Could not connect to SMTP host: out.postassl.it, port: 465;No appropriate protocol (protocol is disabled or cipher suites are inappropriate);lucee.runtime.exp.NativeException: javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at lucee.runtime.net.smtp.SMTPClient._send(SMTPClient.java:877)
at lucee.runtime.spooler.mail.MailSpoolerTask.execute(MailSpoolerTask.java:139)
at lucee.runtime.spooler.SpoolerTaskSupport._execute(SpoolerTaskSupport.java:107)
at lucee.runtime.spooler.SpoolerEngineImpl.execute(SpoolerEngineImpl.java:619)
at lucee.runtime.spooler.SpoolerEngineImpl.execute(SpoolerEngineImpl.java:612)
at lucee.runtime.spooler.SpoolerEngineImpl$TaskThread.run(SpoolerEngineImpl.java:548)
Caused by: java.lang.Exception: javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
… 6 more
Caused by: javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1962)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
at javax.mail.Service.connect(Service.java:295)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:60)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at java.base/sun.security.ssl.HandshakeContext.(Unknown Source)
at java.base/sun.security.ssl.ClientHandshakeContext.(Unknown Source)
at java.base/sun.security.ssl.TransportContext.kickstart(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:354)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:211)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1928)
… 3 more
"

remoteclient.logERROR 22:28:08, 18 Jun, 2025Thread-1143116

"failed to execute: Registrazione EBT Catania;out.postassl.it javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465; nested exception is:

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0;out.postassl.it javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0;javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate);Could not connect to SMTP host: out.postassl.it, port: 465;No appropriate protocol (protocol is disabled or cipher suites are inappropriate);lucee.runtime.exp.NativeException: out.postassl.it javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0
at lucee.runtime.net.smtp.SMTPClient._send(SMTPClient.java:907)
at lucee.runtime.spooler.mail.MailSpoolerTask.execute(MailSpoolerTask.java:139)
at lucee.runtime.spooler.SpoolerTaskSupport._execute(SpoolerTaskSupport.java:107)
at lucee.runtime.spooler.SpoolerEngineImpl.execute(SpoolerEngineImpl.java:619)
at lucee.runtime.spooler.SpoolerEngineImpl.execute(SpoolerEngineImpl.java:612)
at lucee.runtime.spooler.SpoolerEngineImpl$TaskThread.run(SpoolerEngineImpl.java:548)
Caused by: lucee.runtime.net.mail.MailException: out.postassl.it javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0
… 6 more
Caused by: java.lang.Exception: javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at lucee.runtime.net.smtp.SMTPClient._send(SMTPClient.java:877)
… 5 more
Caused by: javax.mail.MessagingException: Could not connect to SMTP host: out.postassl.it, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1962)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
at javax.mail.Service.connect(Service.java:295)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:60)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at java.base/sun.security.ssl.HandshakeContext.(Unknown Source)
at java.base/sun.security.ssl.ClientHandshakeContext.(Unknown Source)
at java.base/sun.security.ssl.TransportContext.kickstart(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:354)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:211)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1928)
… 3 more
"

4

Are you sure this mail server is online and working?

Just tried a few of those online smtp checkers and they all had problems?

Please confirm with one of the older versions of lucee you think works

5

Yes. The mail server out.postassl.it is used by all Arubabusiness customers.
I also tried a different smtp (pro.turbo-smtp.com) and I encountered the same problem. (See the log below).

On a non-production server I updated to 6.2.2.54RC and it works.
I analyzed the
java.security file on both machines and they are identical.

In particular, on both machines the tls versions disabled

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES,
MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL,
ECDH

The only difference is that on the other server there is tomcat 9.0.102.

Gemini says:
you may need to adjust your code to use Jakarta EE Mail ?

remoteclient.logERROR 16:31:10, 19 Jun, 2025Thread-1291056

"failed to execute: Invio da nuovo server turbo 465;pro.turbo-smtp.com javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465; nested exception is:

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0;pro.turbo-smtp.com javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0;javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate);Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;No appropriate protocol (protocol is disabled or cipher suites are inappropriate);lucee.runtime.exp.NativeException: pro.turbo-smtp.com javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0
at lucee.runtime.net.smtp.SMTPClient._send(SMTPClient.java:907)
at lucee.runtime.spooler.mail.MailSpoolerTask.execute(MailSpoolerTask.java:139)
at lucee.runtime.spooler.SpoolerTaskSupport._execute(SpoolerTaskSupport.java:107)
at lucee.runtime.spooler.SpoolerEngineImpl.execute(SpoolerEngineImpl.java:619)
at lucee.runtime.spooler.SpoolerEngineImpl.execute(SpoolerEngineImpl.java:612)
at lucee.runtime.spooler.SpoolerEngineImpl$TaskThread.run(SpoolerEngineImpl.java:548)
Caused by: lucee.runtime.net.mail.MailException: pro.turbo-smtp.com javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate):0
… 6 more
Caused by: java.lang.Exception: javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at lucee.runtime.net.smtp.SMTPClient._send(SMTPClient.java:877)
… 5 more
Caused by: javax.mail.MessagingException: Could not connect to SMTP host: pro.turbo-smtp.com, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1962)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
at javax.mail.Service.connect(Service.java:295)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:60)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at java.base/sun.security.ssl.HandshakeContext.(Unknown Source)
at java.base/sun.security.ssl.ClientHandshakeContext.(Unknown Source)
at java.base/sun.security.ssl.TransportContext.kickstart(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:354)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:211)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1928)
… 3 more
"

6

P.S.
On the non-production machine I tried to revert to 6.2.1.122 (the loader is the same) and it gives me the following error, so I had to restore the lucee folder from a backup and reboot the machine

Lucee 6.2.1.122 Error (application)
you cannot instantiate the interface [zip:///opt/lucee/tomcat/lucee-server/context/context/lucee-admin.lar!/Application.cfc] as a component (application_cfc$cffalse)
AI (Experimental) For AI-driven exception analysis setup, see AI Setup Guide.
Java Stacktrace lucee.runtime.exp.ApplicationException: you cannot instantiate the interface [zip:///opt/lucee/tomcat/lucee-server/context/context/lucee-admin.lar!/Application.cfc] as a component (application_cfc$cffalse)
at lucee.runtime.component.ComponentLoader.initComponent(ComponentLoader.java:697)
at lucee.runtime.component.ComponentLoader._loadComponent(ComponentLoader.java:639)
at lucee.runtime.component.ComponentLoader.loadComponent(ComponentLoader.java:512)
at lucee.runtime.component.ComponentLoader.loadComponent(ComponentLoader.java:496)
at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:109)
at lucee.runtime.listener.ModernAppListener.onRequest(ModernAppListener.java:100)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2810)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2797)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2768)
at lucee.runtime.engine.Request.exe(Request.java:45)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1109)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1066)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:42)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at mod_cfml.core.invoke(core.java:180)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:761)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:937)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1793)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:1583)

7

hmmm, you could try running tomcat in a console, using catalina run in the tomcat/bin folder and try sending an email using

<cfmail ... async=false debug=true>

which will attempt to send the email immediately and also log out the mail server interaction to the console

DEBUG: setDebug: Jakarta Mail version 1.6.7
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle]
DEBUG SMTP: useEhlo true, useAuth false
DEBUG SMTP: trying to connect to host "localhost", port 30250, isSSL false
220 /127.0.0.1 GreenMail SMTP Service v1.6.15 ready
DEBUG SMTP: connected to host "localhost", port: 30250
EHLO zac-dell.fritz.box
250-/127.0.0.1
250 AUTH PLAIN LOGIN
DEBUG SMTP: Found extension "AUTH", arg "PLAIN LOGIN"
NOOP
250 Is that all?
QUIT
221 /127.0.0.1 Service closing transmission channel

re the downgrade, did you try just restarting tomcat rather than restoring and rebooting, that often solves such problems?

8

As for the downgrade I tried to restart tomcat, but the error persisted, so I recovered the folder from the server’s cloud backup and restarted apache and tomcat, then lucee asked me to import a password from the password.txt file
Usually downgrades worked. This time I had the same problem twice.

I have a doubt: on the non-production machine the problem was solved after the restore of 6.2.1.122 from backup. But restoring the folder from the cloud does not overwrite any files added by version 6.2.2.54RC so is it possible that after returning to 6.2.1.122 there is some file (some class) that was originally missing?

9

In production machine (where i receive the error):
[root@production bundles]# ls | grep mail
bouncycastle.mail-1.38.0.jar
javax.mail-1.4.6.jar
org.lucee.commons-email-all-1.6.0.jar
org.subethamail-3.1.7.0.jar

in non production machine after restore of 6.2.1.122 from backup (where allworks fine):
[root@nonproduction bundles]# ls | grep mail
bouncycastle.mail-1.38.0.jar
org.lucee.commons-email-all-1.6.0.jar

But In cloud copy of non production yesterday there was javax.mail-1.4.6.jar

Can i remove javax.mail-1.4.6.jar to solve the problem ?

10

yeah, definitely it’s worth trying. Lucee doesn’t remove old bundles, which might be indeed the cause

If Lucee needs it, it will automatically download it again

11

Solved (by chatgpt)

JavaMail (used by Lucee for cfmail) does not handle port 465 with implicit SSL well if not configured correctly. Starting from Java 11+ and even more restrictively with Java 21, many protocols and ciphers are disabled by default.

In fact the error arose after the update to Java 21. And it did not depend on the Lucee version

cd /opt/lucee/tomcat/bin
nano setenv.sh

add this row
export JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

chmod +x setenv.sh

restart lucee

in cfmail:
use port 587 (STARTTLS) instead of 465 (SMTPS)
use useTLS="true". instead of useSSL="true"

eg

<cfmail 
  username="tuo@email.com"
  password="tuapassword"
  server="pro.turbo-smtp.com"
  port="587"
  useTLS="true"
  type="html"
  from="tuo@email.com"
  to="destinatario@email.com"
  subject="Test">
Contenuto di test
</cfmail>
1 Like