Lucee stops sending email 5.3.5.92

semseo · July 7, 2020, 11:49am

Email stops being sent after a few hours, I think some gets delayed somewhere and is eventually sent sometime after the restart but not immediately (I need to investigate this more). I thought it might be a grey listing issue but after restarting Lucee and IIS email is sent and received instantly.

The email is being sent from Lucee via Office 365.

There are no failed email Tasks in Web Admin.

I have seen other posts from 2016 & 2017 with same issue but no solutions.

Same issue on 5.3.5.92 & 5.3.4.80.

Any ideas?

Don’t forget to tell us about your stack!

OS: Win Server 2019
Java Version: 11.0.3
Tomcat Version: 9.0.20
Lucee Version: 5.3.5.92 & 5.3.4.80

Jamie_Jackson · July 8, 2020, 8:39pm

Possibly this: https://luceeserver.atlassian.net/browse/LDEV-2561

semseo · July 9, 2020, 8:58am

Thanks Jamie.

I have found the error in an unsent email Task is:
mail.protection.outlook.com Could not convert socket to TLS lucee.runtime.exp.NativeException: Could not convert socket to TLS

This has been reported before but not on 5.3.4.80. What I really don’t understand is why does this work and then stop overnight?
What could be changing?

Zackster · July 9, 2020, 10:28am

can you post the top of the stacktrace, say 10 lines?

semseo · July 10, 2020, 8:45am

I just sent an email and it has not been received and there is nothing is in the Web Admin Tasks.
Restarted Lucee, sent another email and it was sent and received instantly.

Is this what you mean?

thedomain-uk.mail.protection.outlook.com Could not convert socket to TLS lucee.runtime.exp.NativeException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666)
at javax.mail.Service.connect(Service.java:295)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:59) Caused by: javax.mail.MessagingException: Could not convert socket to TLS; nested exception is:
javax.net.ssl.SSLHandshakeException: A potential protocol version downgrade attack
… 4 more Caused by: javax.net.ssl.SSLHandshakeException: A potential protocol version downgrade attack
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(ServerHello.java:985)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:890)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:486)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1902)

Zackster · July 10, 2020, 9:03am

thanks, that’s informative.

I have filed a bug https://luceeserver.atlassian.net/browse/LDEV-2967

@isapir was the last developer to work on these TLS issues, which was before the 5.3.4.80 release.

You could try updating to Java 11.0.7 https://adoptopenjdk.net/releases.html

kabutotx · July 11, 2020, 6:17pm

I wonder if it is trying TLSv1.0 or something. Maybe disabling in java.security?

jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

or is firewall doing something to smtp port.

semseo · July 14, 2020, 8:23am

Thanks for suggestions and adding the bug, I will keep an eye on it.
I tried upgrading the jre by simply copying in the latest folders (bin, conf, legal, lib) from the link: OpenJDK11U-jre_x64_windows_hotspot_11.0.7_10. But Lucee would not restart so put the old ones back. I will try again when I get a few minutes.

I have added TLSv1, TLSv1.1 to this jdk.tls.disabledAlgorithms= in \lucee\jre\conf\security\java.security

I will update this if I anything changes or I find anything useful.

Zackster · July 14, 2020, 8:30am

you can also do that directly from cfml

<cfscript>
System = createObject("java", "java.lang.System");
System.setProperty("mail.debug", "true");
System.setProperty("mail.smtp.ssl.protocols", "TLSv1.2");
</cfscript>

https://luceeserver.atlassian.net/browse/LDEV-1933?focusedCommentId=42296

semseo · July 17, 2020, 11:03am

Where do I put that code? Application.cfc or before every email is sent?

I found that adding
jdk.tls.disabledAlgorithms= TLSv1, TLSv1.1 in \lucee\jre\conf\security\java.security
stopped the imap code below connecting. It must default to TLS 1 or 1.1 ?
Adding this line fixed it:
properties.put(“mail.imaps.ssl.protocols”,“TLSv1.2”);

So if I can set Lucee to always send emails with TLS 1.2 it might fix the issue.

properties = createObject(“Java”,“java.util.Properties”);
jsession = createObject(“Java”,“javax.mail.Session”);
store = createObject(“Java”,“javax.mail.Store”);
message = CreateObject(“Java”, “javax.mail.Message”);

	properties.init();
	properties.put("mail.store.protocol","imaps");
	properties.put("mail.from", mailSettings.username);
	properties.put("mail.imaps.port", mailSettings.port);
	properties.put("mail.imaps.connectiontimeout",mailSettings.timeout);
	properties.put("mail.imaps.timeout",mailSettings.timeout);

// add this line to make it work
properties.put(“mail.imaps.ssl.protocols”,“TLSv1.2”);

	jsession = jsession.getInstance(properties);
	store = jsession.getStore("imaps");
	store.connect(mailSettings.server, mailSettings.username, mailSettings.password);

	inbox = store.getFolder("#mailSettings.folder#");
	VARIABLES.message_count = inbox.getMessageCount();

kabutotx · July 17, 2020, 7:07pm

Looking at the JDK release notes, there have been changes to TLS 1.2 negotiation in updated JDKs.
You might have to download from adoptopenjdk.net (or Oracle if that is what you use) and get the latest 11.0.8 and install. How did you install Lucee? I haven’t tested the Lucee installer in Windows. I know in Linux you can just extract the JDK and renmae the /opt/lucee/jdk directory. Windows uses registry values sometimes and you might have to change those.

If you have a internet accessible website you also need to update Tomcat libs. There have been security updates.

semseo · July 22, 2020, 9:16am

That is interesting as I have not had the error since I have added this: properties.put(“mail.imaps.ssl.protocols”,“TLSv1.2”);

Maybe Office 365 did not like the site trying to connect with TLS 1 in some places and TLS 1.2 in others.

I will still upgrade when I get the time but it might be fixed for now…

Roger_Garpenholm · December 23, 2020, 8:53pm

Any progress on this issue?

I’m also having the same problem on my new installation on a Ubuntu 20.04.2 (Linux (5.4.0-58-generic) 64bit) system. I have Lucee version 5.3.7.47 installed.
I also tried to upgrade to the currently latest v.11 release of AdoptOpenJDK (11.0.9.1), no difference.

“ERROR”,“http-nio-8888-exec-3”,“12/23/2020”,“20:23:04”,“mail”,"Could not convert socket to TLS;Could not convert socket to TLS;lucee.runtime.
exp.NativeException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2155)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:752)
at javax.mail.Service.connect(Service.java:366)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:59)
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
… 4 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:350)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:293)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:288)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:626)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:553)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2150)
… 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
… 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 23 more

kabutotx · December 23, 2020, 10:30pm

It seems to not like/trust your SSL certificate on the email server.

Zackster · December 24, 2020, 1:15pm

which params are you using with cfmail?