Lucee stops sending email 5.3.5.92

Email stops being sent after a few hours, I think some gets delayed somewhere and is eventually sent sometime after the restart but not immediately (I need to investigate this more). I thought it might be a grey listing issue but after restarting Lucee and IIS email is sent and received instantly.

The email is being sent from Lucee via Office 365.

There are no failed email Tasks in Web Admin.

I have seen other posts from 2016 & 2017 with same issue but no solutions.

Same issue on 5.3.5.92 & 5.3.4.80.

Any ideas?

Don’t forget to tell us about your stack!

OS: Win Server 2019
Java Version: 11.0.3
Tomcat Version: 9.0.20
Lucee Version: 5.3.5.92 & 5.3.4.80

Possibly this: https://luceeserver.atlassian.net/browse/LDEV-2561

Thanks Jamie.

I have found the error in an unsent email Task is:
mail.protection.outlook.com Could not convert socket to TLS lucee.runtime.exp.NativeException: Could not convert socket to TLS

This has been reported before but not on 5.3.4.80. What I really don’t understand is why does this work and then stop overnight?
What could be changing?

can you post the top of the stacktrace, say 10 lines?

I just sent an email and it has not been received and there is nothing is in the Web Admin Tasks.
Restarted Lucee, sent another email and it was sent and received instantly.

Is this what you mean?

thedomain-uk.mail.protection.outlook.com Could not convert socket to TLS lucee.runtime.exp.NativeException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666)
at javax.mail.Service.connect(Service.java:295)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:59) Caused by: javax.mail.MessagingException: Could not convert socket to TLS; nested exception is:
javax.net.ssl.SSLHandshakeException: A potential protocol version downgrade attack
… 4 more Caused by: javax.net.ssl.SSLHandshakeException: A potential protocol version downgrade attack
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(ServerHello.java:985)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:890)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:425)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:486)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1902)

thanks, that’s informative.

I have filed a bug https://luceeserver.atlassian.net/browse/LDEV-2967

@isapir was the last developer to work on these TLS issues, which was before the 5.3.4.80 release.

You could try updating to Java 11.0.7 https://adoptopenjdk.net/releases.html

1 Like

I wonder if it is trying TLSv1.0 or something. Maybe disabling in java.security?

jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

or is firewall doing something to smtp port.

Thanks for suggestions and adding the bug, I will keep an eye on it.
I tried upgrading the jre by simply copying in the latest folders (bin, conf, legal, lib) from the link: OpenJDK11U-jre_x64_windows_hotspot_11.0.7_10. But Lucee would not restart so put the old ones back. I will try again when I get a few minutes.

I have added TLSv1, TLSv1.1 to this jdk.tls.disabledAlgorithms= in \lucee\jre\conf\security\java.security

I will update this if I anything changes or I find anything useful.

you can also do that directly from cfml

<cfscript>
System = createObject("java", "java.lang.System");
System.setProperty("mail.debug", "true");
System.setProperty("mail.smtp.ssl.protocols", "TLSv1.2");
</cfscript>

https://luceeserver.atlassian.net/browse/LDEV-1933?focusedCommentId=42296

Where do I put that code? Application.cfc or before every email is sent?

I found that adding
jdk.tls.disabledAlgorithms= TLSv1, TLSv1.1 in \lucee\jre\conf\security\java.security
stopped the imap code below connecting. It must default to TLS 1 or 1.1 ?
Adding this line fixed it:
properties.put(“mail.imaps.ssl.protocols”,“TLSv1.2”);

So if I can set Lucee to always send emails with TLS 1.2 it might fix the issue.

properties = createObject(“Java”,“java.util.Properties”);
jsession = createObject(“Java”,“javax.mail.Session”);
store = createObject(“Java”,“javax.mail.Store”);
message = CreateObject(“Java”, “javax.mail.Message”);

	properties.init();
	properties.put("mail.store.protocol","imaps");
	properties.put("mail.from", mailSettings.username);
	properties.put("mail.imaps.port", mailSettings.port);
	properties.put("mail.imaps.connectiontimeout",mailSettings.timeout);
	properties.put("mail.imaps.timeout",mailSettings.timeout);

// add this line to make it work
properties.put(“mail.imaps.ssl.protocols”,“TLSv1.2”);

	jsession = jsession.getInstance(properties);
	store = jsession.getStore("imaps");
	store.connect(mailSettings.server, mailSettings.username, mailSettings.password);

	inbox = store.getFolder("#mailSettings.folder#");
	VARIABLES.message_count = inbox.getMessageCount();

Looking at the JDK release notes, there have been changes to TLS 1.2 negotiation in updated JDKs.
You might have to download from adoptopenjdk.net (or Oracle if that is what you use) and get the latest 11.0.8 and install. How did you install Lucee? I haven’t tested the Lucee installer in Windows. I know in Linux you can just extract the JDK and renmae the /opt/lucee/jdk directory. Windows uses registry values sometimes and you might have to change those.

If you have a internet accessible website you also need to update Tomcat libs. There have been security updates.

That is interesting as I have not had the error since I have added this: properties.put(“mail.imaps.ssl.protocols”,“TLSv1.2”);

Maybe Office 365 did not like the site trying to connect with TLS 1 in some places and TLS 1.2 in others.

I will still upgrade when I get the time but it might be fixed for now…

1 Like