TIBCO SMTP Sent Mail Configuration-Cert issue - ssl

I have created a process that uses the send-mail palette in Tibco BW.
I have downloaded the certificates for Gmail using s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp
and configured the certificates in the send-mail palette.
I am getting this error:
BW-MAIL-100019 Job-178001 Error in [Process/BloodRequest.process/Send
Mail] Error sending mail message. Cause:
javax.mail.MessagingException: Could not convert socket to TLS; nested
exception is: iaik.security.ssl.SSLException: Server certificate
rejected by ChainVerifier
Does anyone have an idea about a Certificate Error in Tibco BW?

Looks like you have some root certificates missing.
I suspect that you are trying to replace the certificates in the example project https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-37939, which has outdated certificates.
Instead of
openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp
you can find/download Google's certificates from the Google website https://pki.goog/.
The first certificate from the list, https://pki.goog/gtsr1/GTSR1.crt, works for me.
Please note that after fixing the certificates I got the following error:
BW-MAIL-100019 Job-34000 Error in [Mail/SendMail.process/Send Mail]
Error sending mail message. Cause: javax.mail.AuthenticationFailedException: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 https://support.google.com/mail/?p=BadCredentials y23sm10913598iob.28 - gsmtp
I was able to send email only after setting "Allow less secure apps: ON"
(https://myaccount.google.com/u/3/lesssecureapps?pli=1) in the Google account settings.
Just in case, here are other possible reasons for javax.mail.AuthenticationFailedException:
JavaMail with Gmail: 535-5.7.1 Username and Password not accepted

Related

Roundcube SSL connection IMAP Error: Login failed. Problem with my certificate ssl?

Today I had an issue with the connection to my mail server; when I try to log in I can't get access.
The error says:
IMAP Error: Login failed for user#myserver.com against host.myserver.com from IP_ADDRESS. Could not
connect to ssl://host.myserver.com:993: Unknown reason in
../lib/Roundcube/rcube_imap.php on line 200 (POST /webmail/?_task=login&_action=login)
When I try to check my SSL certificate with this command, I receive this response:
openssl s_client -connect xxxxxx.xxxx:993
140150541821056:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
140150541821056:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110
I'm not sure why this happened. I created the certificate, and I can actually access my website behind this domain.
Can you help me with this? Thanks a lot!

Invalid SSL Certificate for Mail Server

Though this question is in the context of a particular software (Discourse forum software), it is really about SSL certificates of mail servers.
Here is my setup:
Main Website: mydomain.com (Hosted on Hostgator)
Forum Website (Discourse forum software): forum.mydomain.com (Hosted on DigitalOcean)
Mail Server (used by Discourse to send email to members): mail.mydomain.com (Hosted on Hostgator)
Discourse settings for SMTP:
DISCOURSE_SMTP_ADDRESS: mail.mydomain.com
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-no-reply#mydomain.com
DISCOURSE_SMTP_PASSWORD: "mypassword"
DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
I have SSL certificates set up for mydomain.com and mail.mydomain.com on Hostgator (A single SSL certificate for mydomain.com as well as several subdomains (like mail.mydomain.com, webmail.mydomain.com, etc)).
When I try to send a test email from the Discourse admin interface using the above settings, it gives me an 'invalid certificate' error.
So, I tried to debug through openssl s_client with the following command:
openssl s_client -servername mail.mydomain.com -starttls smtp -crlf -connect mail.mydomain.com:587
It sends the SSL certificate of mydomain.com, with CN as follows:
subject=CN = mydomain.com
and establishes an SSL session with TLS v1.2.
Here are the weird results of EHLO after that:
EHLO mail.mydomain.com
250-xx-xx-xx.webhostbox.net Hello forum.mydomain.com [xx.xx.xx.xx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
As you can see from the second line of the above output, it responds from xx-xx-xx.webhostbox.net instead of mail.mydomain.com or mydomain.com.
I think this is why I'm getting an 'invalid certificate' error.
If I change the Discourse SMTP settings as below (just changing the first line):
DISCOURSE_SMTP_ADDRESS: xx-xx-xx.webhostbox.net
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-no-reply#mydomain.com
DISCOURSE_SMTP_PASSWORD: "mypassword"
DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
then everything works fine and all emails get sent.
Could someone please let me know if this working solution is secure? I think it's not secure since I am using xx-xx-xx.webhostbox.net as SMTP address (which could expose the emails to risks) instead of mail.mydomain.com. If this is not secure, how should I proceed to get a secure solution to this problem?
As documented by Hostgator, it is actually the correct setup to use the name of the Hostgator server, full.servername.com, and NOT the name of your own domain, example.com, as the mail server. This is because the mail server is not specific to your domain but is a common mail server for multiple domains.
Note that this is very similar to Can't seem to connect to FTPS via Atom editor Remote FTP but only for SMTP not FTP. My explanation there can be applied to SMTP too.

Debugging process for Kafka SSL security

I was able to set up SSL on my Kafka brokers and client, and I can also see that when we produce messages using port 9093, which is the SSL port, the messages are consumed by the consumer.
I tried to send a message via port 9093 and the message is sent from the producer to the consumer.
Is there any way to verify that this is actually working? I mean, how can I demonstrate that 9092 is not SSL and 9093 is SSL and secured?
The two ways below can verify the SSL setup.
First, add the property -Djavax.net.debug=all in
bin/kafka-run-class.sh at the same place as:
if [ -z "$KAFKA_JMX_OPTS" ]; then
KAFKA_JMX_OPTS=" <**add here**> -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false "
fi
Then tail the Kafka broker log file; you should see some encoded messages.
Second, to verify that the server's keystore and truststore are set up correctly, you can run the following command:
openssl s_client -debug -connect localhost:9093 -tls1
Note: TLSv1 should be listed under ssl.enabled.protocols.
In the output of this command you should see the server’s certificate:
-----BEGIN CERTIFICATE-----
{variable sized random bytes}
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=Joe Smith
issuer=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=kafka/emailAddress=test#test.com
If the certificate does not show up, or if there are any other error messages, then your keystore is not set up correctly.
Reference:
http://docs.confluent.io/2.0.0/kafka/ssl.html
https://github.com/Symantec/kafka-security-0.9
We have tried setting up Kafka with SSL and faced the same issue. To cross-check whether it was working on SSL, I removed the PLAINTEXT listeners entry, kept only the configuration required for SSL, and tested. We were able to send and receive messages with SSL at the secure port 9093.
In the logs it does give a WARNING, but it's about client authentication, so that's not an issue; once tested, I added the PLAINTEXT entry again.
I know it's not the best way to test, but it worked for me.
When you specify security.protocol=SSL, there is no way it can use the other protocol. For more proof, as mentioned above you can edit kafka-run-class.sh to turn on debug=all and verify the SSL handshakes happening and the metadata being sent over the SSL channel.
Thanks
Akash

PJSIP TLS verify error (PJSIP_TLS_ECERTVERIF)

I have recently started developing a tiny SIP softphone application using the PJ Project and GTK+. My main goal was to create a softphone which supports both TLS and SRTP encryption (and MWI). However, I got stuck right at the part where the library registers an account, because the application failed to verify the server when I asked it to.
I thought that I had misunderstood something while coding, as I'm a newbie, but today I tested the library using the PJSUA application which is included in the source code, and it could register my SIP account unless I started the program with the --tls-verify-server flag.
To make it clear: I created my own certificate authority, keys and certificate for Asterisk, and I installed the CA on my machine.
I must note that this setup works with a commercial software; it can verify the certificate without any problem.
The PJSUA flags I've used:
--use-tls
--tls-ca-file /etc/ssl/certs/ca-certificates.crt
--id=sip:u-kuklinistvan1#kingdom.info.tm;transport=tls
--registrar=sip:kingdom.info.tm;transport=tls
--realm=kingdom.info.tm
--username=u-kuklinistvan1
--password=xxxxxx
--use-srtp=2
--mwi
--tls-verify-server
It says (please follow the link for the long version):
19:21:44.728 pjsua_app.c TLS cert verification result of [94.21.11.229:5061] : The server identity does not match to any identities specified in the certificate
...which could not be true, as OpenSSL itself accepts the certificate:
openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect kingdom.info.tm:5061
(click here for the rest)
Verify return code: 0 (ok)
Extra information:
I connect PJSUA as an endpoint to the registrar by hostname kingdom.info.tm.
Is it possible that I've encountered a bug, or do I just not understand something?
Thank you for your help!
... does not match to any identities specified in the certificate
... which could be not true as OpenSSL itself accepts the certificate: ... openssl s_client ...
The error message refers to checking the identity against the certificate, i.e. the hostname you provide against the names in the certificate (subject alternative names, common name). openssl s_client does not do any identity checks but only checks for a valid trust chain.
Looking at the certificate provided by the server, it actually contains a common name for kingdom.info.tm. But from the error message it looks like it expects the IP address: TLS cert verification result of [94.21.11.229:5061]: .... Did you specify the SIP URL of the peer with an IP address?
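The identity check this answer describes (and the one behind the Discourse 'invalid certificate' error above) is the part openssl s_client skips. The following is an added example, not code from either thread, PJSIP or OpenSSL: a SAN/CN matcher working on the dict shape Python's ssl.SSLSocket.getpeercert() returns, run against constructed stand-ins for the kingdom.info.tm certificate and the Hostgator shared mail-server certificate. It shows why an IP literal fails against a certificate that names only hostnames, and why the SMTP client has to connect to a name the presented certificate actually carries.

```python
import ipaddress

# Constructed stand-in for the Asterisk cert (shape of ssl.SSLSocket.getpeercert()); not a real cert.
KINGDOM_CERT = {
    "subject": ((("commonName", "kingdom.info.tm"),),),
    "subjectAltName": (("DNS", "kingdom.info.tm"), ("DNS", "*.kingdom.info.tm")),
}

# Constructed stand-in for the shared hosting server's cert: it names the
# provider's host, not the customer's mail.mydomain.com.
WEBHOSTBOX_CERT = {
    "subject": ((("commonName", "xx-xx-xx.webhostbox.net"),),),
    "subjectAltName": (("DNS", "xx-xx-xx.webhostbox.net"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def identities(cert: dict) -> list:
    """Names the cert claims: SAN entries, falling back to CN only when no DNS SAN exists."""
    ids = [(k, v) for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if not any(k == "DNS" for k, _ in ids):
        for rdn in cert.get("subject", ()):
            ids.extend(("DNS", v) for k, v in rdn if k == "commonName")
    return ids


def match_identity(cert: dict, peer: str) -> bool:
    """True if the identity the client connected to (hostname or IP literal) is in the cert.

    An IP literal is compared only against 'IP Address' SANs, never against DNS names,
    which is exactly why PJSUA rejects [94.21.11.229:5061] although the chain verifies.
    """
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    for kind, value in identities(cert):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, peer):
            return True
    return False
```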

How to authenticate to the server over a secure connection to send mail from a script?

My current script uses this simple command:
mail -s "$my_msg" username\#mycompany.com </dev/null
When I change it to use a mailing list rather than the hardcoded username:
mail -s "$my_msg" mailing_list_1\#groups.mycompany.com </dev/null
it produces:
550 Unrouteable address
I need to be able to authenticate to the server over a secure connection.
How do I do this?
Linux version 2.6.26
msmtp is an SMTP client: TLS/SSL both in SMTP-over-SSL mode and in STARTTLS mode. Full certificate trust checks can be performed. A client certificate can be sent.