Emails cannot be sent via mail server due to wrong TLS connection

Marvin1 · September 4, 2023, 12:31pm

Hey friends, I want to create Email notifications. In the server conf I added everything necessary.

# Email transport
transport_email_enabled = true
transport_email_hostname = mail.exempel.intern
transport_email_port = 587
transport_email_use_auth = true
transport_email_auth_username = greylog@exemple.intern
transport_email_auth_password = ***
transport_email_from_email = greylog.notification@exemple.de
transport_email_socket_connection_timeout = 30s
transport_email_socket_timeout = 30s

# Encryption settings
#
# ATTENTION:
#    Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.

# Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
transport_email_use_tls = true

# Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
# This is deprecated on most SMTP services!
#transport_email_use_ssl = true

*I had to censor the real mail and auth

The firewall is “open” for the port on udp and tcp
a ping to the mail-server is successfully
the password and all names and mails are correct

The logs from graylog say:

**Error:** Notification has email recipients and is triggered, but sending emails failed. Sending the email to the following server failed : mail.exemple.intern:587

and the logs from the mail-server

Eine TLS 1.2-Verbindungsanforderung wurde von einer Remoteclientanwendung empfangen, aber keine der Verschlüsselungssammlungen, die von der Clientanwendung unterstützt werden, wird vom Server unterstützt. Fehler bei der TLS-Verbindungsanforderung.

in english

A TLS 1.2 connection request was received from a remote client application, but none of the encryption collections supported by the client application are supported by the server. TLS connection request error

I tried to change

# The allowed TLS protocols for system wide TLS enabled servers. (e.g. message inputs, http interface)
# Setting this to an empty value, leaves it up to system libraries and the used JDK to chose a default.
# Default: TLSv1.2,TLSv1.3  (might be automatically adjusted to protocols supported by the JDK)
enabled_tls_protocols = TLSv1.2,TLSv1.3

to

# The allowed TLS protocols for system wide TLS enabled servers. (e.g. message inputs, http interface)
# Setting this to an empty value, leaves it up to system libraries and the used JDK to chose a default.
# Default: TLSv1.2,TLSv1.3  (might be automatically adjusted to protocols supported by the JDK)
enabled_tls_protocols = TLSv1.2

but nothing changed .
After every new config change i restarted Graylog

Greetings
and Thanks for your Help
Marvin

gsmith · September 12, 2023, 4:49am

Hey @Marvin1

Does this look something like your issue?

github.com/Graylog2/graylog2-server

Allowed TLS Cipher Suites too tight

opened 10:55AM - 28 Jun 21 UTC

closed 11:21AM - 06 Jul 21 UTC

HenryTheSir

bug security triaged

## Expected Behavior Configurable TLS Cipher Suites or a 'common' list of a…llowed cipher suites ## Current Behavior Only some TLS Ciphers are active since: https://github.com/Graylog2/graylog2-server/pull/10653 ``` * TLS 1.0 Cipher suites: Attempted to connect using 80 cipher suites; the server rejected all cipher suites. * SSL 2.0 Cipher suites: Attempted to connect using 7 cipher suites; the server rejected all cipher suites. * TLS 1.2 Cipher suites: Attempted to connect using 158 cipher suites. The server accepted the following 6 cipher suites: TLS_RSA_WITH_AES_256_GCM_SHA384 256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 256 DH (2048 bits) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 128 DH (2048 bits) The group of cipher suites supported by the server has the following properties: Forward Secrecy OK - Supported Legacy RC4 Algorithm OK - Not Supported The server has no preferred cipher suite. * TLS 1.1 Cipher suites: Attempted to connect using 80 cipher suites; the server rejected all cipher suites. * OpenSSL CCS Injection: OK - Not vulnerable to OpenSSL CCS injection * TLS 1.3 Cipher suites: Attempted to connect using 5 cipher suites. The server accepted the following 2 cipher suites: TLS_AES_256_GCM_SHA384 256 ECDH: x25519 (253 bits) TLS_AES_128_GCM_SHA256 128 ECDH: x25519 (253 bits) The group of cipher suites supported by the server has the following properties: Forward Secrecy OK - Supported Legacy RC4 Algorithm OK - Not Supported The server is configured to prefer the following cipher suite: TLS_AES_256_GCM_SHA384 256 ECDH: x25519 (253 bits) ``` ## Possible Solution ## Steps to Reproduce (for bugs) 1. 2. 3. 4. ## Context Communication to LDAP or ES is interrupted because of strict TLS Ciphers. ## Your Environment * Graylog Version: 4.1.0 * Java Version: JDK 11 Adopt Open JDK * Elasticsearch Version: * MongoDB Version: * Operating System: * Browser version:

system · September 26, 2023, 4:49am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot figure out email settings Graylog Central (peer support)	4	2882	October 27, 2020
Sending the email to the server failed Graylog Central (peer support)	25	5563	March 24, 2021
Unable to send emails notification Graylog Central (peer support) basic-configuration	13	3416	December 31, 2021
SMTP Issues Using Graylog Graylog Central (peer support)	5	2467	November 8, 2019
Alerts Not Sending Mails Graylog Central (peer support)	4	509	December 25, 2017

Emails cannot be sent via mail server due to wrong TLS connection

Related topics