[Mail] Configuration for alert mail


(alias) #1

Hi all,

I’ve set up the mail configuration part to use the mail alerting.
However, it didn’t work.

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = false
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = true
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

Mail account configuration in a standard mail client:

  • SMTP 25, normal password, STARTTLS

Do you have a solution?

Thanks

Edit 1: I think it is the trust store with our self-signed cert …

Edit 2:

I used keytool to import the dovecot certificate into “/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts”, restarted graylog and retried:

Caused by: javax.mail.MessagingException: Could not convert socket to TLS
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


(Jan Doberstein) #2

Please look at this page on how to add your self-signed certificate to the trust store: http://docs.graylog.org/en/2.4/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store


(alias) #3

Hi

I do not have a jks file in cacert JAVA_HOME (and ${JAVA_HOME} is not defined).

I tried to add it yesterday with:

keytool -importcert -alias startssl -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts -file /tmp/mail.crt -storepasswd -storepass 'changeit'

The result is the same.


(Jochen) #4

The results of what exactly? You’ve posted at least 4 different configuration permutations and didn’t specify anything besides “KO” next to them. That’s not enough detail to guess anything…


(alias) #5

Hi @jochen

I use this configuration now:

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = false
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

And errors are:

Caused by: javax.mail.MessagingException: Could not convert socket to TLS
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


(Jochen) #6

This hints at the fact that the JVM doesn’t know how to validate the certificate of mail.domain.
Make sure that you’re using valid certificates and that the CA certificate (or the certificate itself in case of a self-signed certificate) is in the JVM trust store.


(alias) #7

Indeed, I understand that the JVM doesn’t validate the certificate.

I tried to add the dovecot cert to the JVM trust store (i.e. the previous post with the keytool command) but I have the same result.

edit:

I tried to add a Java argument like this:

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts"

The issue is the same:

Caused by: javax.mail.MessagingException: Could not convert socket to TLS
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

(Jochen) #8

Are you sure you’ve added the correct certificate to the JVM trust store?


(alias) #9

Yes, I’m sure that I added the correct certificate.
However, I don’t know a “method” to verify that the certificate is really in the truststore.

file /etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/java/cacerts: Java KeyStore

I’m searching for a method or tool to read the KeyStore …

Question @jochen: For SMTP StartTLS, to be sure, is it this parameter: transport_email_use_tls = true?

edit:

For other users, useful documentation: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

edit 2:

When I check the keystore, I get an error:

keytool -list -v -keystore /etc/pki/ca-trust/extracted/java/cacerts 
...

error keytool : java.util.IllegalFormatConversionException: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
        at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4302)
        at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2793)
        at java.util.Formatter$FormatSpecifier.print(Formatter.java:2747)
        at java.util.Formatter.format(Formatter.java:2520)
        at java.util.Formatter.format(Formatter.java:2455)
        at java.lang.String.format(String.java:2940)
        at sun.security.tools.keytool.Main.withWeak(Main.java:3080)
        at sun.security.tools.keytool.Main.printX509Cert(Main.java:3129)
        at sun.security.tools.keytool.Main.doPrintEntry(Main.java:1953)
        at sun.security.tools.keytool.Main.doPrintEntries(Main.java:2240)
        at sun.security.tools.keytool.Main.doCommands(Main.java:1127)
        at sun.security.tools.keytool.Main.run(Main.java:368)
        at sun.security.tools.keytool.Main.main(Main.java:361)

edit 3:

Reading the documentation on this subject, I ask myself a question when I take this documentation:

Check which certificates are in a Java keystore

keytool -list -v -keystore keystore.jks

I notice that I do not have any file with a “jks” extension.

List Trusted CA Certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

So, I think that I do add the cert in the jks and not in the cacert. But since I do not have a JKS file, I pass a new file to keytool and keytool returns that the file doesn’t exist (logical …)

edit 4:

New try - Create a new keystore and rsa key

keytool -genkey -alias TrustCustomStore -keyalg RSA -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/TrustCustomStore.jks

=> Ok

Import the certificate in the new keystore

keytool -import -trustcacerts -alias mail -file /tmp/dovecot.crt -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/TrustCustomStore.jks
Password : ******************
error keytool : java.util.IllegalFormatConversionException: d != java.lang.String

=> KO …

edit 5:

For the java string error, use this argument: -J-Duser.language=en

(import in the new keystore: OK)

Now I’m looking to add the new keystore to the JVM
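
Added example, not part of any post in this thread and not Graylog code: a small Python lint for the four transport_email_* combinations tried in the first post, which also covers the STARTTLS question in post #9. It assumes the meaning given in the comments of Graylog's default server.conf (transport_email_use_tls is STARTTLS, transport_email_use_ssl is SMTPS); the port sets, the function names and the treatment of absent keys are assumptions of this example.

```python
# Added example (not Graylog code): lint transport_email_* settings in server.conf.
STARTTLS_PORTS = {25, 587}  # assumed: server greets in plaintext, client upgrades via STARTTLS
SMTPS_PORTS = {465}         # assumed: TLS handshake happens before any SMTP command

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint_mail_transport(conf):
    """Return findings for one set of e-mail transport settings."""
    def flag(name):
        # Assumption of this sketch: an absent key counts as false.
        return conf.get("transport_email_" + name, "false").lower() == "true"
    port = int(conf.get("transport_email_port", "25"))
    tls, ssl, auth = flag("use_tls"), flag("use_ssl"), flag("use_auth")
    findings = []
    if tls and ssl:
        findings.append("use_tls and use_ssl both true: STARTTLS and SMTPS are mutually exclusive")
    if ssl and port in STARTTLS_PORTS:
        findings.append(f"use_ssl on port {port}: server expects plaintext first, then STARTTLS")
    if tls and port in SMTPS_PORTS:
        findings.append(f"use_tls on port {port}: server expects a TLS handshake immediately")
    if auth and not (tls or ssl):
        findings.append("use_auth without TLS: credentials would be sent unencrypted")
    return findings

# Constructed from the four attempts in the first post: (port, use_tls, use_ssl).
ATTEMPTS = [(25, "false", "false"), (25, "true", "false"),
            (25, "false", "true"), (587, "true", "true")]
TEMPLATE = """\
transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = {0}
transport_email_use_auth = true
transport_email_use_tls = {1}
transport_email_use_ssl = {2}
"""

def lint_attempts():
    """Lint every attempt; returns one list of findings per attempt."""
    return [lint_mail_transport(parse_conf(TEMPLATE.format(*a))) for a in ATTEMPTS]

if __name__ == "__main__":
    for number, findings in enumerate(lint_attempts(), start=1):
        print(f"attempt {number}:", findings or "consistent with STARTTLS on a plaintext-start port")
```

Only the second attempt lints clean; it matches the mail client settings (port 25, STARTTLS) and is the configuration from post #5, so its remaining failure is the PKIX trust error rather than a transport setting.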


(alias) #10

You can close this topic, it’s OK!!!

Read my different edits for the solution.

