[Mail] Configuration for alert mail

alias · March 13, 2018, 2:39pm

HI all,

I’ve setup the mail configuration part for use the mail alerting.
However, it wasn’t work.

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = false
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = true
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

=> KO

Mail account configuration into standard mail client :

SMTP 25 , normal password , STARTTLS

Do you have a solution ?

Thanks

Edit 1 : I think, it is the trust store with our self signed cert …

Edit 2 :

I use keytool to import dovecot certificat into “/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts”, restart graylog and retry :

Caused by: javax.mail.MessagingException: Could not convert socket to TLS
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

jan · March 14, 2018, 7:21am

please look at this page: http://docs.graylog.org/en/2.4/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store

how to add your self signed certificate to the trust store.

alias · March 14, 2018, 8:01am

Hi

I not have jks file in cacert JAVA_HOME (and ${JAVA_HOME} is not define).

I try to add yesterday with:

keytool -importcert -alias startssl -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts -file /tmp/mail.crt -storepasswd -storepass ‘changeit’

The result is the same.

jochen · March 14, 2018, 8:16am

The results of what exactly? You’ve posted at least 4 different configuration permutations and didn’t specify anything besides “KO” next to them. That’s not enough details to guess anything…

alias · March 14, 2018, 8:49am

Hi @jochen

I use this configuration now:

transport_email_enabled = true
transport_email_hostname = mail.domain
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = false
transport_email_auth_username = mail
transport_email_auth_password = ***************
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@domain

And errors are:

Caused by: javax.mail.MessagingException: Could not convert socket to TLS
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

jochen · March 14, 2018, 9:21am

This hints to the fact that the JVM doesn’t know how to validate the certificate of mail.domain.
Make sure that you’re using valid certificates and that the CA certificate (or the certificate itself in case of a self-signed certificate) is in the JVM trust store.

alias · March 14, 2018, 9:54am

Indeed, I understand that the JVM doesn’t validate the certificat.

I try to add the dovecot cert into JVM trust store (ie previous post with keytool command) but I’ve the same result.

edit:

I try to add java argument like this :

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/cacerts"

The issue is the same:

Caused by: javax.mail.MessagingException: Could not convert socket to TLS
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

jochen · March 14, 2018, 12:32pm

Are you sure you’ve added the correct certificate to the JVM trust store?

alias · March 14, 2018, 1:24pm

Yes I’m sure that I added the correct certificate.
However, I doesn’t know a “method” to verify that the certificate is really in the truststore.

file /etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/java/cacerts: Java KeyStore

I search a method or tool to read the KeyStore …

question @jochen : For SMTP StartTLS, to be sure, is it this parameter : transport_email_use_tls = true ?

edit :

For others users, usefull documentation : https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

edit 2 :

When I check the keystore, I’ve an error:

keytool -list -v -keystore /etc/pki/ca-trust/extracted/java/cacerts 
...

error keytool : java.util.IllegalFormatConversionException: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
        at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4302)
        at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2793)
        at java.util.Formatter$FormatSpecifier.print(Formatter.java:2747)
        at java.util.Formatter.format(Formatter.java:2520)
        at java.util.Formatter.format(Formatter.java:2455)
        at java.lang.String.format(String.java:2940)
        at sun.security.tools.keytool.Main.withWeak(Main.java:3080)
        at sun.security.tools.keytool.Main.printX509Cert(Main.java:3129)
        at sun.security.tools.keytool.Main.doPrintEntry(Main.java:1953)
        at sun.security.tools.keytool.Main.doPrintEntries(Main.java:2240)
        at sun.security.tools.keytool.Main.doCommands(Main.java:1127)
        at sun.security.tools.keytool.Main.run(Main.java:368)
        at sun.security.tools.keytool.Main.main(Main.java:361)

edit 3:

Reading the documentation on this subject, I ask myself a question when I take this documentation:

Check which certificates are in a Java keystore

keytool -list -v -keystore keystore.jks

I notice that I not have any “jks” extend file.

List Trusted CA Certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

So, I think that I do add the cert in the jks and not in the cacert. But same as I not have JKS file, I pass a new file in the keytool and keytool return file doesn’t exit (logic …)

edit 4:

New try - Create a new keystore and rsa key

keytool -genkey -alias TrustCustomStore -keyalg RSA -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/TrustCustomStore.jks

=> Ok

Import the certificat in the new keystore

keytool -import -trustcacerts -alias mail -file /tmp/dovecot.crt -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/security/TrustCustomStore.jks
Password : ******************
error keytool : java.util.IllegalFormatConversionException: d != java.lang.String

=> KO …

edit 5 :

For the java string error, use this argument :-J-Duser.language=en

(import in the new keystore : OK)

Now I search to add the new keystore to JVM

alias · March 14, 2018, 3:00pm

You can to close this topic, it’s OK !!!

read my differents edts for the solution.

system · March 28, 2018, 3:00pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Be alerted by email Graylog Central (peer support)	4	1455	July 14, 2017
Email alert not working Graylog Central (peer support)	6	586	December 4, 2017
Unable to send emails notification Graylog Central (peer support) basic-configuration	13	3417	December 31, 2021
Email Alert Callback - SMTP Settings Graylog Central (peer support)	2	528	April 6, 2018
Alerts Not Sending Mails Graylog Central (peer support)	4	509	December 25, 2017

[Mail] Configuration for alert mail

Related topics