Test notification fails using STARTTLS over SMTP

Kar0l · October 24, 2022, 12:47pm

Problem:
Sending a test notification from SonarQube using STARTTLS over SMTP is failing.

Configuration used in SonarQube:

SMTP host: 1X.XXX.XX.X1
SMTP port: 587
Secure connection: starttls

Destination e-mail address is provided. Client with SonarQube is Debian 11. SMTP host is a MS Exchange server. Self signed certificates. Certificates are installed in the truststore.

Relevant:
Sending a test notification using SMTP but without STARTTLS is delivered succesfully.

Log:
Bellow are relevant fragments from the client web.log from one such failed attempt sending a notification using SMTP and STARTTLS:

2022.10.24 09:36:57 INFO  web[AYPp5oPhM9pKCPrzAA6Z][javax.mail] JavaMail version 1.6.2
2022.10.24 09:36:57 INFO  web[AYPp5oPhM9pKCPrzAA6Z][javax.mail] successfully loaded resource: /META-INF/javamail.default.address.map
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][javax.activation] MailcapCommandMap: createDataContentHandler for text/plain
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][javax.activation]   search DB #1
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][javax.activation]     got content-handler
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][javax.activation]       class com.sun.mail.handlers.text_plain
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][javax.mail] getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle]
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] useEhlo true, useAuth false
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] trying to connect to host "1X.XXX.XX.X1", port 587, isSSL false
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] connected to host "1X.XXX.XX.X1", port: 587
2022.10.24 09:36:57 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "SIZE", arg "26214400"
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "PIPELINING", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "DSN", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "ENHANCEDSTATUSCODES", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "STARTTLS", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "AUTH", arg "NTLM"
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "8BITMIME", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "BINARYMIME", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][com.sun.mail.smtp] Found extension "CHUNKING", arg ""
2022.10.24 09:36:58 DEBUG web[AYPp5oPhM9pKCPrzAA6Z][o.s.s.n.e.EmailNotificationChannel] Fail to send test email to xxxxxxx@xxxxx.xxx: {}
org.apache.commons.mail.EmailException: Sending the email to the following server failed : 1X.XXX.XX.X1:587
...
Caused by: javax.mail.MessagingException: Could not convert socket to TLS
...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Running command: $ echo | openssl s_client -connect 1X.XXX.XX.X1:587

returns:

CONNECTED(00000003)
140269928117568:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Question:
What do I need to do, for SonarQube notifications be delivered successfully using STARTTLS over SMTP?

Kar0l · October 26, 2022, 7:21am

Edit:

Running command: $ echo | openssl s_client -connect 1X.XXX.XX.X1:587 -starttls smtp

returns:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = CA-ROOT
verify return:1
depth=1 DC = local, DC = regulator, CN = CA-SUB
verify return:1
depth=0 C = PL, ST = Aaa, L = Bbb, O = Ccc, OU = Ddd, CN = [DOMAIN.NAME]
verify return:1
---
Certificate chain
 0 s:C = PL, ST = Aaa, L = Bbb, O = Ccc, OU = Ddd, CN = [DOMAIN.NAME]
   i:DC = local, DC = regulator, CN = CA-SUB
 1 s:DC = local, DC = regulator, CN = CA-SUB
   i:CN = CA-ROOT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...CERTIFICATE...]
-----END CERTIFICATE-----
subject=C = PL, ST = Aaa, L = Bbb, O = Ccc, OU = Ddd, CN = [DOMAIN.NAME]

issuer=DC = local, DC = regulator, CN = CA-SUB

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3596 bytes and written 498 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: [...SESSION ID...]
    Session-ID-ctx:
    Master-Key: [...MASTER ID...]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1666767236
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 CHUNKING
DONE