Bug 1020920

Summary: PRD34 - [RFE][notifier] Use STARTTLS
Product: Red Hat Enterprise Virtualization Manager Reporter: Jiri Belka <jbelka>
Component: ovirt-engine-notification-service Assignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.3.0 CC: aberezin, acathrow, bazulay, iheim, pstehlik, Rhev-m-bugs, yeylon
Target Milestone: --- Keywords: FutureFeature
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-3.4.0-alpha1 Doc Type: Enhancement
Doc Text:
Feature: This patch enables the notifier to send emails using SMTP with STARTTLS. SMTP configuration for sending email from the notifier daemon is now controlled by these options:
1) MAIL_SERVER - name or IP address of the SMTP server
2) MAIL_PORT - SMTP server port to connect to, usually 25 for plain SMTP, 465 for SMTP with SSL, 587 for SMTP with TLS
3) MAIL_USER - user to log in to the SMTP server (mandatory for SSL or TLS connections)
4) MAIL_PASSWORD - password for the user given in MAIL_USER
5) MAIL_SMTP_ENCRYPTION - defines the type of SMTP server connection encryption:
   none - plain SMTP
   ssl - SMTP using SSL (SMTPS)
   tls - SMTP with STARTTLS
Configuration option MAIL_PORT_SSL is no longer valid or used!
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1045347    
Attachments:
Description Flags
notifier.log none
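As an added example (not part of this bug or of the ovirt-engine-notification-service code), the following Python check parses a notifier.conf-style fragment and applies the rules the Doc Text field above states: it rejects the obsolete MAIL_PORT_SSL option, requires MAIL_USER for ssl and tls, and warns when MAIL_PORT does not match the usual port for the chosen encryption or when encryption is none. The configuration content and function names are constructed for the example.

```python
from typing import Dict, List, Tuple

# Port conventions the Doc Text gives for each MAIL_SMTP_ENCRYPTION value.
EXPECTED_PORT = {"none": 25, "ssl": 465, "tls": 587}


def parse_notifier_conf(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines (notifier.conf style); skip blanks and # comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"')
    return conf


def check_smtp_config(conf: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a parsed configuration, per the Doc Text rules."""
    errors: List[str] = []
    warnings: List[str] = []
    if "MAIL_PORT_SSL" in conf:
        errors.append("MAIL_PORT_SSL is no longer valid; use MAIL_PORT and MAIL_SMTP_ENCRYPTION")
    if not conf.get("MAIL_SERVER"):
        errors.append("MAIL_SERVER must be set")
    enc = conf.get("MAIL_SMTP_ENCRYPTION", "none").lower()
    if enc not in EXPECTED_PORT:
        errors.append(f"MAIL_SMTP_ENCRYPTION must be none, ssl or tls, got {enc!r}")
        return errors, warnings
    port = conf.get("MAIL_PORT", "")
    if port.isdigit() and int(port) != EXPECTED_PORT[enc]:
        warnings.append(f"MAIL_PORT {port} is unusual for {enc} (usually {EXPECTED_PORT[enc]})")
    if enc == "none":
        warnings.append("MAIL_SMTP_ENCRYPTION=none: mail and any credentials travel in cleartext")
    elif not conf.get("MAIL_USER"):
        errors.append("MAIL_USER is mandatory for ssl or tls connections")
    return errors, warnings


# Constructed sample: the old MAIL_PORT_SSL option left in place, STARTTLS without MAIL_USER.
SAMPLE_CONF = """
MAIL_SERVER=smtp.example.test
MAIL_PORT=587
MAIL_PORT_SSL=465
MAIL_SMTP_ENCRYPTION=tls
"""
```

Running check_smtp_config(parse_notifier_conf(SAMPLE_CONF)) yields two errors (MAIL_PORT_SSL present, MAIL_USER missing) and no warnings.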

Description Jiri Belka 2013-10-18 14:00:54 UTC
Description of problem:
Right now notifier probably[1] cannot use only a dedicated SSL port. Be modern and use STARTTLS. Please do not force one to use AUTH for SSL/STARTTLS. For example, AUTH is not required in our internal company SMTP server, but it advertises STARTTLS.

Other bugs may block this: BZ1020900, BZ1020908.

1 - not 100% sure because of BZ1020900

Version-Release number of selected component (if applicable):
is19

How reproducible:
100%

Steps to Reproduce:
1. test with internal smtp server, it uses 587 with STARTTLS advertised and does not need/advertise AUTH

Comment 1 Barak 2013-10-20 12:05:19 UTC
Arthur?

Comment 2 Arthur Berezin 2013-12-01 11:34:42 UTC
Is this the same as BZ1020908?

Comment 3 Yair Zaslavsky 2013-12-06 08:39:06 UTC
(In reply to Arthur Berezin from comment #2)
> Is this the same as BZ1020908?

I don't think it's exactly the same.
This is about using STARTTLS in order not to use a dedicated SSL port or have one required, if I understand correctly.

Comment 4 Yair Zaslavsky 2013-12-06 08:44:11 UTC
Actually I saw an example where authentication is required although using STARTTLS.

Comment 5 Sandro Bonazzola 2014-01-14 08:44:50 UTC
ovirt 3.4.0 alpha has been released

Comment 6 Jiri Belka 2014-01-27 10:08:04 UTC
Created attachment 855998 [details]
notifier.log

fail, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

2014-01-27 09:58:07,809 ERROR [org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender] Failed to send message  to jbelka with subject Issue Solved Notification. (jb-rh34.rhev.lab.eng.brq.redhat.com), [Host dell-r210ii-13 was activated by admin@internal.] due to to error: Could not convert socket to TLS
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
        at javax.mail.Service.connect(Service.java:317)
        at javax.mail.Service.connect(Service.java:176)
        at javax.mail.Service.connect(Service.java:125)
        at javax.mail.Transport.send0(Transport.java:194)
        at javax.mail.Transport.send(Transport.java:124)
        at org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender.send(JavaMailSender.java:111)
        at org.ovirt.engine.core.notifier.utils.sender.mail.EventSenderMailImpl.send(EventSenderMailImpl.java:79)
        at org.ovirt.engine.core.notifier.NotificationService.processEvents(NotificationService.java:266)
        at org.ovirt.engine.core.notifier.NotificationService.run(NotificationService.java:121)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
...

Comment 7 Jiri Belka 2014-01-27 10:09:40 UTC
[root@jb-rh34 ~]# /usr/share/ovirt-engine/bin/java-home 
/usr/lib/jvm/jre
[root@jb-rh34 ~]# /usr/lib/jvm/jre/bin/java -version
java version "1.7.0_51"
OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

Comment 8 Martin Perina 2014-01-27 16:41:47 UTC
It's not a problem of the feature but a problem with the CA that signed the certificate for smpt.corp.redhat.com. This Red Hat IS CA is not one of the valid CAs included in the Java SDK cacerts file, so that's the cause of the error.

I tested this with a Gmail account whose certificate is signed by Equifax Secure Certificate Authority, which is included in cacerts, and everything works fine.

So if you want to use SSL/TLS with SMTP and you have a self-signed certificate or a certificate not signed by one of the world-known CAs, you have to add the CA's public cert into the cacerts file.

Btw this behavior is not changed by adding the STARTTLS feature; you have the same problem with SMTPS connection certificates.

Comment 9 Martin Perina 2014-01-28 09:22:06 UTC
If your SMTP server uses a self-signed certificate or a certificate signed by your own CA, you have to add the server certificate or your CA certificate into the Java cacerts file using this command:

keytool -importcert -keystore /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/cacerts -trustcacerts -file /tmp/your_ca.crt -alias yourca

Please adapt the path to the cacerts file for your environment.

Comment 10 Jiri Belka 2014-01-28 13:25:49 UTC
ok, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

Received: from jb-rh34.rhev.lab.eng.brq.redhat.com ([10.34.63.78])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s0SDOQWL007092
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)

Comment 11 Itamar Heim 2014-06-12 14:07:41 UTC
Closing as part of 3.4.0