Bug 1020920
| Field | Value |
|---|---|
| Summary | PRD34 - [RFE][notifier] Use STARTTLS |
| Product | Red Hat Enterprise Virtualization Manager |
| Reporter | Jiri Belka <jbelka> |
| Component | ovirt-engine-notification-service |
| Assignee | Martin Perina <mperina> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Jiri Belka <jbelka> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 3.3.0 |
| CC | aberezin, acathrow, bazulay, iheim, pstehlik, Rhev-m-bugs, yeylon |
| Target Milestone | --- |
| Keywords | FutureFeature |
| Target Release | 3.4.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | infra |
| Fixed In Version | ovirt-3.4.0-alpha1 |
| Doc Type | Enhancement |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | Infra |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1045347 |
| Attachments | |

Doc Text:

Feature: This patch enables the notifier to send emails using SMTP with STARTTLS. SMTP configuration for sending email from the notifier daemon is now controlled by these options:

1) MAIL_SERVER - name or IP address of the SMTP server
2) MAIL_PORT - SMTP server port to connect to, usually 25 for plain SMTP, 465 for SMTP with SSL, 587 for SMTP with TLS
3) MAIL_USER - user to log in to the SMTP server (mandatory for SSL or TLS connections)
4) MAIL_PASSWORD - password to use for the user in MAIL_USER
5) MAIL_SMTP_ENCRYPTION - defines the type of SMTP server connection encryption:
   - none - plain SMTP
   - ssl - SMTP using SSL (SMTPS)
   - tls - SMTP with STARTTLS

Configuration option MAIL_PORT_SSL is no longer valid or used!
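The option set in the Doc Text has a few cross-field rules that are easy to get wrong on an upgraded system: MAIL_USER is mandatory for ssl and tls, MAIL_PORT_SSL is silently ignored, and the port should match the encryption mode. The following checker is an added example and not part of oVirt or this bug; it assumes a plain KEY=VALUE notifier configuration file and a hypothetical function name `lint_mail_config`, and the sample configurations are constructed.

```python
"""Consistency check for the notifier's SMTP settings (added example, not oVirt code)."""

VALID_ENCRYPTION = {"none", "ssl", "tls"}
# Conventional port per encryption mode, as listed in the bug's Doc Text.
EXPECTED_PORT = {"none": 25, "ssl": 465, "tls": 587}


def parse_conf(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        conf[key.strip()] = value.strip().strip('"')
    return conf


def lint_mail_config(conf):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings; an empty list means consistent."""
    findings = []
    enc = conf.get("MAIL_SMTP_ENCRYPTION", "none").lower()
    if enc not in VALID_ENCRYPTION:
        findings.append(f"ERROR: MAIL_SMTP_ENCRYPTION={enc!r} is not one of none/ssl/tls")
        return findings
    # Pre-3.4 option that the new code no longer reads; a leftover value means
    # the admin may believe SSL is on when MAIL_PORT/MAIL_SMTP_ENCRYPTION decide.
    if "MAIL_PORT_SSL" in conf:
        findings.append("ERROR: MAIL_PORT_SSL is obsolete and ignored; set MAIL_PORT and MAIL_SMTP_ENCRYPTION instead")
    if not conf.get("MAIL_SERVER"):
        findings.append("ERROR: MAIL_SERVER is not set")
    if enc in ("ssl", "tls"):
        if not conf.get("MAIL_USER"):
            findings.append(f"ERROR: MAIL_USER is mandatory when MAIL_SMTP_ENCRYPTION={enc}")
        elif not conf.get("MAIL_PASSWORD"):
            findings.append("WARN: MAIL_USER is set but MAIL_PASSWORD is empty")
    elif conf.get("MAIL_USER") or conf.get("MAIL_PASSWORD"):
        findings.append("WARN: credentials configured but encryption is 'none'; they would be sent in clear text")
    port_raw = conf.get("MAIL_PORT")
    if port_raw:
        if not port_raw.isdigit() or not 1 <= int(port_raw) <= 65535:
            findings.append(f"ERROR: MAIL_PORT={port_raw!r} is not a valid TCP port")
        elif int(port_raw) != EXPECTED_PORT[enc]:
            findings.append(f"WARN: MAIL_PORT={port_raw} is unusual for {enc} (typically {EXPECTED_PORT[enc]})")
    return findings


# Constructed sample configurations (not taken from any real deployment).
GOOD_CONF = """
MAIL_SERVER=smtp.example.com
MAIL_PORT=587
MAIL_USER=notifier@example.com
MAIL_PASSWORD=secret
MAIL_SMTP_ENCRYPTION=tls
"""

LEGACY_CONF = """
# left over from a pre-3.4 notifier.conf
MAIL_SERVER=smtp.example.com
MAIL_PORT=25
MAIL_PORT_SSL=465
MAIL_SMTP_ENCRYPTION=ssl
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("legacy", LEGACY_CONF)):
        print(name, lint_mail_config(parse_conf(text)) or ["OK"])
```

Run it against a copy of the notifier configuration before restarting the service; the legacy sample above yields an error for MAIL_PORT_SSL, an error for the missing MAIL_USER and a warning that port 25 does not match ssl.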
Description
Jiri Belka
2013-10-18 14:00:54 UTC
Arthur?

(In reply to Arthur Berezin from comment #2)
> Is this the same as BZ1020908?

I don't think it's exactly the same. This is about using STARTTLS in order not to use a dedicated SSL port or have one required, if I understand correctly. Actually I saw an example where authentication is required although using STARTTLS.

ovirt 3.4.0 alpha has been released

Created attachment 855998 [details]
notifier.log

fail, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch
```
2014-01-27 09:58:07,809 ERROR [org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender] Failed to send message to jbelka with subject Issue Solved Notification. (jb-rh34.rhev.lab.eng.brq.redhat.com), [Host dell-r210ii-13 was activated by admin@internal.] due to to error: Could not convert socket to TLS
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
	at javax.mail.Service.connect(Service.java:317)
	at javax.mail.Service.connect(Service.java:176)
	at javax.mail.Service.connect(Service.java:125)
	at javax.mail.Transport.send0(Transport.java:194)
	at javax.mail.Transport.send(Transport.java:124)
	at org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender.send(JavaMailSender.java:111)
	at org.ovirt.engine.core.notifier.utils.sender.mail.EventSenderMailImpl.send(EventSenderMailImpl.java:79)
	at org.ovirt.engine.core.notifier.NotificationService.processEvents(NotificationService.java:266)
	at org.ovirt.engine.core.notifier.NotificationService.run(NotificationService.java:121)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	...
```
```
[root@jb-rh34 ~]# /usr/share/ovirt-engine/bin/java-home
/usr/lib/jvm/jre
[root@jb-rh34 ~]# /usr/lib/jvm/jre/bin/java -version
java version "1.7.0_51"
OpenJDK Runtime Environment (rhel-2.4.4.1.el6_5-x86_64 u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
```

It's not a problem of the feature but a problem of the CA that signed the certificate for smpt.corp.redhat.com. This Red Hat IS CA is not one of the valid CAs included in the Java SDK cacerts file, so that's the cause of the error. I tested this with a Gmail account, whose certificate is signed by Equifax Secure Certificate Authority, which is included in cacerts, and everything works fine. So if you want to use SSL/TLS with SMTP and you have a self-signed certificate or a certificate not signed by one of the world-known CAs, you have to add the CA's public cert into the cacerts file.

Btw this behavior is not changed by adding the STARTTLS feature; you have the same problem with SMTPS connection certificates.

If your SMTP server uses a self-signed certificate or a certificate signed by your own CA, you have to add the server certificate or your CA certificate into the Java cacerts file using this command:

```
keytool -importcert -keystore /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/cacerts -trustcacerts -file /tmp/your_ca.crt -alias yourca
```

Please adapt the path to the cacerts file for your environment.

ok, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

```
Received: from jb-rh34.rhev.lab.eng.brq.redhat.com ([10.34.63.78])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s0SDOQWL007092
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
```

Closing as part of 3.4.0
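The failure in the attached notifier.log is a certificate-trust problem reported several layers deep (the `PKIX path building failed` cause sits inside a generic `Could not convert socket to TLS` wrapper), so grepping for the outer message alone would lump it together with unrelated STARTTLS failures. The following triage script is an added example, not oVirt code or anything posted in this bug; it groups each JavaMailSender ERROR record with the exception lines that follow it and labels the most specific known cause. The `triage_notifier_log` and `classify_cause` names are hypothetical, and the sample log is constructed after the trace above (the second failure is an invented authentication error to show a different class).

```python
"""Triage of notifier.log send failures (added example; not oVirt code)."""
import re

# Prefix of a notifier log record: "<timestamp> <LEVEL> [<logger>] <message>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)
SEND_FAILURE = re.compile(r"Failed to send message to (?P<rcpt>\S+) ")

# (label, substring), checked in order so that the most specific cause wins:
# a PKIX failure is always wrapped in "Could not convert socket to TLS".
CAUSES = [
    ("untrusted-certificate", "PKIX path building failed"),
    ("starttls-failure", "Could not convert socket to TLS"),
    ("auth-failure", "AuthenticationFailedException"),
]


def classify_cause(lines):
    """Label one failure from its ERROR line plus the exception lines beneath it."""
    for label, needle in CAUSES:
        if any(needle in ln for ln in lines):
            return label
    return "unknown"


def triage_notifier_log(text):
    """Return [(timestamp, recipient, cause)] for every failed send in the log text."""
    events = []
    current = None
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            # Any new timestamped record ends the exception dump of the previous one.
            if current is not None:
                events.append(current)
                current = None
            f = SEND_FAILURE.search(m.group("msg"))
            if m.group("level") == "ERROR" and f:
                current = {"ts": m.group("ts"), "rcpt": f.group("rcpt"), "lines": [line]}
        elif current is not None:
            # Continuation lines (exception class, "nested exception is:", stack frames).
            current["lines"].append(line)
    if current is not None:
        events.append(current)
    return [(e["ts"], e["rcpt"], classify_cause(e["lines"])) for e in events]


# Constructed sample, modelled on the trace in the bug; the hostname and the
# second (authentication) failure are invented.
SAMPLE_LOG = """\
2014-01-27 09:58:07,809 ERROR [org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender] Failed to send message to jbelka with subject Issue Solved Notification. (jb-rh34.example.test), [Host dell-r210ii-13 was activated by admin@internal.] due to to error: Could not convert socket to TLS
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
2014-01-27 09:58:08,120 INFO  [org.ovirt.engine.core.notifier.NotificationService] Waiting for next batch
2014-01-27 10:03:11,004 ERROR [org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender] Failed to send message to ops with subject Host Down Notification. due to to error: Authentication failed
javax.mail.AuthenticationFailedException: 535 5.7.8 Error: authentication failed
    at com.sun.mail.smtp.SMTPTransport$Authenticator.authenticate(SMTPTransport.java:826)
"""

if __name__ == "__main__":
    for ts, rcpt, cause in triage_notifier_log(SAMPLE_LOG):
        print(ts, rcpt, cause)
```

An `untrusted-certificate` result points at the cacerts import described in the comment above rather than at the notifier configuration, whereas `auth-failure` points at MAIL_USER/MAIL_PASSWORD.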