Bug 1020920 - PRD34 - [RFE][notifier] Use STARTTLS
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-notification-service
Hardware: Unspecified OS: Unspecified
Priority: unspecified Severity: medium
: ---
: 3.4.0
Assigned To: Martin Perina
Jiri Belka
: FutureFeature
Depends On:
Blocks: 1045347
Reported: 2013-10-18 10:00 EDT by Jiri Belka
Modified: 2016-02-10 14:07 EST (History)

See Also:
Fixed In Version: ovirt-3.4.0-alpha1
Doc Type: Enhancement
Doc Text:
Feature: This patch enables the notifier to send emails using SMTP with STARTTLS. SMTP configuration for sending email from the notifier daemon is now controlled by these options:
1) MAIL_SERVER - name or IP address of the SMTP server
2) MAIL_PORT - SMTP server port to connect to, usually 25 for plain SMTP, 465 for SMTP with SSL, 587 for SMTP with TLS
3) MAIL_USER - user to log in to the SMTP server (mandatory for SSL or TLS connections)
4) MAIL_PASSWORD - password to use for the user in MAIL_USER
5) MAIL_SMTP_ENCRYPTION - defines the type of SMTP server connection encryption:
   none - plain SMTP
   ssl - SMTP using SSL (SMTPS)
   tls - SMTP with STARTTLS
The configuration option MAIL_PORT_SSL is no longer valid or used!
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
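The Doc Text above describes the five SMTP options and the obsolete MAIL_PORT_SSL. The following is an added example, not oVirt's own code: a small validator that parses KEY=VALUE settings in that shape and reports what kind of SMTP session they ask for (plain, SMTPS, or STARTTLS), which port is implied, whether the session will authenticate, and which settings are invalid or silently ignored. The option names come from the Doc Text; the file format, the function names and the sample settings are assumptions constructed here.

```python
"""Added example (not oVirt code): validate notifier-style SMTP settings
and derive the connection plan they describe.

Assumptions: settings are KEY=VALUE lines (constructed samples below);
option names and their meaning are taken from the bug's Doc Text."""

VALID_ENCRYPTION = {"none", "ssl", "tls"}
# Usual ports per the Doc Text: plain SMTP, SMTPS, STARTTLS.
DEFAULT_PORT = {"none": 25, "ssl": 465, "tls": 587}
TRANSPORT = {
    "none": "plain SMTP",
    "ssl": "SMTPS (TLS from connect)",
    "tls": "SMTP + STARTTLS",
}


def parse_settings(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def plan_connection(settings):
    """Return (plan, problems).

    plan: server, port, transport and whether AUTH will be used.
    problems: settings the notifier would reject or ignore."""
    problems = []
    enc = settings.get("MAIL_SMTP_ENCRYPTION", "none").lower()
    if enc not in VALID_ENCRYPTION:
        problems.append("MAIL_SMTP_ENCRYPTION must be none, ssl or tls")
        enc = "none"
    # Removed in 3.4: a leftover MAIL_PORT_SSL has no effect any more.
    if "MAIL_PORT_SSL" in settings:
        problems.append("MAIL_PORT_SSL is obsolete and ignored; set MAIL_PORT")
    server = settings.get("MAIL_SERVER")
    if not server:
        problems.append("MAIL_SERVER is required")
    port_raw = settings.get("MAIL_PORT")
    try:
        port = int(port_raw) if port_raw else DEFAULT_PORT[enc]
    except ValueError:
        problems.append("MAIL_PORT must be an integer")
        port = DEFAULT_PORT[enc]
    user = settings.get("MAIL_USER", "")
    # Per the Doc Text, a user is mandatory for ssl and tls sessions.
    if enc != "none" and not user:
        problems.append("MAIL_USER is mandatory for ssl or tls")
    plan = {
        "server": server,
        "port": port,
        "transport": TRANSPORT[enc],
        "authenticate": bool(user),
    }
    return plan, problems


# Constructed sample: pre-3.4 style settings still carrying MAIL_PORT_SSL.
SAMPLE_OLD = """
MAIL_SERVER=smtp.example.com
MAIL_PORT_SSL=465
"""

# Constructed sample: 3.4 style STARTTLS settings.
SAMPLE_NEW = """
MAIL_SERVER=smtp.example.com
MAIL_PORT=587
MAIL_USER=notifier@example.com
MAIL_PASSWORD=constructed-secret
MAIL_SMTP_ENCRYPTION=tls
"""

if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        plan, problems = plan_connection(parse_settings(text))
        print(name, plan, problems)
```

Running the block shows the old-style sample falling back to plain SMTP on port 25 with a warning that MAIL_PORT_SSL is ignored, which is exactly the silent downgrade an operator wants flagged before the notifier is restarted.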

Attachments
notifier.log (114.89 KB, text/x-log)
2014-01-27 05:08 EST, Jiri Belka

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 22295 None None None Never
oVirt gerrit 22296 None None None Never
oVirt gerrit 22297 None None None Never

Description Jiri Belka 2013-10-18 10:00:54 EDT
Description of problem:
Right now notifier probably[1] cannot use only dedicated SSL port. Be modern and use STARTTLS. Please do not force one to use AUTH for SSL/STARTTLS. For example AUTH is not required in our internal company smtp server, but it advertises STARTTLS.

Other bugs may block this: BZ1020900, BZ1020908.

1 - not 100% sure because of BZ1020900

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. test with internal smtp server, it uses 587 with STARTTLS advertised and does not need/advertise AUTH

Actual results:

Expected results:

Additional info:
Comment 1 Barak 2013-10-20 08:05:19 EDT
Comment 2 Arthur Berezin 2013-12-01 06:34:42 EST
Is this the same as BZ1020908?
Comment 3 Yair Zaslavsky 2013-12-06 03:39:06 EST
(In reply to Arthur Berezin from comment #2)
> Is this the same as BZ1020908?

I don't think it's exactly the same.
This is about using STARTTLS in order not to use a dedicated SSL port or have one required, if I understand correctly.
Comment 4 Yair Zaslavsky 2013-12-06 03:44:11 EST
Actually I saw an example where authentication is required although using STARTTLS.
Comment 5 Sandro Bonazzola 2014-01-14 03:44:50 EST
ovirt 3.4.0 alpha has been released
Comment 6 Jiri Belka 2014-01-27 05:08:04 EST
Created attachment 855998

fail, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

2014-01-27 09:58:07,809 ERROR [org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender] Failed to send message  to jbelka@redhat.com with subject Issue Solved Notification. (jb-rh34.rhev.lab.eng.brq.redhat.com), [Host dell-r210ii-13 was activated by admin@internal.] due to to error: Could not convert socket to TLS
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
        at javax.mail.Service.connect(Service.java:317)
        at javax.mail.Service.connect(Service.java:176)
        at javax.mail.Service.connect(Service.java:125)
        at javax.mail.Transport.send0(Transport.java:194)
        at javax.mail.Transport.send(Transport.java:124)
        at org.ovirt.engine.core.notifier.utils.sender.mail.JavaMailSender.send(JavaMailSender.java:111)
        at org.ovirt.engine.core.notifier.utils.sender.mail.EventSenderMailImpl.send(EventSenderMailImpl.java:79)
        at org.ovirt.engine.core.notifier.NotificationService.processEvents(NotificationService.java:266)
        at org.ovirt.engine.core.notifier.NotificationService.run(NotificationService.java:121)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Comment 7 Jiri Belka 2014-01-27 05:09:40 EST
[root@jb-rh34 ~]# /usr/share/ovirt-engine/bin/java-home 
[root@jb-rh34 ~]# /usr/lib/jvm/jre/bin/java -version
java version "1.7.0_51"
OpenJDK Runtime Environment (rhel- u51-b02)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
Comment 8 Martin Perina 2014-01-27 11:41:47 EST
It's not a problem of the feature but a problem of the CA that signed the certificate for smpt.corp.redhat.com. This Red Hat IS CA is not one of the valid CAs included in the Java SDK cacerts file, so that's the cause of the error.

I tested this with a Gmail account whose certificate is signed by Equifax Secure Certificate Authority, which is included in cacerts, and everything works fine.

So if you want to use SSL/TLS with SMTP and you have a self-signed certificate or a certificate not signed by one of the well-known CAs, you have to add the CA's public cert into the cacerts file.

Btw this behavior is not changed by adding the STARTTLS feature; you have the same problem with SMTPS connection certificates.
Comment 9 Martin Perina 2014-01-28 04:22:06 EST
If your SMTP server uses a self-signed certificate or a certificate signed by your own CA, you have to add the server certificate or your CA certificate into the Java cacerts file using this command:

keytool -importcert -keystore /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/cacerts -trustcacerts -file /tmp/your_ca.crt -alias yourca

Please adapt path to cacerts file for your environment.
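Comments 6 through 9 show the failure mode ("unable to find valid certification path") and its fix: trust the private CA instead of disabling verification. The following is an added example, not the notifier's Java code: the Python equivalent of that fix, where a PEM CA bundle is passed to an SSL context with hostname checking and certificate verification left on, plus a STARTTLS probe that returns the verified peer certificate subject and a helper that maps the handshake exceptions to the operator action needed. The function names and the CA path are assumptions; the probe needs network access and is not part of the offline checks.

```python
"""Added example (not oVirt code): verified STARTTLS probe and a
diagnosis helper for the PKIX-style failure seen in comment 6.

Assumed names: make_context, probe_starttls, diagnose_tls_error.
The CA bundle path is a placeholder supplied by the caller."""
import smtplib
import ssl


def make_context(ca_file=None):
    """Strict client context. ca_file (PEM) adds a private CA the same
    way importing it into the JVM cacerts does for the notifier; the
    verification itself is never turned off."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def diagnose_tls_error(exc):
    """Map a handshake or protocol failure to the remediation."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted CA: import the server or CA certificate into the truststore"
    if isinstance(exc, ssl.SSLError):
        return "TLS negotiation failed: check MAIL_SMTP_ENCRYPTION matches the port"
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "server does not advertise STARTTLS on this port"
    return "not a TLS problem: " + type(exc).__name__


def probe_starttls(host, port=587, ca_file=None, timeout=10):
    """Connect in plain text, upgrade with STARTTLS against a verifying
    context, and return the verified peer certificate's subject.
    Requires network access."""
    ctx = make_context(ca_file)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise smtplib.SMTPNotSupportedError("STARTTLS not advertised")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: repeat EHLO after the upgrade
        return smtp.sock.getpeercert().get("subject")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else None  # placeholder CA path
    try:
        print(probe_starttls(host, ca_file=ca))
    except Exception as exc:  # noqa: BLE001 - report, do not hide
        print(diagnose_tls_error(exc))
```

Run with the notifier's MAIL_SERVER and your CA file as arguments; a subject line back means the chain the notifier will see is trusted, while the "untrusted CA" diagnosis is the same condition as the keytool import above fixes.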
Comment 10 Jiri Belka 2014-01-28 08:25:49 EST
ok, ovirt-engine-tools-3.4.0-0.2.master.20140112020439.git9ad8529.el6.noarch

Received: from jb-rh34.rhev.lab.eng.brq.redhat.com ([])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s0SDOQWL007092
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
Comment 11 Itamar Heim 2014-06-12 10:07:41 EDT
Closing as part of 3.4.0
