snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Cannot send email via on site smtp server (ErrorException in StreamBuffer.php line 95:) #2570

Closed beezel closed 7 years ago

beezel commented 7 years ago

Expected Behavior (or desired behavior if a feature request)

Email generated and sent when user is created and 'email credentials' is checked.

Actual Behavior

"Whoops, something went wrong"

http://pastebin.com/cMheVhfs


Please confirm you have done the following before posting your bug report:


Please provide answers to these questions before posting your bug report:

CentOS 7 with Apache

install.sh

http://pastebin.com/cMheVhfs

Creating new users, wish to email creds.

Failed to load resource: the server responded with a status of 500 (Internal Server Error)

Does work.

Modified mail.php multiple times as I've seen on other tickets, no success.

No.

mail.php: Info redacted, but configured correctly. Internal mail server tested and working over Telnet to 25 with same user/pass as attempted in Conf

http://pastebin.com/BQ3LGX19

snipe commented 7 years ago

at HandleExceptions->handleError('2', 'stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', '/var/www/html/snipeit/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php', '95', array())

It looks like the SSL certificate on your mail server is invalid.

beezel commented 7 years ago

Except that it isn't. We have an open wildcard cert with RapidSSL that doesn't expire until 7/2019.

As this is all purely internal, can we bypass SSL checking in any manner?

I would be happy to provide our server information to you privately if you need to look at the cert to verify its legitimacy.

snipe commented 7 years ago

What's your mail server? mail.tonkin.com?

beezel commented 7 years ago

Correct, and passes http://www.checktls.com/perl/TestReceiver.pl check.

snipe commented 7 years ago

TLS is not the same thing as SSL though.

Is this mail server blocked from outside connections?

agianotto$ telnet mail.tonkin.com 25
Trying 50.203.99.222...
agianotto$ telnet mail.tonkin.com 587
Trying 50.203.99.222...

Neither of those connect.

snipe commented 7 years ago

Also, wildcard certs don't really matter if they're only installed on the web server and not on the mail server.

beezel commented 7 years ago

Thanks for assistance, I am not our mail or network guy, so this is not my area of expertise.

Not sure why you cannot telnet in, we test out fine internally, externally, and via mxtoolbox.com:

Connecting to 50.203.99.222
220 smtp.tonkin.com mail.tonkin.com [656 ms]
EHLO PWS3.mxtoolbox.com
250-mail.tonkin.com says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH LOGIN
250-AUTH=LOGIN
250 STARTTLS [656 ms]
MAIL FROM:supertool@mxtoolbox.com
250 ok [672 ms]
RCPT TO:test@example.com
550 not local host example.com, not a gateway [672 ms]

Is there any manner to disable TLS? In the mail.php I have encryption set to null, but it still attempts to TLS. This machine (snipeit) is whitelisted in our mail server, so we can safely trust it to blast a few emails.

snipe commented 7 years ago

Can you show me your mail settings from your .env file, minus the password of course

beezel commented 7 years ago

MAIL_DRIVER=smtp
MAIL_HOST=mail.tonkin.com
#This is correct if you are using Office 365 for your email
MAIL_PORT=25
MAIL_USERNAME=jallen@tonkin.com
#Mail username, usually same a email address
MAIL_PASSWORD=REDACT
#Your email password
MAIL_ENCRYPTION=TLS
MAIL_FROM_ADDR=jallen@tonkin.com
MAIL_FROM_NAME=jallen@tonkin.com

When I changed that encryption setting to null I got

Swift_TransportException in AbstractSmtpTransport.php line 162: Cannot send message without a sender address

This is from generating a new user section.

snipe commented 7 years ago

What happens if you try:

MAIL_DRIVER=smtp
MAIL_HOST=mail.tonkin.com
#This is correct if you are using Office 365 for your email
MAIL_PORT=587
MAIL_USERNAME=jallen@tonkin.com
#Mail username, usually same a email address
MAIL_PASSWORD=REDACT
#Your email password
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDR=jallen@tonkin.com
MAIL_FROM_NAME=jallen@tonkin.com

beezel commented 7 years ago

Swift_TransportException in StreamBuffer.php line 269: Connection could not be established with host mail.tonkin.com [Connection refused #111]

It looks like we don't listen on 587. We have an SSL port at 465, that also leaves us with:

Swift_TransportException in AbstractSmtpTransport.php line 404: Connection to mail.tonkin.com:465 Timed Out

snipe commented 7 years ago

I'm not even seeing those ports open though...

agianotto$ nmap 50.203.99.222

Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-06 13:51 PDT
Nmap scan report for 50-203-99-222-static.hfc.comcastbusiness.net (50.203.99.222)
Host is up (0.047s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
7070/tcp open  real server

beezel commented 7 years ago

Our firewall does some kind of packet inspection, I am not 100% sure as it is not my realm.

I assure you that our email is working (you can email me at jallen@tonkin.com if you'd like), and internally we are much more open. Here is my nmap internally:

Scanning mail.tonkin.com (172.16.18.239) [1000 ports]
Discovered open port 8080/tcp on 172.16.18.239
Discovered open port 135/tcp on 172.16.18.239
Discovered open port 110/tcp on 172.16.18.239
Discovered open port 587/tcp on 172.16.18.239
Discovered open port 25/tcp on 172.16.18.239
Discovered open port 445/tcp on 172.16.18.239
Discovered open port 995/tcp on 172.16.18.239
Discovered open port 139/tcp on 172.16.18.239
Discovered open port 443/tcp on 172.16.18.239
Discovered open port 80/tcp on 172.16.18.239
Discovered open port 993/tcp on 172.16.18.239
Discovered open port 143/tcp on 172.16.18.239
Discovered open port 3389/tcp on 172.16.18.239
Discovered open port 8100/tcp on 172.16.18.239
Discovered open port 465/tcp on 172.16.18.239
Discovered open port 49155/tcp on 172.16.18.239
Discovered open port 49153/tcp on 172.16.18.239
Discovered open port 1433/tcp on 172.16.18.239
Discovered open port 49154/tcp on 172.16.18.239
Discovered open port 49159/tcp on 172.16.18.239
Discovered open port 8181/tcp on 172.16.18.239
Discovered open port 49152/tcp on 172.16.18.239
Discovered open port 8088/tcp on 172.16.18.239

snipe commented 7 years ago

This is also interesting: https://ssl-tools.net/mailservers/tonkin.com

beezel commented 7 years ago

It looks like our server does not show all intermediate certs up the chain, which certain mail servers require to guarantee TLS. I have opened a ticket with our mail person to fix this, which may also fix this current issue.

There is no way to send mail non-TLS internally?

snipe commented 7 years ago

Based on what you're saying, your env config should look like:

MAIL_DRIVER=smtp
MAIL_HOST=mail.tonkin.com
MAIL_PORT=465
MAIL_USERNAME=jallen@tonkin.com
MAIL_PASSWORD=REDACT
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDR=jallen@tonkin.com
MAIL_FROM_NAME='ITAM'

Did you run that nmap from the machine that Snipe-IT is running on, or from your desktop machine?

If you run telnet mail.tonkin.com 465 from the Snipe-IT machine, what do you see?

Also try openssl s_client -connect mail.tonkin.com:465 from the snipe-it machine.

I was going to suggest intermediate certificate issues as well.

Whether or not you can send non-TLS mail is up to your mail server. Some will force TLS.

snipe commented 7 years ago

(I would bet that the intermediate cert fix will fix this issue.)

beezel commented 7 years ago

I meant, can we elect to not use TLS via snipeIT. We can successfully send generic telnet emails from our whitelisted IPs internally (like snipeit) with 0 auth.

[root@snipeit ~]# telnet mail.tonkin.com 587
Trying 172.16.18.239...
Connected to mail.tonkin.com.
Escape character is '^]'.
220 smtp.tonkin.com mail.tonkin.com

[root@snipeit ~]# openssl s_client -connect mail.tonkin.com:465
CONNECTED(00000003)
depth=0 CN = *.tonkin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.tonkin.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.tonkin.com
verify error:num=21:unable to verify the first certificate
verify return:1

It does look like TLS intermediate cert is the culprit for this scenario, and I'm hoping our mail admin can get it resolved.

Changing to port 465 and 'ITAM' has another timeout. Sticking with port 25 I continue to get "cannot send email without sender address"
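
An offline reproduction of the `s_client` result above, as an added example that is not part of the original thread: it builds a throwaway root, intermediate and wildcard leaf, then verifies the leaf with and without the intermediate. The CA names, the `*.mail.example` subject and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed names, throwaway keys): why a valid leaf
# certificate fails verification when the server omits its intermediate.

# new_csr BASE SUBJECT: write BASE.key and BASE.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# make_chain DIR: build root -> intermediate -> leaf in DIR
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d/root" '/CN=Demo Root CA' &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d/int" '/CN=Demo Intermediate CA' &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    new_csr "$d/leaf" '/CN=*.mail.example' &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf DIR [with-intermediate]: print "ok" or "fail:<openssl error number>".
# The client trusts only the root. "-untrusted int.pem" stands in for a server
# that sends leaf + intermediate in its handshake (the server-side fix).
verify_leaf() {
    d=$1; rc=0
    if [ "${2:-}" = with-intermediate ]; then
        out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
            "$d/leaf.pem" 2>&1) || rc=$?
    else
        out=$(openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1) || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then echo ok; return 0; fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/fail:\1/p' | head -n 1
}

tmp=$(mktemp -d) && make_chain "$tmp" || exit 1
echo "leaf only:           $(verify_leaf "$tmp")"
echo "leaf + intermediate: $(verify_leaf "$tmp" with-intermediate)"
rm -rf "$tmp"
```

The leaf-only case fails with the same error number 20 that `s_client` printed, although the leaf itself is valid and unexpired; supplying the intermediate makes the same leaf verify.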

snipe commented 7 years ago

Well, you've already tried setting encryption to null, and it didn't seem happy about that.

This shouldn't work, but try enclosing some settings in single quotes.

MAIL_DRIVER=smtp
MAIL_HOST='mail.tonkin.com'
MAIL_PORT=25
MAIL_USERNAME='jallen@tonkin.com'
MAIL_PASSWORD=REDACT
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDR='jallen@tonkin.com'
MAIL_FROM_NAME='ITAM'

snipe commented 7 years ago

(Also, apologies for portscanning you. I was just trying to troubleshoot.)

beezel commented 7 years ago

Thank you for so much help, we've at least definitely narrowed it down to the TLS chain.

It may or may not be worth noting somewhere that TLS is required to send via an external mail host.

At this point I think my best bet would be to get sendmail working on the snipeit side? Other than waiting on the mail admin who may or may not ever fix the TLS issue.

snipe commented 7 years ago

It isn't required though, that's the thing. Lots of people use no encryption and it works fine. My guess is that your mail host is trying to force TLS.

The error you get with port 25 almost makes it look like it's parsing the env file wrong, which is why I suggested trying with the single quotes. It's as if it thinks that from name field isn't even set.

beezel commented 7 years ago

Hrm, I wish I knew enough about all the areas to figure this out. We can successfully send an email via telnet from snipeit:

[root@snipeit ~]# telnet mail.tonkin.com 25
Trying 172.16.18.239...
Connected to mail.tonkin.com.
Escape character is '^]'.
220 smtp.tonkin.com mail.tonkin.com
helo tonkin.com
250 hello mail.tonkin.com
mail from:jallen@tonkin.com
250 ok
rcpt to:jallen@tonkin.com
250 ok its for jallen@tonkin.com
data
354 ok, send it; end with .
for you.
.
250 Message queued
quit
221 bye
Connection closed by foreign host.

If I set encryption type to null, in .env, I continue to get:

Swift_TransportException in AbstractSmtpTransport.php line 162: Cannot send message without a sender address

So I am unsure how to send it unencrypted from snipeit functionally.

snipe commented 7 years ago

Did you try it with the single quotes, as I mentioned above?

beezel commented 7 years ago

Yes, I have tried all options you suggested, as well as all the varieties I could come up with: single quotes, 25, 587, 465, 'ITAM', 'jallen@tonkin.com' etc.

snipe commented 7 years ago

I have to run out for a bit, but @uberbrady is going to try to help you. (He's badass with mail servers.)

beezel commented 7 years ago

I have success!!

Thank you @snipe, your 'it doesn't appear to be parsing your .env' comment inspired me to manually edit my mail.php with a MAIL_FROM_ADDR, and it is now working beautifully.

Not sure why .env is not overriding the mail.php, or what the design is behind it, but that solved my problems 100%.

Thank you again for your diligent work!

snipe commented 7 years ago

Huh. That's super weird. We have hundreds of installs running and it always groks that env file. ¯\_(ツ)_/¯

Oh well, glad it's sorted either way.


mattgann commented 7 years ago

Is there a way to not require a server at all? My company won't allow me to use any.

boyejoayo commented 7 years ago

I had this same issue, all I had to do is to change the MAIL_USERNAME and MAIL_PASSWORD to null as shown below:

# --------------------------------------------
# REQUIRED: OUTGOING MAIL SERVER SETTINGS
# --------------------------------------------
MAIL_DRIVER=smtp
MAIL_HOST=email.domain.com
MAIL_PORT=25
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDR=email@domain.com
MAIL_FROM_NAME='Email Name'
MAIL_REPLYTO_ADDR=email@domain.com
MAIL_REPLYTO_NAME='Email Name'

Our email server is an internal Exchange Server and we already bypassed SSL connections between the Snipe-IT and the mail server so TLS encryption is not needed.

I hope this helps someone.

darkebe commented 7 years ago

Thank you @ayboye, null value is not documented.