Email not working (SSL_connect returned=1)

Thanks @flink91, I just updated and for me it still doesn’t send emails.

I use SMTP port 25 without TLS and SSL, there are no errors in the log and tomorrow I will post the details, I hope …

1 Like

I confirm, 2.9.0.beta4 002d62b847 and always:
SSL_connect returned=1 errno=0 peeraddr=xxx.xxx.xxx.xxx:25 state=error: certificate verify failed (Hostname mismatch)

The patch does not work for disabling the checks, it only works for disabling starttls altogether. What do your settings look like?

1 Like

DISCOURSE_SMTP_ADDRESS: smtp.mydomain.info
DISCOURSE_SMTP_PORT: 25
DISCOURSE_SMTP_USER_NAME: info@mydomain.info
DISCOURSE_SMTP_PASSWORD: “mypassword”
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
DISCOURSE_SMTP_ENABLE_START_TLS: false # (optional, default true)
DISCOURSE_SMTP_DOMAIN: mydomain.info # (required by some providers)

Thanks

Hmm that should indeed work (although I did not test the patch myself)

I also updated the second forum to the version 2.9.0.beta5 (47034d9ca0) and:

======================================== ERROR ========================================
                                    UNEXPECTED ERROR

SSL_connect returned=1 errno=0 peeraddr=xxx.xxx.xxx.xxx:25 state=error: certificate verify failed (Hostname mismatch)

====================================== SOLUTION =======================================
This is not a common error. No recommended solution exists!

Great!

OK, since sending emails no longer works without SSL / TLS, can someone please help me reconfigure it?

From here:

  1. Try to open a connection to your smtp server via openssl:

(telnet, nc etc. are not installed inside the container.)

Fiddle with some different settings until you succeed with a connection.

openssl s_client -connect your.smtp.server:465

And this is the answer:

openssl s_client -connect smtps.aruba.it:465
CONNECTED(00000003)
depth=2 C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
verify return:1
depth=1 C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Organization Validated Server CA G3
verify return:1
depth=0 C = IT, ST = Bergamo, L = Ponte San Pietro, O = Aruba S.p.A., CN = *.aruba.it
verify return:1
---
Certificate chain
 0 s:C = IT, ST = Bergamo, L = Ponte San Pietro, O = Aruba S.p.A., CN = *.aruba.it
   i:C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Organization Validated Server CA G3
 1 s:C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Organization Validated Server CA G3
   i:C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHvjCCBaagAwIBAgIQQsyIUeEmwDx+2lgTpgT70jANBgkqhkiG9w0BAQsFADCB
iTELMAkGA1UEBhMCSVQxEDAOBgNVBAgMB0JlcmdhbW8xGTAXBgNVBAcMEFBvbnRl
IFNhbiBQaWV0cm8xFzAVBgNVBAoMDkFjdGFsaXMgUy5wLkEuMTQwMgYDVQQDDCtB
Y3RhbGlzIE9yZ2FuaXphdGlvbiBWYWxpZGF0ZWQgU2VydmVyIENBIEczMB4XDTIy
MDQwNTEyMjI0M1oXDTIzMDQwNTEyMjI0M1owZjELMAkGA1UEBhMCSVQxEDAOBgNV
BAgMB0JlcmdhbW8xGTAXBgNVBAcMEFBvbnRlIFNhbiBQaWV0cm8xFTATBgNVBAoM
DEFydWJhIFMucC5BLjETMBEGA1UEAwwKKi5hcnViYS5pdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMTsWOBfptIEva0cH2jJ177n5TuMqC85jYsc8IC7
zeCQzI7yqWZl2uwbkXQ8SKnb8MDzGaYGMzBW7/Zow2qIoG9XlRMet5J6MKpLn7Us
LMB1rMSMa0UeG1+VWH1pbIrpXw2nKdAEktaUwqtNVWIBGe/f4hnuM0ESVBfblt+4
7IeHiOsiSu1t54L57kgo+yRknLmSZi5N1JhgFIjCQG/iaqj2Y/jDpd/iX21iN7+P
Iir1Zop0cdEAqyi+Sp5/PK9Pz6RdQKLfnJmKroB/NJEKrSXLAI1vWYyL5wQN/LEz
AykZqlf6iPnQ0VhonKly05A6mIJP16X8FAmB7eq0jTHv2TcCAwEAAaOCA0IwggM+
MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUn4qxtfGx3oL0J3y+iM3eqUOBo0sw
fgYIKwYBBQUHAQEEcjBwMDsGCCsGAQUFBzAChi9odHRwOi8vY2FjZXJ0LmFjdGFs
aXMuaXQvY2VydHMvYWN0YWxpcy1hdXRob3ZnMzAxBggrBgEFBQcwAYYlaHR0cDov
L29jc3AwOS5hY3RhbGlzLml0L1ZBL0FVVEhPVi1HMzAfBgNVHREEGDAWggoqLmFy
dWJhLml0gghhcnViYS5pdDBRBgNVHSAESjBIMDwGBiuBHwETATAyMDAGCCsGAQUF
BwIBFiRodHRwczovL3d3dy5hY3RhbGlzLml0L2FyZWEtZG93bmxvYWQwCAYGZ4EM
AQICMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBIBgNVHR8EQTA/MD2g
O6A5hjdodHRwOi8vY3JsMDkuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEhPVi1H
My9nZXRMYXN0Q1JMMB0GA1UdDgQWBBT5JV1WzJxD4wKVKCWHmNcn8d7D1TAOBgNV
HQ8BAf8EBAMCBaAwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2AK33vvp8/xDI
i509nB4+GGq0Zyldz7EMJMqFhjTr3IKKAAABf/m2kgoAAAQDAEcwRQIgI+uZPC+F
CY9H7NSyarAPzAXGfUrbEyn1Eq/5kautM64CIQC6zAXsxVHVvRF86izV+qKxWCpK
nmmUC7Fz0xfFhablzwB3AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MM
AAABf/m2kjcAAAQDAEgwRgIhAJ1dk0jwHeP7pCOlhptfu2t9ZLkSyJRGkdCbnT1D
ANYxAiEA0WTOchSXhiXA3PtLW5D+4P8l9yTAJRoaW/ilb5n/1MAAdgBvU3asMfAx
GdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAX/5tpIUAAAEAwBHMEUCIFiEZiPG
Ymr6DKYDfO0lidp9JafTSjT/ZHuZn7LOLdyoAiEAx3lSUK6he9ZeIBykatBimWWN
ipirn4oSEiKjT7DflTowDQYJKoZIhvcNAQELBQADggIBAIwK3YVxzM5BsKXIMpy7
Crpbzo2OLCkkDooNPM1lxeBGjCWOlSPTryiqNR5s7+ADtAGz0v6kllSLSAxm5Bah
PEWbg6zYoob6X8daEEzYVGrtXu1p2iGUuMNREjJRoiMZRY2i97FBkxYJSax/3d7n
xmcTEMnDUYZ+4sb7umre3sVKvnBK77IgHNatRLkeC6mnwHM+icW1/0m7IkrZ6loM
wwBApqErrsln4wXCMbIjBEqQAtH0PNO7TxnoIn+51Y3ejVNO8yifeyYprsC6gLEN
dfD+VrfU9ls1BKdXY4tMFrQXyGqylOUB5Z1hBM2D9uVpKAHYGrSFj8la7CaTkPLH
zIbjdINU1lX3AiXZPemirap6i4Tr25511hig5zbifBvUZtRnzxCv8taxb3tM+9Vp
7n0e0jibrl3YOQykjgxgBILfOFjpsfSV0NyZ+fwfdHqkxeZelt3OCzoE5LUBSLzv
ck9GJSPdGsuBH0y/mRBaghjEF4F3WkdINFLCJTrMh3gIAVdraVlganr5QdoMiV+M
28gf+cf6Bo1I+vuEsdBaRkpIFaBve5PjYADS2A3R9upk68j00EGH+50YnWVafBII
aY5JeMOSIXG9taUq3QszPi/H827Ky4BGG3sN0fBQsR7kniKkfnNDnN6frw/2FSas
gp5el2uwKHDl5M/w10cCL5hp
-----END CERTIFICATE-----
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Aruba S.p.A., CN = *.aruba.it

issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Organization Validated Server CA G3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4572 bytes and written 432 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E79BF76633C1FF1930AB44B11DD45E5CE0CE4D3ECAA3B035C4239E3D576BADC0
    Session-ID-ctx:
    Master-Key: B2DFD5C791C36245D8B51F876F720F627F60F5AA1C085D4F16643D206406737059C6DD4CB51A508FFD872FE718822394
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d5 97 a0 c2 6a b1 51 3e-7c 9d fa b3 d2 99 0f 13   ....j.Q>|.......
    0010 - fc 39 61 86 c1 88 91 51-11 7b 55 42 e5 7c 1f 27   .9a....Q.{UB.|.'
    0020 - 39 3b 22 67 45 6c 22 53-7a 1a 4f f8 76 e9 ef 89   9;"gEl"Sz.O.v...
    0030 - 3c 11 df 3b 98 f3 0c 1e-44 f0 f9 af 27 71 f5 6f   <..;....D...'q.o
    0040 - ab 3e 78 b4 9d b3 e5 49-fb 20 80 2e a2 5b f8 4a   .>x....I. ...[.J
    0050 - 4f 4b fe 60 5a c2 cf ea-d0 81 6b bc 42 a3 ac 2a   OK.`Z.....k.B..*
    0060 - 4a 14 e5 61 a8 5e 94 c6-5c 27 09 81 e5 4d 93 b7   J..a.^..\'...M..
    0070 - 13 b2 e0 6d f2 db 08 c2-16 f5 b9 e3 52 6b 70 d0   ...m........Rkp.
    0080 - 25 44 b4 37 07 c6 83 c3-0b 41 c4 d6 99 45 03 f2   %D.7.....A...E..
    0090 - 5a 79 27 ea e2 52 96 62-bc bc 34 53 13 32 02 2b   Zy'..R.b..4S.2.+
    00a0 - 5a 46 1f 51 f4 82 12 36-2c 6d 4f 5b e6 07 94 7c   ZF.Q...6,mO[...|

    Start Time: 1655216339
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
220 smtpdh01.ad.aruba.it Aruba Outgoing Smtp  ESMTP server ready
HELO mydomain.info
250 smtpdh01.ad.aruba.it hello [5.xxx.xxx.xxx], pleased to meet you

My app.yml

 DISCOURSE_SMTP_ADDRESS: smtps.aruba.it
  DISCOURSE_SMTP_PORT: 465
  DISCOURSE_SMTP_USER_NAME: myemail@domain.info
  DISCOURSE_SMTP_PASSWORD: "password"
  DISCOURSE_SMTP_ENABLE_START_TLS: false            # (optional, default true)
  DISCOURSE_SMTP_DOMAIN: domain.info              # (required by some providers)

Sending does not work…

./discourse-doctor

==================== MAIL TEST ====================
For a robust test, get an address from http://www.mail-tester.com/
Or just send a test message to yourself.
Email address for mail test? ('n' to skip) [myemail@domain.info]:
Sending mail to myemail@domain.info. . .
Testing sending to myemail@domain.info using smtps.aruba.it:465, username:myemail@domain.info with plain auth.
======================================== ERROR ========================================
                                    UNEXPECTED ERROR

Net::ReadTimeout

====================================== SOLUTION =======================================
This is not a common error. No recommended solution exists!

DISCOURSE_SMTP_ENABLE_START_TLS: it is the same, nothing changes.

After more than a month of trying how can I solve?
Is it possible that I alone cannot send emails?

Thanks

Can you configure your mail server to use port 587 (TLS or none, see which works) and then try this and rebuild discourse

DISCOURSE_SMTP_ADDRESS: smtps.aruba.it
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: myemail@domain.info
DISCOURSE_SMTP_PASSWORD: “password”

1 Like

There’s this from the Troubleshooting email on a new Discourse install guide if it’s any help?:

It does not work, these is the initial configuration that I have been using for a year but it has not worked for a month.

======================================== ERROR ========================================
                                    UNEXPECTED ERROR

SSL_connect returned=1 errno=0 peeraddr=xxx.xxx.xxx.xxx:587 state=error: certificate verify failed (Hostname mismatch)

====================================== SOLUTION =======================================
This is not a common error. No recommended solution exists!

If i try to connect with openssl:

openssl s_client -connect smtps.aruba.it:587
CONNECTED(00000003)
548286781936:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@vps:/var/www/discourse#

Unfortunately no, I tried everything …

Try adding just this line to your app.yml

DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none

Don’t add the START_TLS line

2 Likes

I’ve moved this over to a dedicated #support topic. :+1: (my topic title skills need work, so feel free to suggest a more fitting description of the issue :slight_smile:)

1 Like

You will need to specifically configure your SMTP server to use port 587 (not all servers have it enabled) with TLS or STARTTLS.

2 Likes

Now it works with discourse-doctor, the web test goes into timeout error but the emails are sent.

Thanks everyone for the help!

My VPS uses aarch64 CPU, could this be the problem?

2 Likes

Tagging @flink91 my suggestion seems to have worked with BETA 5; that would indicate that the TLS patch may not be working as expected.

Adding

DISCOURSE_SMTP_ENABLE_START_TLS: false

Appears to make SSL connections fail

2 Likes

Thanks!

And yes that’s weird indeed :thinking:
I’ll take another look to try to understand why it’s not working as intended but I guess everything will work again when the mail gem is fixed :crossed_fingers:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.