SMTP Relay SSL error

sk9375
New user
Posts: 5
Joined: 2014-09-30 16:26
Location: New York

SMTP Relay SSL error

Post by sk9375 » 2014-09-30 17:36

Since updating hMailServer to version 5.4.2, I have not been able to send any mail out. I use an SMTP relayer as FiOS has blocked port 25.

The error I am getting is "TCP Connection - SSL Handshake with client failed. Error code: 336134278, Message: certificate verify failed, Remote IP: 206.46.232.100".

I am using smtp.verizon.net port 465 SSL enabled, this setting has not been changed for a while and was working before the version upgrade. I tried the beta version 5.5.1 as well without success.

Thanks for any help I can get.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: SMTP Relay SSL error

Post by percepts » 2014-09-30 18:29

Try upgrading to the latest beta build, 5.5.1 B2097. There have been many fixes and additions since 5.4.2, and various ones for SSL/TLS since the first beta of 5.5.1.

sk9375
New user
Posts: 5
Joined: 2014-09-30 16:26
Location: New York

Re: SMTP Relay SSL error

Post by sk9375 » 2014-10-01 03:12

Thanks for the reply.

I installed 5.5.1-B2097 and it's still the same.

I get "TCP Connection - SSL Handshake with client failed. Error code: 336134278, Message: certificate verify failed, Remote IP: 206.46.232.100".

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: SMTP Relay SSL error

Post by percepts » 2014-10-01 03:20

see topic: viewtopic.php?f=10&t=27114&p=167163&hil ... 0f#p167163

Martin has been working on this and thought he had fixed it but looks like it needs more work.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: SMTP Relay SSL error

Post by martin » 2014-10-01 13:27

This does not seem to be the same issue as the other users, even if it's similar. There are a ton of reasons a certificate verification could fail so we need to dig a bit deeper.

Can you enable debug logging in hMailServer (if you haven't already), reproduce the issue and then post the log here?

You should be seeing log entries containing the following with more details:

- Performing SSL/TLS handshake for session
- Certificate verification failed for session

So if you search for those two sentences we should be having some more details.

sk9375
New user
Posts: 5
Joined: 2014-09-30 16:26
Location: New York

Re: SMTP Relay SSL error

Post by sk9375 » 2014-10-02 01:40

Below is the debug log. Thanks.

"DEBUG" 3644 "2014-10-01 19:29:47.000" "PersistentMessage::SetNextTryTime()"
"DEBUG" 3644 "2014-10-01 19:29:47.000" "PersistentMessage::~SetNextTryTime()"
"DEBUG" 2668 "2014-10-01 19:29:47.000" "Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Delivering message..."
"APPLICATION" 2696 "2014-10-01 19:29:47.000" "SMTPDeliverer - Message 3094: Delivering message from sxxxx@kxxxxxx.xx to sxxxx_x@yahoo.com. File: C:\Program Files\hMailServer\Data\{220EDCCF-F51D-4189-A3E7-7FF9CDA34020}.eml"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Applying rules"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Applying rule SPAM"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Performing local delivery"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Local delivery completed"
"APPLICATION" 2696 "2014-10-01 19:29:47.000" "SMTPDeliverer - Message 3094: Relaying to host smtp.verizon.net."
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Starting external delivery process. Server: smtp.verizon.net (206.46.232.100), Port: 465, Security: 1, User name: skxxxxxx"
"DEBUG" 2696 "2014-10-01 19:29:47.000" "Creating session 42"
"TCPIP" 2696 "2014-10-01 19:29:47.015" "Connecting to 206.46.232.100:465..."
"DEBUG" 2824 "2014-10-01 19:29:47.062" "TCP connection started for session 42"
"DEBUG" 2824 "2014-10-01 19:29:47.062" "Performing SSL/TLS handshake for session 42. Verify certificate: True, Expected remote host name: smtp.verizon.net"
"DEBUG" 2840 "2014-10-01 19:29:47.125" "Certificate verification failed for session 42. Expected host: smtp.verizon.net, Windows error code: -2146762487, Windows error message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
"TCPIP" 2840 "2014-10-01 19:29:47.125" "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: certificate verify failed, Remote IP: 206.46.232.100"
"DEBUG" 2840 "2014-10-01 19:29:47.125" "Ending session 42"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "External delivery process completed"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "Summarizing delivery result"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "Summarized delivery results"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "SD::RescheduleDelivery_"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "Retrieving retry options."
"DEBUG" 2696 "2014-10-01 19:29:47.125" "Starting rescheduling."
"APPLICATION" 2696 "2014-10-01 19:29:47.125" "SMTPDeliverer - Message 3094: Message could not be delivered. Scheduling it for later delivery in 10 minutes."
"DEBUG" 2696 "2014-10-01 19:29:47.125" "PersistentMessage::SetNextTryTime()"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "PersistentMessage::~SetNextTryTime()"
"DEBUG" 2696 "2014-10-01 19:29:47.125" "Message rescheduled for later delivery."
"APPLICATION" 2696 "2014-10-01 19:29:47.125" "SMTPDeliverer - Message 3094: Message delivery thread completed."

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: SMTP Relay SSL error

Post by martin » 2014-10-02 16:29

First of all - it is possible to disable certificate verification completely if you know how to access the hMailServer database and navigate it (you need a tool to do this, and it depends on what database you are using). You need to locate the row with the name 'VerifyRemoteSslCertificate' in the table hm_settings and set the value in the settinginteger to 0 and restart hMailServer. This is an undocumented feature though and it may go away. The other workaround is to use an SMTP relayer which does not require SSL.

Anyway, it seems like your Windows installation for some reason does not trust the certificate. The error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." is generated by Windows. hMailServer uses the Windows certificate store when verifying certificates.

The best way forward would probably be to take a look at their certificate and really confirm that it's not trusted by Windows, and that it's not some kind of bug in hMailServer. But it's a bit tricky to troubleshoot this, since I'm not able to connect to the server in question and hence can't actually see the certificate. Would it be possible for you to follow the below steps to extract the certificate here, so that I can try to diagnose this from here?

1) Install OpenSSL from https://slproweb.com/products/Win32OpenSSL.html
2) Open a prompt and cd to C:\OpenSSL-Win32\bin
3) Execute openssl s_client -connect smtp.verizon.net:465 (replace host name with yours)
4) Copy the server certificate part (section which starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- including these lines).
5) Include the certificate in this thread.
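
The two numeric codes in the debug log earlier in the thread can be decoded offline. This is an added example, not hMailServer code and not part of the original posts: it reads the two failure lines copied from that log, converts the signed Windows code to its HRESULT, and splits the OpenSSL code into library, function and reason numbers. It assumes the OpenSSL 1.0.x error packing; all function and variable names are this example's own.

```python
import re

# Two lines copied from the debug log posted in the thread.
SAMPLE_LOG = r'''
"DEBUG" 2840 "2014-10-01 19:29:47.125" "Certificate verification failed for session 42. Expected host: smtp.verizon.net, Windows error code: -2146762487, Windows error message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
"TCPIP" 2840 "2014-10-01 19:29:47.125" "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: certificate verify failed, Remote IP: 206.46.232.100"
'''

# winerror.h names for common certificate-trust HRESULTs.
CERT_HRESULTS = {
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x800B010F: "CERT_E_CN_NO_MATCH",
}

WIN_RE = re.compile(r"Certificate verification failed for session (\d+)\. "
                    r"Expected host: ([^,]+), Windows error code: (-?\d+)")
SSL_RE = re.compile(r"SSL handshake with client failed\. Error code: (\d+), "
                    r"Message: ([^,]+), Remote IP: ([\d.]+)", re.IGNORECASE)

def decode_hresult(signed_code):
    """Convert the signed 32-bit value from the log into (hex HRESULT, name)."""
    value = signed_code & 0xFFFFFFFF
    return "0x%08X" % value, CERT_HRESULTS.get(value, "unknown")

def decode_openssl_error(code):
    """Split an OpenSSL 1.0.x packed error into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def explain(log_text):
    """Return one tuple per certificate-related failure line found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = WIN_RE.search(line)
        if m:
            hexcode, name = decode_hresult(int(m.group(3)))
            findings.append(("windows", m.group(2), hexcode, name))
        m = SSL_RE.search(line)
        if m:
            lib, _func, reason = decode_openssl_error(int(m.group(1)))
            findings.append(("openssl", m.group(3), lib, reason))
    return findings
```

Library 20 is OpenSSL's SSL library and reason 134 is its "certificate verify failed" reason, so the OpenSSL line only repeats the verdict; the Windows HRESULT is the line that says why the chain was rejected.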

sk9375
New user
Posts: 5
Joined: 2014-09-30 16:26
Location: New York

Re: SMTP Relay SSL error

Post by sk9375 » 2014-10-03 00:34

Below is the session. Thanks.

$ openssl s_client -connect smtp.verizon.net:465
CONNECTED(00000003)
depth=3 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
i:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
1 s:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
3 s:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
issuer=/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
---
No client certificate CA names sent
---
SSL handshake has read 4552 bytes and written 520 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 50A7230F358277D259E4BD5622D98293FFFEC0D31E08D25B4CE1853DCF1EBDA4
Session-ID-ctx:
Master-Key: 9B63EF2C474836365B9757722D4B15572F9C120701CEE9A81D750DD7DAE5DC609D55F7FA9625E3518B7F7B0489FC945E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1412289095
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 vms173025pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
421 4.4.2 Timeout while waiting for command.
closed
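
The "Certificate chain" section of the session above lists what the server sends, and it can be read mechanically. This is an added example, not part of the original post: it parses that section in the format shown, labels each certificate as leaf, intermediate or self-signed root, and checks that every issuer matches the next subject. The function names are this example's own.

```python
import re

# Copied from the "Certificate chain" section of the s_client session above.
CHAIN_TEXT = """\
Certificate chain
0 s:/C=US/ST=Texas/L=Irving/O=Verizon Data Services LLC/OU=SLB Mail/CN=smtp.verizon.net
i:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
1 s:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
3 s:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] from s_client 'Certificate chain' output."""
    chain, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\d+)\s+s:(.+)", line)
        if m:
            pending = (int(m.group(1)), m.group(2))
        elif line.startswith("i:") and pending:
            chain.append((pending[0], pending[1], line[2:]))
            pending = None
    return chain

def common_name(dn):
    """Return the CN value of a slash-separated distinguished name."""
    return dn.rsplit("CN=", 1)[-1]

def classify(chain):
    """Return [(depth, role, CN, linked)]; linked means issuer == next subject."""
    report = []
    for idx, (depth, subject, issuer) in enumerate(chain):
        if subject == issuer:
            role = "self-signed root"   # trusted only if present in the root store
        elif depth == 0:
            role = "leaf"
        else:
            role = "intermediate"       # issued by another CA in the chain
        nxt = chain[idx + 1][1] if idx + 1 < len(chain) else None
        linked = role == "self-signed root" or nxt == issuer
        report.append((depth, role, common_name(subject), linked))
    return report
```

For this chain the result is one leaf, two intermediates (depth 2 is "Baltimore CyberTrust Root" presented as issued by the GTE root) and the self-signed GTE root at depth 3, which is the certificate OpenSSL's "verify error:num=19" refers to.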

sk9375
New user
Posts: 5
Joined: 2014-09-30 16:26
Location: New York

Re: SMTP Relay SSL error

Post by sk9375 » 2014-10-03 16:06

After installing the CA certificate in the Windows store, the problem went away.

I had to install the below-mentioned certificate to fix the issue.

1 s:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Thanks everybody who helped.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: SMTP Relay SSL error

Post by martin » 2014-10-03 21:41

I did some quick searches and see that a lot of Verizon customers are having issues with their email server certificates. For example, this thread has several users complaining over the same issue:
http://forums.verizon.com/t5/Verizon-ne ... 725/page/5

Seems like they have set up their servers to use a certificate which isn't trusted by default in Windows. Weird. One workaround would be to connect to a separate host name which has a proper certificate.

So it does not seem to be an issue with hMailServer.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

minollo
New user
Posts: 2
Joined: 2011-12-05 21:11

Re: SMTP Relay SSL error

Post by minollo » 2014-10-17 07:01

sk9375 wrote: After installing CA certificate in windows store, problem went away.

I had to install below mentioned certificate to fix the issue.

1 s:/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Thanks everybody who helped.

I'm having your same problem; what did you do exactly to install that certificate? I tried downloading it and installing it as a root certificate, but I'm not sure I got the right one, and the handshake still fails...

minollo
New user
Posts: 2
Joined: 2011-12-05 21:11

Re: SMTP Relay SSL error

Post by minollo » 2014-10-17 13:04

minollo wrote: I'm having your same problem; what did you do exactly to install that certificate? I tried downloading it and installing it as a root certificate, but I'm not sure I got the right one, and the handshake still fails...

Never mind, I figured it out; I didn't realize it was really two certificates, a root one (which was already installed) and the intermediate one (which was missing). All good now.

rampage
New user
Posts: 2
Joined: 2016-06-14 02:11

Re: SMTP Relay SSL error

Post by rampage » 2016-06-14 02:14

I'm getting the exact same error; however, I have the root certificate installed locally in the root cert store and the intermediate chain in the correct store as well.

Any help would be appreciated.

mattg
Moderator
Posts: 20781
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP Relay SSL error

Post by mattg » 2016-06-14 04:23

Which exact same error?

Please start a new thread and link to this one if you feel they are similar
Oh wait, I see you did already
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
