New issue 2435 by pointfulnet: SSL certificate problem for SMTP but same
certificate works for IMAP
http://code.google.com/p/k9mail/issues/detail?id=2435
Using 3.003 to connect to a Zimbra server via IMAP and SMTP. Have lost the
ability to send email at some point -- IMAP is working fine, but SMTP is no
longer working.
The cause is clearly an SSL problem. The strange thing is, the server is
using the same certificate and hostname for both IMAP and SMTP. So why
would IMAP work and SMTP fail?
Here are the details:
Going into the configuration for the Outgoing Server yields the error
message:
Setup could not finish
Cannot connect to server. (Unable to open connection to SMTP server.)
Log from that looks like:
E/k9 (21802): Error while testing settings
E/k9 (21802): com.fsck.k9.mail.MessagingException: Unable to open
connection to SMTP server.
E/k9 (21802): at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:294)
E/k9 (21802): at
com.fsck.k9.activity.setup.AccountSetupCheckSettings$1.run(AccountSetupCheckSettings.java:131)
E/k9 (21802): Caused by: java.io.IOException: Read error: Failure in
SSL library, usually a protocol error
E/k9 (21802): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeread(Native
Method)
E/k9 (21802): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.access$300(OpenSSLSocketImpl.java:55)
E/k9 (21802): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.read(OpenSSLSocketImpl.java:542)
E/k9 (21802): at java.io.InputStream.read(InputStream.java:159)
E/k9 (21802): at
java.io.BufferedInputStream.fillbuf(BufferedInputStream.java:157)
E/k9 (21802): at
java.io.BufferedInputStream.read(BufferedInputStream.java:243)
E/k9 (21802): at
com.fsck.k9.mail.filter.PeekableInputStream.read(PeekableInputStream.java:28)
E/k9 (21802): at
com.fsck.k9.mail.transport.SmtpTransport.readLine(SmtpTransport.java:403)
E/k9 (21802): at
com.fsck.k9.mail.transport.SmtpTransport.executeSimpleCommand(SmtpTransport.java:492)
E/k9 (21802): at
com.fsck.k9.mail.transport.SmtpTransport.executeSimpleCommand(SmtpTransport.java:477)
E/k9 (21802): at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:197)
E/k9 (21802): ... 1 more
Completely uninstalling K-9 and reconfiguring the account provides more
insight. When configuring the account, everything during IMAP configuration
goes fine and tests successfully. During SMTP configuration, I get this
error message:
Unrecognized Certificate
Cannot safely connect to server
(java.security.InvalidAlgorithmParameterException: the trust anchor set is
empty) Certificate chain[0]: .... <complete output of the certificate chain>
And am then prompted to "Accept Key" or "Reject Key". Accepting the Key
just gets me back to the same "Setup could not finish" error.
Log from that looks like:
E/k9 (22870): Error while testing settings
E/k9 (22870): com.fsck.k9.mail.CertificateValidationException: Not
trusted server certificate
E/k9 (22870): at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:285)
E/k9 (22870): at
com.fsck.k9.activity.setup.AccountSetupCheckSettings$1.run(AccountSetupCheckSettings.java:131)
E/k9 (22870): Caused by: javax.net.ssl.SSLException: Not trusted
server certificate
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:371)
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:520)
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:461)
E/k9 (22870): at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:175)
E/k9 (22870): ... 1 more
E/k9 (22870): Caused by: java.security.cert.CertificateException:
java.security.InvalidAlgorithmParameterException: the trust anchors set is
empty
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:151)
E/k9 (22870): at
com.fsck.k9.mail.store.TrustManagerFactory$SecureX509TrustManager.checkServerTrusted(TrustManagerFactory.java:99)
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)
E/k9 (22870): ... 4 more
E/k9 (22870): Caused by:
java.security.InvalidAlgorithmParameterException: the trust anchors set is
empty
E/k9 (22870): at
java.security.cert.PKIXParameters.checkTrustAnchors(PKIXParameters.java:611)
E/k9 (22870): at
java.security.cert.PKIXParameters.<init>(PKIXParameters.java:86)
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.<init>(TrustManagerImpl.java:82)
E/k9 (22870): at
org.apache.harmony.xnet.provider.jsse.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:132)
E/k9 (22870): at
javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:226)
E/k9 (22870): at
com.fsck.k9.mail.store.TrustManagerFactory.<clinit>(TrustManagerFactory.java:162)
E/k9 (22870): at
com.fsck.k9.mail.store.ImapStore$ImapConnection.open(ImapStore.java:2158)
E/k9 (22870): at
com.fsck.k9.mail.store.ImapStore.checkSettings(ImapStore.java:374)
E/k9 (22870): at
com.fsck.k9.activity.setup.AccountSetupCheckSettings$1.run(AccountSetupCheckSettings.java:111)
Again, the strange thing to me here is that the same certificate is being
used with SMTP as with IMAP. So why would it work with one but not with the
other? Perhaps there is a bug in the way the SSL connection is set up for
SMTP?
Could you try 3.118?
Tried 3.118 as clean install. Same result.
I'm having the exact same problem using version 3.202. Here's my log:
D/k9 ( 1553): SMTP >>> QUIT
V/k9 ( 1553): DomainNameChecker.matchDns(): this domain:
zimbra.iongroup.lu that domain: zimbra.iongroup.lu
D/k9 ( 1553): SMTP <<< 220 zimbra.iongroup.lu ESMTP Postfix
D/k9 ( 1553): SMTP >>> EHLO [192.168.178.23]
E/k9 ( 1553): Error while testing settings
E/k9 ( 1553): com.fsck.k9.mail.MessagingException: Unable to open
connection to SMTP server.
E/k9 ( 1553): at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:296)
E/k9 ( 1553): at
com.fsck.k9.activity.setup.AccountSetupCheckSettings$1.run(AccountSetupCheckSettings.java:131)
E/k9 ( 1553): Caused by: java.io.IOException: Read error: Failure in
SSL library, usually a protocol error
E/k9 ( 1553): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeread(Native
Method)
E/k9 ( 1553): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.access$300(OpenSSLSocketImpl.java:55)
E/k9 ( 1553): at
org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.read(OpenSSLSocketImpl.java:542)
E/k9 ( 1553): at java.io.InputStream.read(InputStream.java:159)
E/k9 ( 1553): at
java.io.BufferedInputStream.fillbuf(BufferedInputStream.java:157)
E/k9 ( 1553): at
java.io.BufferedInputStream.read(BufferedInputStream.java:243)
E/k9 ( 1553): at
com.fsck.k9.mail.filter.PeekableInputStream.read(PeekableInputStream.java:28)
E/k9 ( 1553): at
com.fsck.k9.mail.transport.SmtpTransport.readLine(SmtpTransport.java:405)
E/k9 ( 1553): at
com.fsck.k9.mail.transport.SmtpTransport.executeSimpleCommand(SmtpTransport.java:494)
E/k9 ( 1553): at
com.fsck.k9.mail.transport.SmtpTransport.executeSimpleCommand(SmtpTransport.java:479)
E/k9 ( 1553): at
com.fsck.k9.mail.transport.SmtpTransport.open(SmtpTransport.java:199)
E/k9 ( 1553): ... 1 more
I am getting the exact same issue with k9 3.207 on Cyanogen 6.1 (Android
2.2.1).
The same k9 version on a Samsung Vibrant (Android 2.1) works fine.
Further investigation using stunnel shows that the connection drops after
the server returns the 250 response to the EHLO.
Setting security type to 'SSL (if available)' is a workaround, though it
probably means no SSL is used.
Interestingly it still uses SSL when you choose 'SSL (if available)'. So
this workaround has no negative effect on the usage of SSL.
I get the same issue for a client on HTC Desire A2.2 using Vodafone in the
UK when using the current market version of K9. Is there any progress on
why this happens on some devices yet?
Works on all the T-Mobile devices we have without issue, including Desires.
Could it also be something on the OS the airtime provider mods?
Same issue with HTC Desire A2.2 using 3 in the UK - v3.604 of K9 mail.
Using HMail server as the backend - again with the same SSL certificate for
both sending & receiving mail (SMTP / IMAP).
Able to set up the SMTP connection when I can see the test login is
successful in the mail server logs, but the actual sending of mail is
unsuccessful & does not appear in the HMailServer logs.
All attempts to use SSL security (either if available or always) would
successfully pass the test in configuration, but would always fail to send
mail.
However I then reverted back to using SMTP - successfully sent an e-mail
and switched back to use SSL if available and it is now working....
I have the same problem, but testing the connection also fails. But when I
set it to "SSL (if available)", it works. And it really does use SSL
(because my mailserver doesn't accept authenticated login on plain SMTP):
Apr 13 00:19:27 meel postfix/smtpd[32299]: connect from <hostname><ip>
Apr 13 00:19:27 meel postfix/smtpd[32299]: setting up TLS connection from
<hostname><ip>
Apr 13 00:19:27 meel postfix/smtpd[32299]: Anonymous TLS connection
established from <hostname><ip>: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
All other applications work fine (internet browsing with the same
certificate, IMAP), and Thunderbird on a PC sends mail with it just fine.
K-9 Mail version:3.604.
Phone: HTC Desire Z. Android 2.2.1, build 1.82.405.1.
Zimbra mail server: 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition
SSL certificate is a free one bought at https://www.startssl.com/
If you need an account on my server to test with, drop me a line.
Experiencing the same issue on Evo 3D running version 3.802. Any movement
on this?
halfg wrote:
> But when I set it to "SSL (if available)", it works.
Did you try setting the account SMTP to "SSL (if available)"?
Do you mean as opposed to plain? SMTP is set to SSL (if available), because
if I set it to "SSL (always)" it fails with the certificate error.
That's the problem: force SSL and it complains about the certificate, set
SSL to "if available" and it works (SSL connection works).
My comment was for tkmR.
At the moment it seems to be the best workaround to set SSL to "SSL (if
available)".
I'll look into this when I have some time.
Again, if you need an account on my Zimbra server, let me know.
Guys, this SMTP issue is still not solved in Android 3.2.1. I have hosted
the same 2 mail servers for a decade. Everything (iOS, all devices,
Motorola, etc.) can connect to these servers fine -- EXCEPT Android. The
servers are postfix with TLS. Android refuses to configure the outgoing mail
no matter what combination of None, SSL, TLS server type is selected. There
are two types of messages that occur:
Security Type: TLS
Port: 587
(with or without sign-in required)
Cannot safely connect to server.
(java.security.cert.CertPathValidatorException: Trust anchor for
certification path not found.)
Security Type: TLS (Accept all certificates)
Port: 25
(with or without sign-in required)
Cannot safely connect to server.
(SSL handshake aborted: ssl=0x4942f0: Failure in SSL library, usually a
protocol error: 140770FC:SSL routines: SSL23_GET_SERVER_HELLO: unknown
protocol (external/openssl/s23_clnt.c:683 0xacffa3f8:0x00000000))
Can this get fixed? I know this post concerns the default Android mailer
and not K9, but I suspect the issue is with Android itself regardless of
the mailer used. Thanks.
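
The logs in this thread show two different failure signatures: a trust-anchor failure during certificate validation, and a read error inside the SSL library after EHLO. The following Python is an added example, not part of the original thread or of K-9 Mail, that rejoins the wrapped logcat lines and classifies a trace by its innermost "Caused by". The names unwrap, cause_chain and triage are hypothetical, and SAMPLE is constructed as an abridged copy of the second trace in the first post.

```python
import re
# Constructed sample: abridged from the second trace above, wrapping kept.
SAMPLE = """\
E/k9 (22870): com.fsck.k9.mail.CertificateValidationException: Not
trusted server certificate
E/k9 (22870): Caused by:
java.security.InvalidAlgorithmParameterException: the trust anchors set is
empty
E/k9 (22870): at
java.security.cert.PKIXParameters.checkTrustAnchors(PKIXParameters.java:611)
E/k9 (22870): at
com.fsck.k9.mail.store.TrustManagerFactory.<clinit>(TrustManagerFactory.java:162)
E/k9 (22870): at
com.fsck.k9.mail.store.ImapStore$ImapConnection.open(ImapStore.java:2158)
"""
TAG = re.compile(r"^[VDIWE]/k9\s*\(\s*\d+\):\s*")
EXC = re.compile(r"(?:Caused by:\s*)?([\w.$]+(?:Exception|Error)):\s*(.*)")

def unwrap(text):
    """Rejoin logcat records that were hard-wrapped across lines."""
    records = []
    for line in text.splitlines():
        if TAG.match(line):
            records.append(TAG.sub("", line).strip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def cause_chain(records):  # [exception, message, frames], outermost first
    chain = []
    for rec in records:
        m = EXC.match(rec)
        if m:
            chain.append([m.group(1), m.group(2), []])
        elif rec.startswith("at ") and chain:
            chain[-1][2].append(rec[3:])
    return chain

def triage(text):
    """Classify a trace by its root cause (the last 'Caused by')."""
    chain = cause_chain(unwrap(text))
    exc, msg, frames = (chain or [[None, "", []]])[-1]  # empty input -> "other"
    kind = "other"
    if "trust anchor" in msg.lower():
        kind = "trust-store"    # no CA roots were available to the validator
    elif "protocol error" in msg or "unknown protocol" in msg:
        kind = "tls-protocol"   # failure inside the TLS session itself
    app = [f for f in frames if f.startswith("com.fsck.k9.")]
    return {"kind": kind, "root": exc, "raised_via": app}
```

On the sample, triage(SAMPLE) reports a trust-store failure whose root exception is raised from TrustManagerFactory.<clinit>, reached through ImapStore$ImapConnection.open, exactly as the frames in the first post's trace list it.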