Unknown error of sending emails


pilla...@gmail.com

Aug 20, 2021, 4:42:06 PM
to xnat_discussion
Dear XNAT team and users,

Thank you very much in advance if you have solutions to this kind of issue.

I have XNAT 1.7.1 installed manually with PostgreSQL 9.5 and Tomcat 7. I set up the email server with the SMTP protocol and TLS. It had been working well for me for 3 years, but it stopped working 3 days ago. The error message is as follows.

XNAT has encountered an error with your request:

Status: Unknown status

URI: Unknown URI

Message: Unknown error occurred

If this error continues to occur, please contact your system administrator with information about how to recreate the problem.


The turbine.log shows errors as follows:

javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1999)
        at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:709)
        at javax.mail.Service.connect(Service.java:364)
        at org.springframework.mail.javamail.JavaMailSenderImpl.connectTransport(JavaMailSenderImpl.java:501)
        at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:421)
        at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:345)
        at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:340)
        at org.nrg.mail.services.impl.SpringBasedMailServiceImpl.sendMimeMessage(SpringBasedMailServiceImpl.java:75)
        at org.nrg.mail.services.impl.SpringBasedMailServiceImpl.sendMessage(SpringBasedMailServiceImpl.java:46)
        at org.nrg.mail.services.impl.AbstractMailServiceImpl.sendHtmlMessage(AbstractMailServiceImpl.java:149)
        at org.nrg.mail.services.impl.AbstractMailServiceImpl.sendHtmlMessage(AbstractMailServiceImpl.java:185)
        at org.nrg.mail.services.impl.AbstractMailServiceImpl.sendHtmlMessage(AbstractMailServiceImpl.java:254)
        at org.nrg.xdat.turbine.modules.actions.EmailAction.sendMessage(EmailAction.java:67)
        at org.nrg.xdat.turbine.modules.actions.EmailAction.execute(EmailAction.java:47)
        at org.nrg.xdat.turbine.modules.actions.EmailAction.doPerform(EmailAction.java:42)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.turbine.util.velocity.VelocityActionEvent.executeEvents(VelocityActionEvent.java:138)
        at org.apache.turbine.util.velocity.VelocityActionEvent.perform(VelocityActionEvent.java:81)
        at org.apache.turbine.modules.actions.VelocityAction.perform(VelocityAction.java:75)
        at org.apache.turbine.modules.actions.VelocitySecureAction.perform(VelocitySecureAction.java:64)
        at org.apache.turbine.modules.ActionLoader.exec(ActionLoader.java:102)
        at org.apache.turbine.modules.pages.DefaultPage.doBuild(DefaultPage.java:116)
        at org.apache.turbine.modules.Page.build(Page.java:56)
        at org.apache.turbine.modules.PageLoader.exec(PageLoader.java:104)
        at org.apache.turbine.Turbine.doGet(Turbine.java:796)
        at org.apache.turbine.Turbine.doPost(Turbine.java:891)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.nrg.xnat.restlet.util.UpdateExpirationCookie.doFilter(UpdateExpirationCookie.java:37)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.nrg.xnat.security.XnatInitCheckFilter.doFilter(XnatInitCheckFilter.java:51)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.nrg.xnat.security.XnatBasicAuthenticationFilter.doFilterInternal(XnatBasicAuthenticationFilter.java:143)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)

Moore, Charlie

Aug 20, 2021, 4:46:43 PM
to xnat_di...@googlegroups.com
Hello,

When it stopped working 3 days ago, did that correspond with a restart of tomcat? If so, you're running into this bug: https://issues.xnat.org/browse/XNAT-5975, which was fixed in 1.8.2. As a workaround, you can try:
  1. Turn "Start TLS" off in the mail server settings. Save the form.
  2. Turn "Start TLS" back on and save again.
Give that a try and let us know if it resolves the issue for you.

Thanks,
Charlie


pilla...@gmail.com

Aug 20, 2021, 6:45:34 PM
to xnat_discussion
Hi Charlie,

Thank you for your help. Yes, 3 days ago a user reported that my XNAT server gave a 502 error, so I restarted tomcat7. But I didn't test email at the time. I turned TLS off and saved the form, then turned TLS back on and saved again. The same issue remains. What should I do now?

Best wishes,
Jianliang

pilla...@gmail.com

Aug 26, 2021, 4:58:14 PM
to xnat_discussion
Hi Charlie,

I have been repeating the steps you suggested, but I have had no luck at all. My current OS is Ubuntu 18.04 (bionic), with tomcat7, postgresql 9.5 and Java-8. Any further advice please! Thank you very much.

Best wishes,
J

Herrick, Rick

Aug 26, 2021, 8:12:29 PM
to xnat_di...@googlegroups.com

I suspect the issue is that your SMTP service is using an outdated/deprecated encryption algorithm, most likely TLSv1 or TLSv1.1. It’s possible there’s an easy fix. In the mail server settings under site administration, there’s an entry for SSL trust. Try putting the address for your SMTP server in that box and clicking Save. You’ll need to restart XNAT for that change to take effect.

 

If that works, great! If not (and I suspect it won’t because it’s breaking at the transport level), things get a bit dicier. The first thing to check is what encryption the SMTP server is trying to use. You can find this out with the following command (here I’m using Gmail’s SMTP server, but just substitute the server address and port for your

 

$ echo quit | openssl s_client -connect smtp.gmail.com:587 -starttls smtp

 

I’ve attached the full output, but the part you’re interested in is towards the bottom:

 

SSL handshake has read 4545 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

 

My guess is that you’ll see something like TLSv1 or SSLv3 where TLSv1.3 is here.

 

Regardless of what you see there, the next step is to check the security settings for your JRE/JDK. These can be found in a file named java.security, which you should be able to find in the folder jre/lib/security inside your JRE/JDK installation (e.g. /usr/lib/jvm/java-8-openjdk-amd64). In that file, look for an entry named jdk.tls.disabledAlgorithms:

 

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

 

If the algorithm you see in the output from openssl is in the list of disabled algorithms, then that’s your issue.

 

I’m about 95% certain that’s what’s going on.

 

You can fix that in a few ways. In order from best to worst:

 

  • Upgrade or configure your SMTP server to use a newer encryption algorithm for TLS. If you have no control over or access to that server, this obviously isn’t an option, at least not directly. However, those algorithms are disabled for a reason, which is that there are known weaknesses and/or exploits, so the best fix is to use better encryption.
  • Modify java.security to remove the encryption algorithm that the SMTP server is trying to use. You’re still using a weaker/deprecated algorithm but at least the exposure is limited to that single algorithm.
  • Downgrade your JRE/JDK to a version that doesn’t disable the encryption algorithm that the SMTP server is trying to use.

 

HTH.

 

-- 

Rick Herrick

XNAT Architect/Developer

Computational Imaging Laboratory

Washington University School of Medicine

smtp.gmail.com-connect.txt
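
The comparison described in the post above (protocol reported by openssl s_client against jdk.tls.disabledAlgorithms), as an added example that is not part of the original thread or of XNAT. It goes slightly beyond the post by preferring the "Protocol" line of the SSL-Session block when it is present, because the "New," line names the protocol version that first defined the cipher. The function names and the LEGACY and FAILED samples are constructed for illustration.

```python
import re

def disabled_algorithms(java_security_text):
    """Entries of jdk.tls.disabledAlgorithms, with '\\' continuation lines joined."""
    value, collecting = "", False
    for raw in java_security_text.splitlines():
        line = raw.strip()
        if not collecting:
            m = re.match(r"jdk\.tls\.disabledAlgorithms\s*[=:]\s*(.*)", line)
            if not m:
                continue  # comment lines and other properties
            line, collecting = m.group(1), True
        value += line.rstrip("\\")
        if not line.endswith("\\"):
            break  # last line of the property
    return [e.strip() for e in value.split(",") if e.strip()]

def negotiated_protocol(openssl_output):
    """Protocol from s_client output, or None if no handshake completed."""
    new = re.search(r"^New, (\S+), Cipher is (\S+)", openssl_output, re.M)
    if new is None or new.group(2) == "(NONE)":
        return None
    # Prefer the SSL-Session "Protocol" line; fall back to the "New," line.
    session = re.search(r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)", openssl_output, re.M)
    return session.group(1) if session else new.group(1)

def diagnose(java_security_text, openssl_output):
    """Only the protocol version is compared; cipher names are not, because
    OpenSSL and the JRE spell cipher suite names differently."""
    protocol = negotiated_protocol(openssl_output)
    if protocol is None:
        return "no-handshake"
    disabled = {e.lower() for e in disabled_algorithms(java_security_text)}
    return "disabled-in-jre" if protocol.lower() in disabled else "not-disabled"

# Property as quoted in the post; the comment line is constructed.
JAVA_SECURITY = r"""
# constructed comment line
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""
GMAIL = "Verification: OK\n---\nNew, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\n"
# Constructed samples: a TLS 1.0-only server and a failed handshake.
LEGACY = ("New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA\n"
          "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : ECDHE-RSA-AES256-SHA\n")
FAILED = "New, (NONE), Cipher is (NONE)\n"

if __name__ == "__main__":
    for name, out in [("gmail", GMAIL), ("legacy", LEGACY), ("failed", FAILED)]:
        print(name, diagnose(JAVA_SECURITY, out))
```

A "not-disabled" result only rules out the java.security block list; the JRE may still lack support for the protocol or share no cipher suite with the server.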

pilla...@gmail.com

Aug 27, 2021, 5:47:13 PM
to xnat_discussion
Hi Rick,

Thank you very much.

In the java.security, I have 

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224

My SMTP server (I don't have control at all) returns

---
SSL handshake has read 4274 bytes and written 523 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384


What should I do?


Best wishes,

J



pilla...@gmail.com

Sep 10, 2021, 10:00:44 AM
to xnat_discussion
Hi Rick and Charlie,

I am just updating you. I have the issue sorted out. After discussing it with my colleagues at the IT department, I found out that it was caused by a recent change of SMTP security policy on the university mail server. A new SMTP address is provided and now the mail sending service is back online.

Thank you very much for your discussion and help earlier.

Best wishes,
J
