CA Service Management

Expand all | Collapse all

Mail eater error with STARTTLS office365

Jump to Best Answer
  • 1.  Mail eater error with STARTTLS office365

    Posted 06-06-2018 05:46 AM

    Hello,

     

    I tried to configure the mail eater like is described on the following document:

    Connecting Maileater to Office 365 Mail - CA Service Management - 17.1 - CA Technologies Documentation 

     

    Unfortunately I'm getting the following error messages:

     

    ERROR [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Failed to make connection with STARTTLS to server outlook.com, port 143, trying SSL connection

     

    ERROR [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Failed to connect to the Store.

     

    Bellow is the configuration:

     

    Can anyone help me to understand what is wrong? What can I do to solve this?

     

    Thank you in advance



  • 2.  Re: Mail eater error with STARTTLS office365

    Broadcom Employee
    Posted 06-06-2018 09:57 AM

    For the User Name field, are you using the full email address of your Office365 account, or just the username portion?

     

    Can you confirm if port 143 is open through your firewall / traffic filtering? I've seen similar errors when port 143 was blocked, preventing a connection to the O365 servers.



  • 3.  Re: Mail eater error with STARTTLS office365

    Posted 06-06-2018 10:01 AM

    Hi,

     

    I'm using the full email address and the port is open.



  • 4.  Re: Mail eater error with STARTTLS office365

    Broadcom Employee
    Posted 06-06-2018 11:16 AM

    what if you change the certificate path from

    D:/certificates/O365Cert.cert

    to

    D:\certificates\O365Cert.cert

    ?



  • 5.  Re: Mail eater error with STARTTLS office365

    Posted 06-06-2018 03:34 PM

    Hi,

     

    Already tried that but didn't work.

    I've also noticed another error in the logs

     

    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.



  • 6.  Re: Mail eater error with STARTTLS office365

    Broadcom Employee
    Posted 06-06-2018 04:09 PM

    on which server you have

    D:\certificates\O365Cert.cert

    ?



  • 7.  Re: Mail eater error with STARTTLS office365

    Posted 06-07-2018 01:29 PM

    I only have one server.

    And the SDM installation is on D: disk

    I also tried the path with // and \\, still got the same error message.

    In the firewall, I've also opened the 993 port.

     

    Should I change the certificate to another folder?

    What do you suggest?



  • 8.  Re: Mail eater error with STARTTLS office365

    Broadcom Employee
    Posted 06-07-2018 02:12 PM

    So I assume this file is on the SDM server

    Did you recycle pdm_maileater_nxd?

    If all yes, then I would recommend open a Support case. The message says there is no certificate.



  • 9.  Re: Mail eater error with STARTTLS office365

    Posted 06-08-2018 07:05 AM

    Hi,

     

    I will do that.

    Thanks a lot for your help.

     

    Regards



  • 10.  Re: Mail eater error with STARTTLS office365
    Best Answer

    Posted 06-08-2018 07:08 AM

    The way to write the certificate path is

    C:/certificates/O365Cert.cer

     



  • 11.  RE: Re: Mail eater error with STARTTLS office365

    Posted 10-22-2019 02:01 AM
    Hi,

    Did you manage to resolve the issue, if so what was the resolution.

    Regards,
    Yogan


  • 12.  RE: Re: Mail eater error with STARTTLS office365

    Posted 09-02-2020 05:22 PM
    We are also experiencing this problem now. Was a solution ever found?


  • 13.  RE: Re: Mail eater error with STARTTLS office365

    Posted 09-03-2020 04:53 AM
    Check if the Office365 haven't changed their SSL certs, you may have to re-import them again in the `.cer` file that is configured in SDM.


  • 14.  RE: Re: Mail eater error with STARTTLS office365

    Posted 09-03-2020 11:06 AM
    Hi,
    Even with correct certificate. When SDM is restarted it reads just once the email. Than it will continue with error and nothing happens.

    2020-09-03 11:08:40:473 INFO [pool-4-thread-2] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400001.
    2020-09-03 11:08:43:288 INFO [ForkJoinPool-1-worker-2] c.c.S.m.ConnectSession - [mailbox:O365 SDM:400001] Received messages count : 3
    2020-09-03 11:08:45:471 INFO [ForkJoinPool-1-worker-2] c.c.S.m.ConnectSession - [mailbox:O365 SDM:400001] Processed messages count: 3
    2020-09-03 11:09:15:472 INFO [pool-4-thread-4] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400001.
    2020-09-03 11:09:15:684 ERROR [ForkJoinPool-1-worker-3] c.c.S.m.c.JavaMailPOP3Client - Failed to connect to the Store.
    javax.mail.MessagingException: Connect failed
    ...
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: ...
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    ...
    Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 33 common frames omitted
    2020-09-03 11:47:56:142 INFO [pool-4-thread-2] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400001.
    2020-09-03 11:48:24:853 INFO [pool-4-thread-4] c.c.S.m.MailboxPollingRequest - Scheduled Mail Poll has been cancelled.
    2020-09-03 11:49:05:401 ERROR [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailPOP3Client - Failed to make connection with STARTTLS to server outlook.com, port 995, trying SSL connection
    2020-09-03 11:49:05:678 ERROR [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailPOP3Client - Failed to connect to the Store.
    javax.mail.MessagingException: Connect failed
    ...
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    ...
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    ...
    Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 34 common frames omitted





  • 15.  RE: Re: Mail eater error with STARTTLS office365

    Posted 09-03-2020 11:06 AM
    We are experiencing the same for almost a week - tried several certificates, nothing woprks.


  • 16.  RE: Mail eater error with STARTTLS office365

    Posted 09-03-2020 11:06 AM
    We are experiencing the same in our environment, tried changing certificates, everything - it just comes with the same error. Already opened a support case.


  • 17.  RE: Mail eater error with STARTTLS office365

    Posted 09-03-2020 12:48 PM
    Hi Pavel,

    I was able to resolve my issue today! Turns out, Outlook got a new cert back in August. I had to open a case with Microsoft to get assistance with getting that new cert (make sure you use the root cert!), but the engineer I worked with said you can use OpenSSL tool to get the cert, too, if needed.

    Once I put the new cert on my SD servers, updated the cert path in all my maileater mailboxes, and restarted SDM services, it started working again! I hope this helps your problem, too!



  • 18.  RE: Mail eater error with STARTTLS office365

    Posted 09-03-2020 12:54 PM
    Here's the instructions MS gave me for grabbing the cert with OpenSSL:


    If you want, go here to install OpenSSL for Windows

    https://wiki.openssl.org/index.php/Binaries 

     

    after installing, open a cmd prompt as local admin and go to the source bin folder, C:\Tools\OpenSSL-Win64 SupportTLS1.2\bin, and type-

    openssl s_client -connect outlook.com:143

     

    after you hit enter, scroll down to where you see "Begin Certificate" and copy all the data there starting with "Begin Certificate until and including "End Certificate" then paste to notepad and save as a .cer file.

     

    See below-

     

    CONNECTED(000000E8)

    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA

    - SHA256 - G3

    verify error:num=20:unable to get local issuer certificate

    verify return:1

    depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = ou

    tlook.com

    verify return:1

    ---

    Certificate chain

    0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlo

    ok.com

       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA -

    SHA256 - G3

    1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA -

    SHA256 - G3

       i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

    ---

    Server certificate

    -----BEGIN CERTIFICATE-----

    MIIIqzCCB5OgAwIBAgIMbeoL4ZcnYKFZsYVgMA0GCSqGSIb3DQEBCwUAMGYxCzAJ

    BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH

    bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g

    RzMwHhcNMjAwODEzMjMxODQ5WhcNMjIwODE0MjMxODQ5WjBqMQswCQYDVQQGEwJV

    UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE

    ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMRQwEgYDVQQDEwtvdXRsb29rLmNvbTCC

    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkgP1e5+XGqPGoKXT/JjZml

    UCYlTtxpUrMzcOdyooOSVNHUhhXyxGX4vOXSHhIlnnWOd9KOlMoDS/TIyuPjm2aj

    oTd0zP7EHmTc4xi6wXs5W7FH6RGS7+7mCM2TewnHOf7l4kc/aHikF3gTyxI4nYkr

    H3Wbh11T/LAqry2GinY7zl6uQ3Rowyi/EC/d2UNLLabcH22Q0M4UHmzcewbke6mB

    QO3eGLffU2G8GIMRx7Qbme8U5GM541wv54lYW9oDOjmWispP2ONsf27T5zA0nNuL

    6GqmCHcdY9ZXnc2nRwU5lnv9mgmZ70mxiQK+T7jvoAQpdPuafp2oEPt+sGxgT1cC

    AwEAAaOCBVMwggVPMA4GA1UdDwEB/wQEAwIFoDCBngYIKwYBBQUHAQEEgZEwgY4w

    SwYIKwYBBQUHMAKGP2h0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0

    L2dzb3JnYW5pemF0aW9udmFsc2hhMmczLmNydDA/BggrBgEFBQcwAYYzaHR0cDov

    L29jc3AyLmdsb2JhbHNpZ24uY29tL2dzb3JnYW5pemF0aW9udmFsc2hhMmczMFYG

    A1UdIARPME0wQQYJKwYBBAGgMgEUMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3

    Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECAjAJBgNVHRMEAjAA

    MEYGA1UdHwQ/MD0wO6A5oDeGNWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3Nv

    cmdhbml6YXRpb252YWxzaGEyZzMuY3JsMIICEAYDVR0RBIICBzCCAgOCC291dGxv

    b2suY29tghYqLmNsby5mb290cHJpbnRkbnMuY29tgg0qLmhvdG1haWwuY29tghYq

    LmludGVybmFsLm91dGxvb2suY29tggoqLmxpdmUuY29tghYqLm5yYi5mb290cHJp

    bnRkbnMuY29tggwqLm9mZmljZS5jb22CDyoub2ZmaWNlMzY1LmNvbYINKi5vdXRs

    b29rLmNvbYIXKi5vdXRsb29rLm9mZmljZTM2NS5jb22CG2F0dGFjaG1lbnQub3V0

    bG9vay5saXZlLm5ldIIdYXR0YWNobWVudC5vdXRsb29rLm9mZmljZS5uZXSCIGF0

    dGFjaG1lbnQub3V0bG9vay5vZmZpY2VwcGUubmV0ghZhdHRhY2htZW50cy5vZmZp

    Y2UubmV0ghphdHRhY2htZW50cy1zZGYub2ZmaWNlLm5ldIIdY2NzLmxvZ2luLm1p

    Y3Jvc29mdG9ubGluZS5jb22CIWNjcy1zZGYubG9naW4ubWljcm9zb2Z0b25saW5l

    LmNvbYILaG90bWFpbC5jb22CFm1haWwuc2VydmljZXMubGl2ZS5jb22CDW9mZmlj

    ZTM2NS5jb22CEm91dGxvb2sub2ZmaWNlLmNvbYIUc3Vic3RyYXRlLm9mZmljZS5j

    b22CGHN1YnN0cmF0ZS1zZGYub2ZmaWNlLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcD

    AQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUaIa4fXrZbUlrhy8YixU0bNe0eg4wHQYD

    VR0OBBYEFIp8c0RwqE2DJW+mU9pCUpbJFXEhMIIBfAYKKwYBBAHWeQIEAgSCAWwE

    ggFoAWYAdgAiRUUHWVUkVpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAXPqHn0v

    AAAEAwBHMEUCIQD0UI/nOMl60ff3acUF6o4DgCyHBgO2m+algy+5r3u0rAIgUaaP

    6OVsp/8WAX4VQhEx3NzHN3xkLKzdQrs8eTF0zJ0AdQApeb7wnjk5IfBWc59jpXfl

    vld9nGAK+PlNXSZcJV3HhAAAAXPqHnqnAAAEAwBGMEQCIAPxGdcPL8SphKAz1Ham

    7vGu4APnrphDF7AP+xK7E9o0AiAQ5qkdixxk1Mn3wD08d0mxCD0dXjT52RB8dGsY

    xl5tBwB1AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABc+oefa4A

    AAQDAEYwRAIgJiFk26biPTJ9n6iutym3QptJqvWlwBIBobbn8gHUL0UCIE4Zukd1

    i0nXS7oEYt2it2sF0AEffDYXJymyFxx/EIGKMA0GCSqGSIb3DQEBCwUAA4IBAQAm

    9KN3HdyexBqIIzCM4RT5Yg6/rSTJq6vQaIu88ewc0Jat+V/d4O6o4Cw6GaVoDG7+

    5oDOoztsAIhcvzzYaAg2uZ6Em1+X+3fqcvtzRwCwqHxkOPHMwClxZ2V2TIBYl8hi

    Yz7xPsAOSF9VIY+WaL1BFHoLjDFbOayjoJlYJPrZGTIcny2p7bmXpGYwKdiCovX8

    bRDxrB0/+96hDraEkNRVXCEbHyFFksWaRwUPuBx4brlro6mNsVn/9OZxdzgS/kGP

    BJIIPzIqkl4Ke34E7iQQOfOsXgSTkaKPkAQzXFyUs4ArQ7/jdGQg9ACybHuod/t0

    Nc7dtl+DGMTnMRqNMA3E

    -----END CERTIFICATE-----

    subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = ou

    tlook.com

     

    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA

    - SHA256 - G3

     

    ---




  • 19.  RE: Mail eater error with STARTTLS office365

    Posted 09-03-2020 01:24 PM
    I found that I had to use port 993 to get that response.

    ------------------------------
    Lindsay Estabrooks
    Principal Consultant
    IT-EDU Consultants
    ------------------------------



  • 20.  RE: Mail eater error with STARTTLS office365

    Posted 09-04-2020 10:35 AM
    Hi,

    I got it only after ran the following command:

    C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\newcertificate.cert
    Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi 
    th a validity of 36.500 days 
    for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US 
    [Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore] 
    Certificate was added to keystore 
    [Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]


  • 21.  RE: Mail eater error with STARTTLS office365

    Broadcom Employee
    Posted 09-04-2020 10:53 AM

    Hello all,

    There is a known issue with regards to certificates and Office 365, which has been documented here:
    https://knowledge.broadcom.com/external/article?articleId=198751




  • 22.  RE: Mail eater error with STARTTLS office365

    Posted 09-04-2020 12:31 PM
    Thanks David,

    That article has been useful. I have been able to help several of my clients get this working again quickly.

    Cheers,

    ------------------------------
    Lindsay Estabrooks
    Principal Consultant
    IT-EDU Consultants
    ------------------------------



  • 23.  RE: Mail eater error with STARTTLS office365

    Broadcom Employee
    Posted 09-04-2020 12:37 PM
    No worries.  I included more specific information in the article to elaborate on where the certificates originated.


  • 24.  RE: Mail eater error with STARTTLS office365

    Posted 09-08-2020 03:23 AM
    Wouldn't it be easier for pdm_mail_nxd/pdm_maileater to automatically trust the CA certificates distributed with the JDK ?

    This would make the SSL/TLS (which nowadays is kind of mandatory everywhere) easier to configure - no more certificate file to create - and would alleviate this set of problems (mail provider changing the CA for their certificates).