Configure Incoming Mail Handler on Jira Data Center using *Shared* mailbox

Archana Bellamkonda October 28, 2019

I am at my wit's end on this, and hope to hear if anyone managed to get Mail Handlers to work on Jira Data Center using "Shared" mailbox. 

I got the following details from our AD team - 

Server/Host Name: some.outlook.host.com
IMAP Port: 993
Encryption: SSL/TLS
Email: some.user@somecompany.com
Login User: some_username@some.company.net

 

The first thing that I did was to download the public certificate. I tried a couple of ways to do this. One was to use openssl - 

openssl s_client -connect some.outlook.host.com:993 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > someHostPublic.crt

I also tried to use Portecle and download it again. 

I checked that our Jira is using java under /JIRA_HOME/jre. I set the JAVA_HOME property to point to the right location of Jira.

 

I then added the certificate to cacerts under $JAVA_HOME/jre. I restarted both application and server. Nothing seemed to work. I even tried to do a system search to find all java, and add the cert to other java cacerts as well.

I keep getting this error - InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

If anybody figured this out, then PLEASE help out.

 

Thanks,

Archana

3 answers

1 accepted

0 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 31, 2019

Hi Archana,

Sorry to hear about the frustration here. However, the title of this post and the content in the description appear to be dealing with two very different problems with configuring a mailbox for Jira to use.

I'd like to address the Shared Mailbox aspects mentioned in the title first.  Please see our KB on "IMAP fails with A3 BAD User is authenticated but not connected error in Jira server integrated with Office365".  It highlights a very common problem that Jira will not yet support the use of a shared mailbox over IMAP at this time.  That said, there is a workaround here that can still offer a means to use that mailbox, albeit using a different protocol.  The solution there is to use the POP3 protocol instead of IMAP, and have the username reference the shared mailbox alias like so:

Protocol: SECURE_POP
Host: outlook.office365.com
Port: 995
Username: licenseduser@mydomain.com\sharedmailboxalias
Password: (licensed user password)

That is at least one way that we know Jira server and data center deployments can connect to such mailboxes.

 

As for the problem you primarily are writing about, the TLS/SSL connection problem:

We have seen the specific error you mentioned before, often enough that we created a knowledge base article about it in "SSL connections fail from Jira server to external systems".

In short that KB confirms that Jira's JVM truststore does not yet see the needed certificate to be able to connect to that service.  While that guide does state the resolution is to follow the Connecting to SSL services guide and I agree we should eventually follow that to the letter, in your case before you do that the first steps should be instead to install a JAVA JRE/JDK separately on the operating system of each node rather than trying to use the bundled JRE.  This could be an Oracle Java or possibly an OpenJDK depending on which is supported per the supported platforms for the version of Jira you have.

I know you mentioned that you configured the JAVA_HOME variable to point at the bundled Java deployment included with Jira, but I'm not a fan of this approach.  Mostly because we know that Jira upgrades have the potential to overwrite/change data in the $JIRAHOME/ and $JIRAINSTALL/ directories.  By installing Java separately, in its own directory and setting up JAVA_HOME to use that JVM, we can make Java and its truststore far more resilient to upgrades of Jira itself. Otherwise every time you upgrade Jira you will potentially need to add back all SSL/TLS certificates needed to connect to secured sites all over again (and for each node).

The more difficult aspect about doing that here is that since you are on a data center deployment, you would have to repeat these steps for each node in the cluster.  That could be a frustrating and confusing additional factor here with data center.  Out of the box with data center, it's not always clear which of the nodes in a data center cluster will be making the outbound call to the mail server to retrieve that data, so each node has to be set up with the correct certificates so any one of them can successfully make this connection.

I hope this helps to clarify things a bit.  Please let me know if you have any questions or concerns about this approach.

Cheers,

Andy

Archana Bellamkonda December 10, 2019

Hi Andy,

I appreciate your detailed answer. We were on the path to upgrading Jira, so I waited until we finished the upgrade to re-try this. I am trying this on our test instance. 

I stopped all nodes and started Jira on only ONE node. This time, we are running latest version of Jira - 8.5.1 and Jira is configured to use a separate Java - not bundled Java. I installed certificates on this local Java, and got past the InvalidAlgorithm error. Wanted to let you know of this!!

 

My Incoming Mail configuration now looks like - 

Protocol: SECURE_POP

Host Name: outlook.office365.com

Username: <userid>@<domain>\<mailbox-alias>

Password: <password that I received for <userid>>

 

This time, I get a new error - 

AuthenticationFailedException: Logon failure: unknown user name or bad password.

 

AD team just reset the password, and confirmed that POP is enabled and that the alias I am using is correct. I will do some research on the new error, but please let me know if this is a known issue.

 

Thanks,

Archana

Andy Heinzer
Atlassian Team
December 13, 2019

Hi Archana,

Glad to hear you got past the first error.  That does appear to be the correct format for trying to set up this mailbox to work with Jira.  So I'm afraid I don't know what could be causing the logon failure message you are seeing here.

I'm curious to learn if a different Host name might be needed here to make this work.  I don't know for sure that is the cause here, but in some cases where domains are using outlook as the provider, there might be a domain alias to use instead, such as mail.example.com.  But of course, I'm not certain if that is correct for your environment. 

0 votes
Himanshu Mundra September 15, 2020

Hi,

We are also using pop3 and outlook office365
but we keep receiving

http error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is there any solution for this ?

It seems like outlook office 365 keeps changing certificate 
we installed multiple certificate but with no success

 

Any guidance here would be very helpful 

Thanks

Andy Heinzer
Atlassian Team
September 16, 2020

A PKIX path building error means that Jira's JVM truststore does not have one or more certificates needed in order to establish trust with the server in question.  We have a KB that can help explain and diagnose the problem further over in Unable to connect to SSL services due to "PKIX Path Building Failed" error.

Try walking through those steps to help identify the certs needed and then you should be able to use a utility like portecle in order to add those certificates to the truststore.
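
Both truststore errors in this thread (the empty trustAnchors and the PKIX path failure) come down to which cacerts file Jira's JVM reads and what is in it. The following is an added example, not code from the posters or from Atlassian: it locates that file, splits the chain the mail server presents, and imports the issuing certificates rather than the leaf. The function names are hypothetical, and `changeit` in the usage comment is the JDK's default cacerts password, assumed unchanged.

```shell
#!/bin/sh
# Added example: truststore helpers to run on EACH Jira Data Center node.
# Function names are hypothetical; keytool and openssl are the standard tools.

# Print the cacerts file used by default by the JVM under $1 (JAVA_HOME).
# Fails when the file is missing or empty, the usual cause of
# "the trustAnchors parameter must be non-empty".
find_cacerts() {
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -s "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    echo "no non-empty cacerts under $1" >&2
    return 1
}

# Split `openssl s_client -showcerts` output (stdin) into $1/cert-N.pem,
# one file per certificate, leaf first. Prints the number of certificates.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }'
}

# Import every certificate after the leaf (cert-2.pem onward) as a trust anchor.
# Trusting the issuer instead of the leaf survives server certificate rotation.
# $1 = directory from split_chain, $2 = cacerts path, $3 = store password
import_issuers() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        [ "$f" = "$1/cert-1.pem" ] && continue
        keytool -importcert -noprompt -alias "mail-$(basename "$f" .pem)" \
                -file "$f" -keystore "$2" -storepass "$3"
    done
}

# Usage (host and port are the placeholders from the question):
#   ks=$(find_cacerts "$JAVA_HOME") && d=$(mktemp -d)
#   openssl s_client -showcerts -connect some.outlook.host.com:993 </dev/null \
#       | split_chain "$d"
#   import_issuers "$d" "$ks" changeit
#   keytool -list -keystore "$ks" -storepass changeit | grep mail-cert
```

If `split_chain` prints 1, the server sent only its leaf certificate and the issuer has to be obtained from the CA directly. Restart the node after importing so the JVM rereads the truststore.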

0 votes
Greg Redl August 5, 2020

*BUMP*
Getting the same results trying to configure an Incoming Mail connector to an Exchange Online shared mailbox

AuthenticationFailedException: Logon failure: unknown user name or bad password.

Protocol: Secure POP

Port: 995
Username: licenseduser@domain.com\sharedalias

Password: licenseduserpassword

 

There is a bug ticket open, but following that information still results in the same logon failure - https://jira.atlassian.com/browse/JRASERVER-30688

Our Office 365 Azure has 'Security Defaults' enabled to enforce multi-factor authentication.  Can I presume that this is not supported in Jira yet?  If not, is it on the road map to be?

Andy Heinzer
Atlassian Team
August 6, 2020

Jira Server and Data Center have started to implement OAuth 2.0 for incoming mail servers, but right now this is limited to Microsoft mail servers and does not yet include Gmail.  More details can be found in JRASERVER-63917, which also points out that this implementation begins with Jira 8.10.0; more info is in "Preparing for Jira 8.10".

Greg Redl August 6, 2020

Andy,

Thanks for the update.  I will see about getting this version into testing to see if the Incoming Mail connector to Microsoft can be established.
