Socket timeout on SMTP server

Pawel Kulpa
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
May 31, 2020

I have come upon an interesting behaviour of the Jira server while configuring notifications via a cloud hosted SMTP server.

When I try to configure SMTP notifications in Jira using the SMTP with TLS on 465, I get a SocketTimeoutException.

Of course the first thing I suspected was a network problem, but I installed the email client (Thunderbird) on the server hosting the Jira instance and repeated the configuration. To my surprise everything worked OK, which suggests that the Jira server itself might have a problem with the SMTP connection.

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 3, 2020

Hey Pawel, welcome to the Community!

I'd like more information about which Cloud hosted SMTP service you're using if that's possible. 465 isn't an official standardized port; I'd expect secure SMTP traffic to go over 587 on modern mail servers. Knowing what provider you're using might be helpful in diagnosing the cause of the problem.

 

One thing that comes to mind is that Thunderbird will be using your system's certificate store, whereas Jira is going to use Java's keystore. Not all the certificate authorities trusted by your system may be trusted by your Java environment, and if your mail server is using STARTTLS, you'll get a read timeout with a certificate error.

We've got a knowledgebase article with a description of this error. Let's go down this path and see if that's the cause!

 

Testing your mailserver to see if it uses STARTTLS

Use the check TLS tool to enter your mail server's address and see if it responds with a STARTTLS confirmation

If it does, continue on to collect and import the mail server's certificate into Java's keystore!

Retrieving and importing a mail certificate with STARTTLS

Firstly, you'll need to get the public certificate your mail server is providing. Swap in the server address in this command (I've listed port 465 as that's what you've stated - it is worth double-checking with the provider if they offer service on 587):

openssl s_client -debug -connect SMTP.YOURMAILSERVICE.com:465 -starttls smtp < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

 

This saves their cert to public.crt - which you then need to import into the java keystore in the Java environment Jira is running under. Run this command in your Jira's installation directory (change the path to public.crt if it's saved somewhere else):

jre/bin/keytool -import -alias tomcat -keystore jre/lib/security/cacerts -file public.crt

Finally, you'll need to restart Jira for the imported cert to be available.

 

 

We've also got some guidance if the problem is truly caused by some sort of timeout - either due to slow network or Exchange server throttling. If the above didn't help, you can work through the steps and resolutions in this kb article about timeouts.

Cheers,
Daniel

Pawel Kulpa
I'm New Here
June 4, 2020

Yes, that's it. I got misled by the suggestion in Jira GUI to use port 465.

BTW it would be nice to update the suggestion to the new port.

Daniel Eads
Atlassian Team
June 8, 2020

Great suggestion - I've logged this in our public Jira instance. I'm glad you got it straightened out with your mail server!
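For the port 465 versus 587 question in this thread, a small probe that talks to the mail port in plaintext first, as a STARTTLS client does, and reports what it saw. This is an added example, not code from the posts above or from Atlassian; the function names, the returned labels and the sample EHLO reply are assumptions made for illustration.

```python
import socket
import ssl

# Constructed sample EHLO reply (not captured from a real server).
SAMPLE_EHLO = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"

def parse_ehlo(reply):
    """Extension keywords from a multi-line 250 reply to EHLO."""
    lines = reply.splitlines()[1:]  # first line only names the server
    return {ln[4:].split()[0].upper() for ln in lines if ln.startswith("250") and ln[4:].split()}

def classify(banner, ehlo_reply=""):
    """Label what a plaintext client saw; banner is None on a read timeout."""
    if banner is None:
        return "silent"  # typical of a port that expects TLS from the first byte
    if not banner.startswith("220"):
        return "not-smtp"
    return "starttls" if "STARTTLS" in parse_ehlo(ehlo_reply) else "plaintext-only"

def read_reply(sock):
    """Read one full SMTP reply; its last line has a space after the code."""
    data = b""
    while not (data.endswith(b"\n") and data.splitlines()[-1][3:4] != b"-"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace")

def probe(host, port, timeout=10.0):
    """Connect without TLS and wait for the 220 greeting."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = read_reply(s)
        except socket.timeout:
            return classify(None)  # connected, but the server never greeted us
        if not banner.startswith("220"):
            return classify(banner)
        s.sendall(b"EHLO probe.invalid\r\n")
        return classify(banner, read_reply(s))

def implicit_tls_banner(host, port, timeout=10.0):
    """TLS from the first byte; returns the 220 greeting on an implicit-TLS port."""
    ctx = ssl.create_default_context()  # Python's trust store, not Java's cacerts
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return read_reply(tls)
```

A `silent` result from `probe` followed by a 220 greeting from `implicit_tls_banner` on the same port means the port speaks TLS from the first byte, so a client configured for STARTTLS there will wait for a greeting until its read timeout expires. A successful handshake here says nothing about Java's keystore, which still has to trust the server's chain.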

Deployment type: Server
Version: 8.6.0