I have come upon an interesting behaviour of the Jira server while configuring notifications via a cloud-hosted SMTP server.
When I try to configure SMTP notifications in Jira using SMTP with TLS on 465, I get a SocketTimeoutException.
Of course the first thing I suspected was a network problem, but I installed the email client (Thunderbird) on the server hosting the Jira instance and repeated the configuration. To my surprise everything worked OK, which suggests that the Jira server itself might have a problem with the SMTP connection.
Hey Pawel, welcome to the Community!
I'd like more information about which Cloud hosted SMTP service you're using if that's possible. 465 isn't an official standardized port; I'd expect secure SMTP traffic to go over 587 on modern mail servers. Knowing what provider you're using might be helpful in diagnosing the cause of the problem.
One thing that comes to mind is that Thunderbird will be using your system's certificate store, whereas Jira is going to use Java's keystore. Not all the certificate authorities trusted by your system may be trusted by your Java environment, and if your mail server is using STARTTLS, you'll get a read timeout with a certificate error.
We've got a knowledgebase article with a description of this error. Let's go down this path and see if that's the cause!
Testing your mailserver to see if it uses STARTTLS
Use the check TLS tool to enter your mail server's address and see if it responds with a STARTTLS confirmation.
If it does, continue on to collect and import the mail server's certificate into Java's keystore!
Retrieving and importing a mail certificate with STARTTLS
Firstly, you'll need to get the public certificate your mail server is providing. Swap in the server address in this command (I've listed port 465 as that's what you've stated - it is worth double-checking with the provider if they offer service on 587):
openssl s_client -debug -connect SMTP.YOURMAILSERVICE.com:465 -starttls smtp < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
This saves their cert to public.crt - which you then need to import into the java keystore in the Java environment Jira is running under. Run this command in your Jira's installation directory (change the path to public.crt if it's saved somewhere else):
jre/bin/keytool -import -alias tomcat -keystore jre/lib/security/cacerts -file public.crt
Finally, you'll need to restart Jira for the imported cert to be available.
We've also got some guidance if the problem is truly caused by some sort of timeout - either due to slow network or Exchange server throttling. If the above didn't help, you can work through the steps and resolutions in this kb article about timeouts.
Cheers,
Daniel
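An added example, not part of the original posts or of Atlassian's code: a small probe that speaks plaintext SMTP to a port and reports whether the server offers STARTTLS or stays silent, which is how an implicit-TLS listener looks to a client waiting for a banner and is one way a read timeout arises. The result labels and the `probe.example` EHLO name are assumptions made for this example.

```python
import socket
import sys

# Result labels (names chosen for this example, not Jira or JavaMail terms).
STARTTLS = "starttls"              # plaintext banner, server offers the upgrade
PLAINTEXT_ONLY = "plaintext-only"  # plaintext banner, no STARTTLS offered
SILENT = "silent"                  # no banner before the timeout
NO_BANNER = "no-220-banner"        # connection closed or service refused

def read_reply(f):
    """Read one SMTP reply; its final line has a space after the 3-digit code."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            return lines
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if raw[3:4] == b" ":
            return lines

def classify(sock, timeout=5.0):
    """Speak plaintext SMTP on a connected socket and report what the peer does."""
    sock.settimeout(timeout)
    f = sock.makefile("rb")
    try:
        banner = read_reply(f)
        if not banner or not banner[-1].startswith("220"):
            return NO_BANNER
        sock.sendall(b"EHLO probe.example\r\n")
        # Skip the first 250 line (server greeting); the rest are extensions.
        exts = {l[4:].split()[0].upper()
                for l in read_reply(f)[1:] if l[4:].strip()}
    except socket.timeout:
        # An implicit-TLS listener waits for a TLS ClientHello and sends nothing,
        # so a client expecting a plaintext banner hits a read timeout.
        return SILENT
    return STARTTLS if "STARTTLS" in exts else PLAINTEXT_ONLY

def probe(host, port, timeout=5.0):
    """Connect to host:port and classify the listener."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return classify(sock, timeout)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A `silent` result can also come from a filtered or very slow server, so confirm it with a TLS-on-connect client before changing the mail settings.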
Yes, that's it. I got misled by the suggestion in the Jira GUI to use port 465.
BTW it would be nice to update the suggestion to the new port.
Great suggestion - I've logged this in our public Jira instance. I'm glad you got it straightened out with your mail server!