SMTP: SSL error/Unable to connect

Hello

I'm trying to configure the email server for my NCP, but I always get this error message when sending a test mail:

A problem occurred while sending the email. Please revise your settings. (Error: Connection could not be established with host smtpauths.bluewin.ch :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small)

config:

<?php
$CONFIG = array (
  'passwordsalt' => 'sensitive',
  'secret' => 'sensitive',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    5 => 'nextcloudpi.local',
    7 => 'nextcloudpi',
    8 => 'nextcloudpi.lan',
    11 => 'sensitive',
    1 => 'sensitive',
    20 => 'sensitive',
    21 => 'sensitive',
    12 => 'sensitive',
  ),
  'datadirectory' => '/media/myCloudDrive/ncdata',
  'dbtype' => 'mysql',
  'version' => '18.0.1.3',
  'overwrite.cli.url' => 'sensitive',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ncadmin',
  'dbpassword' => 'sensitive',
  'installed' => true,
  'instanceid' => 'sensitive',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
    'password' => 'sensitive',
  ),
  'tempdirectory' => '/media/myCloudDrive/ncdata/tmp',
  'mail_smtpmode' => 'smtp',
  'mail_from_address' => 'sensitive',
  'mail_domain' => 'bluewin.ch',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'overwriteprotocol' => 'https',
  'maintenance' => false,
  'logfile' => '/media/myCloudDrive/ncdata/nextcloud.log',
  'loglevel' => '2',
  'log_type' => 'file',
  'mail_sendmailmode' => 'smtp',
  'mail_smtphost' => 'smtpauths.bluewin.ch',
  'mail_smtpport' => '465',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'sensitive@bluewin.ch',
  'mail_smtppassword' => 'sensitive',
  'mail_smtpauthtype' => 'LOGIN',
  'theme' => '',
  'data-fingerprint' => 'sensitive',
  'htaccess.RewriteBase' => '/',
  'updater.secret' => 'sensitive',
);

I've tried using gmail (with IMAP enabled in settings) instead but there I get the following error:

A problem occurred while sending the email. Please revise your settings. (Error: Connection could not be established with host smtp.gmail.com :stream_socket_client(): unable to connect to ssl://smtp.gmail.com:465 (Connection timed out))

Any suggestions how to solve this would be highly appreciated!
Thanks

I have the same problem

Do you really need SMTPS:465 or perhaps STARTTLS? Please post the link to your provider's configuration page.

The parameters are correct. It works with another, identical Nextcloud installation in a commercial cloud.

Errorlog:

stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small at /var/www/nextcloud/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php#94

Perhaps you can test SSL from the command line.

https://wiki.zimbra.com/wiki/Simple_Troubleshooting_For_SMTP_Via_Telnet_And_Openssl

Relevant part:
openssl s_client -crlf -connect zcs723.EXAMPLE.com:465

Post answer and errors for your destination server smtps:465

With a different SMTP address (gmail.com) everything works. Thanks a lot.

Just had the same problem.

The only solution, sadly, is to make your mail provider use better encryption. Make them use Diffie-Hellman parameters (MODP) of at least 2048 bit length.

However, there is a workaround you could use, but really should not, since it weakens the security of ALL encrypted connections made by your server, acting as a TLS client.
Edit /etc/ssl/openssl.cnf to read

CipherString = DEFAULT@SECLEVEL=1

instead of the default

CipherString = DEFAULT@SECLEVEL=2


I have the same issue but I am not sure if this is the same cause.
As far as I understand, the key has 2048 bits and TLS 1.2 is used.
I really do not want to compromise on security here. Are there any other suggestions?

$ openssl s_client -crlf -connect smtp.goneo.de:465
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.goneo.de
verify return:1
139889939375424:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:…/ssl/statem/statem_clnt.c:2149:
---
Certificate chain
0 s:CN = *.goneo.de
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = *.goneo.de

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1

---
No client certificate CA names sent
---
SSL handshake has read 3396 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1598811258
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---

$ openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

One could weaken the security level just for the Nextcloud mail program by adding the following to config/config.php:
'mail_smtpstreamoptions' => array ( 'ssl' => array ( 'security_level' => 1, ), ),

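The openssl s_client check suggested earlier in the thread, combined with the security-level explanation in the last two replies, as an added example that is not part of the thread and not Nextcloud's or OpenSSL's own code. The script probes an SMTPS port the way the thread does but at an explicit SECLEVEL (the same setting that /etc/ssl/openssl.cnf's CipherString and Nextcloud's ssl security_level stream option change, at different scopes), and if the handshake aborts with "dh key too small" it probes again at SECLEVEL=1 so the server's real DH group size becomes visible; it then reports the highest security level that server would pass. The live probe assumes an openssl binary on PATH that accepts -cipher 'DEFAULT@SECLEVEL=n' (OpenSSL 1.1.x and 3.x). The three sample outputs are constructed, one mirroring the output posted above; the key-size thresholds are the ones OpenSSL documents for levels 1 to 3 (the elliptic-curve row is an approximation, OpenSSL for instance rates X25519's 253 bits as 128-bit security).

```python
"""Probe an SMTPS endpoint with `openssl s_client` at a chosen OpenSSL security
level and explain the outcome. Added example; the live probe assumes an openssl
binary (1.1.x/3.x) on PATH, everything else runs offline on captured output."""
import re
import subprocess

# Minimum key sizes OpenSSL enforces per security level (SECLEVEL):
# 1 = 80-bit security, 2 = 112-bit (the Debian/Ubuntu default), 3 = 128-bit.
MIN_FFDH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072}  # RSA keys and finite-field DH groups
MIN_ECDH_BITS = {0: 0, 1: 160, 2: 224, 3: 256}     # EC groups (approximation: OpenSSL
                                                   # treats X25519's 253 bits as 128-bit)


def s_client(host, port=465, seclevel=2, timeout=20):
    """The command the thread suggests, with the client's security level set through
    the cipher string exactly as openssl.cnf's CipherString would. QUIT makes the
    SMTP server close the session so s_client returns instead of waiting on stdin."""
    cmd = ["openssl", "s_client", "-crlf", "-connect", f"{host}:{port}",
           "-servername", host, "-cipher", f"DEFAULT@SECLEVEL={seclevel}"]
    res = subprocess.run(cmd, input=b"QUIT\r\n", capture_output=True, timeout=timeout)
    return (res.stdout + res.stderr).decode("utf-8", errors="replace")


def parse_s_client(output):
    """Pull the handshake facts that matter here out of s_client's text output."""
    def grab(pattern, conv=str):
        m = re.search(pattern, output, re.MULTILINE)
        return conv(m.group(1)) if m else None
    return {
        "dh_too_small": "dh key too small" in output,
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "temp_key": grab(r"^Server Temp Key: (.+?), \d+ bits"),          # e.g. "DH", "ECDH, P-256"
        "temp_key_bits": grab(r"^Server Temp Key: .+?, (\d+) bits", int),
        "server_key_bits": grab(r"^Server public key is (\d+) bit", int),
    }


def highest_passing_level(info):
    """Highest SECLEVEL (0-3) whose minimums both the ephemeral key exchange and the
    certificate key meet; None if the handshake aborted before revealing them."""
    if info["temp_key_bits"] is None or info["server_key_bits"] is None:
        return None
    table = MIN_FFDH_BITS if info["temp_key"].upper() == "DH" else MIN_ECDH_BITS
    return max(lvl for lvl in table
               if info["temp_key_bits"] >= table[lvl]
               and info["server_key_bits"] >= MIN_FFDH_BITS[lvl])


def explain(info, probed_at=2):
    """Verdict for a probe that was run with the client at SECLEVEL=probed_at."""
    if info["dh_too_small"]:
        return (f"aborted: server sent a finite-field DH group below the "
                f"{MIN_FFDH_BITS[probed_at]}-bit minimum of SECLEVEL={probed_at}; "
                f"re-probe at SECLEVEL=1 to see its real size")
    if info["cipher"] in (None, "(NONE)", "0000"):
        return "aborted before a cipher was negotiated (not a DH-size problem)"
    level = highest_passing_level(info)
    if level is None:
        return f"negotiated {info['cipher']} but no ephemeral key was reported"
    facts = (f"{info['protocol']} {info['cipher']}, ephemeral {info['temp_key']} "
             f"{info['temp_key_bits']} bits, certificate key {info['server_key_bits']} bits")
    if level < 2:
        return facts + f": accepted only up to SECLEVEL={level}; a default SECLEVEL=2 client refuses it"
    return facts + f": fine at the default SECLEVEL=2 (passes up to SECLEVEL={level})"


# Constructed samples, not captured from real hosts. SAMPLE_FAIL mirrors the output
# posted in this thread; SAMPLE_LEVEL1 is what such a server shows once the client is
# relaxed to SECLEVEL=1; SAMPLE_OK is a server doing a proper ECDHE exchange.
SAMPLE_FAIL = """CONNECTED(00000003)
140000000000000:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
SAMPLE_LEVEL1 = """CONNECTED(00000003)
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_OK = """CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live probe: python3 probe_smtps.py smtp.example.net 465
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 465
        info = parse_s_client(s_client(host, port, seclevel=2))
        print("SECLEVEL=2:", explain(info, 2))
        if info["dh_too_small"]:
            print("SECLEVEL=1:", explain(parse_s_client(s_client(host, port, seclevel=1)), 1))
    else:  # offline: walk the constructed samples
        for name, sample in (("thread output", SAMPLE_FAIL),
                             ("same host at SECLEVEL=1", SAMPLE_LEVEL1),
                             ("healthy server", SAMPLE_OK)):
            print(f"{name}: {explain(parse_s_client(sample))}")
```

Run without arguments to see the three verdicts on the constructed samples; run with a host (and optional port) to probe a real server. A server that only passes at SECLEVEL=1 is the situation this thread describes: the fix belongs on the server (2048-bit or larger DH parameters, or ECDHE), and any client-side relaxation should be confined to the one process that needs it rather than applied system-wide in openssl.cnf.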

This workaround does not work for me :(