Test Email Settings - Error: Unable to connect with TLS encryption

Graffen · April 13, 2018, 8:26am

Ever since upgrading to NC13, I have not been able to send email from my Nextcloud docker instance.

I receive an error when I click the test button saying

A problem occurred while sending the email. Please revise your settings. (Error: Unable to connect with TLS encryption)

On my mail server, the log says

Apr 13 08:19:10 mail postfix/submission/smtpd[3303]: connect from xxxxxxxxx.dk[11.22.33.44]
Apr 13 08:19:10 mail postfix/submission/smtpd[3303]: SSL_accept error from xxxxxxxxx.dk[11.22.33.44]: -1 Apr 13 08:19:10 mail postfix/submission/smtpd[3303]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:
Apr 13 08:19:10 mail postfix/submission/smtpd[3303]: lost connection after STARTTLS from xxxxxxxxx.dk[11.22.33.44]
Apr 13 08:19:10 mail postfix/submission/smtpd[3303]: disconnect from xxxxxxxxx.dk[11.22.33.44] ehlo=1 starttls=0/1
commands=1/2

My Nextcloud instance is running in Docker on my NAS, behind nginx-proxy and letsencrypt-nginx-proxy-companion. I have a theory that there is something weird going on with the TLS connection and perhaps a self-signed cert inside the Nextcloud docker container.

Anyone have an idea?

rai-monogramm · April 13, 2018, 9:33am

Same issue as you. I don’t understand what’s going on while nextcloud mail app is working fine for sending mail with the same smtp server.

madmath03 · April 17, 2018, 10:23pm

You might find a clue with the following issue :

It might be different for you since apparently the issue occurred when upgrading NC, but in our case it seems the issue was because our mail server updated its security and upgraded to TLS 1.2 which is not supported by NC13.

You might want to take a look at your mail server TLS level. Anything above TLS 1 will probably fail.
Configuring our mail server to allow TLS 1 and higher fixed it for us.

Hope this will help you.

planetekta · July 2, 2018, 7:46am

I am having same issue.
my mail server is supporting both TLS1 and TLS1.2.
Can’t configure mail.

planetekta · July 2, 2018, 7:49am

Have you found any solution for this.
I am also having same issue.

rvanlaar · October 27, 2018, 3:18pm

For me this issue was related with using a self signed certificate on my mail.

Stackoverflow solution

The error went away after switching to lets encrypt.

elvisman113 · January 25, 2019, 9:13pm

I went an alternate route and enabled acceptance of self-signed certificates in Nextcloud’s mailer function. Make the following change in /var/www/nextcloud/lib/private/Mail/Mailer.php in the getSmtpInstance() function. For Nextcloud 15.0.2, this should be added around line 262.

$transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));

Note: This will have to be done again when you upgrade Nextcloud, as it will likely copy over any edits. I prefer this route as I don’t expose my mail server and don’t want to get a public cert.

danjde · February 10, 2019, 3:25pm

Well @elvisman113!
Could you explain better where commit the changes?

I’m using NC 15.0.2 with cert self signed (for now), and I’ve try (with no luck) to add your code on line 257, so:

/**
 * Returns the SMTP transport
 *
 * @return \Swift_SmtpTransport
 */
protected function getSmtpInstance(): \Swift_SmtpTransport {
        $transport = new \Swift_SmtpTransport();
        $transport->setTimeout($this->config->getSystemValue('mail_smtptimeout', 10));
        $transport->setHost($this->config->getSystemValue('mail_smtphost', '127.0.0.1'));
        $transport->setPort($this->config->getSystemValue('mail_smtpport', 25));
        if ($this->config->getSystemValue('mail_smtpauth', false)) {
                $transport->setUsername($this->config->getSystemValue('mail_smtpname', ''));
                $transport->setPassword($this->config->getSystemValue('mail_smtppassword', ''));
                $transport->setAuthMode($this->config->getSystemValue('mail_smtpauthtype', 'LOGIN'));
                $transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));
        }
        $smtpSecurity = $this->config->getSystemValue('mail_smtpsecure', '');
        if (!empty($smtpSecurity)) {
                $transport->setEncryption($smtpSecurity);
        }

        return $transport;
}

Many thanks!

Davide

elvisman113 · February 11, 2019, 2:33pm

I placed the call to setStreamOptions down before the return statement. As you had it, the options would only get set when SMTP Auth is disabled. Here’s my version:

/**
 * Returns the SMTP transport
 *
 * @return \Swift_SmtpTransport
 */
protected function getSmtpInstance(): \Swift_SmtpTransport {
        $transport = new \Swift_SmtpTransport();
        $transport->setTimeout($this->config->getSystemValue('mail_smtptimeout', 10));
        $transport->setHost($this->config->getSystemValue('mail_smtphost', '127.0.0.1'));
        $transport->setPort($this->config->getSystemValue('mail_smtpport', 25));
        if ($this->config->getSystemValue('mail_smtpauth', false)) {
                $transport->setUsername($this->config->getSystemValue('mail_smtpname', ''));
                $transport->setPassword($this->config->getSystemValue('mail_smtppassword', ''));
                $transport->setAuthMode($this->config->getSystemValue('mail_smtpauthtype', 'LOGIN'));
        }
        $smtpSecurity = $this->config->getSystemValue('mail_smtpsecure', '');
        if (!empty($smtpSecurity)) {
                $transport->setEncryption($smtpSecurity);
        }

        /* EDIT - allow self-signed mail cert */
        $transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));
        /* EDIT end */

        return $transport;
}