3

I am using MailKit to try and send email through an Exchange server via SMTP but when I try to connect I get the following error:

An exception of type 'System.Security.Authentication.AuthenticationException' occurred in MailKit.dll but was not handled in user code

Additional information: The remote certificate is invalid according to the validation procedure.

Googling this brings up a lot of stuff about Gmail or as part of other error messages (like FTP or web API requests and such). I have talked with the IT guys and it is not a self-signed cert and we don't require authentication (in fact the BugZilla instance I admin is set up with the same settings and works fine). What am I doing wrong or how can I get more details to further troubleshoot?

using (var Client = new SmtpClient())
{
    Client.Connect("mail.address.com", 587, false);
    Client.AuthenticationMechanisms.Remove("XOAUTH2");
    Client.Send(Message);
    Client.Disconnect(true);
}

Edit: I have verified with IT that it is the same cert used in IIS that hosts the mail.address.com domain as well as in Exchange. I have also installed it as a trusted root but still get the same error.

Edit 2: If I update the code to Client.Connect("mail.address.com", 587, true); then I get the error:

An exception of type 'System.IO.IOException' occurred in System.Private.Networking.dll but was not handled in user code

Additional information: The handshake failed due to an unexpected packet format.

jstedfast
Matthew Verstraete

2 Answers

5

Try using Client.Connect("mail.address.com", 587, SecureSocketOptions.None); to disable STARTTLS.

If you want to keep STARTTLS, you might try overriding Client.ServerCertificateValidationCallback.

The easiest way to get more information about the error is to override ServerCertificateValidationCallback with something like this:

bool ValidateRemoteCertificate (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    Console.WriteLine ("SslPolicyErrors: {0}", sslPolicyErrors);

    return sslPolicyErrors == SslPolicyErrors.None;
}
jstedfast
  • Doesn't this allow all certs to come through and expose it as a security risk? – Matthew Verstraete Feb 03 '16 at 20:39
  • Only if you always return `true` even if there are errors. – jstedfast Feb 03 '16 at 20:40
  • How big of a risk is disabling STARTTLS? – Matthew Verstraete Feb 03 '16 at 20:47
  • Depends. Since you aren't authenticating, you don't have to worry about your user/passwd being snooped, but your email message will still be sent in the clear. So the question is whether you feel the need to encrypt the message while it is in transit to the mail server in case there are any hackers trying to snoop them. – jstedfast Feb 03 '16 at 20:53
  • Thanks, I did not think it would be a big deal but thought I would double check. Setting `SecureSocketOptions.None` got rid of that error but now I am getting an authentication error. – Matthew Verstraete Feb 03 '16 at 20:56
  • Is the error about needing to authenticate? Some SMTP servers require authentication and some do not. – jstedfast Feb 03 '16 at 20:57
  • It is `5.7.1 Client was not authenticated` but the server does not require authentication, this is verified by my BugZilla instance not authenticating and sending emails fine. – Matthew Verstraete Feb 03 '16 at 21:02
  • That error means that the server requires you to be authenticated in order to send mail from the From-address you are using. Oftentimes SMTP servers will allow anonymous access IFF the From address is local to the server domain, but require authentication if the From address is for another domain. – jstedfast Feb 03 '16 at 21:11
  • It is the same address that BugZilla is using and according to the admin we don't require authentication at all. I just started messing around to see if I could figure out what is going on – Matthew Verstraete Feb 03 '16 at 21:14
  • Try doing `Client = new SmtpClient (new ProtocolLogger ("smtp.log"))` so you can check the smtp.log file for the protocol exchange to see where it is going wrong. – jstedfast Feb 03 '16 at 21:16
  • It fails after setting the RCPT address `S: 250-ENHANCEDSTATUSCODES S: 250-STARTTLS S: 250-AUTH GSSAPI NTLM S: 250-8BITMIME S: 250-BINARYMIME S: 250 CHUNKING C: MAIL FROM: C: RCPT TO: S: 530 5.7.1 Client was not authenticated` – Matthew Verstraete Feb 03 '16 at 21:27
  • Is there a `250-PIPELINING`? If so, the error is meant for the `MAIL FROM` because MailKit pipelined the `MAIL FROM` and `RCPT TO` commands and you have to match responses to commands (in order). – jstedfast Feb 03 '16 at 21:30
  • Yes, there is a `S: 250-PIPELINING S: 250-DSN` – Matthew Verstraete Feb 03 '16 at 21:38
  • If you are on a different network than Bugzilla, then that could also be why the SMTP server is requiring you to authenticate. – jstedfast Feb 03 '16 at 21:52
  • I think we are, I will check on that with the admin, thanks – Matthew Verstraete Feb 03 '16 at 22:14
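A fuller version of the diagnostic callback from the answer above, added here as an example and not part of the original post: it prints which policy error fired and the status of every chain element, and still rejects any certificate that fails validation. The class and method names are hypothetical; the host and port are the ones from the question.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MailKit.Net.Smtp;
using MailKit.Security;
using MimeKit;

static class SmtpTlsDiagnostics // hypothetical name
{
    // Logs why validation failed; never accepts a certificate with errors.
    static bool LogAndValidate (object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // RemoteCertificateNameMismatch: host name is not in the certificate.
        // RemoteCertificateChainErrors: see the per-element status below.
        Console.WriteLine ("SslPolicyErrors: {0}", errors);
        if (certificate != null)
            Console.WriteLine ("Subject: {0}\nIssuer:  {1}", certificate.Subject, certificate.Issuer);

        if (chain != null) {
            foreach (X509ChainElement element in chain.ChainElements) {
                Console.WriteLine ("Chain element: {0} (expires {1:u})",
                                   element.Certificate.Subject, element.Certificate.NotAfter);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine ("  {0}: {1}", status.Status, status.StatusInformation);
            }
        }
        return false;
    }

    public static void Send (MimeMessage message)
    {
        using (var client = new SmtpClient ()) {
            client.ServerCertificateValidationCallback = LogAndValidate;
            // Port 587 starts in plaintext and upgrades with STARTTLS, so ask
            // for that explicitly instead of TLS-on-connect.
            client.Connect ("mail.address.com", 587, SecureSocketOptions.StartTls);
            client.Send (message);
            client.Disconnect (true);
        }
    }
}
```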
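The response matching described in the comments above, as an added example that is not part of the original thread: each final server reply is paired with the oldest unanswered client command, which shows the `530` belonging to `MAIL FROM` rather than `RCPT TO`. The log lines are constructed, using the `C: ` / `S: ` prefixes of a MailKit protocol log, and the class name is hypothetical.

```csharp
using System;
using System.Collections.Generic;

static class PipelineMatcher // hypothetical name
{
    // Constructed sample log; host names and addresses are placeholders.
    static readonly string[] SampleLog = {
        "S: 220 mail.example.test ESMTP",
        "C: EHLO client.example.test",
        "S: 250-mail.example.test Hello",
        "S: 250-PIPELINING",
        "S: 250-STARTTLS",
        "S: 250 CHUNKING",
        "C: MAIL FROM:<sender@example.test>",
        "C: RCPT TO:<rcpt@example.test>",
        "S: 530 5.7.1 Client was not authenticated",
    };

    public static List<KeyValuePair<string, string>> Match (IEnumerable<string> lines)
    {
        var pending = new Queue<string> ();
        var pairs = new List<KeyValuePair<string, string>> ();

        foreach (var line in lines) {
            if (line.StartsWith ("C: ", StringComparison.Ordinal)) {
                pending.Enqueue (line.Substring (3));
            } else if (line.StartsWith ("S: ", StringComparison.Ordinal)) {
                var reply = line.Substring (3);
                // "250-..." continues a multi-line reply; "250 ..." ends it.
                if (reply.Length > 3 && reply[3] == '-')
                    continue;
                // The server greeting arrives before any command is sent.
                var command = pending.Count > 0 ? pending.Dequeue () : "(greeting)";
                pairs.Add (new KeyValuePair<string, string> (command, reply));
            }
        }
        // Commands pipelined after the one that failed may have no reply in the log.
        foreach (var command in pending)
            pairs.Add (new KeyValuePair<string, string> (command, "(no reply logged)"));
        return pairs;
    }

    static void Main ()
    {
        foreach (var pair in Match (SampleLog))
            Console.WriteLine ("{0,-40} => {1}", pair.Key, pair.Value);
    }
}
```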
2

I had the exact same error while trying to use MailKit with Gmail and figured out that by default the Mail Shield from Avast antivirus had the "Scan SSL connection" activated. Make sure to turn that off.

From my knowledge, Avast will "open" the mail, scan it for any viruses and then sign it using its own certificate so the mail won't be signed by Gmail's certificate anymore which produces that error:

An exception of type 'System.Security.Authentication.AuthenticationException' occurred in MailKit.dll but was not handled in user code.

Additional information: The remote certificate is invalid according to the validation procedure.

Solution 1:

  • Turn off the SSL scans from your antivirus (or the entire mail shield).

Solution 2 (should be the best, security-wise):

  • Somehow get the certificate used by the antivirus (Avast has an option to export it).
  • Import it in your IMAP/POP/SMTP client before connecting to the Gmail server.
tehCivilian