ColdFusion email settings with TLS

Question

I am trying to configure ColdFusion to send emails using 1&1's servers (smtp.1and1.com) and even though I have set the username and password it keeps failing.

This is what I've done so far:

Set outgoing server to smtp.1and1.com
set username and password
set port to 587
selected Use TLS checkbox
selected Verify Settings box

when I click Save I get the message "Connection Verification Failed!"

In the ColdFusion log files in the mail.log I see this error:

"Error","scheduler-1","03/22/16","19:39:21",,"Can't send command to SMTP host"

I ran WireShark and captured some packets and it seems it does connect to the server, some communication goes back and forth, and then it aborts.

Below is a sample of the capture:

  No Time     Protocol Length Info
     1 0.000000 TCP      66     49858 ? 587 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
     2 0.000567 TCP      66     587 ? 49858 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
     3 0.000611 TCP      54     49858 ? 587 [ACK] Seq=1 Ack=1 Win=131328 Len=0
     4 0.007028 SMTP     112    S: 220 perfora.net (mreueus002) Nemesis ESMTP Service ready
     5 0.015100 SMTP     70     C: EHLO vm229CAC8
     6 0.015556 TCP      60     587 ? 49858 [ACK] Seq=59 Ack=17 Win=29696 Len=0
     7 0.015697 SMTP     159    S: 250 perfora.net Hello vm229CAC8 [**.**.**.**] | 250 SIZE 69920427 | 250 AUTH LOGIN PLAIN | 250 STARTTLS
     8 0.019485 SMTP     64     C: STARTTLS
     9 0.021416 SMTP     62     S: 220 OK
    10 0.058490 TLSv1    132    Client Hello
    11 0.059244 TLSv1    1514   Server Hello
    12 0.059246 TCP      1514   [TCP segment of a reassembled PDU]
    13 0.059283 TCP      54     49858 ? 587 [ACK] Seq=105 Ack=3092 Win=131328 Len=0
    14 0.059308 TLSv1    710    Certificate
    15 0.070314 TLSv1    61     Alert (Level: Fatal, Description: Certificate Unknown)
    16 0.070368 TCP      54     49858 ? 587 [FIN, ACK] Seq=112 Ack=3748 Win=130560 Len=0
    17 0.070858 TLSv1    61     Alert (Level: Fatal, Description: Internal Error)
    18 0.070905 TCP      54     49858 ? 587 [RST, ACK] Seq=113 Ack=3755 Win=0 Len=0
    19 0.071198 TCP      60     587 ? 49858 [FIN, ACK] Seq=3755 Ack=113 Win=29696 Len=0

All of which makes me think that there is something with the certificate (since it aborts before it even bothers with the username and password).

I've saved the 3 certificates from packet 14 and looked at them and they all seem fine - validity is OK, Thawte is the root CA - checked and confirmed the included one is OK, etc.

What am I missing? And are there any other log files that might shed some more light on this issue?

Thanks

Have you checked the log files in the coldfusion admin portal? — JanR, Mar 23 '16 at 03:56
Yes - this is where I saw the error "Can't send command to SMTP host" — Vladimir Strinski, Mar 23 '16 at 04:08
what other options of connecting do you have? it might be that the server requires `STARTTLS` — JanR, Mar 23 '16 at 04:11
It actually does that - see packet 8 where it issues the STARTTLS command. I am looking to see if there are any other options as we speak. — Vladimir Strinski, Mar 23 '16 at 04:15

score 4 · Accepted Answer · edited May 23 '17 at 11:52

I found it. It was the certificate.

ColdFusion runs on top of Java. Java has its own set of trusted root certificates. This server's root certificate wasn't there (hence why it wasn't trusted).

Solution essentially boiled down to:

Save the root certificate in a file
import it into the ColdFusion's java run-machine' trusted root certificates
restart ColdFusion so that it picks up the changes

The first step was easy - I expanded the 14th packet within WireShark, there were 3 certificates in it, saved them as 1.cer 2.cer and 3.cer files (it was 3.cer which had just the root one). I guess I could've visited any of 1&1's web pages via https and grabbed it, but wasn't sure if they'll use the same root CA. So extracting it from the actual packet seemed like the safer option.

ColdFusion was installed in C:\ColdFusion\ and to find out which Java runtime it starts I looked under C:\ColdFusion\bin\cfstart.bin which had was referring to ..\runtime\bin\jrun -start coldfusion.

Its Java run-machine had the certificates stored in C:\ColdFusion\runtime\jre\lib\security\cacerts

What remained was how to import it in that keystore - I used portecle as suggested here.

After restarting ColdFusion and asking it politely to verify the settings it confirmed them and I saw the below log in WireShark:

No.  Time     Protocol Length Info
 104 3.895581 TCP      66     55157 ? 587 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
 105 3.896180 TCP      66     587 ? 55157 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=512
 106 3.896229 TCP      54     55157 ? 587 [ACK] Seq=1 Ack=1 Win=131328 Len=0
 107 3.902608 SMTP     112    S: 220 perfora.net (mreueus003) Nemesis ESMTP Service ready
 108 3.903791 SMTP     70     C: EHLO vm229CAC8
 109 3.904271 TCP      60     587 ? 55157 [ACK] Seq=59 Ack=17 Win=29696 Len=0
 110 3.904390 SMTP     159    S: 250 perfora.net Hello vm229CAC8 [**.**.**.**] | 250 SIZE 69920427 | 250 AUTH LOGIN PLAIN | 250 STARTTLS
 111 3.904532 SMTP     64     C: STARTTLS
 112 3.906347 SMTP     62     S: 220 OK
 118 4.112009 TCP      62     [TCP Retransmission] 587 ? 55157 [PSH, ACK] Seq=164 Ack=27 Win=29696 Len=8
 119 4.112057 TCP      66     55157 ? 587 [ACK] Seq=27 Ack=172 Win=131072 Len=0 SLE=164 SRE=172
 120 4.115457 TLSv1    132    Client Hello
 121 4.116154 TLSv1    1514   Server Hello
 122 4.116157 TCP      1514   [TCP segment of a reassembled PDU]
 123 4.116158 TLSv1    710    Certificate
 124 4.116201 TCP      54     55157 ? 587 [ACK] Seq=105 Ack=3748 Win=131328 Len=0
 125 4.156467 TLSv1    321    Client Key Exchange
 127 4.196201 TCP      60     587 ? 55157 [ACK] Seq=3748 Ack=372 Win=30720 Len=0
 128 4.196237 TLSv1    97     Change Cipher Spec, Encrypted Handshake Message
 129 4.196799 TCP      60     587 ? 55157 [ACK] Seq=3748 Ack=415 Win=30720 Len=0
 130 4.197005 TLSv1    97     Change Cipher Spec, Encrypted Handshake Message
 131 4.197742 TLSv1    91     Application Data
 132 4.198262 TLSv1    166    Application Data
 133 4.198550 TLSv1    87     Application Data
 134 4.199201 TLSv1    93     Application Data
 135 4.199677 TLSv1    117    Application Data
 136 4.200122 TLSv1    93     Application Data
 137 4.200345 TLSv1    101    Application Data
 138 4.240137 TCP      60     587 ? 55157 [ACK] Seq=3981 Ack=595 Win=30720 Len=0
 143 4.448738 TLSv1    105    Application Data
 154 4.652126 TCP      105    [TCP Retransmission] 587 ? 55157 [PSH, ACK] Seq=3981 Ack=595 Win=30720 Len=51
 155 4.652153 TCP      66     55157 ? 587 [ACK] Seq=595 Ack=4032 Win=131072 Len=0 SLE=3981 SRE=4032

and also tried sending a few test emails and everything worked as expected.

Thanks for everyone's help and suggestions! :)

p.s. And I found also the backup option. Turns out 1&1 does support TLS but does not require it. Plain old SMTP with no TLS worked just fine on port 587.

I discovered this accidentally - it is probably a bug in ColdFusion (version 9 in my case). In ColdFusion's Server Settings > Mail > Undelivered Mail I told it to resend a failed email. And it did - but without attempting the TLS part.

ColdFusion email settings with TLS

1 Answers1