
I’m trying to send an email on runtime Mule using an SMTPS connector running on an AWS EC2 Linux machine to AWS SES, but I keep getting an ‘Unable to connect to mail transport’ Mule exception.

I can Telnet from the EC2 machine to the AWS SES endpoint but cannot get EHLO to work; I may be doing something wrong there. I can successfully send the email to AWS SES from my own PC running my app on Anypoint using the same SMTPS connector and the same AWS SES credentials, so I know everything is good there.

I’m thinking there must be a difference between Anypoint and runtime Mule?

Here is my connector code. Do I need to add a trust store for it to work on runtime?

<smtps:connector name="SMTPS" contentType="text/html" validateConnections="true" doc:name="SMTPS">
    <smtps:tls-client />
    <smtps:tls-trust-store />
</smtps:connector>

Here is the relevant part of the log:

INFO org.mule.lifecycle.AbstractLifecycleManager - Initialising: 'SMTPS.dispatcher.1395684883'. Object is: SmtpMessageDispatcher
2016-11-08 16:30:25,149 [[feecalculator].HTTP_Listener_Configuration.worker.01] INFO org.mule.api.security.tls.TlsPropertiesMapper - Defaulting mule.email.smtps trust store to client Key Store
2016-11-08 16:30:25,361 [[feecalculator].HTTP_Listener_Configuration.worker.01] INFO org.mule.api.security.tls.TlsProperties - Loading configuration file: tls-default.conf
2016-11-08 16:30:25,620 [[feecalculator].HTTP_Listener_Configuration.worker.01] ERROR org.mule.exception.CatchMessagingExceptionStrategy -

Message : Unable to connect to mail transport.
Element : /sendEmailFlow/processors/0/0/0 @ feecalculator:sendEmail.xml:22 (Prod SMTPS)
Exception stack is: Unable to connect to mail transport. (org.mule.api.endpoint.EndpointException)

The difference on my local machine is 'tls-default.conf not found':

INFO 2016-11-08 16:19:16,533 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.lifecycle.AbstractLifecycleManager: Initialising: 'SMTPS.dispatcher.1555978287'. Object is: SmtpMessageDispatcher
INFO 2016-11-08 16:19:16,539 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.api.security.tls.TlsPropertiesMapper: Defaulting mule.email.smtps trust store to client Key Store
WARN 2016-11-08 16:19:16,574 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.api.security.tls.TlsProperties: File tls-default.conf not found, using default configuration.
INFO 2016-11-08 16:19:20,100 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.lifecycle.AbstractLifecycleManager: Starting: 'SMTPS.dispatcher.1555978287'. Object is: SmtpMessageDispatcher

sky.high
  • https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/ – Michael - sqlbot Nov 03 '16 at 10:40
  • Thanks Michael, SMTPS ports have to be either 465 or 2465; I cannot use 25, so it's not being throttled, and that also would not explain why the connection worked on my local machine but not on EC2 with identical SMTPS settings and credentials – sky.high Nov 03 '16 at 15:09
  • I suppose you get an exception. Can you post your logs? If it is TLS anyway, you need a truststore either in Mule or having the certificates trusted in the cacert at JVM level on your PC. – Mauro Rocco Nov 04 '16 at 15:59
  • Hi Mauro, I suspected it must be a cert issue. I guess the cacert on my local machine is trusted whereas the EC2 server's isn't; do you know how I can prove that? I'll post the exception log tomorrow – sky.high Nov 06 '16 at 04:48
  • I've added the relevant part of the log to my original question – sky.high Nov 08 '16 at 23:35

1 Answer


Solved:

On my development machine Anypoint defaults to the JRE 1.8 installed ‘cacerts’ trust store in the ‘security’ folder, which contains a trust for AWS SES, whereas the AWS EC2 Linux OpenJDK 1.8 either does not have a trust installed or Mule CE does not default to the installed trust store; I’m not sure which. This explains why my development machine could send an email via SES but the production system could not.

The solution is to use openssl to create a trust store file for the SES domain certificate and specify the trust file in the SMTPS connector (smtps:tls-trust-store). If a file path is not specified, the trust file needs to be added to the Mule project src/main/resources folder for the project domain or project application when no project domain exists.

This issue is further complicated by a difference between Anypoint and Mule CE: Anypoint requires SES endpoint declarations that contain ‘special characters’ to be double escaped, whereas Mule CE does not.

sky.high
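An added diagnostic for the "how can I prove that?" question in the comments and for checking the trust store the answer describes. This is example code written for this page, not code from the question, the answer or the Mule project. It assumes implicit TLS on the SMTPS port (465 or 2465, as discussed above; the STARTTLS ports would need a different client), that the JVM running it is the same one Mule CE runs under on the EC2 host, and that the trust store file is in the JVM's default key store format (JKS for Java 8). The class name `SmtpsTrustCheck` and the `email-smtp.<region>.amazonaws.com` host pattern in the usage note are placeholders.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical diagnostic (not Mule code): opens an implicit-TLS connection to an
 * SMTPS endpoint and reports whether the server's certificate chain validates against
 * either the JVM default trust store or a trust store file passed on the command line.
 *
 * usage: java SmtpsTrustCheck <host> <port> [truststore.jks [storepass]]
 */
public class SmtpsTrustCheck {

    /** Builds an SSLContext whose only trust anchors are the entries in the given key store file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password); // null password skips the JKS integrity check but still loads the certs
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: SmtpsTrustCheck <host> <port> [truststore.jks [storepass]]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        SSLContext ctx;
        if (args.length >= 3) {
            char[] pw = args.length >= 4 ? args[3].toCharArray() : null;
            ctx = contextFromTrustStore(args[2], pw);
            System.out.println("trust store : " + args[2]);
        } else {
            // The same trust anchors a JVM uses when nothing else is configured:
            // javax.net.ssl.trustStore if set, otherwise <java.home>/lib/security/cacerts.
            ctx = SSLContext.getDefault();
            System.out.println("trust store : JVM default (javax.net.ssl.trustStore or <java.home>/lib/security/cacerts)");
        }

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Also check that the certificate's name matches the host, as a mail client would.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);

            sock.startHandshake(); // throws SSLHandshakeException when the chain is not trusted
            System.out.println("handshake   : OK (" + sock.getSession().getProtocol()
                    + ", " + sock.getSession().getCipherSuite() + ")");
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                if (c instanceof X509Certificate) {
                    System.out.println("peer cert   : " + ((X509Certificate) c).getSubjectX500Principal());
                }
            }

            // Implicit TLS: the SMTP server greets first, so reading one line proves
            // SMTP is reachable through the tunnel. Then leave politely.
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(sock.getInputStream(), StandardCharsets.US_ASCII));
            System.out.println("server says : " + in.readLine());
            OutputStream out = sock.getOutputStream();
            out.write("QUIT\r\n".getBytes(StandardCharsets.US_ASCII));
            out.flush();
        } catch (SSLHandshakeException e) {
            // On an untrusted chain the JDK message typically contains
            // "PKIX path building failed ... unable to find valid certification path to requested target".
            System.out.println("handshake   : FAILED - " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it twice on the EC2 host against `email-smtp.<region>.amazonaws.com 465`: once with no trust store argument (the JVM default, which is what Mule falls back to when the log says "Defaulting mule.email.smtps trust store") and once with the trust store file built for the SES certificate. A PKIX failure in the first run and OK in the second confirms the diagnosis in the answer, and the exit code makes the check scriptable for a deployment smoke test. In Mule 3's schema the file is then referenced as `<smtps:tls-trust-store path="ses-truststore.jks" storePassword="..."/>`, with the path resolved from the classpath, i.e. the `src/main/resources` folder the answer mentions.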