#1895 ✓cantreproduce
Sebastien Varrette

Error: Timeout when setting up SSL/TLS

Reported by Sebastien Varrette | December 21st, 2017 @ 09:26 PM

Hi,

I have had a strange issue since this morning and an update of the SSL certificate of our mailserver.
Somehow they impose the usage of StartTLS and SMTP access (:387 in our case) now fails.

  • the new certificate has been imported and accepted permanently
  • IMAPS works fine
  • SMTP+SSL fails with "Timeout when setting up SSL/TLS".

Here are the logs upon delivery attempt:

16:00:30 Handling reply
16:00:30 Sending request (31)
16:00:30 Handling request
16:00:30 Clearing connection to <smtp.domain.com>
16:00:32 Ready to run action (retry count: 2)
16:00:32 Clearing connection to <smtp.domain.com>
16:00:32 Trying to connect to <smtp.domain.com> on port 587 (CFNetwork) without STARTTLS (required)
16:00:32 Resolved hostname (<smtp.domain.com>).
16:00:32 Prepare secure connection...
16:00:32 Successful connection.
16:00:32 Initiating secure connection...
16:00:35  Waiting (0) 3/16...
16:00:38  Waiting (0) 6/16...
16:00:41  Waiting (0) 9/16...
16:00:44  Waiting (0) 12/16...
16:00:47  Waiting (0) 15/16...
16:00:50  Waiting (0) 18/16...
16:00:50 Error: Timeout when setting up SSL/TLS.
16:00:50 Error code: 8
16:00:50 New timeout values (8/8): 24/24
16:00:50 Failed action (0). Reset observed read/write timeouts: 8/8

Local tests of the SMTP server with StartTLS work using:

$> openssl s_client -starttls smtp -connect <smtp.domain.com>:587 -crlf
CONNECTED(00000003)
depth=1 /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
[...]
---
No client certificate CA names sent
---
SSL handshake has read 3974 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: AC4900003C6FDD61D8C00044B9905C786972A97791FFDAB8536D1D3972E7234E
    Session-ID-ctx:
    Master-Key: FB813953E68EBC546DEF65050E5BFC3258E826916B868C0AB83C852E89C6DB3AB851D7069E0D6ED6874AA039D51830B3
    Key-Arg   : None
    Start Time: 1513871935
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 CHUNKING

Which seems to confirm the "Successful connection." log line.
For the rest, I confirm I have no clue. Any idea on your side?
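
Added example (not the reporter's or MailMate's code): a Python probe that checks whether a submission port greets in cleartext (the STARTTLS case on 587 above) or stays silent waiting for a TLS ClientHello (implicit TLS), then negotiates accordingly and reports the verified issuer, so the "Successful connection" followed by a handshake timeout pattern in the log can be told apart from a certificate problem. The hostname and the EHLO reply are constructed sample data.

```python
import socket
import ssl

# Constructed sample data, not captured from the reporter's server.
EHLO_REPLY = (b"250-smtp.example.test Hello\r\n250-STARTTLS\r\n"
              b"250-AUTH NTLM GSSAPI\r\n250 CHUNKING\r\n")

def classify_banner(first_bytes: bytes) -> str:
    """Classify a port from what the server sends right after TCP connect.
    '220' = cleartext SMTP upgraded with STARTTLS (587); silence = the server
    awaits our ClientHello, i.e. implicit TLS (465).  Wrapping TLS around a
    220-greeting port gives 'Successful connection' then a handshake timeout."""
    if first_bytes.startswith(b"220"):
        return "starttls"
    return "silent" if not first_bytes else "unknown"

def parse_ehlo(reply: bytes) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [params]}."""
    exts = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # skip greeting
        if not line.startswith("250"):
            break
        words = line[4:].split()
        if words:
            exts[words[0].upper()] = words[1:]
    return exts

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Network I/O: negotiate TLS the way the port actually expects it."""
    result = {"mode": None, "extensions": {}, "tls": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            result["mode"] = classify_banner(sock.recv(512))
        except socket.timeout:
            result["mode"] = "silent"  # nothing sent: server expects ClientHello
        if result["mode"] == "starttls":
            sock.sendall(b"EHLO probe.invalid\r\n")
            result["extensions"] = parse_ehlo(sock.recv(4096))
            if "STARTTLS" not in result["extensions"]:
                return result
            sock.sendall(b"STARTTLS\r\n")
            if not sock.recv(512).startswith(b"220"):
                return result
        elif result["mode"] == "unknown":
            return result
        ctx = ssl.create_default_context()  # verifies chain against system roots
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = tls.version()
            result["issuer"] = dict(x[0] for x in tls.getpeercert()["issuer"])
    return result
```

An untrusted intermediate (the "unable to get local issuer certificate" seen with openssl above) surfaces here as an ssl.SSLCertVerificationError instead of a silent timeout, which is the distinction the thread was missing.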

Comments and changes to this ticket

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 08:28 AM

    Additionally, it seems that our organisation switched to NTLM authentication, which could be the source of the problem.
    Does that help you get an idea of the issue?

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 09:22 AM

    Apparently, it is not that which is enforced, but rather StartTLS, i.e. TLSv1 (instead of SSL v3).
    I have the impression that CFNetwork does not support this (cf. the log line "connect to <smtp.domain.com> on port 587 (CFNetwork) without STARTTLS (required)").
    Would it be possible to test a configuration that forces TLS? The current 'Use SSL' setting does not offer this possibility.

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 09:29 AM

    Note: following ticket #1585, I suffixed the port for SMTP with p (thus changing from 587 to 587p) and this seems to enforce StartTLS now.
    However, the sending action now fails with the message 'Unspecified Error' in the popup.

    09:26:27 Handling reply
    09:26:27 Sending request (1161)
    09:26:27 Handling request
    09:26:27 Clearing connection to <smtp.domain.com>
    09:26:30 Ready to run action (retry count: 3)
    09:26:30 Clearing connection to <smtp.domain.com>
    09:26:30 Trying to connect to <smtp.domain.com> on port 587p (CFNetwork) with STARTTLS (required)
    09:26:30 Resolved hostname (<smtp.domain.com>).
    09:26:30 Successful connection.
    09:26:40 Error code: 2
    09:26:40 Failed action (0). Reset observed read/write timeouts: 8/8
    
  • benny

    benny December 22nd, 2017 @ 09:43 AM

    It appears it fails before NTLM authentication (which MailMate cannot do, which means that might also be a problem, but first we need to connect). Could you provide the real SMTP hostname? That would allow me to reproduce the issue. You can use “Help ▸ Send Feedback” if you have a working account in MailMate and you don't want to share the hostname.

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 05:05 PM

    So our IT service seems to have reverted some setting at the network level -- that might explain the CFNetwork error code 2 cfHostErrorUnknown:

    An unknown error occurred (a name server failure, for example).
    

    Now things are working fine; however, it might indicate that maybe MailMate should allow for a deeper analysis of the subsequent certificates used, or a link to the CFNetwork error explanation?

    Anyway, thanks for your feedback, things are fine now.

  • benny

    benny December 22nd, 2017 @ 10:17 PM

    • State changed from “new” to “resolved”

    The error code is an internal error for timing out on a request. It's not a CFNetwork error.

  • Sebastien Varrette

    Sebastien Varrette January 5th, 2018 @ 04:19 PM

    This issue reappeared upon reboot ;(

  • benny

    benny January 6th, 2018 @ 09:30 AM

    @Sebastien: I've replied to your email.

  • benny

    benny January 6th, 2018 @ 09:30 AM

    • State changed from “resolved” to “cantreproduce”
