#1895 ✓cantreproduce
Sebastien Varrette

Error: Timeout when setting up SSL/TLS

Reported by Sebastien Varrette | December 21st, 2017 @ 09:26 PM

Hi,

I have had a strange issue since this morning and an update of the SSL certificate of our mail server.
Somehow they impose the usage of StartTLS, and SMTP access (:387 in our case) now fails.

  • the new certificate has been imported and accepted permanently
  • IMAPS works fine
  • SMTP+SSL fails with "Timeout when setting up SSL/TLS."

Here are the logs upon delivery attempt:

16:00:30 Handling reply
16:00:30 Sending request (31)
16:00:30 Handling request
16:00:30 Clearing connection to <smtp.domain.com>
16:00:32 Ready to run action (retry count: 2)
16:00:32 Clearing connection to <smtp.domain.com>
16:00:32 Trying to connect to <smtp.domain.com> on port 587 (CFNetwork) without STARTTLS (required)
16:00:32 Resolved hostname (<smtp.domain.com>).
16:00:32 Prepare secure connection...
16:00:32 Successful connection.
16:00:32 Initiating secure connection...
16:00:35  Waiting (0) 3/16...
16:00:38  Waiting (0) 6/16...
16:00:41  Waiting (0) 9/16...
16:00:44  Waiting (0) 12/16...
16:00:47  Waiting (0) 15/16...
16:00:50  Waiting (0) 18/16...
16:00:50 Error: Timeout when setting up SSL/TLS.
16:00:50 Error code: 8
16:00:50 New timeout values (8/8): 24/24
16:00:50 Failed action (0). Reset observed read/write timeouts: 8/8

Local tests of the SMTP server with StartTLS work using:

$> openssl s_client -starttls smtp -connect <smtp.domain.com>:587 -crlf
CONNECTED(00000003)
depth=1 /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
[...]
---
No client certificate CA names sent
---
SSL handshake has read 3974 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: AC4900003C6FDD61D8C00044B9905C786972A97791FFDAB8536D1D3972E7234E
    Session-ID-ctx:
    Master-Key: FB813953E68EBC546DEF65050E5BFC3258E826916B868C0AB83C852E89C6DB3AB851D7069E0D6ED6874AA039D51830B3
    Key-Arg   : None
    Start Time: 1513871935
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 CHUNKING

Which seems to confirm the "Successful connection." log.
For the rest, I confirm I have no clue. Any idea on your side?

Comments and changes to this ticket

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 08:28 AM

    Additionally, it seems that our organisation moved to NTLM authentication; that could be the source of the problem.
    Does that help you to get an idea of the issue?

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 09:22 AM

    Apparently, that is not what is being enforced, but rather STARTTLS, i.e. TLSv1 (instead of SSL v3).
    I have the impression that CFNetwork does not support this (cf. the log line "connect to <smtp.domain.com> on port 587 (CFNetwork) without STARTTLS (required)").
    Would it be possible to test forcing TLS in the configuration? The current 'Use SSL' setting does not offer this option.

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 09:29 AM

    Note: following ticket #1585, I suffixed the port for SMTP with p (thus changing from 587 to 587p) and this seems to enforce StartTLS now.
    However, the sending action now fails with the message 'Unspecified Error' in the popup.

    09:26:27 Handling reply
    09:26:27 Sending request (1161)
    09:26:27 Handling request
    09:26:27 Clearing connection to <smtp.domain.com>
    09:26:30 Ready to run action (retry count: 3)
    09:26:30 Clearing connection to <smtp.domain.com>
    09:26:30 Trying to connect to <smtp.domain.com> on port 587p (CFNetwork) with STARTTLS (required)
    09:26:30 Resolved hostname (<smtp.domain.com>).
    09:26:30 Successful connection.
    09:26:40 Error code: 2
    09:26:40 Failed action (0). Reset observed read/write timeouts: 8/8
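
The two log excerpts in this ticket differ in whether the client starts TLS immediately ("without STARTTLS") or upgrades a cleartext session ("with STARTTLS"). As an added example, not taken from the ticket or from MailMate, this probe reports which of the two a given SMTP port expects; the function names, `probe.example` and the local fake server are constructed for illustration.

```python
import socket
import threading

def classify_smtp_port(host, port, timeout=5.0):
    """Return 'starttls', 'plaintext-only' or 'implicit-tls-or-silent'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = s.recv(1024)
        except socket.timeout:
            # No cleartext greeting: the server is probably waiting for a TLS
            # ClientHello, so a STARTTLS client would stall here.
            return "implicit-tls-or-silent"
        if not banner.startswith(b"220"):
            return "implicit-tls-or-silent"
        # Cleartext greeting received: a client that starts a TLS handshake
        # right away ("without STARTTLS") is speaking the wrong protocol.
        s.sendall(b"EHLO probe.example\r\n")
        reply = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            reply += chunk
            lines = reply.split(b"\r\n")
            # The final line of an SMTP reply has a space after the code.
            if reply.endswith(b"\r\n") and lines[-2][3:4] == b" ":
                break
        caps = {l[4:].split()[0].upper() for l in reply.split(b"\r\n")
                if l.startswith(b"250") and l[4:].split()}
        return "starttls" if b"STARTTLS" in caps else "plaintext-only"

def fake_server(starttls=True, silent=False):
    """Constructed local stand-in for a mail server; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if silent:          # behaves like an implicit-TLS listener
                conn.recv(1024)
                return
            conn.sendall(b"220 smtp.example ESMTP\r\n")
            conn.recv(1024)
            ext = b"250-STARTTLS\r\n" if starttls else b""
            conn.sendall(b"250-smtp.example\r\n" + ext + b"250 CHUNKING\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return addr
```

Against a real server, call `classify_smtp_port(host, 587)`; a result of `starttls` means the client must be configured to upgrade the connection rather than open it with TLS.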
    
  • benny

    benny December 22nd, 2017 @ 09:43 AM

    It appears it fails before NTLM authentication (which MailMate cannot do, which means that might also be a problem, but first we need to connect). Could you provide the real SMTP hostname? That would allow me to reproduce the issue. You can use “Help ▸ Send Feedback” if you have a working account in MailMate and you don't want to share the hostname.

  • Sebastien Varrette

    Sebastien Varrette December 22nd, 2017 @ 05:05 PM

    So our IT service seems to have reverted some setting at the network level -- that might explain the CFNetwork error code 2 cfHostErrorUnknown:

    An unknown error occurred (a name server failure, for example).

    Now things are working fine; however, it might indicate that maybe MailMate should allow for a deeper analysis of the subsequent certificates used, or a link to the CFNetwork error explanation?

    Anyway, thanks for your feedback, things are fine now.

  • benny

    benny December 22nd, 2017 @ 10:17 PM

    • State changed from “new” to “resolved”

    The error code is an internal error for timing out on a request. It's not a CFNetwork error.

  • Sebastien Varrette

    Sebastien Varrette January 5th, 2018 @ 04:19 PM

    This issue reappeared upon reboot ;(

  • benny

    benny January 6th, 2018 @ 09:30 AM

    @Sebastien: I've replied to your email.

  • benny

    benny January 6th, 2018 @ 09:30 AM

    • State changed from “resolved” to “cantreproduce”
  • Alex Veer

    Alex Veer February 12th, 2024 @ 11:52 AM

    • State changed from “cantreproduce” to “new”
