Email Sending Broken in 24.1.19.1287

Incorrect, this has nothing to do with SSL on the server side; in fact Manager is running a vanilla installation with an NginX reverse proxy on another host running SSL offloading. The server hosting Manager.io doesn't have any SSL on it at all. The error is involved when Manager.IO tries to contact the Mailjet SMTP servers using TLS / SSL and it cannot seem to get all the CRL lists through the certificate chain.

So 2 things possibly happening here:

  1. Manager.IO is now ignoring the CRL / Trusted Roots list in the Linux /etc/ssl directories (Possibly a .Net Framework Error)

  2. It sees the /etc/ssl directories containing the CRL and Trusted Roots, ignores them and tries to fetch directly. Again this would be an error on the .Net Framework and its System.Net.Mail function that would talk to the Crypto Modules of .NET

Either way, as the /etc/ssl directory is like for like between the snapshot and the new version, the only filesystem changes are to the manager.io service.

When I get some time I'll run JetBrains dotPeek over them and have a look at a decompiled version of Manager to see how this is implemented.

I’m not sure if advanced email setup is available in any other accounting software or even ERP, so I guess what you are requesting @bdallen is something that’s outside the norm.

Don’t get me wrong, I’m not against advanced email features, but like everything else, this could lead to a very deep rabbit hole for minimal benefits to the average user.

While I’m not going to dismiss your request @bdallen and I’m going to leave it for @lubos to decide whether it’s feasible, I will however suggest using another email provider for sending emails from Manager (e.g. Google, since every business has at least one Google account) and use the other email for everything else.

@Ealfardan - The 90’s called and wants its locked-down systems back.

I see many ERPs with the ability to use a custom port number, take MYOB for example.

It seems QuickBooks Online allows “Advanced” settings.

Even the behemoth SAP allows advanced settings.

https://help.sap.com/docs/SAP_BUSINESS_ONE/68a2e87fb29941b5bf959a184d9c6727/0fa0f7ef4a66457d8622290c7d1d2fca.html

I see the whole argument of locking this down as completely pointless.

Quick look at the EmailTest function in dotPeek: it seems that regardless of the port, it will try TLS. It will only disable TLS and go SSL if it’s = 587.

So even if you use port 25 it will still try TLS.

          SmtpClient smtpClient = new SmtpClient(formData.Host, formData.Port);
          ServicePointManager.ServerCertificateValidationCallback = (RemoteCertificateValidationCallback) ((sender, certificate, chain, sslPolicyErrors) => sslPolicyErrors == SslPolicyErrors.None || sender == smtpClient && formData.DoNotVerifyTLSCertificate);
          smtpClient.UseDefaultCredentials = false;
          string password = formData.Password;
          if (string.IsNullOrWhiteSpace(password))
            password = ApplicationData.Get(emailTest.FileID).Single<Manager.Model.EmailSettings>().Password;
          if (!string.IsNullOrWhiteSpace(formData.Username) || !string.IsNullOrWhiteSpace(password))
            smtpClient.Credentials = (ICredentialsByHost) new NetworkCredential()
            {
              UserName = formData.Username,
              Password = password
            };
          smtpClient.EnableSsl = formData.Port == 587;
          smtpClient.DeliveryFormat = formData.DoNotUseInternationalDeliveryFormat ? SmtpDeliveryFormat.SevenBit : SmtpDeliveryFormat.International;
          smtpClient.Timeout = (int) TimeSpan.FromSeconds(20.0).TotalMilliseconds;
          smtpClient.DeliveryMethod = SmtpDeliveryMethod.Network;
          try

Can you please just remove the drop-down for port number and make it an editable field, and also add a checkbox to disable TLS?

Just give the users the options to have their own custom SMTP settings, there are sometimes business cases where arbitrary ports / settings are required.

Have you tried the QuickBooks email settings with your server? If your server can run well on QuickBooks, then your request should be accepted.

Yes it works fine, got a copy from a client and used it. @Mabaega I can also set a custom port in QuickBooks too, which allows us to use our own internal mail gateway. WOW!!!

I have run OpenSSL command line diagnostics and, as suspected, it returns perfectly fine and verifies perfectly.

Last login: Sat Feb  3 16:06:55 AEST 2024 on ttyS0                                                     
root@erp01-bne-met1:~# openssl s_client -connect in-v3.mailjet.com:587 -starttls smtp
CONNECTED(00000003):
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = FR, L = Paris, O = MAILJET SAS, CN = mailjet.com
verify return:1
---
Certificate chain
 0 s:C = FR, L = Paris, O = MAILJET SAS, CN = mailjet.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
Server certificate
subject=C = FR, L = Paris, O = MAILJET SAS, CN = mailjet.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3919 bytes and written 422 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E82EEA7AE103B2B71B9CDB1FCF93C8FED815ABFBD36E5C7BA4B32A9A82659BED
    Session-ID-ctx: 
    Resumption PSK: 8A907247397DF9E843767EB8C81999863BE4A81959D3A9FEB376A4EB662464729FA8EAB706154FE6677D607A23EFE5D9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1706940797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

This seems to be related to somewhere within Manager not being able to verify the certificate chain itself; even with Disable Verify it just spits the same error back.

But in the end, what’s really needed is the ability to set custom ports, and the ability to disable/enable TLS. This will enable more options to use other mail servers, like an internal one we have… WOW

If I could just get more custom options for ports, I would literally just dump mailjet and run it internally.

As for using Gmail etc, not an option.
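An added example, not part of the original posts: `openssl s_client` does not consult CRLs unless `-crl_check` or `-crl_check_all` is passed, so a clean transcript like the one above confirms chain building against the local trust store but does not exercise the CRL retrieval suspected earlier in the thread. The Python parser below summarises an `s_client` transcript for that comparison; the first sample is abridged from the posted output, and the second is constructed to show an assumed run with `-crl_check` where no CRL could be loaded.

```python
import re

# Abridged from the transcript posted above.
PAGE_SAMPLE = """\
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = FR, L = Paris, O = MAILJET SAS, CN = mailjet.com
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""

# Constructed (assumption): a run with -crl_check when no CRL is available.
CRL_SAMPLE = """\
depth=0 C = FR, L = Paris, O = MAILJET SAS, CN = mailjet.com
verify error:num=3:unable to get certificate CRL
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 3 (unable to get certificate CRL)
"""

DEPTH = re.compile(r"^depth=(\d+) (.*)$")
ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
FINAL = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")
PROTO = re.compile(r"^New, (\S+), Cipher is (\S+)$")


def summarise(transcript):
    """Return chain subjects, per-certificate errors and the final verdict."""
    out = {"chain": {}, "errors": [], "code": None, "reason": None,
           "protocol": None, "cipher": None}
    depth = None
    for line in transcript.splitlines():
        if m := DEPTH.match(line):
            depth = int(m.group(1))
            out["chain"][depth] = m.group(2)
        elif m := ERROR.match(line):
            out["errors"].append((depth, int(m.group(1)), m.group(2)))
        elif m := PROTO.match(line):
            out["protocol"], out["cipher"] = m.group(1), m.group(2)
        elif m := FINAL.match(line):
            # The line can appear more than once in a transcript; the last wins.
            out["code"], out["reason"] = int(m.group(1)), m.group(2)
    # True when any per-certificate error mentions a CRL (retrieval or validity).
    out["crl_problem"] = any("CRL" in msg for _, _, msg in out["errors"])
    return out
```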

I also have the problem with email. Test email works fine, but other email does not.
