Re: CUE Voicemail SMTP Issues

jshdcooper · ‎01-03-2018

Hello,

In the past couple of weeks, we've had several customers start having issues with voicemail notifications generated from the CUE module. I've tried multiple providers (google,yahoo, outlook.com) and I get similar errors for all of them. The debug is

2327 01/03 14:31:06.216 VMSS mnot 0 DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "smtp.gmail.com", port 465, isSSL false
Send failed, UID=0
2327 01/03 14:31:06.225 VMSS mnot 0 EmailSender: Error sending emailjavax.mail.MessagingException: Could not connect to SMTP host: smtp.gmail.com, port: 465;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've generated a new SSL cert on the CUE module, I can ping the hostname from the CUE module, there's no ACL blocking, but I get the same thing. Is anyone else having a similar issue or have any suggestions?

Thanks!

Mohammed al Baqari · ‎01-04-2018

Make sure that you delete the old certificate chain and have the new one
installed. You need to have the full certificate chain installed including
root ca and intermediate ca

jshdcooper · ‎01-04-2018

Thanks for the response. How do I remove the old cert in the CUE?

danielblock1 · ‎02-05-2018

Anybody else on this? I'm having the exact same problem. Would love to know how to solve this...

jshdcooper · ‎02-05-2018

I have not got a solution to this yet.

R0g22 · ‎02-05-2018

Yup. This is an ongoing issue with CUE and SMTP integration. There is a solution to this wherein the certificates will need to be manually updated through the CUE bash. Procedure can only be done by TAC.
The solution is only for CUE on SRE module deployments. For virtual CUE, you will need to wait for 9.X release.

R0g22 · ‎02-05-2018

You cannot do that. There is no way for a customer to do that on CUE. It can only be done by TAC. Open up a TAC case.

danielblock1 · ‎02-05-2018

My device is EOL, and I'm told that means I can't even open up a TAC if I wanted to. So what should I do? Am I totally screwed?

R0g22 · ‎02-05-2018

What device is it ?

danielblock1 · ‎02-05-2018

UC520

R0g22 · ‎02-05-2018

ahh .. yeah that's EoLDS. No more TAC support. You can still use SMTP but without authentication. The issue is related to a SSL handshake failure when the SMTP server presents it's certificate to the CUE. Since CUE does not have the cert, it drops the connection.
Just use Port 25 without any security and you should be good taken the fact that any of the SMTP providers support non-auth based integration. If they don't, then you will be have to migrate to either a SRE or vCUE.

paolo bevilacqua · ‎07-02-2019

I want to add on this issue. It's a major flaw that there is no way to add root certificates for SMTP without shell access, especially for the devices which cannot be placed under support.

In the past I was able to upload valid these by hacking to shell access, for that I had patched an installation image, corrected the checksum, booted, mounted the disk and uploaded to cacert storage. With the SRE hardware (secure bootstrap) that is not possible anymore, but one could try removing the disk, mounting on a linux system and update cacert from there.

The only valid workaround remains to setup a local SMTP server that then relays as needed.