After upgrading, emails are not being sent/received

Article ID: 187195

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
DX NetOps

Issue/Introduction

Scheduled report and on-demand report emails are not being sent out after upgrading.

One of our users stopped getting emailed reports right after the upgrade. The reports look like they have been running.

We see the following error in DMService.log:

ERROR | EmailJobTaskThreadPool-Thread-28 | 2020-03-09 09:29:28,588 | com.ca.im.portal.dm.scheduling.email.EmailJobTask                
| Error sending e-mail: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake; message exception details (1) are:
Failed message 1:
javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
... 12 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
... 19 more



Cause

In 3.7.7 we made a change to enable STARTTLS. The change is described as follows:

Symptom:

Emails could not be sent securely if email server supported STARTTLS.

Resolution:
 
Updated Performance Center email properties to enable STARTTLS on all emails being sent. Removed the Use SSL button, as PC will try to send all emails securely if the email server supports STARTTLS.

Environment

If you are on a release prior to 3.7.7 and then upgrade to 3.7.7 or higher, you could run into this problem.

Resolution

For this issue do the following:

  1. Run: echo quit | openssl s_client -starttls smtp -connect <EMAILSERVERIP>:25 > certcheck.log
  2. Collect the certcheck.log file for review.
  3. Look in certcheck.log for: Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
  4. Copy the lines from the BEGIN line through the END line in certcheck.log into a new file: /tmp/email.cer
  5. Run: /opt/CA/jre/bin/keytool -import -file /tmp/email.cer -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit -alias emailserver
    • Answer "yes" when asked to trust the certificate.
  6. Run the following command and check for "emailserver" in the output to confirm the cert was added:
    • /opt/CA/jre/bin/keytool -list -v -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit -alias emailserver
  7. Restart the DM and PC services.
  8. Try sending an email.

Emails should now work.  If they do not, do the following:

  1. Go to http://PC_HOST:8181/pc/center/admin/debug
  2. Log in with admin / admin password
  3. Follow the links to the Device Manager logging runtime configuration. Add/Update a logging category - enter the following names for categories and set the log level from INHERITED to TRACE, then click Add.
    • com.ca.im.portal.dm.scheduling.email.EmailJobTask
    • com.ca.im.portal.dm.scheduling.email.EmailJobScheduler
    • com.ca.im.portal.api.services.scheduling.email.EmailJobManager
  4. Email another dashboard as a test and collect /opt/CA/PerformanceCenter/DM/logs/DMService.log for further investigation.

Additional Information

Note that if your configuration may hit multiple mail servers, such as a bank of mail servers behind a load balancer (you can only configure one mail server in DX NetOps Performance Management), you must have the certificates from ALL the mail servers you may connect to. To do this, repeat steps 4 and 5 above, using a different alias for each mail server and making sure you copy the contents of certcheck.log to a new "cer" file name for each mail server.

Additionally, you must have any related root/intermediate certificates if the mail server certificate is not self-signed.
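
The following is an added example, not part of the original article or any vendor tooling: a shell helper for steps 3 to 5 that extracts the server certificate from certcheck.log, prints its SHA-256 fingerprint, and prints the keytool import command with a distinct alias per mail server, as the multi-server note above requires. The function names, the emailserver-<host> alias scheme, the script name and the sample log are assumptions made for illustration.

```sh
# Added example, not vendor code. Paths and -storepass value are from step 5.
KEYTOOL=/opt/CA/jre/bin/keytool
CACERTS=/opt/CA/jre/lib/security/cacerts

# extract_server_cert LOG OUT: copy the first PEM block in LOG to OUT (steps 3-4).
# Returns 1 and leaves no file if the block is missing or truncated.
extract_server_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ && !done  { inblock = 1 }
         inblock                                 { print }
         /-----END CERTIFICATE-----/ && inblock  { inblock = 0; done = 1 }' "$1" > "$2"
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$2" &&
       grep -q -e '-----END CERTIFICATE-----' "$2"; then
        return 0
    fi
    rm -f "$2"
    return 1
}

# cert_alias HOST: assumed naming scheme giving each mail server its own alias.
cert_alias() {
    printf 'emailserver-%s' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '-')"
}

# import_command HOST CERFILE: print (not run) the step 5 import for review.
import_command() {
    printf '%s -import -file %s -keystore %s -storepass changeit -alias %s\n' \
        "$KEYTOOL" "$2" "$CACERTS" "$(cert_alias "$1")"
}

# fingerprint CERFILE: SHA-256 fingerprint to check before trusting the cert.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# write_sample_log FILE: constructed s_client excerpt with a placeholder body.
write_sample_log() {
    cat > "$1" <<'EOF'
Server certificate
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJCT0RZTk9UQVJFQUxDRVJU
-----END CERTIFICATE-----
subject=CN = mail.example.test
---
EOF
}

# Usage: sh certhelper.sh certcheck.log HOST
if [ "$#" -eq 2 ]; then
    cer=/tmp/$(cert_alias "$2").cer
    extract_server_cert "$1" "$cer" && fingerprint "$cer" && import_command "$2" "$cer"
fi
```

Compare the printed fingerprint with the value reported by the mail server's administrator before running the import command, since anything added to cacerts is trusted by the JRE from then on.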