FusionAuth

    SMTP failure after upgrade from 1.37 to 1.51

    • dan.s

      We updated our FusionAuth-hosted instance last night from version 1.37 to version 1.51 because of the XSS vulnerability in the FusionAuth admin application.

      Prior to the upgrade, our SMTP integration was operable; afterwards it is not. We have verified that the email provider is accessible (our app's backend uses the same provider), and the configuration does not seem to have changed, using port 587 and TLS. The email provider is paubox, so the host is smtp.paubox.com.

      Sending a test email from the tenant editing screen produces:
      Unable to send email via JavaMail

      Prime Messaging Exception
      Exception reading response
      Cause: SocketTimeoutException: Read timed out

      Triggering a welcome email to be sent results in the following in the Event Log (Debug is enabled)
      Async Email Send exception occurred.

      Template Id: 006c9493-53c7-4e74-9332-************
      Template Name: ******* - Welcome Email - Dev
      Tenant Id: 00000000-0000-0000-7661-**********
      Addressed to: *******

      Cause:
      jakarta.mail.MessagingException : Message: Exception reading response

      App Log is reporting:
      DEBUG: Jakarta Mail version 2.1.2
      DEBUG: URL jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.providers
      DEBUG: successfully loaded resource: jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.providers
      DEBUG: Tables of loaded providers
      DEBUG: Providers Listed By Class Name: {org.eclipse.angus.mail.smtp.SMTPTransport=jakarta.mail.Provider[TRANSPORT,smtp,org.eclipse.angus.mail.smtp.SMTPTransport,Oracle], org.eclipse.angus.mail.smtp.SMTPSSLTransport=jakarta.mail.Provider[TRANSPORT,smtps,org.eclipse.angus.mail.smtp.SMTPSSLTransport,Oracle]}
      DEBUG: Providers Listed By Protocol: {smtp=jakarta.mail.Provider[TRANSPORT,smtp,org.eclipse.angus.mail.smtp.SMTPTransport,Oracle], smtps=jakarta.mail.Provider[TRANSPORT,smtps,org.eclipse.angus.mail.smtp.SMTPSSLTransport,Oracle]}
      DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
      DEBUG: URL jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.address.map
      DEBUG: successfully loaded resource: jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.address.map
      DEBUG: setDebug: Jakarta Mail version 2.1.2

      SWAKS succeeds:
      === Trying smtp.paubox.com:587...
      === Connected to smtp.paubox.com.
      <- 220 welcome to paubox smtp
      -> EHLO ip----.ec2.internal
      <- 250-paubox smtp at your service
      <- 250-8BITMIME
      <- 250-SMTPUTF8
      <- 250-PIPELINING
      <- 250-AUTH LOGIN PLAIN
      <- 250-STARTTLS
      <- 250 OK
      -> STARTTLS
      <- 220 Ready to start TLS
      === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
      === TLS no local certificate set
      === TLS peer DN="/CN=paubox.com"
      ~> EHLO ip----.ec2.internal
      <~ 250-paubox smtp at your service
      <~ 250-8BITMIME
      <~ 250-SMTPUTF8
      <~ 250-PIPELINING
      <~ 250-AUTH LOGIN PLAIN
      <~ 250 OK
      ~> AUTH LOGIN
      <~ 334 ************
      ~> ********
      <~ 334 ************
      ~> ********************************************************
      <~ 235 OK
      ~> MAIL FROM:<@.com>
      <~ 250 OK
      ~> RCPT TO:<.@.com>
      <~ 250 OK
      ~> DATA
      <~ 354 Enter message, ending with "." on a line by itself
      ~> Date: Wed, 24 Jul 2024 22:29:19 +0000
      ~> To: .@.com
      ~> From: @.com
      ~> Subject: test Wed, 24 Jul 2024 22:29:19 +0000
      ~> Message-Id: <******.@ip----**.ec2.internal>
      ~> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
      ~>
      ~> Please disregard!
      ~>
      ~>
      ~> .
      <~ 250 Requested mail action okay, completed
      ~> QUIT
      <~ 221 Service closing transmission channel
      === Connection closed with remote host.

      Resolved by setting timeouts in Edit Tenant -> Advanced -> SMTP Settings:
      mail.smtp.timeout=30000
      mail.smtp.connectiontimeout=10000

      These timeouts were made accessible to SMTP settings in 1.44.0. They default to "no timeout" in JavaMail, and there is no documentation of any other default in FusionAuth.

      • Alex Patterson @dan.s

        JavaMail settings in FusionAuth can be configured under the SMTP settings of a tenant. You can access these settings by navigating to Tenants > Edit > Advanced > SMTP settings. Here, you can add additional properties for JavaMail.

        For example, to enable debug mode, you can add mail.debug=true to the additional properties. This will provide more verbose logging for SMTP, which can be helpful for troubleshooting email issues. The debug logs can be viewed under System > Logs and selecting fusionauth-app.log source.

        In some cases, you might need to set timeouts for the SMTP connection. This can be done by adding the following properties:

        mail.smtp.connectiontimeout=2000
        mail.smtp.timeout=2000
        

        These settings will set the read and write timeouts to 2 seconds (2000 ms).

        If you're experiencing issues with email delivery, it might be helpful to change the SMTP port or switch between TLS and SSL, especially if you're using a cloud service like FusionAuth Cloud, which has certain restrictions on ports.

        Remember to be cautious when enabling debug mode or changing other settings, as it could potentially lead to a large volume of logs or affect the performance of your application.

        • mark.robustelli

          So are you saying you can no longer access Tenant -> Advanced -> SMTP Settings -> Additional properties?

          • dan.s @mark.robustelli

            @mark-robustelli No, the additional settings are accessible, and the issue appears to be resolved by setting some values in additional settings.

            Assuming the actual problem was that our SMTP provider is slower than FusionAuth expects, there's still a documentation issue: the additional settings can be found in JavaMail documentation, which indicates the defaults are that there is no timeout. Since it's not behaving like there is no timeout, it seems like FusionAuth must be somehow, directly or indirectly, overriding that default. Documentation of that would be nice, perhaps also expected ranges for the settings, and impacts of using values outside expected ranges.

            Simply, settings should be documented.

            At least there is a message here in the forum now indicating the issue and resolution.

              • A Alex Patterson has marked this topic as solved on
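
The timeout behaviour discussed in this thread, as an added example that is not part of any post and is not FusionAuth code: a Python probe that times the connect, greeting and EHLO stages separately, so the stage that needs a larger `mail.smtp.connectiontimeout` (connect) or `mail.smtp.timeout` (read) can be identified. The loopback server, its banner text and the `probe.example` host name are constructed for the example.

```python
import socket
import threading
import time


def start_slow_smtp(banner_delay):
    """Constructed stand-in for a slow provider: delays the 220 greeting."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            try:
                time.sleep(banner_delay)
                conn.sendall(b"220 constructed slow smtp\r\n")
                if conn.recv(1024).upper().startswith(b"EHLO"):
                    conn.sendall(b"250-constructed\r\n250 OK\r\n")
                conn.recv(1024)  # wait for the client to close
            except OSError:
                pass  # client gave up (timed out) first

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, connect_timeout, read_timeout):
    """connect_timeout ~ mail.smtp.connectiontimeout, read_timeout ~ mail.smtp.timeout (seconds here)."""
    timings, stage = {}, "connect"
    try:
        t0 = time.monotonic()
        sock = socket.create_connection((host, port), timeout=connect_timeout)
        timings["connect"] = time.monotonic() - t0
        with sock:
            sock.settimeout(read_timeout)  # applies to every read that follows
            reader = sock.makefile("rb")
            for stage, cmd in (("banner", None), ("ehlo", b"EHLO probe.example\r\n")):
                t0 = time.monotonic()
                if cmd:
                    sock.sendall(cmd)
                while True:  # a multi-line reply ends on "NNN " (space, not dash)
                    line = reader.readline()
                    if not line or line[3:4] != b"-":
                        break
                timings[stage] = time.monotonic() - t0
        return {"ok": True, "timings": timings}
    except OSError as exc:  # socket timeouts are OSError subclasses
        return {"ok": False, "failed_stage": stage, "error": type(exc).__name__, "timings": timings}
```

Calling `probe("127.0.0.1", start_slow_smtp(0.5), 1.0, 0.1)` reports a failure at the `banner` stage, the same shape as the "Exception reading response" timeout above; against a real relay, pass its host and port and read the per-stage timings before choosing property values.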