elipsett

FMP17.0.4.400 Update and Airmail

This topic is 399 days old. Please don't post here. Open a new topic instead.


FMP17 updated this morning, and suddenly it can't send email via Airmail anymore. It reports "Could not convert socket to TLS".
Any suggestions?

I'm generating PDFs on a Mac 10.12.6, printing the PDF to disk, and then attaching it to an email, all scripted.
It's worked perfectly for about two years, including upgrading from FMP13 to FMP17 when 17 was released...

Any suggestions, or hopefully remedies, gratefully accepted!

Edited by elipsett


Hello,

What are the SMTP settings you are using? I found this webpage (https://www.serversettings.email/Airmail.net-email-server-settings-imap.php) that specifies settings to try to connect with Airmail through various E-mail clients. The settings applied by our Email plugin should be the same. Try these different combinations and let me know if you're able to connect.

Outgoing (SMTP) Secure - Port: 465 and Security Type: SSL/TLS (Accept all certificates)
Outgoing (SMTP roaming server) Secure - Port: 587 and Security Type: SSL/TLS (Accept all certificates)
Outgoing (SMTP) - Port: 25 and Security Type: None (Accept all certificates)
Outgoing (SMTP roaming server) Insecure - Port: 587 and Security Type: None (Accept all certificates)

The webpage specifies to use port 587, so I would start by specifying that port and enabling STARTTLS to connect.

If you're still unable to connect, please send me log files capturing Email activity. Reproduce the error, and reference our documentation at the link below to locate those log files, and attach them to either this forum or an email to support@360works.com. Make sure not to close and restart FileMaker--or restart the fmse if you're running Email on FM Server--as that will clear the log file of statements capturing behavior from the previous session.

http://docs.360works.com/index.php/Plugin_log_files


I've been using 587 with SSL/TLS, and it has worked fine for about two years.
I tried using 465 as you suggest, with no change. I sent the log to Joshua last week, but attach today's version here FYI:

Thanks.

360Plug-ins_FMAdvanced.log


I just installed FMP Adv 13 on the same machine, and it has the same problem, so FMP itself is not the issue.
That narrowed it down to your plugin, Airmail, MacOS, and various anti-virus packages. 

I downloaded the old plugin (2.17) and installed it; same results.
So the plugin itself doesn't appear to be the problem.

As far as I can tell, FileMaker has permission in the MacOS security settings, and BitDefender.
I turned the Mac firewall off, and the error persisted, so the Mac firewall does not seem to be the issue. 
BitDefender allows FileMaker to access the MacOS system, and uses the Mac firewall.


I don't know if this is relevant or not, but my mail host (pair.com) just commented 
"The only thing I can think of is that we recently disabled the TLS1.0 security protocol on all our servers which could be causing the issue."

They are going to try to see what the access log shows at their end.


========Update======
Pair.com responded:
"
Unfortunately, that does appear to be the issue, it is trying to connect 
using the TLS1.0 protocol. This upgrade would have been done anytime over 
the last two months as our server team has been slowly updating them in 
small batches, your server happened to be one of the last ones we updated. 
We can offer you a temporary proxy server that will allow that program to 
connect for the time being until you can upgrade to software that supports 
at least TLS1.1. Just let me know and I will set that up and send you the 
necessary settings. "

==============

So, would that be an issue with Airmail or with your plugin?

Edited by elipsett


Hello,

Our plugins reference Java in a jre instance it downloads onto the computer when it initializes for the first time. The Java/jre version is what determines the TLS protocol the plugin employs to connect to the mail server. Our most current plugins use Java 8 and up, which should connect over TLS 1.2. A reason new plugins would try to connect over older TLS protocols would be due to the mail server's configuration---the mail server itself restricts TLS connections to allow only those of a specified protocol.

According to the log file you sent, Email is making use of jre version 9.0.1, so it should be able to connect via TLS protocol 1.2. Is it possible for you to get their server log files that demonstrate our plugin is only trying to connect using TLS 1.0, and not the more recent protocols? I'd like to verify this behavior to share with our developers since the expected behavior is Email tries TLS 1.2, at least first.

Before requesting those logs, please try connecting to the e-mail server to produce the error, and save our log file as well, so that way we can match the plugin behavior timestamps with those from their logs. When producing the behavior, you can try any combination of connection you like, but certainly get one where you specify port 587 and enable STARTTLS, and another where you specify port 465 and enable SSL.

Did you create your Pair server web account prior to June 1, 2011? If so, it looks like their e-mail server connectivity follows a different set of rules (https://www.pair.com/support/kb/smtp-service-at-pair-networks/).

It looks like you tried connecting to your mail server over port 465 at some point, and had all the security options enabled. Could you try setting only ssl to true, and specify only the domain portion---no port--- of the address? This should default to port 465 anyway with SSL enabled, but I'd like to see how that combination performs, since Pair should allow SSL connections, as well. Please send me the log file capturing this behavior. It can be the log file that I already suggested you generate and grab for me.

Let me know if you have any questions.


Thanks.
I just tried several options you suggested, from 13:25-13:28 April 30 Japan time, and have asked Pair to provide their logs; no response yet. The error message on my FileMaker client was the same for all three.


Response from pair below. The log here is about 5 minutes about my test trials, and I'm pretty sure it only reflects the automatic AirMail fetch (IMAP) logins, not the test SMTP logins I ran earlier. I've asked them to try to find the earlier logs. My log is also attached. If it will simplify your life, I certainly have no objection to you emailing Pair support directly.
I can also set up a test email account in that domain so you can fiddle directly, if it helps.
======Response from Pair.com=====
Here is one full log entry (most recent one) from the sales account. You 
can note that it states "TLS" which means it is using the TLS1.0 protocol 
rather than the newer TLS1.2 version. I read that the program is supposed 
to have support for the newer protocol but for some reason it seems to be 
forcing itself to use TLS1.0 instead. Also if you notice right after the 
line where it states that it is using TLS, the next line is it failing to 
connect so I am confident that this is the issue. As for the link they provided 
about account made before 2011, this is just in reference as to what the 
mail server name will be for your account. Our legacy accounts use a 
different naming schema than our newer group hosted accounts. Your account 
is the newer group account so this doesn't apply to your account. One 
positive thing I can say is that your operating system itself DOES support 
TLS1.2 so if there is a way to force the program to always use at least 
TLS1.1 then you should be able to connect fine. Just let us know if you 
need any more log entries or anything to help get this resolved. We do have 
a proxy server that I can setup for you that will allow that program to 
connect however it is only a temporary thing we have in place to give 
customers time to upgrade. 

Apr 30 00:30:32 mail2.g18.pair.com dovecot: imap-login: Login: 
user=<sales@intercomltd.com>, method=PLAIN, rip=219.100.188.64, 
lip=216.92.2.7, mpid=89646, TLS, session=<E6WG3LeHu9HbZLxA> 
Apr 30 00:30:41 mail2.g18.pair.com dovecot: 
imap(sales@intercomltd.com)<89658><2ux83LeHuNHbZLxA>: Connection closed 
(SELECT finished 8.643 secs ago) in=56 out=1579 deleted=0 expunged=0 
trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 
Apr 30 00:30:43 mail2.g18.pair.com dovecot: 
imap(sales@intercomltd.com)<89646><E6WG3LeHu9HbZLxA>: Connection closed 
(SELECT finished 10.038 secs ago) in=56 out=1579 deleted=0 expunged=0 
trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 


If you require any further assistance from us, feel free to contact us anytime, we offer 24/7 support. 

Sincerely, 

Bob 
pair Networks, Inc. 
support@pair.com 

360Plug-ins_FMAdvanced.log

Edited by elipsett


Just in from pair.com:

Interestingly enough, on this log entry for that time it says that you ARE 
connecting via TLS1.2, however I saw other log entries still saying TLS1.0. 
I assume you are trying to connect using various different methods i.e. 
phone, mail client, this program, webmail etc.? 

Apr 30 00:24:31 mail2.g18.pair.com dovecot: imap-login: Login: 
user=<sales@intercomltd.com>, method=PLAIN, rip=219.100.188.64, 
lip=216.92.2.7, mpid=88411, TLS, session=<MW0Cx7eHEdHbZLxA> 
Apr 30 00:24:31 mail2.g18.pair.com dovecot: auth: Debug: client in: AUTH  
103720 PLAIN service=imap secured=tls session=NjMFx7eHFtHbZLxA  
lip=216.92.2.7 rip=219.100.188.64 lport=993 rport=53526  
local_name=kiyomasa.mail.pairserver.com 
ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384 ssl_cipher_bits=256  
ssl_pfs=ECDH ssl_protocol=TLSv1.2 

Note on this log line how it specifies TLSv1.2. Thoughts on setting up the 
proxy server to see if that allows it to connect that way we can be 100 
percent sure that it is not related to this change? There is no harm/cost 
in setting this up then you will just have to plug in a different host name 
and see if it connects. However setting that up does take about an hour for 
DNS to resolve so just let me know if you'd be interested in trying this. 


Additional email from pair.com. Since I sent no email from sales@ directly, this must have been from 360Works>Airmail.
===================
I managed to find another piece of evidence that shows the TLS error from 
the other log which is for outgoing side of things. 

Apr 30 00:27:33 mail2.g18.pair.com postfix-out/smtpd[89439]: connect from 64-188-100-219.extride.ad.jp[219.100.188.64]
Apr 30 00:27:33 mail2.g18.pair.com postfix-out/smtpd[89439]: SSL_accept error from 64-188-100-219.extride.ad.jp[219.100.188.64]: -1
Apr 30 00:27:33 mail2.g18.pair.com postfix-out/smtpd[89439]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:643:

If you look at the log entry, this is your IP trying to connect to the 
outgoing server and is throwing the SSL23 error which is indicative of whichever program this 
connection is from (it does not specify). So I can say for sure that 
something here is trying to connect using the TLS1.0 protocol.
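
Added example (not part of any post in this thread, and not code from 360Works or pair): a Python pass over the dovecot and postfix entries quoted above that groups them by client IP and records, per service, either the negotiated protocol or the handshake failure. The function name `summarize` is hypothetical, the sample is the thread's entries unwrapped onto single lines, and the code assumes that only the `ssl_protocol=` field names a TLS version while the bare `TLS` flag on a login line just marks the session as encrypted.

```python
import re
from collections import defaultdict

# Constructed sample: log entries quoted in the thread, each unwrapped onto one line.
SAMPLE = """\
Apr 30 00:24:31 mail2.g18.pair.com dovecot: imap-login: Login: user=<sales@intercomltd.com>, method=PLAIN, rip=219.100.188.64, lip=216.92.2.7, mpid=88411, TLS, session=<MW0Cx7eHEdHbZLxA>
Apr 30 00:24:31 mail2.g18.pair.com dovecot: auth: Debug: client in: AUTH 103720 PLAIN service=imap secured=tls session=NjMFx7eHFtHbZLxA lip=216.92.2.7 rip=219.100.188.64 lport=993 rport=53526 local_name=kiyomasa.mail.pairserver.com ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384 ssl_cipher_bits=256 ssl_pfs=ECDH ssl_protocol=TLSv1.2
Apr 30 00:27:33 mail2.g18.pair.com postfix-out/smtpd[89439]: connect from 64-188-100-219.extride.ad.jp[219.100.188.64]
Apr 30 00:27:33 mail2.g18.pair.com postfix-out/smtpd[89439]: SSL_accept error from 64-188-100-219.extride.ad.jp[219.100.188.64]: -1
Apr 30 00:27:33 mail2.g18.pair.com postfix-out/smtpd[89439]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:643:
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ ([\w/-]+)(?:\[(\d+)\])?: (.*)$")

def summarize(log_text):
    """Return {client_ip: [(time, service, outcome), ...]} in log order."""
    out = defaultdict(list)
    smtpd_peer = {}  # postfix smtpd pid -> client IP of its current connection
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, prog, pid, msg = m.groups()
        if prog == "dovecot":
            rip = re.search(r"\brip=([\d.]+)", msg)
            proto = re.search(r"\bssl_protocol=(\S+)", msg)
            svc = re.search(r"\bservice=(\w+)", msg)
            if rip and proto:  # only this field names the negotiated version
                out[rip.group(1)].append((ts, svc.group(1) if svc else "?", proto.group(1)))
            elif rip and msg.startswith("imap-login: Login:") and ", TLS," in msg:
                # Assumption: the bare TLS flag means "encrypted", not a version.
                out[rip.group(1)].append((ts, "imap", "encrypted, version not logged"))
        elif prog.endswith("/smtpd"):
            peer = re.match(r"(?:connect|SSL_accept error) from \S+\[([\d.]+)\]", msg)
            reason = re.search(r"TLS library problem: error:\w+:[^:]*:[^:]*:([^:]+):", msg)
            if peer:
                smtpd_peer[pid] = peer.group(1)
                if msg.startswith("SSL_accept error"):
                    out[peer.group(1)].append((ts, "smtp", "handshake failed"))
            elif reason and out.get(smtpd_peer.get(pid)):
                events = out[smtpd_peer[pid]]
                if events[-1][2] == "handshake failed":  # attach OpenSSL's reason text
                    events[-1] = (ts, "smtp", "handshake failed: " + reason.group(1))
    return dict(out)

if __name__ == "__main__":
    for ip, events in summarize(SAMPLE).items():
        for ts, service, outcome in events:
            print(ip, ts, service, outcome)
```

On these entries the IMAP session at 00:24:31 is the only one with a logged version, and the SMTP failure at 00:27:33 carries OpenSSL's reason text but no protocol version.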


Hello,

I just sent you an e-mail through the support ticket you initiated with our support service. I sent you an e-mail through our support service because I requested your e-mail creds for testing on our end. If you did not receive it, please send me an e-mail at support@360works.com with those creds. I've run some openssl tests, and confirmed that kiyomasa.mail.pairserver.com:587 will only allow TLSv1.2 and TLSv1.1. I'm not certain why TLSv1 is ever getting used.

Your logs indicate SMTP connections, but the log snippets pair server sent you are mostly for IMAP. If their logs are a bottleneck, meaning we can't get more information than they snip into an e-mail, could you please send me logs capturing activity that matches whatever activity captured in the logs they send you?

I tried connecting to the mail server via openssl command over a connection that didn't use TLS protocols 1.2 or 1.1, and I didn't get the same connection report as if I had connected using those protocols. It still said 'Connected', but no other details beyond that, so I can't confirm if SSLv3 is enabled on that server. Could you try connecting using only the STARTTLS and ForceTrust (do not select SSL) secure connection parameters? I see in the logs that you tried enabling all three, and that failed. Enabling SSL may prevent Email from establishing a connection over TLS.

Let me know how that goes. I'll also keep an eye out for your reply e-mail in our support service.

  • Like 1


Hi Edward,

Thank you for sending me test credentials to use.

I produced a SocketException using Email 3.1 (from the store), in FileMaker 17 on Mac High Sierra. I then used Email 3.108, a developer build, and was able to successfully establish connections to the email server.

Using our demo solution that comes with the plugin download, I was able to establish a connection to both the SMTP and IMAP servers, and I could send an e-mail from FileMaker, and pull e-mails into FileMaker. I used the following settings.

SMTP (settings from https://www.pair.com/support/kb/smtp-service-at-pair-networks/)
kiyomasa.mail.pairserver.com:587
STARTTLS enabled

IMAP (https://www.pair.com/support/kb/e-mail-encryption/)
kiyomasa.mail.pairserver.com:143
STARTTLS enabled

Please download our most recent build from the link below and let me know if you can establish a connection with your mail server.

http://sc.360works.com/SuperContainer/RawData/pro/360/plugins/email/latest

