Jenkins SMTP TLS

Question

I'm trying to setup Jenkins to use our company's SMTP server to email build notifications. We are using TLS as the encryption method on port 587. I can not seem to get the email notification to work properly though.

Here is my Hudson.Tasks.Mailer.xml file so you can see my config (I've removed the SMTP auth user and password and changed the smtpHost slightly just in case)

<hudson.tasks.Mailer_-DescriptorImpl>
  <helpRedirect/>
  <defaultSuffix></defaultSuffix>
  <hudsonUrl>http://localhost:8080/</hudsonUrl>
  <smtpAuthUsername></smtpAuthUsername>
  <smtpAuthPassword></smtpAuthPassw$
  <adminAddress></adminAddress>
  <smtpHost>pod#####.outlook.com</smtpHost>
  <useSsl>true</useSsl>
  <smtpPort>587</smtpPort>
  <charset>UTF-8</charset>
</hudson.tasks.Mailer_-DescriptorImpl>

It looks like this is a known issue, from http://issues.hudson-ci.org/browse/HUDSON-2206

I am not very familiar with Apple OS (which is the machine that is running Jenkins) but I thought I could resolve the issue using the workaround mentioned. I wasn't exactly sure where to put that workaround though, so I tried putting it here: /Library/Application Support/Jenkins/jenkins-runner.sh

defaults="defaults read /Library/Preferences/org.jenkins-ci"

war=`$defaults war` || war="/Applications/Jenkins/jenkins.war"

javaArgs="-Dmail.smtp.starttls.enable=\"true\""
heapSize=`$defaults heapSize` && javaArgs="$javaArgs -Xmx${heapSize}"
permGen=`$defaults permGen` && javaArgs="$javaArgs -XX:MaxPermSize=${permGen}"

home=`$defaults JENKINS_HOME` && export JENKINS_HOME="$home"

add_to_args() {
  val=`$defaults $1` && args="$args --${1}=${val}"
}

args=""
add_to_args prefix
add_to_args httpPort
add_to_args httpListenAddress
add_to_args httpsPort
add_to_args httpsListenAddress
add_to_args ajp13Port
add_to_args ajp13ListenAddress

echo "JENKINS_HOME=$JENKINS_HOME"
echo "Jenkins command line for execution"
echo /usr/bin/java $javaArgs -jar "$war" $args
exec /usr/bin/java $javaArgs -jar "$war" $args

That didn't appear to resolve it. I can see that call in the console when Jenkins is started up, but when I try a test configuration email I get the following error:

Failed to send out e-mail

javax.mail.MessagingException: Could not connect to SMTP host: pod#####.outlook.com, port: 587;
nested exception is:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1934)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
at javax.mail.Service.connect(Service.java:317)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at javax.mail.Transport.send0(Transport.java:194)

Any ideas on what else I can try? I've tried switching the email account to use gmail's smtp server and that works fine, but I'd rather have it using our smtp server if I can.

score 26 · Answer 1 · edited Jun 20 '20 at 09:12

enter image description here

Changing the SMTP port from 587 to 465 resolved this issue for me:

SMTP server:               smtp.mandrill.com
Use SMTP Authentication:   true
Use SSL:                   true
SMTP Port:                 465

From what I can tell (disclaimer: I am by no means a Hudson/Jenkins expert) the Hudson/Jenkins email plugin supports SSL encrypted SMTP communication - however this implementation requires that communications are encrypted from the get go.

When connecting on port 587, the server on the other end may expect a STARTTLS command (see this SSL vs TLS vs STARTTLS article). This command is sent using plain-text to 'upgrade' the connection to use SSL/TLS.

Hudson/Jenkins instead attempts to start negotiating SSL on port 587, which is promptly rejected, resulting in the following error:

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

I tried adding the suggested JAVA options "-Dmail.smtp.starttls.enable=true" to enable TLS:

JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true"

Unfortunately this didn't resolve the issue for me.

After changing the port to 465, the SSL negotiation occurred correctly and the communication succeeded.

Hope that helps.

Note: Jenkins email plugin always needs SMTP credentials that are often sender's email credentials when you checkmark "Use SMTP Authentication" option for any "SSL - port 465" or "non SSL - port 587" configuration.

I regret that I have only one upvote to give. What a silly error — Cfreak, Jun 01 '17 at 18:02
to get TLS working Cancel the “Use SSL“, choose the “Test configuration by sending test e-mail” to test. — podarok, Jun 29 '18 at 16:47

score 23 · Answer 2 · answered May 23 '13 at 14:40

23

I had the same issue with Jenkins but mine is installed on Centos rather than Apple OS. I still thought to post the solution here because A) you might be able to make the needed adjustments to the solution and B) Linux & Jenkins users might benefit from this.

Anyhow, find the Jenkins configuration file (in CENTOS its in /etc/sysconfig/jenkins)

In it locate the JENKINS_JAVA_OPTIONS variable and add the following option "-Dmail.smtp.starttls.enable=true" In my case this is what I had before:

JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true"

And this is after;

JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true"

restart Jenkins server (in Linux)

/etc/init.d/jenkins restart

answered May 23 '13 at 14:40

nsof

2,299
1
20
28

5

in Ubuntu, the jenkins configuration file is in /etc/default/jenkins – Stefan Aug 28 '13 at 12:14
2

I tried that I am getting the following error now. - Failed to send out e-mail com.sun.mail.smtp.SMTPSendFailedException: 550 5.7.1 Client does not have permissions to send as this sender at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2057) at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:1862) atcom.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1100)at javax.mail.Transport.send0(Transport.java:195) at javax.mail.Transport.send(Transport.java:124) at hudson.tasks.Mailer$DescriptorImpl.doSendTestMail(Mailer.java:499) – dexterous Nov 26 '13 at 05:27
5

The "Client does not have permissions to send as" bothered me untill I realized that I had not set the "System Admin e-mail address" – espenalb Jul 28 '15 at 10:50

score 12 · Answer 3 · edited Apr 01 '16 at 05:37

12

For Jenkins on Windows

Open jenkins.xml and modify the arguments node

-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -Dmail.smtp.starttls.enable=true -jar "%BASE%\jenkins.war" --httpPort=8080

For smtp.live.com:

Set the SMTP port to 587 and uncheck Use SSL

edited Apr 01 '16 at 05:37

Kory Gill

6,993
1
25
33

answered Feb 03 '14 at 12:15

kaloyan

429
5
4

score 3 · Answer 4 · answered Jan 01 '16 at 04:54

3

Even after setting -Dmail.smtp.starttls.enable=true as mentioned in @nsof's answers in the file /etc/default/jenkins (debian/ubuntu), it did not work for me.

The trick was to set the SMTP port to 587 and uncheck Use SSL as show below, then the email was sent successfully.

answered Jan 01 '16 at 04:54

iTech

18,192
4
57
80

For some reason, that's the only way it worked for me. Jenkins 2.28 + OpenJDK 8 – Rafael Kassner Nov 13 '16 at 09:24
This gives me `javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate` maybe some additional configuration is needed? – zygimantus Sep 04 '19 at 21:30

score 1 · Answer 5 · answered Mar 14 '13 at 08:47

1

Try out the workaround mentioned in the bug itself:

http://issues.hudson-ci.org/browse/HUDSON-2206

In Java:

props.put("mail.smtp.starttls.enable","true");

In Tomcat:

Add JAVA_OPTS=-Dmail.smtp.starttls.enable="true" to tomcat config file.

answered Mar 14 '13 at 08:47

ATOzTOA

34,814
22
96
117

score 0 · Answer 6 · answered Sep 02 '14 at 14:03

Adding -Dmail.smtp.starttls.enable=true as arguments of JAVA_OPTS solved my problem

If your jenkins is running in stand alone mode update JAVA_OPTS in /etc/sysconfig/jenkins If your jenkins is running in tomcat update JAVA_OPTS

catalina.sh for unix
catalina.bat for windows

score 0 · Answer 7 · answered May 04 '17 at 14:11

For Jenkins on Ubuntu 16.04:

1 - Edit the config file:

sudo nano /etc/default/jenkins

2 - Comment out existing JAVA_ARGS, add new one shown below:

#JAVA_ARGS="-Djava.awt.headless=true"
JAVA_ARGS="-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true"

3 - Restart Jenkins

sudo service jenkins restart

score 0 · Answer 8 · answered Nov 07 '17 at 21:27

For Jenkins on Red Hat Enterprise Linux Server release 7.4 (Maipo) edit /etc/sysconfig/jenkins to add

The Jenkins service configuration file requires root access to the machine. In CloudBees Jenkins Enterprise, you can find this file under:

/etc/default/jenkins: location for most of the Linux distributions.
/etc/sysconfig/jenkins: location for RedHat/CentOS distribution.
C:\Program Files\Jenkins\jenkins.xml: default location for Windows

score 0 · Answer 9 · answered Sep 11 '18 at 09:23

0

With Jenkins 2.134 the following worked for me:

JAVA_TOOL_OPTIONS=-Dmail.smtp.starttls.enable=true
Uncheck Use SSL!

answered Sep 11 '18 at 09:23

schnatterer

7,525
7
61
80

score 0 · Answer 10 · answered Jul 16 '19 at 10:06

0

This is the best possible solution in case none of the above solutions work.

https://issues.jenkins-ci.org/browse/JENKINS-47939

answered Jul 16 '19 at 10:06

user11791348

1

1

While your link may contain information relevant to the question, you should always answer directly and add links as a reference/further reading. See https://meta.stackexchange.com/questions/7656/how-do-i-write-a-good-answer-to-a-question – pablo285 Jul 16 '19 at 10:15

score 0 · Answer 11 · answered Jan 13 '21 at 11:42

Following a statement in @user11791348 's answer resolved the issue for me.

The statement was: "It is IMPORTANT to note that BOTH the "E-mail Notification" section User Name AND the "Jenkins Location" section System Admin e-mail address must be valid smtp.office365.com users. If either one is not found in smtp.office365.com, you will get a "Client does not have permissions to send as this sender" error"

So, I configured System Admin e-mail address in Jenkins, Also my Jenkins.xml contains the line:

<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -Djava.awt.headless=true -Dmail.smtp.starttls.enable=true -jar "C:\Program Files\Jenkins\jenkins.war" --httpPort=8080 --webroot="%LocalAppData%\Jenkins\war"</arguments>

Use SSL: Unchecked Use TLS: Unchecked SMTP Port: 587

If you have the **Jenkins Email Extension plugin**, you must set the SMTP `User Name` under both the `Extended E-mail Notification` section and again under `E-mail Notification`. Click **Advanced** under _each_ of these headings and set the various values — MikeOnline, Feb 07 '23 at 04:10

score 0 · Answer 12 · answered Apr 30 '22 at 16:42

If Jenkins is configured as a systemd service, it seems that the $JAVA_OPTS are not picked up from /etc/default/jenkins, but rather from the systemd unit file itself.

On Debian, I edited /lib/systemd/system/jenkins.service and modified the JAVA_OPTS environment variable to the following:

Environment="JAVA_OPTS=-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true"

Then flush systemd and restart the Jenkins service:

sudo systemctl daemon-reload
sudo systemctl restart jenkins

You can verify that the correct options were picked up by navigating to ${JENKINS_BASE_URL}/systemInfo and searching for mail.smtp.starttls.enable

mirekphd · Answer 13 · 2022-10-23T12:56:35.043

0

Fast forward 9 years and no workarounds are needed anymore thanks to Basil Crow.

The E-mail Extension plugin has support for SMTP over TLS and the additional "TLS" configuration checkbox (revealed by clicking on the Advanced button) since v2.83 released in May 2021 (see its release notes). I verified it works with Gmail under latest Jenkins and plugin versions.

edited Oct 23 '22 at 12:56

answered Oct 20 '22 at 06:55

mirekphd

4,799
3
38
59

Jenkins SMTP TLS

13 Answers13

Linked