Troubleshooting Certificates In Maileater

Document ID : KB000009880
Last Modified Date : 14/02/2018
Introduction:

Troubleshooting maileater connectivity issues when a TLS connection is enabled can be confusing.  The purpose of this document is to address specific errors that you may encounter, their causes, and how to resolve them.

Environment:
Service Desk Manager 12.9 or 14.1 with any cumulative patch
Maileater configured with TLS
Instructions:

If maileater is not connecting when TLS is enabled, first increase the logging level on maileater to get more details during the connection attempt.  You can do this by running this command on the command line: "pdm_logstat -n pdm_maileater_nxd VERBOSE".  Leave it running long enough to see a string of messages beginning with "pdm_maileater_nxd    5784 TRACE        pdm_maileater_nxd.c   4767 Scheduled Mail Poll has been signalled.", and ending with "pdm_maileater_nxd    5784 ERROR        pdm_maileater_nxd.c   5009 Mailbox 400002 (address@host.com/Inbox) produced error during Mail Poll."  Once this is complete, run "pdm_logstat -n pdm_maileater_nxd" to disable the verbose logging and prevent excessive messages from being written to the logs.  Then look for the following specific errors in the logs to identify the issue that is occurring during the connection:

 

  • pdm_maileater_nxd    5784 ERROR        pdm_maileater_nxd.c   9597 Imap Mail: TLS Connection to POP3 Server: VLAPETOS at Port: 143 failed. Error (15) Failed to find the CA certificate 
    This error indicates that maileater is encountering an issue with the issuer of the TLS certificate.  You can confirm this by running a Wireshark trace between the server where maileater is running and the email server.  You should see entries like this:
    [Image: wireshark CA cert error.JPG]
    Specifically, we expect to see "Server Hello, Certificate, Server Key Exchange, Server Hello Done", but no further messages from the client.  The cause of this issue is described here:
    https://linux.die.net/man/1/verify
    "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
    the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found."
    To resolve this, you should contact the Certificate Authority and ask them to fix the problem with the issuer certificate.

    For reference, here is one example of what a good TLS connection should look like:
    [Image: wireshark CA cert good case.JPG]

  • pdm_maileater_nxd    6884 ERROR        pdm_maileater_nxd.c   9623 Imap Mail:Authentication failed using (Clear): STARTTLS is required.
    This error indicates that maileater cannot find the certificate on the server.  Make sure that the path is short, does not contain spaces, and that there are no security permissions or antivirus programs that are preventing the certificate file from being read.

  • pdm_maileater_nxd    6804 ERROR        pdm_maileater_nxd.c   9623 Imap Mail:Authentication failed using (Clear): Invalid user name or password.
    This indicates that the username or password that was entered for maileater is invalid; it does not indicate a specific issue with TLS.

  • pdm_maileater_nxd    3624 ERROR        pdm_maileater_nxd.c   9597 Imap Mail: TLS Connection to POP3 Server: malma21-U158573 at Port: 143 failed. Error (10) Failure in TLS handshake
    This error indicates that the certificate does not match the certificate that the email server is using.  You need the proper public certificate, and the instructions to obtain it are described below.

 

You can verify that the mail server is set up to use STARTTLS over IMAP using the following command: "openssl s_client -starttls imap -connect email_server:143 -showcerts".  This should produce about a page of output, including the certificate that you need to use with maileater for TLS to function properly.  You can verify that the contents of your certificate file match the output of this command, starting with "-----BEGIN CERTIFICATE-----" and concluding with "-----END CERTIFICATE-----".
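
The comparison described above can be done on the decoded certificate bytes instead of by eye, which avoids false mismatches caused by line endings or line wrapping. This is an added example, not part of the original document or of the product; the function names are hypothetical and the sample data is constructed (arbitrary bytes in PEM armor, not a real certificate).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def pem_fingerprints(text):
    """SHA-256 of the decoded bytes of every PEM certificate in text.

    Decoding first means CRLF endings, re-wrapped lines and surrounding
    s_client chatter do not affect the comparison.
    """
    return [
        hashlib.sha256(
            base64.b64decode("".join(body.split()), validate=True)).hexdigest()
        for body in PEM_RE.findall(text)
    ]


def match_cert_file(cert_file_text, s_client_output):
    """0-based chain positions in the s_client output whose certificate is
    byte-identical to one in the local file; [] means no match."""
    local = set(pem_fingerprints(cert_file_text))
    served = pem_fingerprints(s_client_output)
    return [i for i, fp in enumerate(served) if fp in local]


def _fake_pem(raw, width=64, eol="\n"):
    # Constructed stand-in for a certificate: arbitrary bytes in PEM armor.
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol


LEAF = b"constructed leaf certificate " * 8
ISSUER = b"constructed issuer certificate " * 8
# Constructed s_client-style output: two certificates plus other text.
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = mail.example.test\n" + _fake_pem(LEAF)
    + " 1 s:CN = Example Test CA\n" + _fake_pem(ISSUER) + "---\n")
# The issuer certificate as a local file with CRLF endings, 76-column lines.
SAMPLE_FILE = _fake_pem(ISSUER, width=76, eol="\r\n")

if __name__ == "__main__":
    print(match_cert_file(SAMPLE_FILE, SAMPLE_OUTPUT))
```

With real data, pass the text of the maileater certificate file and the saved output of the openssl command; an empty list means the file holds none of the certificates the server presented.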

 

If you have additional issues that are not addressed in this document, please open a case with CA Support.