More info about this.
In the messages that Amazon sent, the list of clients that don't use the proper TLS version according to them includes the EC2 instance's IP address and also my own IP, because last month I used SFS2X v2.13 standalone on a Windows computer running the same code as above to send marketing e-mails, through the same credentials and SES endpoint.
So that's actually 2 different sources not using the right protocol and it might be easier to figure out on Windows what's going on.
My JRE release file on it has:
    JAVA_VERSION="1.8.0_102" OS_NAME="Windows" OS_VERSION="5.2" OS_ARCH="amd64"
(the EC2 server's has:
    JAVA_VERSION="1.8.0_222" OS_NAME="Linux" OS_VERSION="2.6" OS_ARCH="amd64")
Adding these lines of code in the extension program:
    // Imports this fragment needs:
    //   import javax.net.ssl.SSLContext;
    //   import java.security.NoSuchAlgorithmException;
    // "props" is the java.util.Properties object passed to Session.getInstance.
    ext.trace("mail.smtp.ssl.protocols=" + props.get("mail.smtp.ssl.protocols"));
    try {
        // list the protocols the default JSSE provider implements
        ext.trace(String.join(" ", SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
    }
    catch (NoSuchAlgorithmException fff) {
        ext.trace(fff.getMessage());
    }
Prints:
mail.smtp.ssl.protocols=TLSv1.2
SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2
In C:\SmartFoxServer_2X\jre\lib\security\java.security around line 537 there is
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
If I add TLSv1 at the end, then restart the standalone SFS2X app and try to send the e-mail with it, it produces this exception:
14:04:29,398 INFO [pool-1-thread-3] Extensions - {MyExt}: Sending...
14:04:29,584 INFO [pool-1-thread-3] Extensions - {MyExt}: A Messaging Error occurred: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
This exception DOES NOT happen if instead of adding TLSv1 to the disabled algorithms in java.security, I add TLSv1.1 or TLSv1.2. It sends the e-mail successfully in those cases.
So definitely, it still tries to use v1 instead of v1.2 despite the props.put("mail.smtp.ssl.protocols", "TLSv1.2"); line.
There seems to be something in the Java environment not set properly, or I may be using the wrong parameters or port to connect to SES.
Their (Amazon SES) SMTP Settings page says to use this:
--------------
SMTP endpoint:                  email-smtp.us-east-1.amazonaws.com
Transport Layer Security (TLS): Required
STARTTLS Port:                  25, 587 or 2587
Custom SSL client support:      -
TLS Wrapper Port:               465 or 2465
--------------
The code above uses STARTTLS; I connect on port 587. 2587 also works. 25 will time out if I try it.
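Added example (my own code, not from the post above or from SmartFoxServer or JavaMail): it shows the difference between the protocols the JVM merely supports and those it enables by default, and builds the JavaMail property set for SES over STARTTLS. The endpoint and port are the ones quoted in the post; the starttls.required and checkserveridentity settings, the class name and the debug flags are my additions, and javax.mail must be on the classpath.

```java
import java.util.Arrays;
import java.util.Properties;
import javax.mail.Session;
import javax.net.ssl.SSLContext;

public class SesStartTlsCheck {

    /** Distinguishes protocols the JSSE provider implements from those it will offer. */
    public static void dumpJvmTlsState() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "supported" still lists SSLv3 and TLSv1 even when java.security disables them
        System.out.println("supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        // "default" is what a client handshake will actually offer; it reflects
        // jdk.tls.disabledAlgorithms and -Djdk.tls.client.protocols
        System.out.println("default  : "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    /** JavaMail properties for SES over STARTTLS; must be passed to Session.getInstance. */
    public static Properties sesStartTlsProps() {
        Properties props = new Properties();
        props.put("mail.smtp.host", "email-smtp.us-east-1.amazonaws.com"); // endpoint from the post
        props.put("mail.smtp.port", "587");                                 // STARTTLS port from the post
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true"); // fail instead of continuing in plaintext
        // property JavaMail consults for the upgraded socket (verify with the bundled JavaMail version)
        props.put("mail.smtp.ssl.protocols", "TLSv1.2");
        props.put("mail.smtp.ssl.checkserveridentity", "true"); // reject a certificate for another host
        return props;
    }

    public static void main(String[] args) throws Exception {
        dumpJvmTlsState();
        Session session = Session.getInstance(sesStartTlsProps());
        session.setDebug(true); // JavaMail logs the EHLO/STARTTLS exchange to stderr
        // Run with -Djavax.net.debug=ssl:handshake to see the ClientHello version that is really sent.
        System.out.println("configured protocols: " + session.getProperty("mail.smtp.ssl.protocols"));
    }
}
```

If "default" still lists TLSv1 on the affected JVM, the handshake can negotiate it regardless of the JavaMail property; starting the JVM with -Djdk.tls.client.protocols=TLSv1.2 pins the client side without editing java.security.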