Problem with the intertele.pl welcome email

Hello and warm greetings, the problem concerns the welcome emails. With the mailbox set up on onet.pl:

smtp.poczta.onet.pl
465
nazwa@onet.pl
nazwa@onet.pl
password

the emails are sent without any problem,

but when I try to set up the intertele.pl outgoing mailbox (which the office has paid for, so it would be proper to use it):

smtp.intertele.pl
465/587 (I tested both options)
nazwa@intertele.pl
nazwa (I also tested "nazwa@intertele.pl"; I saw on the forum that it sometimes helps)
password

after each attempt I deleted the kuip-api pod so that the new mail would "kick in"

the emails will not go out, always with the same error in the kuip-api pod, as if the EZD RP application were setting up ssl/tls/starttls wrongly for the connection to the mail provider, or the other way round:

{“@t”:“2025-06-24T13:25:11.4969536Z”,“@mt”:“Blad podczas wysylania email: “,”@l”:“Error”,“@x”:“MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.\n\nThis usually means that the SSL certificate presented by the server is not trusted by the system for one or more of\nthe following reasons:\n\n1. The server is using a self-signed certificate which cannot be verified.\n2. The local system is missing a Root or Intermediate certificate needed to verify the server’s certificate.\n3. A Certificate Authority CRL server for one or more of the certificates in the chain is temporarily unavailable.\n4. The certificate presented by the server is expired or invalid.\n5. The set of SSL/TLS protocols supported by the client and server do not match.\n6. You are trying to connect to a port which does not support SSL/TLS.\n\nSee MailKit/FAQ.md at master · jstedfast/MailKit · GitHub for possible solutions.\n\n —> System.IO.IOException: Received an unexpected EOF or 0 bytes from the transport stream.\n at System.Net.Security.SslStream.ReceiveHandshakeFrameAsync[TIOAdapter](CancellationToken cancellationToken)\n at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte reAuthenticationData, CancellationToken cancellationToken)\n at MailKit.Net.Smtp.SmtpClient.SslHandshakeAsync(SslStream ssl, String host, CancellationToken cancellationToken)\n at MailKit.Net.Smtp.SmtpClient.ConnectAsync(String host, Int32 port, SecureSocketOptions options, CancellationToken cancellationToken)\n — End of inner exception stack trace —\n at MailKit.Net.Smtp.SmtpClient.ConnectAsync(String host, Int32 port, SecureSocketOptions options, CancellationToken cancellationToken)\n at KUIP.COMMON.Email.MailKitSmtpClient.ConnectAsync()\n at KUIP.COMMON.Email.EmailSender.Send(EmailMessage 
message)”,“@tr”:“ef9a26def6fc63428418688496445037”,“@sp”:“6b292e7e86c19109”,“SourceContext”:“EmailSender”,“ApplicationName”:“KUIP”,“UID”:“root”,“PID”:“system”,“RequestId”:“0HNDJ49NV5AR4:00000005”,“RequestPath”:“/utworz-uzytkownika”,“ConnectionId”:“0HNDJ49NV5AR4”,“MachineName”:“kuip-api-797d98995d-l74qw”,“ExceptionDetail”:{“HelpLink”:“MailKit/FAQ.md at master · jstedfast/MailKit · GitHub error occurred while attempting to establish an SSL or TLS connection.\n\nThis usually means that the SSL certificate presented by the server is not trusted by the system for one or more of\nthe following reasons:\n\n1. The server is using a self-signed certificate which cannot be verified.\n2. The local system is missing a Root or Intermediate certificate needed to verify the server’s certificate.\n3. A Certificate Authority CRL server for one or more of the certificates in the chain is temporarily unavailable.\n4. The certificate presented by the server is expired or invalid.\n5. The set of SSL/TLS protocols supported by the client and server do not match.\n6. You are trying to connect to a port which does not support SSL/TLS.\n\nSee MailKit/FAQ.md at master · jstedfast/MailKit · GitHub for possible solutions.\n”,“Source”:“MailKit”,“TargetSite”:“Void MoveNext()”,“InnerException”:{“Type”:“System.IO.IOException”,“HResult”:-2146232800,“Message”:“Received an unexpected EOF or 0 bytes from the transport stream.”,“Source”:“System.Net.Security”,“TargetSite”:“Void MoveNext()”},“ServerCertificate”:null,“RootCertificateAuthority”:null,“Type”:“MailKit.Security.SslHandshakeException”},“ConsoleLogger”:“true”,“IceHost”:“KUIP”,“InstanceName”:“strzyzow.eu”,“SeqLogger”:“true”}

does anyone have an idea?

In my opinion the problem is that the connection is attempted using TLS 1.3, and the smtp.intertele.pl server does not support that:

openssl s_client -connect smtp.intertele.pl:587 -tls1_3 -starttls smtp

Connecting to 194.42.120.38
CONNECTED(00000005)
009FF30B02000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 259 bytes and written 1517 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

If the connection were made using TLS 1.2, then it works:

openssl s_client -connect smtp.intertele.pl:587 -tls1_2 -starttls smtp
Connecting to 194.42.120.38
CONNECTED(00000005)
depth=2 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
verify return:1
depth=1 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2
verify return:1
depth=0 CN=*.intertele.pl
verify return:1
---
Certificate chain
 0 s:CN=*.intertele.pl
   i:C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Apr  9 12:11:59 2025 GMT; NotAfter: Apr  9 12:11:58 2026 GMT
 1 s:C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2
   i:C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Sep 11 12:00:00 2014 GMT; NotAfter: Jun  9 10:46:39 2027 GMT
 2 s:C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
   i:C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
   a:PKEY: RSA, 2048 (bit); sigalg: sha1WithRSAEncryption
   v:NotBefore: Oct 22 12:07:37 2008 GMT; NotAfter: Dec 31 12:07:37 2029 GMT
---
Server certificate
subject=CN=*.intertele.pl
issuer=C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pkcs1_sha256
Peer Temp Key: DH, 2048 bits
---
SSL handshake has read 5233 bytes and written 568 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: B304186A0B3D8E103AC0625C2A7B2753D3D6FA691D1C0D7922CF607EF1E9B22C
    Session-ID-ctx: 
    Master-Key: 72F93F6C812BEE3F2AD8479923BBC95EE47AE2446F09E67037D1CF23FB22B6730B4294E6BE454AF7924249F81D872C83
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    Start Time: 1750780964
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 DSN

Though this is a bit of guesswork. The tests would have to be run on the side of the server initiating the connection.
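Added example, not part of the original posts: a POSIX shell helper that repeats the per-version `openssl s_client` test from the reply above and classifies each run from its `New, ..., Cipher is ...` line, since the failed TLS 1.3 run still ends with `Verify return code: 0 (ok)`. The function names, the `implicit` mode for port 465 and the abbreviated sample outputs are assumptions made for this example.

```shell
# Added example. classify_handshake reads `openssl s_client` output on stdin
# and prints "ok <protocol> <cipher>" or "fail <reason>". It keys on the
# "New, ..., Cipher is ..." line, because a handshake that died before any
# certificate arrived still prints "Verify return code: 0 (ok)".
classify_handshake() {
  awk '
    /no peer certificate available/ { nocert = 1 }
    /unexpected eof while reading/  { eof = 1 }
    /^New, / {                      # "New, TLSv1.2, Cipher is <name>"
      split($0, part, ", "); proto = part[2]; cipher = $NF
    }
    END {
      if (proto != "" && proto != "(NONE)" && cipher != "(NONE)" && !nocert) {
        print "ok " proto " " cipher
      } else if (eof) {
        print "fail server closed the connection during the handshake"
      } else {
        print "fail no cipher negotiated"
      }
    }'
}

# Probe host:port once per pinned protocol version (needs network access).
# mode: "starttls" (e.g. port 587) or "implicit" (TLS from the start, port 465).
probe_smtp_tls() {
  host=$1; port=$2; mode=${3:-starttls}
  starttls_args=""
  if [ "$mode" = starttls ]; then starttls_args="-starttls smtp"; fi
  for flag in -tls1_2 -tls1_3; do
    # $starttls_args is unquoted on purpose so that it splits into two words.
    out=$(openssl s_client -connect "$host:$port" $starttls_args "$flag" \
            </dev/null 2>&1 || true)
    printf '%s %s\n' "$flag" "$(printf '%s\n' "$out" | classify_handshake)"
  done
}

# Sample inputs: summary lines abbreviated from the two runs quoted in the thread.
SAMPLE_TLS13='CONNECTED(00000005)
009FF30B02000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
no peer certificate available
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'
SAMPLE_TLS12='CONNECTED(00000005)
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)'

# Usage: sh probe.sh <host> <port> [starttls|implicit]
if [ "$#" -ge 2 ]; then probe_smtp_tls "$@"; fi
```

Run from the host or pod that originates the SMTP connection, the result shows which protocol versions that client can actually complete against the server.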