SMTP without SSL/TLS is not working

Hey there!

I’m trying to setup n8n to work via IMAP and SMTP with our Exchange server. But I can not get it work with via unencrypted SMTP port 25 basic setup.

Allthough I disabled SSL/TLS I get an error

ERROR: 140161915472744:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1922:
Error: 140161915472744:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1922:

I have the same account setup in a PHP project where I can send mails. I have no abillity yet to setup TLS on the server and therefore thought unencrypted SMTP in house is fine anyway.

Any pointers how to resolve this?

P.S. I’m running n8n via the docker image. I thought of passing the --tls-min-v1.0 flag to node but I could not get it to work in the docker image.
https://github.com/nodejs/node/issues/27384#issuecomment-486200711

Edit: I digged into the project and found that it uses nodemailer. I spun up a small project to look into it and I was able to connect to the server when I used the tls.rejectUnauthorized setting set to false

const transport = nodemailer.createTransport({
  host: 'smtp.domain.host',
  port: 25,
  secure: false,
  auth: {
    user: '<user>',
    pass: '<pass>'
  },
  tls: {
    rejectUnauthorized: false
  }
})

transport.verify((error, success) => {
  if (error)
    console.error(error)
  else
    console.log('works?', success)
})

// yields 'works? true

So maybe we could expose this setting to the UI and I’d be adjustable. I could maybe create a PR.

Regards Sebastian

Hello!
Did you test the above code in the same base-docker image? Because I have the feeling that the docker-image n8n depends on could be the problem as it is Alpine Linux (node:12.9.1-alpine) and I think that there were issues at some point.
So make sure you test the above code in the same container or install n8n in a Ubuntu-Node-Container. Just to be sure that your fix actually fixes the problem.

Hey @jan!

Good catch!

I tried the code in the docker image and got this error:

/data/nodemailer # node index.js
[Error: 140212030229352:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1922:
] {
  library: 'SSL routines',
  function: 'ssl_choose_client_version',
  reason: 'unsupported protocol',
  code: 'ESOCKET',
  command: 'CONN'
}

So yeah the error is still there and could mean a much more underlying problem in the base image.

What could I do about that?

Regards Sebastian

Hm you could create your own image. But that is not really a great solution as it would still cause problems for all other users. So I guess I have to do something. Either fix the container somehow (sadly not the slightes idea about Alpine Linux), replace the base container or publish at least a second ubuntu based one.

Willl do the second thing now manually that it at least works for you now. Then will think some more what to do. Will write you once it is available.

Ok, released now an ubuntu image: n8nio/n8n:0.24.0-ubuntu

I managed to get the container running. Now there is no editor in the image so I can not edit the Imap and Email nodes to accept unauthorized certs

What do you mean exactly with there is no “editor in the image”? Because tested the container before pushing and now just again. For me, the editor starts just fine.

Something like Ed, Vim or Nano

I picked this topic up again today. I use the 0.28.0. or to be precise I ran

 docker run -it --rm   --name n8n   -p 5678:5678   n8nio/n8n:0.28.0-ubuntu

I also put the .pem file of our self-signed internal Root CA into the docker image via docker cp ca.pem n8n:/etc/ssl/certs

The update-ca-certificates yields

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.

In the Frontend I now get:

ERROR: unable to verify the first certificate
Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8)
    at Socket.ondata (internal/wrap_js_stream.js:64:22)
    at Socket.emit (events.js:198:13)
    at addChunk (_stream_readable.js:288:12)
    at readableAddChunk (_stream_readable.js:269:11)
    at Socket.Readable.push (_stream_readable.js:224:10)
    at TCP.onStreamRead (internal/stream_base_commons.js:94:17)

Anymore ideas @jan?

Hey once again!

In the Ubuntu image I was able to get it to work with the EmailReadImap and EmailSend nodes.

I set the rejectUnauthorized property on the tls settings for both objects to false. So this should either be solvable via certificates on Ubuntu atleast, right?

// EmailSend.node.js
const transporter = nodemailer_1.createTransport({
            host: credentials.host,
            port: credentials.port,
            secure: credentials.secure,
            auth: {
                user: credentials.user,
                pass: credentials.password,
            },
            tls: {
                rejectUnauthorized: false
            }
        });
        const mailOptions = {
            from: fromEmail,
            to: toEmail,
            cc: ccEmail,
            subject,
            text,
            html,
        };

// EmailReadImap.node.js
 const config = {
            imap: {
                user: credentials.user,
                password: credentials.password,
                host: credentials.host,
                port: credentials.port,
                tls: credentials.secure,
                // autoTls: 'required',
                tlsOptions: {
                        rejectUnauthorized: false
                },
                authTimeout: 5000
            },
            onmail: async () => {
                const returnData = await getNewEmails(connection);
                if (returnData.length) {
                    this.emit([returnData]);
                }
            },
        };
        connection = await imap_simple_1.connect(config);

Thanks for the update! I will try to release a version of n8n later in the day which allows setting that options on the node (like on the HTTP Request Node).

Is it possible to save the attachments from the imap node?

Can you please create a separate question for that. It is never good to mix not related questions. It makes the current one more confusing and also causes the problem that the new question will not be found by other users in the future.

Ok released [email protected] which has now an additional option to ignore SSL cert issues.

Hello Jan!

I tried setting this up once more and only got it working with the ubuntu Docker image n8n:0.29.0-ubuntu.

Since I am also struggling with Read/Write/Save attachments from EmailReadImap
Could you release a 0.31.0-ubuntu docker image also?

Regards Sebastian

Ah yes sorry! Really have to automate that. Is still manually right now so I forgot.

Is released.

same problem
ERROR: unable to get local issuer certificate
Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
at TLSSocket.emit (events.js:310:20)
at TLSSocket._finishInit (_tls_wrap.js:917:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12)

docker n8nio/n8n:0.74.0-ubuntu

try t send email via non-tls smtp server on 25 port

We have the same issue

Hey @EnCz!

Are you using the latest version of n8n? Did you try the Ignore SSL Issues option?

Screenshot 2021-07-07 at 4.17.40 PM451×963 29 KB

yea we just installed the latest version today and I have the option unchecked.

When I activate the SSL/TLS option I get this:

image1149×331 25.2 KB

(Basically the reason why I disabled SSL in the first place)

I need to check if there’s something else wrong (network-wise, maybe our docker container can’t connnect to our mail server) but our rocketchat instance works with the exact same credentials (and disabled ssl).

And did you try the option SSL option in the credentials?