Configure Confluence SMTP with TLS via JNDI for Office 365 Relay

or

How To Fix: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection in Confluence JNDI

I’ve been doing Exchange to Office 365 migrations lately and that means on-premises applications and devices can’t use the local Exchange server to send mail anymore.

Your options are to use the credentials of an Office 365 mailbox to send mail, set up a local SMTP relay, or use a third-party SMTP service.

If you’ve opted to use an Office 365 login to send mail via SMTP, then you must use TLS, so the applications/devices sending mail must support sending mail with TLS on port 587.

This article focuses on Atlassian Confluence but may apply to other Java applications using JNDI to configure mail.

Atlassian Confluence, Secure SMTP, and JNDI

Confluence has no way to set up secure SMTP with SSL or TLS from within the administration, so unfortunately you’re forced to configure Confluence to use a JNDI Location for SMTP. This involves moving around JARs and changing configuration files, which will end up slowing down your upgrades (see my script to make Confluence upgrades easier).

Start with the existing GMail configuration:

Most of what you need is already written for Gmail, but Gmail uses SSL on SMTP, and those exact settings will fail against an SMTP server that starts in plain text and switches to a secure connection with STARTTLS.

If you use it directly, you’ll get an error like you see at the top of the article:

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection

This is because the existing settings include this line:

mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"

That line specifically forces SSL to be used, so you end up sending encrypted data to an SMTP server that is expecting plain text, and it doesn’t know what you’re talking about. The client, in turn, gets a plain-text reply where it expects an SSL handshake, which is what the exception reports.

Removing that line is all you need to do differently aside from changing the SMTP host, port, etc. So if you’ve done those steps, you don’t need what you see below.

Step by Step

The entire process (mostly copied from the above article) goes like this:

  1. Stop Confluence.
  2. Move (don’t copy) activation-1.0.2.jar and mail-1.4.1.jar from <confluence-install>/confluence/WEB-INF/lib to <confluence-install>/lib.
    Note: The version numbers on these jar files may vary, but that should not matter.
    As of Confluence 5.2.3, activation-1.0.2.jar no longer exists, and does not need to be moved or downloaded.
  3. Add the following to your server.xml file found in <confluence-install>/conf/ (add it just before the </Context> tag — This is the modified version for Office 365):
    <Resource name="mail/Office365"
    auth="Container"
    type="javax.mail.Session"
    mail.smtp.host="smtp.office365.com"
    mail.smtp.port="587"
    mail.smtp.auth="true"
    mail.smtp.user="yourUser@example.com"
    password="yourPassword"
    mail.smtp.starttls.enable="true"
    mail.transport.protocol="smtps"
    />
  4. Restart Confluence.
  5. Choose the cog icon at the top right of the screen, then choose Confluence Admin.
  6. Choose Mail Servers.
  7. Choose either Edit an existing configuration, or Add a new SMTP mail server.
  8. Edit the server settings as necessary, and set the JNDI Location as:
    java:comp/env/mail/Office365

    Note that the JNDI Location is case sensitive and must match the resource name specified in server.xml.

  9. Submit, and send a test email.

That should be it!
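The following check is an added example, not code from the original article or from Atlassian. It scans a server.xml fragment for mail sessions that keep the socketFactory line on port 587 (the cause of the SSLException above), and also flags STARTTLS that is enabled but not required and a password stored in clear text. The sample XML, the resource name mail/GmailStyle and the finding names are constructed; mail.smtp.starttls.required is a JavaMail property that the configuration in step 3 does not set.

```python
import xml.etree.ElementTree as ET

SSL_FACTORY = "javax.net.ssl.SSLSocketFactory"

def lint_mail_sessions(xml_text):
    """Return sorted (resource name, finding) pairs for javax.mail.Session resources."""
    findings = set()
    for res in ET.fromstring(xml_text).iter("Resource"):
        if res.get("type") != "javax.mail.Session":
            continue  # ignore data sources and other JNDI resources
        name = res.get("name", "<unnamed>")
        on_587 = res.get("mail.smtp.port") == "587"
        starttls = res.get("mail.smtp.starttls.enable") == "true"
        # The failure this article fixes: an SSL handshake is sent to a port
        # that greets in plain text and only upgrades after STARTTLS.
        if on_587 and res.get("mail.smtp.socketFactory.class") == SSL_FACTORY:
            findings.add((name, "implicit-ssl-on-starttls-port"))
        if on_587 and not starttls:
            findings.add((name, "starttls-not-enabled"))
        # starttls.enable alone is opportunistic: JavaMail carries on without
        # TLS if the server does not offer STARTTLS.
        if starttls and res.get("mail.smtp.starttls.required") != "true":
            findings.add((name, "starttls-not-required"))
        # server.xml holds the mailbox password as-is; restrict who can read it.
        if res.get("password"):
            findings.add((name, "cleartext-password-in-server-xml"))
    return sorted(findings)

# Constructed sample: a Gmail-style resource pointed at Office 365 unchanged,
# the article's resource with starttls.required added, and an unrelated resource.
SAMPLE = """<Context>
  <Resource name="mail/GmailStyle" auth="Container" type="javax.mail.Session"
            mail.smtp.host="smtp.office365.com" mail.smtp.port="587"
            mail.smtp.auth="true" mail.smtp.user="yourUser@example.com"
            password="yourPassword" mail.smtp.starttls.enable="true"
            mail.transport.protocol="smtps"
            mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"/>
  <Resource name="mail/Office365" auth="Container" type="javax.mail.Session"
            mail.smtp.host="smtp.office365.com" mail.smtp.port="587"
            mail.smtp.auth="true" mail.smtp.user="yourUser@example.com"
            password="yourPassword" mail.smtp.starttls.enable="true"
            mail.smtp.starttls.required="true" mail.transport.protocol="smtps"/>
  <Resource name="jdbc/confluence" type="javax.sql.DataSource" password="x"/>
</Context>"""

if __name__ == "__main__":
    for name, finding in lint_mail_sessions(SAMPLE):
        print(f"{name}: {finding}")
```

To check a real installation, pass the contents of <confluence-install>/conf/server.xml to lint_mail_sessions instead of SAMPLE.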

Using this info for a different application? Please tell me!

If you found this useful for something other than Confluence, I’m interested in hearing about it and probably listing it in the article.

 

Comments

  1. Dear,
    Thank you for your post, but unfortunately, it doesn’t work for me.
    Do you have any other idea?
    Regards.

    • Hi Jesús,

      Are you trying to send through Office 365 or through a different SMTP server with TLS?

      Can you post your version of the tag that I show in step 3?

      • Hi Brian,

        I’m trying to send it through Office 365. My Confluence version is 5.4.
        Here you have my own version:

        Thanks.

        • <Resource name="mail/Office365"
          auth="Container"
          type="javax.mail.Session"
          mail.smtp.host="smtp.office365.com"
          mail.smtp.port="587"
          mail.smtp.auth="true"
          mail.smtp.user="********@siotic.net"
          password="**********"
          mail.smtp.starttls.enable="true"
          mail.transport.protocol="smtps"
          />

          • Well that all looks right. One thing I noticed is that the domain siotic.net doesn’t quite match the domain of your email address (visible to me but not on this page). If you have multiple accepted domains, there is a chance that for login purposes, Office 365 will only accept the primary domain set for that user.

            So if that user happens to be set using @siotic.onmicrosoft.com (for example), then @siotic.net may not work. The place where you set this is in the Office 365 Admin (rather than the Exchange admin), under Details for a particular user. Next to the User name box is a drop down that lets you select the domain.

            This is separate from setting the SMTP reply address for the recipient in Exchange admin.

            If this isn’t the issue, then I would suggest looking at the logs from Confluence to get a better idea of what’s happening.

            Also of note, the instance where I’m using this configuration is running 5.1.2; we’re not up to 5.4 yet so maybe something changed.

            I’m interested in seeing what you find in the logs, or what the solution is if you end up fixing it.

  2. Hi Brian,
    As far as I know, it is not a problem of the domain. I have the same email address configured in my Jira smtp server, and it is working perfectly.
    At Confluence version 5.4, I can see that some things have been changed, for example, you can’t move the 2 jar files (activation…jar and mail…jar) because they don’t exist.
    Related to the logs, I have been trying to review them, but I don’t know how to do it. At catalina.out I can’t see anything. Do you know for which classes I must change the log level?
    Thanks & Regards.

    • It’s good to know that it’s working in JIRA. Maybe Mail-x.x.x.jar is required for this functionality (this is just a guess, not tested)? Could you take a copy of that .jar from an older install and see if that helps it?

      There are several logs for Confluence, and actually I’m not sure which is the right one to look at. I’ll see if I can find out tomorrow.

  3. I did the same config:
    props.put("mail.transport.protocol", "smtp");
    props.put("mail.smtp.starttls.enable", "true");
    props.put("mail.smtp.port", 587);
    props.put("mail.smtp.host", "smtp.office365.com");
    props.put("mail.smtp.auth", "true");

    But I have this error:
    com.sun.mail.smtp.SMTPSendFailedException: 550 5.7.1 Client does not have permissions to send as this sender
    at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:1668)
    at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:1473)
    at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:738)

    • Make sure that the user (mail.smtp.user) has a mailbox on Office 365. Shared mailboxes/public folders cannot send mail through SMTP; it has to be an actual licensed user.

      If that’s not the issue, let me know.
