Clarity

Looking to integrate clarity to a secure smtp (ie. startTLS) service. So far there not much documentation and CSA does not provided options to enable secure smtp.

Has anyone been able to config clarity with secure smtp service ?

Best guess – not supported. I look at how the jelly email tag is coded and I am assuming that the gel email tag follows the same logic.

The jelly email tag builds up a properties object base off the attributes configure on that email tag and there isn’t an attribute for mail.smtp.starttls.enable (along with the needed mail.smtp.socketFactory properties).

My assumption is that the same thing happens within the gel email tag except it builds the properties object off the values in the properties.xml file.

So if you are trying to email within a gel script, you could invoke necessary javax.mail classes to use StartTLS.  Here is a post that uses javax.mail to send an outlook invite but it will give you the idea of setting up the properties object where you would add the mail.smtp.starttls.enable to true.

https://communities.ca.com/thread/241694180

Another option (if not OnDemand) is you could setup a small email server on the same host as PPM that provides a store a forward queue.  PPM sends the email to the local email server (the local server just forwards email and doesn’t except any request from outside - firewall inbound port 25/465 to just the localhost).  In the forward configuration setup your TLS to the correct email host.

V/r,

Gene

Thanks Gene,  CA support confirmed that secure smtp is not supported. Since my is on-prem, I'm going to give stunnel a try to handle the TLS and port redirection.

Kim

If you get it to work (thanks for pointing out stunnel -- look like a nice toolbox addition), can you let me know.  We are moving to a way tighter security environment in the future and I am sure I am going to face this same problem.

Thanks,

Gene

Gene, I got stunnel installed and working, as getting it connected to clarity is another issue.

The setup of stunnel was bit tricky on linux compared to windows but doable on linux.  As the windows version will provision the self-signed cert for you and give you examples of stunnel config. Below is a simple stunnel config that I'm using and is configured to listen on 127.0.0.1 on port 2525 and for the reason it's using 2525 is due to a sendmail is configured to port 25 already. (which is a different issue)

========stunnel.conf============

cert = /etc/stunnel/stunnel.pem

debug = 3

client = yes

output = /etc/stunnel/stunnel.log

sslVersion = all

[smtp]

accept = 127.0.0.1:2525

protocol = smtp

connect = securesmtp.xxxxx.xx:587

========stunnel.conf============

To verify stunnel is redirecting/connection to the secure email system, you can telnet to the 127.0.0.1 over port 2525 to receive  the smtp welcome message. additionally I also use a simple email script that connect to 127.0.0.1 over port 2525 and to sent myself an email to verify.

Setup Clairty to the local stunnel service, however Clarity is hard coded to use port 25, which in my case is used for sendmail for other application. So my options are setup stunnel on another server or look into getting another ip and bind stunnel to that ip only. So that will look into that before I can fully test clarity.

Side Note: other issue I might run into is email spoofing. I've notice that some of the Clairty email notification are composing email using the username email setting as the "From Address field". My service does not allow email spoofing and will reject the email. I'll need to investigate this further but there must be a way to change the Clarity Jobs it to use the CSA default email settings value as the "From email address"

Kim