SMTP Error

The "Use TLS" setting in FIN does not control whether TLS is enabled or disabled on the actual SMTP server. Instead, it simply reflects the configuration that the user expects to be in place on the SMTP server.

If a user configures the SMTP email settings to receive emails and encounters the error shown below, they should check the recommended solutions to resolve this.

Sample Error Message:

s: 220 J2server.222.com Google ESMTP MAIL Service ready at Mon, 18 Feb 2019 08:23:52 -0500
c: EHLO [192.168.10.10]
s: 250-J2server.222.com Hello [192.168.10.10]
s: 250-SIZE 36700160
s: 250-PIPELINING
s: 250-DSN
s: 250-ENHANCEDSTATUSCODES
s: 250-STARTTLS
s: 250-8BITMIME
s: 250-BINARYMIME
s: 250 CHUNKING
c: STARTTLS
s: 220 2.0.0 SMTP server ready
*** FAILED! ***
sys::IOErr: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  sun.security.ssl.Alerts.getSSLException (Unknown)
  sun.security.ssl.SSLSocketImpl.fatal (Unknown)
  sun.security.ssl.Handshaker.fatalSE (Unknown)
  sun.security.ssl.Handshaker.fatalSE (Unknown)
  sun.security.ssl.ClientHandshaker.serverCertificate (Unknown)
  sun.security.ssl.ClientHandshaker.processMessage (Unknown)
  sun.security.ssl.Handshaker.processLoop (Unknown)
  sun.security.ssl.Handshaker.process_record (Unknown)
  sun.security.ssl.SSLSocketImpl.readRecord (Unknown)
  sun.security.ssl.SSLSocketImpl.performInitialHandshake (Unknown)
  sun.security.ssl.SSLSocketImpl.startHandshake (Unknown)
  sun.security.ssl.SSLSocketImpl.startHandshake (Unknown)
  inet::TcpSocketPeer.makeTls (TcpSocketPeer.java:54)
  inet::TcpSocket.makeTls (TcpSocket.fan)
  email::SmtpClient.open (SmtpClient.fan:102)
  email::SmtpClient.send (SmtpClient.fan:147)
  emailExt::EmailLib.send (EmailLib.fan:126)
  emailExt::EmailLib.send (EmailLib.fan)
  emailExt::EmailLib.emailSendTest (EmailLib.fan:57)
  java.lang.reflect.Method.invoke (Unknown)
  fan.sys.Method.invoke (Method.java:559)
  fan.sys.Method$MethodFunc.callList (Method.java:198)
  fan.sys.Method.callList (Method.java:138)
  proj::FanSysFunc.doCall (SysFunc.fan:112)
  proj::Context.doCall (Context.fan:508)
  37 More...

Breaking down the communication between FIN and SMTP server

Below is the communication between an SMTP server ("s:") and a FIN client ("c:"). If TLS is not enabled or supported, the SMTP server should not attempt to initiate "STARTTLS," as shown in the exchange below.

//FIN server has port open for communication
s: 220 J2server.222.com Google ESMTP MAIL Service ready at Mon, 18 Feb 2019 08:23:52 -0500
//SMTP server says, I'm so and so
c: EHLO [192.168.10.10]
//FIN server says hello
s: 250-J2server.222.com Hello [192.168.10.10]
//SMTP server says hello, setting up for communication channel
s: 250-SIZE 36700160
s: 250-PIPELINING
s: 250-DSN
s: 250-ENHANCEDSTATUSCODES
s: 250-STARTTLS
//SMTP server says I'm starting a secure layer of communication (TLS for this secure channel)
s: 250-8BITMIME
s: 250-BINARYMIME
s: 250 CHUNKING
c: STARTTLS
//FIN server agrees to secure communication
s: 220 2.0.0 SMTP server ready
//SMTP server is ready and extends a handshake
//After this point, the FIN server rejects the handshake because it does not trust the SMTP server—there is no valid, authorized certificate to support the secure communication requested by the SMTP server.

Resolving the error

As shown in the communication exchange above, FIN is not initiating TLS—the SMTP server is. The error occurs because the FIN SMTP client does not trust the SMTP server, which is attempting to establish a secure connection. Specifically, the client cannot find or validate a trusted certificate, resulting in the error:

“unable to find valid certification path to requested target.”

This issue is typically related to how the email server is configured—most likely, it is using a self-signed certificate rather than one issued by a trusted Certificate Authority (CA). Users should consult their IT departments to confirm the server’s setup and certificate configuration.
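
The following Python triage helper is an added example, not part of FIN or the original article. It parses an "s:"/"c:" transcript like the one above, whether pasted one message per line or flattened onto a single line, and reports where the exchange stopped; the function names and stage labels are assumptions made for illustration.

```python
import re

# Constructed sample: the page's error, abridged and flattened onto one line
# the way it is often pasted into a support ticket.
SAMPLE = (
    "s: 220 J2server.222.com Google ESMTP MAIL Service ready "
    "c: EHLO [192.168.10.10] s: 250-J2server.222.com Hello [192.168.10.10] "
    "s: 250-SIZE 36700160 s: 250-STARTTLS s: 250 CHUNKING c: STARTTLS "
    "s: 220 2.0.0 SMTP server ready *** FAILED! *** sys::IOErr: "
    "javax.net.ssl.SSLHandshakeException: sun.security.validator."
    "ValidatorException: PKIX path building failed: unable to find valid "
    "certification path to requested target"
)

def parse_transcript(text):
    """Return ([(side, line), ...], error_text) from an 's:'/'c:' transcript."""
    body, _, error = text.partition("*** FAILED! ***")
    # Works for one-message-per-line and for flattened text alike.
    parts = re.split(r"(?:^|\s)([sc]):\s+", body.strip())
    events = [(parts[i], parts[i + 1].strip())
              for i in range(1, len(parts) - 1, 2)]
    return events, error.strip()

def diagnose(text):
    """Classify the point at which the SMTP/TLS exchange stopped."""
    events, error = parse_transcript(text)
    # EHLO keywords: the server's 250 lines, minus the first (its greeting).
    caps = [(line[4:].split() or [""])[0].upper() for side, line in events
            if side == "s" and re.match(r"250[- ]", line)][1:]
    offered = "STARTTLS" in caps
    idx = next((i for i, (side, line) in enumerate(events)
                if side == "c" and line.upper() == "STARTTLS"), None)
    reply = events[idx + 1][1] if idx is not None and idx + 1 < len(events) else ""
    if not offered:
        stage = "tls-not-offered"
    elif idx is None:
        stage = "tls-not-requested"
    elif not reply.startswith("220"):
        stage = "starttls-refused"
    elif "PKIX path building failed" in error:
        stage = "untrusted-server-certificate"  # the case this page covers
    elif "SSLHandshakeException" in error:
        stage = "tls-handshake-other"
    else:
        stage = "no-tls-error-recorded"
    return {"offered": offered, "requested": idx is not None,
            "server_reply": reply, "stage": stage}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result of "untrusted-server-certificate" corresponds to the error on this page; the other stages point to a different problem than certificate trust.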

Recommended solutions:

  • Use a Trusted Certificate
    Obtain a valid certificate signed by a recognized Certificate Authority and install it on the SMTP server.

  • Use a Self-Signed Certificate
    Create a self-signed certificate and add it manually by following Add a Certificate.

  • Use the Crypto Page to Trust the Server
    If the SMTP server is reachable, you can use the FIN Crypto page to establish trust: Crypto

  • Disable TLS on the SMTP Server (Not Recommended)
    As a last resort, TLS can be disabled on the SMTP server. However, this is not recommended due to the security risks of transmitting emails without encryption.

Add a Certificate

The user can add a certificate manually to their key store.

Finding Java being used and location

This step is helpful if there are multiple versions of Java on the machine in question. This will affect where the certificates are placed.
There are a couple of ways to find this information.
Option 1:

  1. In FIN, go to the Host page.

  2. Navigate to Debug > Diagnostics.

  3. Scroll down to the Java section and find the location in Home.

Option 2:

  1. Stop the FIN service.

  2. Open the Command Prompt as admin.

  3. In the Command Prompt, navigate to the bin folder of FIN.
    Example (use your own version and location): C:\Program Files (x86)\FIN Framework\FIN Framework 5.2.0.1920\bin

  4. Then type fin -version to get the Java version being used and its location from java.home.

Creating a Trusted Certificate

Now the user needs to create the certificate.

  1. The first step is to get the address and port info of where you are trying to connect to. In our example, the IP and port are 10.10.10.107:443

  2. Download the InstallCert.java file and place it in a particular folder such as C:\Working.

  3. Using the command prompt as admin, compile it with this command: javac C:\Working\InstallCert.java
    Note how the java compiler takes the name parameter. It takes the .java file and creates the necessary bytecode class files.

  4. Now run this command with your host info: java -cp C:\Working InstallCert 10.10.10.107:443

  5. If there are multiple certificates, we recommend adding them all. Type "1" when you are asked which certificate you want to save. Then hit the up arrow and run InstallCert again with exactly the same command. Type "2", and repeat the process until all certificates are added. Once done, you should have a "jssecacerts" file in the C:\Working folder.

  6. Place the jssecacerts file in the security folder of the Java installation.
    Following the “Finding Java being used and location” section above, our example would be C:\Program Files\Eclipse Adoptium\jdk-11.0.28.6-hotspot\lib\security

  7. Once this is done, you should be able to connect using the trusted certificates, and the SSL error should go away.