Jira Data Center / JRASERVER-78607

Unable to create an outgoing mail server without a username or without a password.


    • Bug
    • Resolution: Unresolved
    • Medium
    • None
    • 9.12.22, 9.12.23, 10.3.2
    • Mail Server

      Issue Summary

      When trying to create an outgoing mail server that does not contain a username or password, the authentication will fail when testing the connection even though the SMTP Mail Server does not require a username and password combination.

      Rather than not attempting auth, Jira attempts auth using fabricated details - the username and password corresponding to the OS level Jira service account name.

      Steps to Reproduce

      Have a mail server that uses EHLO (extended hello), advertises authentication (sends an AUTH header) but doesn't require it to send mail. Steps to replicate this using nc are available in JRASERVER-78939.

      • Configure an outgoing mail server with the parameters below:
        • Service Provider: Custom
        • Protocol: SMTPS
        • Hostname: smtp.gmail.com (or use a custom SMTP Mail Server of your choice)
        • SMTP Port: 465
        • Username: (keep empty)
        • Password: (keep empty)
      • Test the connection  

      Make sure that the Mail Server that you are using does not need a username/password combination to log in.

      Expected Results

      Mail connection test succeeds.

      Actual Results

      Mail server connection fails and cannot be added.

      Note 1

      On further inspection the change password flag is passed in the verify mail server request:

      name: test
      description: test
      from: test@gmail.com
      prefix: Jira
      serviceProvider: custom
      protocol: smtps
      serverName: smtp.gmail.com
      port: 465
      timeout: 10000
      authenticationMethod: password
      username: test@gmail.com
      changePassword: true
      type: smtp
      

       

      This results in a failure when trying to verify the connection, as it expects a password to be provided:

      WRMCB = function(e) {
          var c = console;
          if (c && c.log && c.error) {
              c.log('Error running batched script.');
              c.error(e);
          }
      }
      ;
      try {
          /* module-key = 'com.atlassian.jira.jira-mail-plugin:verifymailserverconnection', location = 'javascript/verifymailserverconnection.js' */
          (k => {
              k.set('admin.mailservers.password.usernamechanged.description', 'You need to provide the new password when changing the username.');
          }
          )(WRM.I18n.km);
          define("jira/mail/email", ["exports", "jquery"], function(c, a) {
              c.dialogInitializer = function() {
                  a("#verifyServer").hide();
                  var b = a("#changePassword");
                  if (0 < b.length) {
                      var d = a("input[name\x3dpassword]").parents("tr").first()
                        , e = a('\x3cdiv class\x3d"fieldDescription" /\x3e').html(AJS.I18n.getText("admin.mailservers.password.usernamechanged.description")).hide().insertAfter(b);
                      b.change(function() {
                          d.toggle(a(this).prop("checked"))
                      }).change();
                      var f = a("#originalUsername").val();
                      a("input[name\x3dusername]").bind("change input", function() {
                          f == a(this).val() ? (b.removeAttr("disabled"),
                          e.hide()) : (b.attr("disabled", "disabled").attr("checked", "checked").change(),
                          e.show())
                      })
                  }
              }
              ;
              c.verifyServerConnection = function(b, d) {
                  a("#verifyServer").show();
                  a("#verifyMessages").hide();
                  document.forms.jiraform.action = d;
                  a(document.forms.jiraform).submit()
              }
              ;
              a(c.dialogInitializer)
          });
          AJS.namespace("JIRA.app.admin.email", null, require("jira/mail/email"));
      } catch (e) {
          WRMCB(e)
      }
      ;
      

      Note 2

      The bug is coming from the Java Mail Library that Jira uses to connect to the Mail Server. Basically, what happens when Jira tests the SMTP server connection is the following:

      • The Java Mail library sends an EHLO command to ask the SMTP server for more information about its capabilities, what it supports, etc.
        EHLO bb3f49c371fa
        
      • The SMTP server responds that it supports the AUTH methods below:
        DEBUG SMTP: Found extension "AUTH", arg "LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH"
        
      • The Java Mail library (used by Jira) sees that the SMTP Mail Server supports AUTH, and tries to authenticate using the Jira Service Account as the username and some password, even though no username/password combination was provided in the Outgoing Mail form. In a lot of cases, jira is used as the service account running Jira, so it will be very common to see "jira" as the user:
        DEBUG SMTP: protocolConnect login, host=smtp.gmail.com, user=jira, password=<non-null>
        DEBUG SMTP: Attempt to authenticate using mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM XOAUTH2
        
      • Ultimately, the login fails because an incorrect username/password is passed while the SMTP mail server was not expecting any.
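
To confirm from mail debug output that an instance is affected, the lines quoted in Note 2 can be scanned for login attempts whose user was never entered in the Outgoing Mail form. This is an added example, not code from Jira or the Java Mail library; the function name, the `configured_users` mapping and the `mail.example.test` log lines are constructed for illustration.

```python
import re

# Line formats taken from the debug output quoted in Note 2.
EXT_RE = re.compile(r'DEBUG SMTP: Found extension "AUTH", arg "([^"]*)"')
LOGIN_RE = re.compile(
    r"DEBUG SMTP: protocolConnect login, host=(?P<host>[^,\s]+), "
    r"user=(?P<user>[^,\s]*), password=(?P<pw><[^>]*>)"
)

# First four lines are quoted from the page; the last two are constructed.
SAMPLE_LOG = """\
EHLO bb3f49c371fa
DEBUG SMTP: Found extension "AUTH", arg "LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH"
DEBUG SMTP: protocolConnect login, host=smtp.gmail.com, user=jira, password=<non-null>
DEBUG SMTP: Attempt to authenticate using mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM XOAUTH2
DEBUG SMTP: Found extension "AUTH", arg "LOGIN PLAIN"
DEBUG SMTP: protocolConnect login, host=mail.example.test, user=notify@example.test, password=<non-null>
""".splitlines()


def find_unconfigured_logins(lines, configured_users):
    """Hypothetical helper: report logins whose user differs from the form.

    configured_users maps SMTP host -> username from the Outgoing Mail form;
    a missing host means the username field was left empty.
    """
    findings, advertised = [], None
    for number, line in enumerate(lines, start=1):
        ext = EXT_RE.search(line)
        if ext:
            advertised = ext.group(1).split()   # AUTH mechanisms the server offered
            continue
        login = LOGIN_RE.search(line)
        if not login:
            continue
        expected = configured_users.get(login["host"], "")
        if login["user"] != expected:
            findings.append({
                "line": number,
                "host": login["host"],
                "sent_user": login["user"],
                "configured_user": expected or None,
                "password_sent": login["pw"] == "<non-null>",
                "server_advertised": advertised or [],
            })
        advertised = None                       # the next connection starts clean
    return findings
```

Called with `SAMPLE_LOG` and `{"mail.example.test": "notify@example.test"}`, it reports only the `user=jira` attempt against smtp.gmail.com.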

      Workaround

      Add the following JVM parameters to your setenv.sh file and then proceed with a restart of Jira (you can find detailed instructions here):

      In case SMTP is used as the protocol in the Outgoing Mail Configuration

      -Dmail.smtp.ehlo=false -Dmail.smtp.auth=false
      

      Notes:

      • mail.smtp.ehlo=false prevents Java from issuing an EHLO command when connecting to the mail system.
      • mail.smtp.auth=false enforces no authentication to your SMTP system.

      In case SMTPS is used as the protocol in the Outgoing Mail Configuration

      -Dmail.smtps.ehlo=false -Dmail.smtps.auth=false 

       
      Note:

      • mail.smtps.ehlo=false prevents Java from issuing an EHLO command when connecting to the mail system.
      • mail.smtps.auth=false enforces no authentication to your SMTP system.

        1. MailServerConfig.png
          160 kB
          Julien Rey

              Unassigned
              Tom Offin (Inactive)
              Votes: 6
              Watchers: 15
