PH66548: CSSMTP FAILS TO DELIVER MAIL IF SERVER NOT CONFIGURED TO REQUIRETLS FOR AUTH WITH APAR PH61015

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• CSSMTP should only attempt to secure a connection to a target
  server if either "Secure" is "Yes" in the TargetServer
  configuration statement or a SYSOUT spool file contains the
  "STARTTLS" command.  However, APAR PH61015 causes CSSMTP to
  attempt a TLS handshake if the target server sends
  "AUTH PLAIN" or "AUTH LOGIN" options  in the EHLO reply before
  the TLS connection is not established,
  even if a secure connection is not requested from CSSMTP.
  
  The CSSMTP log (with logLevel set to 127 or 255) shows that
  after the EHLO reply CSSMTP sets the protocol state to
  ML_PR_StartTLS rather than ML_PR_SendMail.  This leads to an
  SIOCTTLSCTL ioctl() failing with errnojr 77B77317
  (JROptNotSupported) because either TTLS is not enabled in the
  TCPIP stack or there is no TTLSRULE that maps to the TCP
  connection.  The mail fails with an "Undeliverable mail" error
  report.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * All users of the IBM Communications Server for z/OS 2.5 and  *
  * 3.1 IP:CSSMTP                                                *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * CSSMTP attempts to do TLS if it receives the AUTH LOGIN or   *
  * PLAIN from the server even if CSSMTP Secure set to "No"  in  *
  * TargetServer statement                                       *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  If the server configured to send AUTH options before
  establishing the TLS connection, CSSMTP attempts  to do TLS even
  if the CSSMTP configuration set to Secure "No".
  

Problem conclusion

• CSSMTP is updated to ignore AUTH PLAIN or LOGIN options and not
  to try TLS, unless AuthEntity is configured in the CSSMTP
  configuration file or either "Secure" is "Yes" in the
  TargetServer configuration statement or a SYSOUT spool file
  contains the "STARTTLS" command
  

Temporary fix

• *********
  * HIPER *
  *********
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UO03305 UO03306 PH66815

Modules/Macros

• EZAMLCON
  

Fix information

• Fixed component name

  TCP/IP MVS

• Fixed component ID

  5655HAL00

Applicable component levels

• R250 PSY UO03305

     UP25/06/07 P F506 ¢

• R310 PSY UO03306

     UP25/06/07 P F506 ¢

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.