Email errors when using Jenkins only

Good day, I hope this finds you well. I am fairly new to Jenkins I am struggling to figure out an issue with email needing to be sent by my script in Jenkins. The script need to perform a few tasks and then send an email to the user or set of users with the console output of the events.

Everything seems to be working quite well besides the email portion. I am using the email extension plugin and have configured the mail to make use of the local postfix mail server which uses a smarthost for sending emails. when I select the test email option, it passes and I get the test email. When I send mails from local os scripts or other tests from the OS then the mails go through without any issues. However, when I try to send the email from the pipeline using the mailext option , it shows in the console that it is successful, however on postfix side I get the following error and mails are not received. `warning: TLS library problem: error:0A000416:SSL routines::sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1599:SSL alert number 46`

This issue only seems to be happening when trying to send email via the pipeline using the mailext option (I need to attach the build logs to the mail). Does anybody perhaps know what I can look at to get this resolved ? I have tried using the letsencrypt certificates as well, however as this is configured for the nginx proxy, it breaks the mails completely.

Jenkins: 2.516.3
OS: Linux - 6.8.0-83-generic
Java: 17.0.16 - Ubuntu (OpenJDK 64-Bit Server VM)
analysis-model-api:13.8.0-902.v26f80296f743

ant:518.v8d8dc7945eca_

antisamy-markup-formatter:173.v680e3a_b_69ff3

apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83

apache-httpcomponents-client-5-api:5.5-166.v870a_96374f91

asm-api:9.8-163.vb_2a_96d3f9c3c

bootstrap5-api:5.3.8-876.vb_c62a_27d9a_77

bouncycastle-api:2.30.1.81-264.v95c79c0e772c

branch-api:2.1244.vf95c81f1641c

build-timeout:1.38

caffeine-api:3.2.2-178.v353b_8428ed56

checks-api:373.vfe7645102093

cloudbees-folder:6.1040.v8a_e6330a_54e3

commons-lang3-api:3.18.0-98.v3a_674c06072d

commons-text-api:1.14.0-194.v804a_dc3a_1b_d8

credentials:1447.v4cb_b_539b_5321

credentials-binding:702.vfe613e537e88

dark-theme:574.va_19f05d54df5

data-tables-api:2.3.4-1400.vb_1e3e3c4dfc8

display-url-api:2.217.va_6b_de84cc74b_

durable-task:595.ve87b_f1318d67

echarts-api:6.0.0-1146.v5c8f3b_8f0573

eddsa-api:0.3.0.1-19.vc432d923e5ee

email-ext:1925.v1598902b_58dd

emailext-template:233.v1eb_88fc160b_5

font-awesome-api:7.0.1-859.v128d3a_efb_6e5

forensics-api:3.1754.v2a_6613b_77002

git:5.7.0

git-client:6.4.0

github:1.45.0

github-api:1.330-492.v3941a_032db_2a_

github-branch-source:1864.v411feec5e78e

gradle:2.16.1149.v711b_998b_0532

gson-api:2.13.2-173.va_a_092315913c

instance-identity:203.v15e81a_1b_7a_38

ionicons-api:94.vcc3065403257

jackson2-api:2.20.0-411.v6ef8fdee4fe9

jakarta-activation-api:2.1.3-2

jakarta-mail-api:2.1.3-3

javax-activation-api:1.2.0-8

javax-mail-api:1.6.2-11

jaxb:2.3.9-133.vb_ec76a_73f706

jdk-tool:83.v417146707a_3d

jjwt-api:0.11.5-120.v0268cf544b_89

joda-time-api:2.14.0-149.v1c3ce991d1b_9

jquery3-api:3.7.1-594.vb_3864f326cf0

json-api:20250517-173.v596efb_962a_31

json-path-api:2.9.0-190.veefca_05d5477

jsoup:1.21.2-66.v6ea_38164b_8a_2

junit:1355.v45e2ea_65863c

ldap:780.vcb_33c9a_e4332

mailer:522.va_995fa_cfb_8b_d

matrix-auth:3.2.8

matrix-project:858.vb_b_eb_9a_7ea_99e

metrics:4.2.33-484.v2fcd689980d1

mina-sshd-api-common:2.16.0-167.va_269f38cc024

mina-sshd-api-core:2.16.0-167.va_269f38cc024

okhttp-api:4.11.0-189.v976fa_d3379d6

pam-auth:1.12

pipeline-build-step:571.v08a_fffd4b_0ce

pipeline-github-lib:65.v203688e7727e

pipeline-graph-view:642.v39f37c8e1e70

pipeline-groovy-lib:752.vdddedf804e72

pipeline-input-step:534.v352f0a_e98918

pipeline-milestone-step:138.v78ca_76831a_43

pipeline-model-api:2.2273.v643f36ed9e94

pipeline-model-definition:2.2273.v643f36ed9e94

pipeline-model-extensions:2.2273.v643f36ed9e94

pipeline-stage-step:322.vecffa_99f371c

pipeline-stage-tags-metadata:2.2273.v643f36ed9e94

plain-credentials:199.v9f8e1f741799

plugin-util-api:6.1167.v022176c7e0ca_

prism-api:1.30.0-609.vf0a_df102d9a_f

resource-disposer:0.25

role-strategy:799.v5b_e7b_ecc231e

scm-api:707.v749f968369d4

script-security:1378.vf25626395f49

snakeyaml-api:2.3-125.v4d77857a_b_402

ssh-agent:386.v36cc0c7582f0

ssh-credentials:361.vb_f6760818e8c

ssh-slaves:3.1071.v0d059c7b_c555

sshd:3.374.v19b_d59ce6610

structs:353.v261ea_40a_80fb_

theme-manager:319.v9193461f9671

timestamper:1.30

token-macro:477.vd4f0dc3cb_cf1

trilead-api:2.209.v0e69b_c43c245

variant:70.va_d9f17f859e0

warnings-ng:12.9783.ve1cb_9f060738

workflow-aggregator:608.v67378e9d3db_1

workflow-api:1384.vdc05a_48f535f

workflow-basic-steps:1079.vce64b_a_929c5a_

workflow-cps:4183.v94b_6fd39da_c1

workflow-durable-task-step:1464.v2d3f5c68f84c

workflow-job:1546.v62a_c59c112dd

workflow-multibranch:821.vc3b_4ea_780798

workflow-scm-step:452.vdf1ca_c8d3a_87

workflow-step-api:706.v518c5dcb_24c0

workflow-support:989.va_20a_1a_57710a_

ws-cleanup:0.49

Hello and welcome to this community, @Machiel!

It looks like the issue boils down to a TLS/SSL trust problem between Jenkins (running on Java) and your Postfix smarthost. The interesting bit is that the test email works, but pipeline emails fail, and I guess that’s because the pipeline goes through JavaMail (via the Email Extension plugin), which is stricter about certificates.

Here are a few things you might try:

1. Make sure Jenkins’ Java trusts the certificate

• If your smarthost uses a self-signed cert or an internal CA, Java won’t accept it out of the box.
• You’ll need to import the CA cert into the Java truststore Jenkins is using. For example:

keytool -import -alias mysmarthost \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -file /path/to/ca.crt

(default password is changeit)

Then restart Jenkins so it picks up the change.

2. Double-check your Email Extension plugin settings

• Make sure SMTP host/port/TLS options match exactly what works at the OS level.
• If your smarthost expects STARTTLS, uncheck “Use SSL” and enable “Use TLS” instead.

3. Look at your pipeline config
A minimal example would be:

emailext(
  subject: "Build log",
  body: "See attached log.",
  to: "user@example.com",
  attachLog: true
)

4. If you’re using Let’s Encrypt

• Grab the full certificate chain and make sure the root CA is present in the Java truststore. Sometimes Java needs a little help recognizing the whole chain.

In short: it’s almost always a missing CA cert in the Java truststore. Once you import the right CA and restart Jenkins, your pipeline emails should work just like the test emails.

Here’s a small diagnostic pipeline snippet you should be able to drop into a freestyle or multibranch pipeline to check whether Jenkins (via JavaMail) can actually connect to your SMTP server before a “real” email step runs:

pipeline {
    agent any
    stages {
        stage('Check SMTP') {
            steps {
                script {
                    try {
                        // Try to send a minimal test email
                        emailext(
                            subject: "Jenkins SMTP test",
                            body: "This is a test email sent from Jenkins pipeline at ${new Date()}",
                            to: "your.email@example.com"
                        )
                        echo "✅ SMTP test email sent successfully."
                    } catch (err) {
                        echo "❌ Failed to send SMTP test email."
                        echo "Error: ${err}"
                        error("SMTP connectivity or trust issue detected.")
                    }
                }
            }
        }
    }
}

What this gives you:

• If the email succeeds → you’ll see the “ SMTP test email sent successfully.” message.
• If it fails → you’ll see the full JavaMail error in the build log, which helps confirm whether it’s a truststore/certificate issue or something else (wrong TLS/port/credentials).

Thank you very much for the suggestions.

I tried the setup at first but this still did not work. I figured it must be because it is a self signed cert, so I used the letsencrypt certificate instead and also configured postfix.

Then when testing with tls option enabled, I got an error on test email :
java.security.cert.CertificateException: No subject alternative DNS name matching localhost found

the certificate was for the fqdn so was strange to have received this, then eventually realized I specified localhost as my mail server.

Added an /etc/hosts entry for localhost aliasing it to the fqdn locally and then it was happy again.
Tested email via pipeline and this is now working , thank you.

Well done!
Thanks a lot for the feedback.