Send Email from OCI Email Delivery Service Through UTL_SMTP

Recently, we had a requirement to implement email notifications from services running in OCI. The customer requested email notifications from the DBCS and Operating systems (RHEL 7.9). In this article, I will explain how we achieved it.

OCI Email Delivery Service

OCI’s Email Delivery Service is a cloud-based, reliable, scalable email-sending service provided by Oracle Cloud Infrastructure (OCI). It is designed to allow applications and users to send large volumes of transactional emails to customers or recipients over the Internet. The service is primarily used for sending notifications, alerts, or transactional emails (such as order confirmations, password resets, or promotional messages). It integrates with various services, such as Oracle databases, and other Oracle cloud services, allowing seamless and secure email sending.

To send an email from an Oracle Database System (DB System) on OCI using the UTL_SMTP package, you need to set up and configure your database to use OCI’s Email Delivery Service.

Below are the steps to achieve this, including enabling SSL for secure communication.

1. Set Up the IAM Policy

A user must be assigned to a group with permission to manage approved senders

Allow group <group name> to use approved senders in compartment <compartment name>

2. Generate SMTP credentials for a User

SMTP credentials are necessary to send emails through Email Delivery. Each user is limited to a maximum of two SMTP credentials.

1. Open the navigation menu. Go to Identity and click Domains. Click on the current domain. Under the Users, locate the user in the list that has permission to manage email, and then click the user's name to view the details.         
2. Under the Resources, click SMTP Credentials.
3. Click Generate SMTP Credentials.
4. Enter a Description of the SMTP Credentials in the dialog box.
5. Click Generate SMTP Credentials. A user name and password is displayed.
6. Copy the user name and password for your records and click Close.

3. Create an Approved Sender

You must set up an approved sender for all “From:” addresses sending mail via Oracle Cloud Infrastructure or mail will be rejected. An approved sender is associated with a compartment and only exists in the region where the approved sender was configured.

1. Go to OCI Console → Developer Services → Application Integration → Email Delivery.
2. Create an approved sender email address under Approved Senders.

Click on the Configuration and note the SMTP Sending Information

4. Configure Oracle Wallet for SSL

If you're sending emails over a secure connection (SSL/TLS), you need to configure an Oracle Wallet that stores the trusted certificates for secure communication.

1. Download the SSL Root and Intermediate Certificates (.crt format) directly from https://www.digicert.com/kb/digicert-root-certificates.htm.

Root Certificate                 - DigiCert Global Root G2

Intermediate Certificate     - DigiCert Global G2 TLS RSA SHA256 2020 CA1

2. Create an auto-login Oracle Wallet

orapki wallet create -wallet /home/oracle/wallet -auto_login

3. Add Certs (Root and Intermediate), downloaded in step 1.  to the Wallet.

 orapki wallet add -wallet /home/oracle/wallet -trusted_cert -cert "/home/oracle /DigiCertGlobalRootCA.crt"

 orapki wallet add -wallet /home/oracle/wallet -trusted_cert -cert "/home/oracle/DigiCertSHA2SecureServerCA.crt"

Verify the Wallet

orapki wallet display -wallet /home/oracle/wallet

You may verify the certs using "echo |openssl s_client -starttls smtp -crlf -showcerts -connect <SMTP Server for e.g smtp.email.ca-toronto-1.oci.oraclecloud.com >:587"

5. Send email through UTL_SMTP

Below is an example PL/SQL block to send an email using UTL_SMTP. It includes authentication and uses SSL/TLS.

6. Configure Mailx to Send Email Through Email Delivery

1. Install mailx: If mailx is not already installed.

sudo yum install mailx -y

2. Configure /etc/mail.rc:

Edit the mailx configuration file /etc/mail.rc to set up the SMTP server and credentials for OCI Email Delivery

           From email address is the one that we registered as an approved sender.

           The smtp-auth-user and smtp-auth-password are the credentials we saved in step 2.

3. Test Sending an Email: Now, test if mailx is properly configured by sending a test email:

Possible errors

If you get an error(s) while running the above PLSQL code, below are the possible causes.

ORA-29024: Certificate validation failure: This error occurs if the SSL certificate isn't trusted by the Oracle Wallet. Ensure the proper CA certificates are imported.

ORA-24263: The certificate of the remote server does not match the target address: This happens if the SSL certificate name doesn’t match the server’s hostname.

1. Missing Trusted Certificate: Oracle does not have the trusted certificate authority (CA) certificate for the SMTP server in its wallet.
2. Expired or Invalid Certificate: The certificate presented by the SMTP server is expired or invalid.
3. Incorrect Wallet Configuration: Oracle's wallet, which stores trusted CA certificates, is misconfigured or missing.
4. DNS Mismatch: The domain name used to connect to the SMTP server does not match the Common Name (CN) or Subject Alternative Name (SAN) in the certificate.
5. SSL/TLS Version Mismatch: The Oracle client is using an incompatible version of SSL/TLS for the SMTP server.
6. Ensure the OCI Email Delivery service has the correct approved sender address.
7. Check for any firewall issues or email service blocks.
8. Verify SMTP credentials.

Summary

By following these steps, you'll be able to send emails securely from your OCI DB system using the UTL_SMTP package, with SSL enabled.