Closed herbdool closed 6 years ago
I've made a PR https://github.com/backdrop-contrib/smtp/pull/10
The D7 maintainer used a "stripped-down" version of the PHPMailer library, which he claims is not vulnerable to security issues of the full library. See https://www.drupal.org/node/2711559. But it still sounds like a crazy approach given that this old version now doesn't work with TLS.
From what I understand we might want to keep this branch on 5.2.x so it works with older version of PHP. However, there have been attempts to bump it up to 6.x https://www.drupal.org/project/smtp/issues/2295773.
I agree with the suggested approach of just having one smtp module so it'll be good to keep this similar to the PHPMailer module (which so far has no release) so we can remove the latter.
If we want to be conservative we could put this PR into a new branch for SMTP and instead patch the current version with https://www.drupal.org/files/issues/2018-07-26/smtp-tlsv1_1-2983132-17.patch. And once the new branch is working well enough, make it official.
@jenlampton @oadaeh
merged.
Sparkpost turned off TLS 1.0 support https://www.sparkpost.com/blog/tls-v1-0-deprecation. Other services are probably also turning off TLS 1.0 support. I think SMTP uses an old, 5.1.x version of PHPMailer. Here's the equivalent Drupal issue: https://www.drupal.org/project/smtp/issues/2983132.
Perhaps use this patch https://www.drupal.org/files/issues/2018-07-26/smtp-tlsv1_1-2983132-17.patch from the thread above.