fmbiete / Z-Push-contrib

Z-Push fork with changes that I will try to contrib
GNU Affero General Public License v3.0

smtp error with SSL #219

Open PhilPhonic opened 9 years ago

PhilPhonic commented 9 years ago

Hi,

I'm unable to send mails via backend-combined /w imap and smtp. Any ideas regarding this problem?

This is from backend/imap/config.php

$imap_smtp_params = array(
    'host' => 'ssl://smtp.example.com',
    'port' => 465,
    'auth' => true,
    'username' => 'imap_username',
    'password' => 'imap_password',
    'verify_peer' => true,
    'verify_peer_name' => true,
    'allow_self_signed' => true,
    'debug' => true
);

This is my /var/log/mail.log:

Aug 9 17:02:14 example postfix/smtpd[8995]: SSL_accept error from example.com[ip-address]: Connection reset by peer
Aug 9 17:02:14 example postfix/smtpd[8995]: lost connection after CONNECT from example.com[ip-address]
Aug 9 17:02:14 example postfix/smtpd[8995]: disconnect from example.com[ip-address]

This is my z-push.log:

09/08/2015 17:02:14 [ 8951] [WARN] [mail@example.com] /var/www/z-push/include/Net/Socket.php:177 stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (2)
09/08/2015 17:02:14 [ 8951] [WARN] [mail@example.com] /var/www/z-push/include/Net/Socket.php:177 stream_socket_client(): Failed to enable crypto (2)
09/08/2015 17:02:14 [ 8951] [WARN] [mail@example.com] /var/www/z-push/include/Net/Socket.php:177 stream_socket_client(): unable to connect to ssl://smtp.example.com:465 (Unknown error) (2)
09/08/2015 17:02:14 [ 8951] [ERROR] [mail@example.com] Net_Socket error:
09/08/2015 17:02:14 [ 8951] [ERROR] [mail@example.com] Net_SMTP error: Failed to connect socket:
09/08/2015 17:02:14 [ 8951] [ERROR] [mail@example.com] Mail error: Failed to connect to ssl://smtp.example.com:465 [SMTP: (code: -1, response: )]
09/08/2015 17:02:14 [ 8951] [WARN] [mail@example.com] /var/www/z-push/include/Mail/smtp.php:413 Only variable references should be returned by reference (8)
09/08/2015 17:02:14 [ 8951] [INFO] [mail@example.com] StatusException: BackendIMAP->sendMessage(): The email could not be sent - code: 120 - file: /var/www/z-push/backend/imap/imap.php:2446
09/08/2015 17:02:14 [ 8951] [ERROR] [mail@example.com] Net_Socket error: not connected
09/08/2015 17:02:14 [ 8951] [ERROR] [mail@example.com] Net_SMTP error: Failed to write to socket:

fmbiete commented 9 years ago

Your log is showing a certificate verification error. So the problem is a certificate that is not valid or does not match your server name, or a non-trusted CA. Use "verify_peer" => false, "verify_peer_name" => false to bypass it.

PhilPhonic commented 9 years ago

That's weird. I'm quite sure the certificates are valid. Same error with "verify_peer" => false, "verify_peer_name" => false

Does "SSL3_GET_SERVER_CERTIFICATE" mean PHP is trying to use SSL3? Because SSL3 is rejected by my mailserver.

fmbiete commented 9 years ago

That message will also appear when using TLS 1.x, so that shouldn't be a problem.

Try setting either the openssl.cafile or openssl.capath parameters in your php.ini to your CA file. Maybe it's trusted in web browsers but not yet in the system (for example Startcom).

PhilPhonic commented 9 years ago

openssl.cafile is already set. It is a self-signed cert.

//Edit: commented ";openssl.cafile" in php.ini and set "verify_peer" => false, "verify_peer_name" => false in imap/config.php. It works with these settings. I think this is related to the latest PHP update, because it worked a few days ago before I updated PHP.

basbebe commented 8 years ago

I've got quite a similar error:

28/12/2015 20:13:23 [14606] [DEBUG] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] BackendIMAP->sendMessage(): SendingMail with smtp
28/12/2015 20:13:23 [14606] [ WARN] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] /usr/local/www/push/include/Net/Socket.php:177 stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (2)
28/12/2015 20:13:23 [14606] [ WARN] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] /usr/local/www/push/include/Net/Socket.php:177 stream_socket_client(): Failed to enable crypto (2)
28/12/2015 20:13:23 [14606] [ WARN] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] /usr/local/www/push/include/Net/Socket.php:177 stream_socket_client(): unable to connect to ssl://10.0.0.3:587 (Unknown error) (2)
28/12/2015 20:13:23 [14606] [ERROR] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] Net_Socket error: 
28/12/2015 20:13:23 [14606] [ERROR] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] Net_SMTP error: Failed to connect socket: 
28/12/2015 20:13:23 [14606] [ERROR] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] Mail<smtp> error: Failed to connect to ssl://10.0.0.3:587 [SMTP:  (code: -1, response: )]
28/12/2015 20:13:23 [14606] [ WARN] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] /usr/local/www/push/include/Mail/smtp.php:413 Only variable references should be returned by reference (8)
28/12/2015 20:13:23 [14606] [DEBUG] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] BackendIMAP->sendMessage(): send return value 
28/12/2015 20:13:23 [14606] [ INFO] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] StatusException: BackendIMAP->sendMessage(): The email could not be sent - code: 120 - file: /usr/local/www/push/backend/imap/imap.php:2490

My settings:

$imap_smtp_params = array(
    'host' => 'ssl://10.0.0.3',
    'port' => 587,
    'auth' => true,
    'username' => 'imap_username',
    'password' => 'imap_password',
    'localhost' => 'push.zzz.yy',
    'debug' => true,
    'verify_peer' => false,
    'verify_peer_name' => false,
    'allow_self_signed' => true
);

PhilPhonic commented 8 years ago

Is "openssl.cafile" set in your php.ini? I had to remove it to get it to work.

basbebe commented 8 years ago

It was already commented out.

PhilPhonic commented 8 years ago

This message is weird:

28/12/2015 20:13:23 [14606] [ WARN] [xxx@zzz.yy] [vra7la9o317nf6lq0hsookk77k] /usr/local/www/push/include/Net/Socket.php:177 stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (2)

Have you checked if SSL/TLS is configured correctly? You can do this here for example:

basbebe commented 8 years ago

I already checked and everything works as expected. Regular IMAP and SMTP work fine on the server; that's why I expected it to have something to do with Z-Push or my PHP / NGINX setup.

fmbiete commented 8 years ago

@bax- Try to replace "ssl://10.0.0.3" with "sslv3://10.0.0.3" or "tls://10.0.0.3"

I think those errors could happen for various reasons:

morganseznec commented 8 years ago

Hi, like bax I had: "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (2)". I had to replace "ssl://" with "tcp://" to get it to work. tls:// didn't work for me.

basbebe commented 8 years ago

I also had to change it to tcp:// to make it work. I can't say if it is a problem with PHP, openssl or the fact that SMTPS uses STARTTLS. I then had a postfix configuration problem (it didn't offer AUTH to mynetworks) but now everything works as expected.

Thank you!

fmbiete commented 8 years ago

STARTTLS?? That could explain the problem...

STARTTLS uses a TCP/plain connection. From Wikipedia:

"STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection"

You have to use tcp:// for STARTTLS or no encryption at all. You have to use ssl:// for SSL.

Looking at ports, it would be (for SMTP, although it depends on the server configuration):

25 - tcp://
587 - tcp://
465 - ssl://

basbebe commented 8 years ago

@fmbiete exactly. Thanks for the summary. My culprits were the tcp:// and Postfix only allowing auth to external IPs.
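
The two failures in this thread can be told apart from the log alone. The following is an added example, not part of the original thread or of Z-Push: it pairs each OpenSSL error with the connection target logged after it and checks the wrapper against the port mapping given above. The names `triage`, `EXPECTED_SCHEME` and `REASONS` are hypothetical, and the sample log is constructed from the excerpts posted here.

```python
import re

# Port -> PHP stream wrapper, as summarized in the thread (server config may differ).
EXPECTED_SCHEME = {25: "tcp", 587: "tcp", 465: "ssl"}

# OpenSSL reason strings seen in the two logs above, with hints taken from the replies.
REASONS = {
    "certificate verify failed":
        ("cert_verify_failed", "check CA trust (openssl.cafile/openssl.capath) and the certificate name"),
    "unknown protocol":
        ("not_tls_on_connect", "server did not answer with TLS; STARTTLS ports need tcp://"),
}

ERR_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:\w+:([^(]+)")
URL_RE = re.compile(r"unable to connect to (\w+)://([^:\s]+):(\d+)")

# Constructed sample, modeled on the z-push.log excerpts in this thread.
SAMPLE_LOG = """\
09/08/2015 17:02:14 [ 8951] [WARN] [user@example.com] Socket.php:177 stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (2)
09/08/2015 17:02:14 [ 8951] [WARN] [user@example.com] Socket.php:177 stream_socket_client(): unable to connect to ssl://smtp.example.com:465 (Unknown error) (2)
28/12/2015 20:13:23 [14606] [ WARN] [user@example.com] Socket.php:177 stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (2)
28/12/2015 20:13:23 [14606] [ WARN] [user@example.com] Socket.php:177 stream_socket_client(): unable to connect to ssl://10.0.0.3:587 (Unknown error) (2)
"""


def triage(log_text):
    """Pair each OpenSSL error with the connection target that follows it."""
    findings, reason = [], ("unknown", "")
    for line in log_text.splitlines():
        err = ERR_RE.search(line)
        if err:  # the error text may share a line with the warning or follow it
            reason = REASONS.get(err.group(1).strip(), ("other", ""))
        url = URL_RE.search(line)
        if url:
            scheme, host, port = url.group(1), url.group(2), int(url.group(3))
            expected = EXPECTED_SCHEME.get(port)
            findings.append({
                "target": f"{scheme}://{host}:{port}",
                "reason": reason[0],
                "hint": reason[1],
                "scheme_mismatch": expected is not None and scheme != expected,
                "expected_scheme": expected,
            })
            reason = ("unknown", "")  # reset for the next connection attempt
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `cert_verify_failed` finding with no scheme mismatch points at the trust store or certificate name, while `not_tls_on_connect` with a mismatch points at the wrapper/port pairing.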