salesagility / SuiteCRM

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0
4.55k stars 2.1k forks source link

I can't send emails with TLS #2807

Open Jonatanestam opened 7 years ago

Jonatanestam commented 7 years ago

Issue

Hello. SuiteCRM can't send emails when TLS is on. I use my own SMTP server. Perhaps that the problem isn't my server config, because I able to send mails with Outlook, Android (default mail app) and iOs (default mail app). When TLS is off all works fine.

Expected Behavior

Send mails when TLS is on.

Actual Behavior

SuiteCRM error. Error:SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

Mail log using SSL

  1. setting up TLS connection from localhost.localdomain[127.0.0.1]
  2. TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
  3. SSL_accept:before/accept initialization
  4. SSL_accept:SSLv3 read client hello A
  5. SSL_accept:SSLv3 write server hello A
  6. SSL_accept:SSLv3 write certificate A
  7. SSL_accept:SSLv3 write key exchange A
  8. SSL_accept:SSLv3 write server done A
  9. SSL_accept:SSLv3 flush data
  10. SSL_accept:SSLv3 read client key exchange A
  11. SSL_accept:SSLv3 read finished A
  12. SSL_accept:SSLv3 write session ticket A
  13. SSL_accept:SSLv3 write change cipher spec A
  14. SSL_accept:SSLv3 write finished A
  15. SSL_accept:SSLv3 flush data
  16. Anonymous TLS connection established from localhost.localdomain
  17. TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
  18. lost connection after STARTTLS from localhost.localdomain
  19. disconnect from localhost.localdomain[127.0.0.1]
  20. TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"

Mail log using TLS

  1. setting up TLS connection from localhost.localdomain[127.0.0.1]
  2. AAC localhost.localdomain[127.0.0.1]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
  3. AAC SSL_accept:before/accept initialization
  4. AAC SSL_accept:SSLv3 read client hello A
  5. AAC SSL_accept:SSLv3 write server hello A
  6. AAC write to 7F970B9B9050 [7F970B9D9C50] (4096 bytes => 4096 (0x1000))
  7. AAC SSL_accept:SSLv3 write certificate A
  8. AAC SSL_accept:SSLv3 write key exchange A
  9. AAC SSL_accept:SSLv3 write server done A
  10. AAC write to 7F970B9B9050 [7F970B9D9C50] (1734 bytes => 1734 (0x6C6))
  11. AAC SSL_accept:SSLv3 flush data
  12. AAC Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
  13. AAC lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
  14. AAC disconnect from localhost.localdomain[127.0.0.1]

Mail log using Plain

  1. connect from localhost.localdomain[127.0.0.1]
  2. disconnect from localhost.localdomain[127.0.0.1]

Possible Fix

If I comment out these lines of code on /etc/postfix/main.cf
smtpd_use_tls = yes ssmtpd_tls_auth_only = yes ssmtpd_tls_security_level = encrypt ssmtpd_tls_cert_file = /xx/xxxx/MySuiteCRMDomain_com.crt ssmtpd_tls_key_file = /xxx/xx/server.key ssmtpd_tls_CAfile = /xxx/xxx/cacert.pem All works fine

Context

I can´t send emails.

Your Environment

shogunpol commented 7 years ago

@Jonatanestam , the issue has been tested on recent version of SuiteCRM(7.7.8), and not appear, however, i did test using gmail, and it work in my instance only for SMTP port 587. Also when you click "SEND TEST EMAIL" button, please retype password again and save it. Please let me know if this helps.

Jonatanestam commented 7 years ago

@shogunpol, It's true that when you change the postfix config from plain text to ssl / tsl, the default port changes, but I modified the file /etc/postfix/master.cf, so it won't happen . I can send emails from Outlook, Android and iOs using the same port (25) .

I tried retype password again and saved it, but it still does not work.

Logs

Unsuccessful attempt 1 (TSL). `

  1. AAC SSL_accept: SSLv3 flush data
  2. AAC Anonymous TLS connection established from localhost.localdomain [127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
  3. AAC lost connection after STARTTLS from localhost.localdomain [127.0.0.1]
  4. AAC disconnect from localhost.localdomain [127.0.0.1]

`

Unsuccessful attempt 2 (Plain Text) `

  1. 00f0 f6 14 a0 c9 31 67 b2 a5 | ca f5 .... 1g .. ..
  2. SSL_accept: SSLv3 flush data
  3. Anonymous TLS connection established from localhost.localdomain [127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
  4. Lost connection after STARTTLS from localhost.localdomain [127.0.0.1]
  5. Disconnect from localhost.localdomain [127.0.0.1]
  6. Connect from localhost.localdomain [127.0.0.1]
  7. Lost connection after UNKNOWN from localhost.localdomain [127.0.0.1]
  8. Disconnect from localhost.localdomain [127.0.0.1]
  9. Connect from localhost.localdomain [127.0.0.1]
  10. Disconnect from localhost.localdomain [127.0.0.1]

`

Successful attempt 3 (Plain text, whenI disabled TSL/SSL in postfix main.cf configuration file) `

  1. Connect from localhost.localdomain [127.0.0.1]
  2. Dec 21 12:06:21 localhost postfix / smtpd [20246]: 47417384CC: client = localhost.localdomain [127.0.0.1],
  3. Sasl_method = PLAIN, sasl_username=admin@mydomain.com
  4. Dec 21 12:06:21 localhost postfix / cleanup [20273]: 47417384CC: message-
  5. Id = d84021b1bbea6ec7a52fd297d1dbcc53@mydomain.com
  6. Dec 21 12:06:21 localhost postfix / qmgr [20218]: 47417384CC: from = admin@mydomain.com, size = 893, nrcpt = 1 (queue Active)
  7. disconnect from localhost.localdomain [127.0.0.1]
  8. 47417384CC: to = myEmailTest@hotmail.com, relay = mx1.hotmail.com
  9. [65.55.92.184]: 25, delay = 1.6, delays = 0.08 / 0.01 / 0.6 / 0.89, dsn = 2.0.0, status = sent (250
  10. D84021b1bbea6ec7a52fd297d1dbcc53@mydomain.com Queued mail for delivery)
  11. Dec 21 12:06:22 localhost postfix / qmgr [20218]: 47417384CC: removed
supernoveau commented 7 years ago

@Jonatanestam in the Postfix config smtp is used to send email whereas smtpd is used to receive emails.

I have a similar issue using TLS and Postfix smptd- identical message: Error:SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting.

I have a strong email password as suggested as relevant here: https://github.com/salesagility/SuiteCRM/issues/1123.

I have tried the public $SMTPAutoTLS = false; fix in include/phpmailer/class.phpmailer.php suggested there too, with no impact.

pgorod commented 7 years ago

I've had problems with STMP Connect failed, and I have seen they are popping up more frequently in the forums. I've been waiting for a well-defined case to post as an Issue, but I don't have one. I still don't understand exactly what works and what doesn't. Most people (me included) end up solving this by changing email accounts or email authentication methods, but we should be able to use any valid method with proper credentials.

I am sure there's a bug somewhere.

chris001 commented 7 years ago

@Jonatanestam @almccann If you go thru #1123 there are many fixes to try. Especially:

This is a bug, because, the code should be good enough that, "IT JUST WORKS (tm)".

supernoveau commented 7 years ago

I have tried everything in 1123 @chris001 .

If I add $this->SMTPDebug = 2; to line 89/90 of include/SugarPHPMailer.php the log detail is identical: SugarPHPMailer encountered an error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting in suitecrm.log. No difference either if I change SMTPDebug = 0 to SMTPDebug = 2 in the parent include/phpmailer/class.phpmailer.php.

I am using TLS and port 587.

I have compiled PHP with openssl support (i.e. --with-openssl=/path/to/openssl in Configure Command and OpenSSL support enabled of phpinfo()).

I have public $SMTPAutoTLS = false; in include/phpmailer/class.phpmailer.php.

Which other fixes do you refer to as "many more"? There is commentary in 1123 about bugs with strong passwords versus weak passwords but I don't see a resolution.

chris001 commented 7 years ago

Strong passwords refers to the issue with using extreme punctuation marks in passwords. Try using a password with only alphanumeric characters. A-Z, a-z, 0-9. Will get back to you about the other fixes.

chris001 commented 7 years ago

@almccann

  1. You're running a local postfix smtp server on the same server as the crm? Does it have a self-signed (considered to be the worst type because it's easy to fake) TLS certificate? If yes can you obtain a free genuine Lets Encrypt TLS cert, install it in your postfix, restart postfix, and try again.
  2. Try resetting your CRM account password, from inside SuiteCRM. Then post the smtp log, after you remove passwords and emails.
  3. Also ask for help here, it may have others in the same boat: https://suitecrm.com/forum/suitecrm-7-0-discussion
supernoveau commented 7 years ago

Thanks @chris001

  1. I am running Postfix on a remote host with Let's Encrypt. The report from openssl s_client -starttls smtp -crlf -connect almccann.almccann.com:587 passes and returns 0 as per suggested external test in troubleshooting PHPMailer link.

  2. If I reset password while logged out via 'forgot password' link response is:

    2017-05-10 01:45:05 SERVER -> CLIENT: 220 almccann.almccann.com ESMTP Postfix (Debian/GNU) 2017-05-10 01:45:05 CLIENT -> SERVER: EHLO suitecrm.almccann.com 2017-05-10 01:45:06 SERVER -> CLIENT: 250-almccann.almccann.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN 2017-05-10 01:45:06 CLIENT -> SERVER: STARTTLS 2017-05-10 01:45:06 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS 2017-05-10 01:45:07 SMTP Error: Could not connect to SMTP host. 2017-05-10 01:45:07 CLIENT -> SERVER: QUIT 2017-05-10 01:45:07 SERVER -> CLIENT: 2017-05-10 01:45:07 SMTP ERROR: QUIT command failed: 2017-05-10 01:45:07 SMTP connect() failed. 
chris001 commented 7 years ago

And when you read the Postfix logs on the remote host, what does the detailed error say, at 2017-05-10 01:45:07.

I can guess what it says. I'll let you post it for the readers here to learn from.

If the postfix log doesn't say enough details, then you need to increase the logging detail level in the postfix config, and do the password reset again, until you get postfix to log the detailed reason for the error.

supernoveau commented 7 years ago

Thanks @chris001

Increasing the log level just logs the encrypted bytes.

Here is the log:

May 10 01:45:05 almccann postfix/submission/smtpd[5160]: connect from d23-16-203-158.bchsia.telus.net[23.16.203.158]
May 10 01:45:06 almccann postfix/submission/smtpd[5160]: Anonymous TLS connection established from d23-16-203-158.bchsia.telus.net[23.16.203.158]: TLSv1.2 with cipher ECDHE-RSA-AES1
28-GCM-SHA256 (128/128 bits)
May 10 01:45:07 almccann postfix/submission/smtpd[5160]: lost connection after STARTTLS from d23-16-203-158.bchsia.telus.net[23.16.203.158]
May 10 01:45:07 almccann postfix/submission/smtpd[5160]: disconnect from d23-16-203-158.bchsia.telus.net[23.16.203.158]
chris001 commented 7 years ago

@almccann

  1. Which server management software are you using to configure postfix?
  2. Could you compare your postfix config to this working one and share any differences: https://skippy.org.uk/lets-encrypt-postfix-and-dovecot/
supernoveau commented 7 years ago

@chris001

  1. I'm not using any management software, I'm editing the configuration files.
  2. Dovecot SSL conf is identical. smtp_use_tls and smtpd_use_tls are deprecated for smtp_tls_security_level and smtpd_tls_security_level. I use these with may which is equivalent. I'm not caching nor insisting on high ciphers. The Dovecot SASL configurations are the same. I also include the path to the CA directory smtpd_tls_CApath which is an improvement.
chris001 commented 7 years ago

@almccann Did you mean Postfix? Dovecot, the IMAP server, is for reading email. Postfix, the SMTP server, is for sending email, which is what this issue is about. I suggest you do this, to set a known good baseline Postfix configuration:

  1. Make a backup copy of your Postfix and Dovecot SSL and SASL .conf configuration files in /etc to a folder ~/etc/ located in your home folder.
  2. Install Virtualmin free server management software - it'll check and verify your Postfix configuration, and gives you a web interface control panel to help you modify any settings. a. wget http://software.virtualmin.com/gpl/scripts/install.sh b. Are you sure you set a fully qualified domain name for your system? This one is really important. Find out with the following command: hostname -f If it is fully qualified, continue to the next step. If not, read up on fully qualified domain names before proceeding. You'll thank me later. c. sudo /bin/sh install.sh
supernoveau commented 7 years ago

Hi @chris001

Why do you think the mail configuration is the issue and not PHPMailer or another class?

  1. The mail server is working on port 587 using TLS. The response from openssl s_client -starttls smtp -crlf -connect almccann.almccann.com:587 returns 0 as expected, and according to the PHPMailer troubleshooting guide the verify error:num=20:unable to get local issuer certificate is not a problem for PHPMailer.

  2. I send using mac mail and openssl connects.

No, I meant Dovecot. Postfix uses Dovecot to implement SASL: http://www.postfix.org/SASL_README.html.

I use the FQDN- that's the FQDN I am connecting to when I verify using openssl.

Using another piece of software relying on shell scripts to edit configuration files just adds another layer of complexity to the mail server I don't want. When I see your suggestion I ask:

supernoveau commented 7 years ago

Further to the above, I have tested my mail server connection with nodemailer and this service is able to connect and send email, only if tsl.rejectUnauthorized:false is set because the TLS certificate is self-signed.

This is the nodemailer test code I used: https://github.com/almccann/nodemailer-example.

Does this type of flag exist in PHPMailer or your codebase for self-signed certificates? Does this clarify the mail server is configured adequately?

@chris001

supernoveau commented 7 years ago

Finally, thanks for all your help @chris001

The issue ended up being not including the FQDN as a domain to the certificate.

chris001 commented 7 years ago

@almccann

  1. Your choice whether you install Virtualmin. It's optional, but it's very helpful. It runs on nearly all Unix based OS. It's probably the most popular GPL free open source server control panel. It maintains your working baseline smtp server config, and alerts you when the config is not good, which'd make adjusting your smtp server's security config easier for you to work with than manually editing config files blindly, but if you don't want to install any server control panel software, that's fine.

  2. Next, about your TLS cert. Self-signed certs are highly frowned upon, insecure, worthless, garbage, and totally unnecessary now that we have Let's Encrypt ("LE"). You said you're running postfix with a genuine LE TLS cert, now you say "the TLS certificate is self-signed". It can't be both. Which one is it? It's possible your LE cert expired and therefore is rejected. LE certs expire after 3 months. You must run a script to auto renew it. "The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. " References: https://github.com/PHPMailer/PHPMailer/issues/540 https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

Another bonus point to use Virtualmin is, it automatically renews your LE cert every 90 days when they're about to expire.

chris001 commented 7 years ago

@almccann If Virtualmin control panel had been managing your server, you wouldn't have even had this issue. Virtualmin automatically generates, and renews, the LE TLS cert for you, and includes the FQDN automatically on the cert. @Jonatanestam Are you running your smtp mail server with a self-signed TLS cert?

Jonatanestam commented 7 years ago

@chris001 I´m running smtp mail server with a Comodo Cert, it is active and works fine.

I only use strong passwords (upper and lower case letters, numbers and special characters), I've decided to quit using insecure passwords. cert

chris001 commented 7 years ago

@Jonatanestam Can you increase the php.ini log_errors setting, try resetting your password as described above, try sending sending a mail with TLS. Is it still failing for you. Post your php error log entries showing the error while sending mail, with personal information redacted.

This error and many others like it, will be far easier to solve, when an onscreen error report will be added to the app.

pgorod commented 7 years ago

I'm seeing 2 or 3 posts a week on the forums with this issue. It seems we still don't have a complete diagnosis and a solution. I wonder if we should try to enlist any of those people from the forums to get them to contribute some testing on their systems? What should we ask?

chris001 commented 7 years ago

That's a great question... for the SuiteCRM developers.

chris001 commented 7 years ago

@mattlorimer Many related issues for SMTP #1123 #3423 #3647 #2895

sergio91pt commented 7 years ago

@Jonatanestam

I'm assuming the ssmtpd_ options you posted are typos, and they're correct in the configuration file.

You should set smtpd_tls_security_level to may. According to the documentation, encrypt is not standards-compliant:

You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting "smtpd_tls_security_level = encrypt". According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.

Is the mail server and the crm on the same machine? Your logs, on the first post, imply so. Or are you sing some sort of proxy?

Normally there's no point in using TLS on the loopback. Unless you want to force authenticated email, since your server supposedly has smtpd_tls_auth_only = yes.

Is that the case? If so, are you sure it is correctly configured? What are your smtpd_sender_restrictions and mynetworks?

Now, it is clear that you don't have a proper hostname configured on your server. Run postconf myhostname Does it match your certificate or is it localhost.localdomain? This was also almccann's problem.

Jonatanestam commented 7 years ago

@chris001 Sorry for my late reply. I changed server and I was busy.

Php log error: [Fri Jun 23 10:04:07.661381 2017] [:error] [pid 26271] [client xxx.xxx.xxx.xx:50481] PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=mydomain.com' did not match expected CN=localhost' in /var/www/html/mydomain.com/crm/include/phpmailer/class.smtp.php on line 369, referer: https://mydomain.com/crm/index.php?module=EmailMan&action=config


@sergio91pt I set smtpd_tls_security_level to may: /etc/postfix/main.cf -smtpd_tls_security_level = may /etc/postfix/master.cf -o smtpd_tls_security_level = may

Then I restarted the service systemctl restart postfix.service

Php error: PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=mydomain.com' did not match expected CN=localhost' in /var/www/html/mydomain.com/crm/include/phpmailer/class.smtp.php on line 369, referer: https://mydomain.com/crm/index.php?module=EmailMan&action=config

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination mynetworks = myPublicIP.0/28, 127.0.0.0/8

I don’t have smtpd_sender_restrictions

postconf myhostname myhostname = server.myDomain.com

sergio91pt commented 7 years ago

@Jonatanestam If you're running the email server in the same machine, you don't need TLS. In the CRM, disable TLS and don't use authentication and it will work because of mynetworks.

With that configuration, you can't force authenticated email anyway. Any CRM user can use 127.0.0.1 as their SMTP server and send email using whatever they want in the From field (which is used for the MAIL FROM command). Any compromised account can transform your CRM in an open mail relay.

Did you use localhost as the SMTP server? Change it to mydomain.com. TLS should work now.

chris001 commented 7 years ago

@Jonatanestam Thanks for providing the php error log message.

Jonatanestam commented 7 years ago

@chris001 @sergio91pt

Finally I can send emails.

I saw the error log "CN=mydomain.com' did not match expected CN=localhost'" and I understood that I had to replace localhost by mydomain in SMTP Mail Server.

Then I didn't see any errors in the php log, but it doesn't worked. I retypeed mail password and saved it. Now I can send mails.

Thanks alot for your help.

sergio91pt commented 7 years ago

@chris001 Regarding point 2, the correct way is to use /etc/hosts.

Let's face it, if we take into account the current state of SuiteCRM there's no reasonable use case. If you require SSL/TLS for localhost, you're not running an authenticated relay for SuiteCRM but, probably, a full fledged mail server with open ports. That is a huge red flag. Threat model? Both services are probably accessible from the internet.

Out of the box SuiteCRM is very susceptible to brute force attacks:

Also Module loader cannot be easily disabled (although this is available - haven't tested it yet). Compromise an admin account and you have a trivial way to install a backdoor.

And if you think nobody knows about your CRM... public

public2

I just don't know how hacking only amounts to #3423 for now, could be much worse. A CRM stores sensitive customer information and is probably a very enticing target for hackers.

chris001 commented 7 years ago

Thanks @sergio91pt The weak password hash issue is also mentioned in #1197 @JimMackin reason for raising the issue is confirmed here: http://php.net/manual/en/faq.passwords.php#faq.passwords.bestpractice Sugar 6.5 made a big deal of upgrading from md5() to crypt(), but the password_hash() method from #1197 is better yet than crypt(): Plus, there's an official php.net compatibility library for PHP < 5.5. https://developer.sugarcrm.com/2012/05/16/new-for-sugar-6-5-stronger-password-storage-encryption/

@salesagility @gregsoper Is the brand name SuiteCRM trademarked? You should do a trademark claim and get all of the SuiteCRM squatter domains taken down. It's unethical/illegal for them to run a website using the brand name in the URL, that reflects badly on the software. http://suitecrm.co http://suitecrm.no http://suitecrm.fr http://suitecrm.se http://suitecrm.dk http://suitecrm.be http://suitecrm.ro http://suitecrm.cn 90 found! Most are surely squatters. See all of them here: https://www.tcpiputils.com/domain-search You'll need to type the keyword "suitecrm" and click GO.

pgorod commented 7 years ago

Very good points.

While we're discussing Security, let's not forget this SugarCRM 6.5.25 update is waiting to be merged: #3226. On their site they say this is a security update and "we strongly recommend that you install this update at the earliest opportunity."

And if everybody on this thread goes into this Trello suggestion and votes for it, it will surely climb to the top of the backlog list.

chris001 commented 7 years ago

@pgorod Sales Agility Ltd is currently working on customizing SuiteCRM for rich clients located in 7 wealthy first-world countries. Their team currently stands at only 32 engineers, architects, business analysts and support engineers. They just aren't devoting enough resources to timely update the product here on girhub! Very little incentive!

gregsoper commented 7 years ago

@chris001

How exactly do you expect us to finance the 5 person full-time product team?

A magic money tree perhaps?

I get terribly exasperated by comments like this. Unwarranted, ungrateful, unnecessary and most of all unknowing.

If you are aware of a different business model that enables us to keep innovating, keep updating, keep supporting and keep improving SuiteCRM, then I'd be interested to hear it.

Otherwise, less noise and more light would be appreciated.

pgorod commented 7 years ago

@chris001 I was going to come here and write more or less what Greg wrote. Of course they're trying to make money, I hope they make tons of it. It would only benefit SuiteCRM, the powerful open-source project we're all enjoying for free.

If somebody spends, say, $10.000 a month on something which benefits me, do I go and complain that they should be spending $20.000 a month on it? Or complain if they can recover that amount and make some profit, when business goes well? I really think all I can say is "thank you". This is not taking sides, it's not flattery or boot-licking, it's plain and simple justice - and logic.

I realize you're frustrated and bitter; how could I not realize it when you've been airing it in every post, every comment for the past month? But please, deal with it in a more productive way, because frankly you're making these online communities a bit like those offices where one doesn't want to walk into in the morning, because one knows there will be people there "angry by default".

I share with you some of the technical objectives you've been asking for and promoting. I highly value your input into this project. But I don't see how you feel this attitude is going to be productive. You're not bringing SalesAgility in your direction, you're alienating them and making them tired of your constant repetition.

At this point it really doesn't matter how right you are, because you lose your reason because of the tone, because of the way you address SA employees. I see them working hard. I see them passionate and involved with the project. I see them sensitive to code quality issues. I see them setting up their team and their processes. Ok, then a lot is still left undone, unchanged, and delayed. They are not perfect, they are not omnipotent, but neither are we, right? Can we now team up work together to the best of our abilities and resources? Can we now cut each other some slack, and be polite, and friendly, and patient?

SuiteCRM doesn't just need a better SalesAgility, it also needs a better Chris. I think both are needed for this project. Let's keep people wanting to walk into this "office" every morning, we all benefit in the long run.

Sorry if I'm being unjust in any way - if I was too aggressive calling for less aggressiveness, I evidently failed and I apologize... Peace.

chris001 commented 7 years ago

@gregsoper Thanks for your reply. Sorry if you felt exasperated. I could say the same thing, and I think I'm speaking for many from the community here, we/I've felt terribly exasperated, many times. Grateful at many times as well.

Let's see what we can do to reduce the amount of exasperation and increase the amount of good times.

  1. Activate Google AdSsense on all pages of the community forum. This should bring in between several hundred to 1000 pounds per month, maybe more, depending on total number of visitors and other factors. Enough to fund 10-30 developer hours per month. This would make a nice positive impact on product development. And suitable because AdSense funds are generated directly by community user activity in the forum.

  2. Start another crowd funding campaign. As I mentioned in Nov 2014, after the Oct 2014 campaign https://www.kickstarter.com/projects/1212639306/100-enhancements-to-suitecrm-in-400-days-open-sour funding was unsuccessful due to goal not reached, do it again right away, yet this time AVOID KICKSTARTER it's terribly unsuitable because you either reach goal, or you get nothing, and your amount sought was too high and the campaign length too short and your visibility not large enough, to get there in time. Instead of KS you must use one of the many crowd fund raising platforms which allow you to receive every pound, dollar, euro contributed (IndieGogo is one example but there are many others) regardless of goal reached or not. Then, obviously, fund the app development as you go, based on quantity of funds received. Let the fundraising campaign never end, it can and should go on and on until the product quality performance and features are perfect and fully caught up to and surpassing competing modern CRM software quality and feature standards, fully able to install and run Sugar 7 modules, etc.

  3. Form a separate entity similar to Joomla's Open Source Matters organization, which receives contributions, AdSense revenue, donations, and contributions toward software development. It's important to keep the commercial interests of your company separate from the pure product development interests of the software. More donations will be forthcoming as companies and individual donors will get the assurance they're giving to the non profit organization whose purpose is to better the open source software and not giving to a commercial company.

gregsoper commented 7 years ago

@chris001

Thank you for a more positive tone. It would be appreciated if this was maintained going forward.

chris001 commented 7 years ago

@gregsoper

Thank you for everything you do Greg.

Now, let's get to the action and make this better. Of the 3 action items mentioned above which are for the benefit of the better funding and more community-driven development of the software - 1. Google AdSense on the Community Forum, 2. Start a new crowd funding campaign on an open ended platform such as IndieGogo to fund developing the software, and 3. Establish a not for profit corp to govern the project software development much like Joomla has done to great success with OSM, could you please comment. Agree with time frame, disagree with your fully detailed reasons, etc. Speaking on behalf of the community and with an understanding of how community driven open source works, 1 and 2 need done as soon as possible Friday if you have free time, 3 needs done as soon as about $2-3000 in funds become available from crowd funding and/or adsense revenues.

gregsoper commented 7 years ago

@chris001

With respect: We have a business plan and a strategic plan that are designed to deliver more and better community services and code to the project. It does not include any of the above. I won't discuss these in public or outside of SalesAgility and our trusted advisers. I appreciate your enthusiasm and input but ask you to trust us to deliver on our plans. We have made huge progress in the 3.5 years since we forked SugarCRM. We intend to continue on a path that we confidently expect will deliver community and code we can all be proud of and can all be part of.

chris001 commented 7 years ago

@gregsoper Interesting. Why the "won't discuss these in public" secrecy about your strategic plan not including fund raising thru AdSense, Crowdfunding, and formation of a not for profit entity to govern the software development? Is it because of your concerns related to your commercial business? Please provide detailed explanation of the nature why you don't want to share your strategic plan to help the software grow without external funding or community software development governance, to the github community here watching this thread.

gregsoper commented 7 years ago

@chris001

  1. I am not in the habit of repeating myself.
  2. I am not answerable to you.
  3. This thread stops here for me.
chris001 commented 7 years ago

Thank you @gregsoper for your two snaps and a twirl, heard across github. two snaps and a twirl In reply to your points above:

  1. Not asking you to repeat. Asking you to elaborate on your brief comment.
  2. We get it, you have the right to choose to not speak with the community of contributors, and when you make that choice, you remain only "answerable" to your employee-shareholders, to your paying customers, and to the Queen. Yet, this conversation right here right now is about your (self appointed) role as maintainer of this open source software project, and in light of which, your chosen responsibility to talk freely with the people in the community of users developers and contributors. In taking this role, you've accepted the duties which go along with it, the most important of which are, A) open two-way communication and B) transparency ie no secrets (except about newly discovered security holes in the software). If you feel there's a legitimate justfication for holding secrets other than recent security flaws, by all means, share your reasoning with us now.
  3. Don't feel that you have to talk with anyone ever, for any reason. Yet, such behavior - which could be described as hermit-like, or autistic - is inappropriate behavior for the maintainer of an open source software project. Daily open 2-way communication is essential.

As always, all are welcome to join in the conversation.

samus-aran commented 7 years ago

@chris001

You've missed the point Chris and choosing not to listen again. You did ask him to repeat – repeat to disclose information and strategies that don't need to be provided to an individual member who requests it because they demand it. We have told you, with respect and professionalism which you seem to be lacking more day by day, that we don't answer to you specifically. You are a member that chooses not to listen and rage personal attacks to 'get attention'. You're attitude is terrible and you have stepped over the line with the above post. Your comment is not progressing the discussion, not respecting an opinion, and you are pulling insults (seriously, autistic..) to make a 'point' which is simply an opinion not fact. When we do declare strategies they are publicly announced and discussed then and have been but you are choosing to not see them or want everything done immediately. This project is not a foundation and therefore doesn't have community members head of their departments or have even established anything of that magnitude. You are pulling these big projects whom have again had more years and footing than most open source projects do and where did they started off at may I ask? Pretty sure they held their strategies internally until they decided it it was logical to open it out to the community... You come across has having a very narrow view of what an OS project is and that its one way or the other. Strategies and company information are not a term anyone would deem as a 'secret' so claiming we hold them is not true and another wrongful accusation to suit your argument.

So with that Chris, its pretty disheartening that you have stooped that low to voice your opinion with petty insults and don't appear to be accepting anything we say. You've purposely twisting our words to suit your agenda which is using the wrong attitude to 'helping' the community by firing an attack over things that you know are in progress, you know that are in discussions and you know we don't feel we need to address you individually. To that conclusion we have decided to place a temporary ban on you for a 3 month period and have released a Code of Conduct along with the project. Please review and hopefully you'll reflect on your inappropriate approach on trying to 'help' the project and return with a better attitude and better ways to communicate.

muratyaman commented 7 years ago

You've just lost a huge contributor! Pity! I'm not sure who has a "hidden" agenda here! What's so sensitive in your roadmap you cannot share with the community?!

You focused on 7.9 for email client, some people decided that it had the highest priority, instead of fixing hundreds of bugs here or merging so many pull requests waiting in the queue, and yet you have "successfully" created so many more bugs on 7.9!!

You write code, and you don't test it?! and then expect the community sort out the mess for you?! If so, at this rate, you will lose many more contributors and it can only get worse.

I understand you expectations from community, like constructive criticism, politeness, positive tone, etc. Your attitude has to change as well.

This codebase itself is already a very big source of stress for everyone involved! We don't need extra stress, right?

If it's a huge responsibility, let's act like it is.

Cheers.

pgorod commented 7 years ago

@muratyaman I understand your frustration, and I'm not happy with the way things went, but also - maybe this my portuguese character coming up, we are mellow and typically don't opt for conflict - I am completely unable to understand what kind of positive result Chris could expect from his stance.

I am subscribed on almost every thread in the forums and tons of Issues and PR's here, and there were literally dozens of posts by Chris insisting on the same things, asking for "detailed clarifications" where people were obviously not interested in giving them. It was very tiresome even for me, and I was not the target of his insistence. It was truly a collision course, deliberately chosen, and in my view very poisoning for the community.

This doesn't mean that I would have banned him, but it means I've been scratching my head over this in the past weeks, wondering how could he be calmed down and especially, how could he adapt his expectations and his demands to what the other side expects and demands. Because I wasn't seeing that attitude of really trying to see things from the other side's perspective and position, and trying to build from there, not from some idealized vision of what open-source should be.

PR's should be merged - fine. Bugs should be fixed - fine. New versions shouldn't introduce many new bugs - fine. Repeat all this thirty times and try to force a company into changing into what you think it should be - NOT fine.

I am speaking on my own behalf, I have my opinion. I am with Chris on many of his technical opinions, I am not with him on his chosen collision course with SalesAgility. So it is important to point out he doesn't speak for the Community (and obviously neither do I).

This could all have gone so much better, with just a bit more patience and understanding...

horus68 commented 7 years ago

I considered this ban an overreaction if only based on the public words by @chris001 3 months for a ban? Also find it strange that a code of conduct was written after the ban, not before it.

As I already posted in the forum https://suitecrm.com/forum/announcements/14874-suitecrm-7-9-2-maintenance-patch-now-available#49989 Salesagility has been losing community power users. But that's their option to do so. We are seeing here is a company planning things differently from some of their support community. It's their right and if users don't like it they must leave and create a fork or stay but quiet. As for now, I will wait to see those promised plans from SalesAgility. But you all know what happens when things come to this point, no software stays the same.

samus-aran commented 7 years ago

Hi @horus68

We had the code of conduct discussed internally due to Chris attitude in the prior weeks. But no the code of conduct didn't come after, it came at the same time.

Of course we don't feel it was an overreaction and you are free to discuss that, but we felt it was justified. We had spoken to chris on a number of occasions, and it looked as though he was calming down and taking a more positive tone to express his opinions. However the latest post was not and sadly we didn't feel he was going to get any better unless we do everything (disclose and implement) he expected. We felt that his choice of words were extremely poor and insulting and no one, not a SA team member or the member of Community, should or would stand for. He wasn't providing a positive attitude in the way he was voicing his opinion and thus felt a temporary ban was a suitable action.

I know you have address the forum post to which I have responded and so we can only go from here on the plans put into place to resolve bugs etc, but that doesn't deter the fact that chris, as a member of the community, was not something that was a benefit to the project unless his attitude changes.

samus-aran commented 7 years ago

Sorry @muratyaman I didn't see your post.

We don't have a 'hidden' anything. What we were referring to was the funding aspect and disclosing a public management team. The roadmap is public (not very much we admit at the moment) and will be but that isn't the issue here.

Regards to this release, we completely agree. Learning from the short 3 month release cycle we felt the amount we took on was highly underestimated and thus here we are. The decision to tackle that email client was briefly discussed in the forum stating that we also underestimated the use of it a mistake we won't re-do again.

That is why we have re-focused on the stability of the instance on 7.10 and agreed that the product can not continue the way it is going if we don't tackle a serious dent on the bugs. We felt we weren't able to do so as we had already schedule 7.9 to be email client and there was no way we would've done both feature and bug fixing-athon during those small 3 months on our then team's resources (smaller than they were now).

That's not exactly true, we don't expect the community to sort out the mess not at all - I don't think I actually said anything like that. What we would like is the community to help us test the PRs that the community supplies and lets be honest that not all the bugs are our - alot are legacy.

Its a shame that you feel we view the Community differently than we actually do. We are always positive to the community but honest - we don't think we have addressed the community as anything rude or faulting without taking on criticism ourselves. I would honestly be interested in how that can be addressed because that is clearly something that is perhaps we are not open with.

However we felt a ban of a single member was required for a foul and insulting attitude to a team member and highly doubt that it would've improved. It is a temporary ban and any ban is not a thought taken lightly - considering we haven't had on in the 3+ years of actually beginning the project.

gregsoper commented 7 years ago

For Everyone:

It may help if you understood a little about us:

We are growing up in public. Nobody in SalesAgility has led an open source project before. We are learning as we go. This is not easy.

When we forked SugarCRM 3.5 years ago, there were 8 of us. It was a brave thing to do. Some might say foolish. There are now 34 of us and we expect there to be 40 by the end of this year.

We have to maintain a balance between the commercial projects that we do and the full-time SuiteCRM Product team. The commercial work that we do is what pays for the Product team to work exclusively on code for the community.

There are now 5 members of that team. Put that in context: When we forked, there were none. We developed code in the gaps between commercial projects. We have made a lot of progress and we continue to invest. We expect the Product team to double in size over the next 12 months and probably double again the year after.

This is a big project, with a big code base and a big community. To service that very well requires more resource than we have today. We tread a fine line in trying to balance all our objectives within a constrained resource pool. We don't always tread that line perfectly.

Our commitment to open source and to community is at the heart of what we do and who we are. Please do not expect everything to be perfect today, or even this year. We are a learning organisation. We fail, learn succeed. The difference when you're running an open source project is that everyone sees every mistake we make.

It would be appreciated if you could reflect on what we are doing and have done:

We have created a great product and we continue to invest in the product. We have created a great Product team and we continue to expand the team. We have created a large and vibrant community and we continue to invest in that community. We have made a commitment to being a completely open source project and we continue to articulate that commitment.

Put that into a big picture:

This is a project that is improving and at its core has a burning desire to improve. This is a project that is growing. This is a project that IS committed to the community.

Once you have done that, then I hope you will assist us in our mission to create the world's best CRM application and have every line of code as free and open source.

We can't do it without you. We are not perfect, we don't have infinite resources to resolve every PR quickly, we don't have infinite resources to fix every bug tomorrow ... but our aim is to get there.

As far as Chris001 is concerned, I support the ban. His final post contained insulting comments made about us being "autistic" that were deeply hurtful to at least one member of our team including one who has a child on the autism spectrum. That is not acceptable. We are time constrained. I would rather the Product team was working on issues, PRs, new code and community than being sidelined for hours by a persistently and aggressively argumentative community member who didn't want to listen to the answers we provided.

rainolf commented 7 years ago

I've added around line 79 in include/SugarPHPMailer.php

$this->SMTPOptions = array( 'ssl' => array( 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true ) );

Works like a charm....for further reading: https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#php-56-certificate-verification-failure

Of course...better to add a valid ssl certificate.

Hope it Helps....