Bug #5604

closed

SSL/TLS SMTP notifications not working

Added by Ivor Kreso over 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: Normal
Category: Notifications
Target version:
Start date: 12/05/2015
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3
Affected Architecture: All

Description

On the latest snapshot SMTP notifications are not working. System log shows:

/system_advanced_notifications.php: Could not send the message to -- Error: could not connect to the host "smtp.domain.com": ??

Actions #1

Updated by Ivor Kreso over 8 years ago

  • Assignee deleted (Jim Pingle)

Actions #2

Updated by Chris Buechler over 8 years ago

It has bidirectional with gmail on 465 when trying to send a notification, but fails to send anything.

Actions #3

Updated by Jim Pingle over 8 years ago

Works for me on 25 with no auth.

SSL verification failing perhaps?

Actions #4

Updated by Ivor Kreso over 8 years ago

I don't think so, settings were not changed prior to the update. I got "Firmware upgrade in progress..." email on 2.2.5, but upon reboot I did not get any email.

Actions #5

Updated by Ivor Kreso over 8 years ago

I've just verified the settings with another 2.2.5 box using the same settings, no issues there. It's definitely something with 2.3 that's preventing SMTP notifications.

Actions #6

Updated by Jim Pingle over 8 years ago

No, not user/pass auth - just SSL certificate verification.

It works for me on mail servers I can access if I use:
  • No auth via port 25 (from an IP I can relay through)
  • Plain auth on port 587 (no encryption)

If it fails for you with either "SMTP over SSL/TLS" or "STARTTLS" checked in the GUI that would suggest a problem in the SSL certificate negotiation or verification. We've enabled a lot more of those things on 2.3, the mail library that's in use might need a nudge toward /etc/ssl/cert.pem or some other similar adjustment, and perhaps a checkbox to disable verification in the GUI.

Actions #7

Updated by Jim Thompson over 8 years ago

  • Assignee set to Renato Botelho

Actions #8

Updated by Kill Bill over 8 years ago

Jim P wrote:

and perhaps a checkbox to disable verification in the GUI.

I'd say any verification should be just disabled by default. The vast majority of mailservers have either self-signed, crappy, non-matching or even expired certificates.

Actions #9

Updated by Doug Dimick over 8 years ago

It fails using gmail's smtp server, I tried both SSL and STARTTLS. My guess is that it isn't due to a bad server cert.

Actions #10

Updated by Chris Buechler about 8 years ago

  • Subject changed from SMTP notifications not working to SSL/TLS SMTP notifications not working
  • Status changed from New to Confirmed

It is because of certificate validation failures. PHP 5.6 openssl enabled verification by default, it was disabled for notifications previously. Looks like gmail's cert should validate though, seems it's somehow missing ca_root_nss.

Actions #11

Updated by Chris Buechler about 8 years ago

Still missing something after setting openssl.cafile in php.ini.

Actions #12

Updated by Renato Botelho about 8 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Actions #13

Updated by Jim Pingle about 8 years ago

  • Status changed from Feedback to Assigned

It appears to work fine now when the SSL certificate validates. When it doesn't, however, a PHP error occurs:

Starting TLS cryptograpic protocol

Warning: stream_socket_enable_crypto(): Peer certificate CN=`www.example.com' did not match expected CN=`192.0.2.22' in /etc/inc/smtp.inc on line 1269

Call Stack:
    0.0001     238824   1. {main}() /usr/local/www/system_advanced_notifications.php:0
    0.2545    2086080   2. notify_via_smtp() /usr/local/www/system_advanced_notifications.php:212
    0.2661    2086544   3. send_smtp_message() /etc/inc/notices.inc:333
    0.2665    2117048   4. smtp_class->SendMessage() /etc/inc/notices.inc:392
    0.2665    2117688   5. smtp_class->Connect() /etc/inc/smtp.inc:1845
    0.4152    2130512   6. stream_socket_enable_crypto() /etc/inc/smtp.inc:1269

Cert CN/server IP changed but the rest of the error is verbatim.
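
Added example, not part of the original thread and not pfSense's smtp.inc code: a STARTTLS upgrade that keeps the PHP 5.6 verification defaults from note #10 switched on, points at an explicit CA bundle, sets the expected certificate name separately from the address being dialed (the mismatch in note #13), and returns the verification error as data instead of a PHP warning. The function names are hypothetical; the usage values are the address, name and CA path quoted in the thread.

```php
<?php
// Added example, not pfSense code; function names and usage values are assumptions.
// Read one SMTP reply, following multi-line "250-..." continuations.
function smtp_read_reply($fp) {
    $reply = '';
    while (($line = fgets($fp, 515)) !== false) {
        $reply .= $line;
        if (strlen($line) < 4 || $line[3] !== '-') {
            break;
        }
    }
    return $reply;
}
// STARTTLS with verification; returns array(bool $ok, string $detail), emits no warning.
function smtp_starttls_verified($connect_to, $port, $expected_name, $cafile) {
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,           // chain must end at a CA in $cafile
        'verify_peer_name' => true,           // certificate name must match peer_name
        'peer_name'        => $expected_name, // checked even when dialing an IP address
        'cafile'           => $cafile,
    )));
    $fp = @stream_socket_client("tcp://$connect_to:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return array(false, "connect failed: $errstr");
    }
    smtp_read_reply($fp);                     // 220 greeting
    fwrite($fp, "EHLO client.example\r\n");
    smtp_read_reply($fp);
    fwrite($fp, "STARTTLS\r\n");
    if (strncmp(smtp_read_reply($fp), '220', 3) !== 0) {
        fclose($fp);
        return array(false, 'server refused STARTTLS');
    }
    $warnings = array();                      // collect verification errors as data
    set_error_handler(function ($no, $msg) use (&$warnings) { $warnings[] = $msg; return true; });
    // OR in TLS 1.2: on some PHP versions TLS_CLIENT alone means TLS 1.0 only.
    $method = STREAM_CRYPTO_METHOD_TLS_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    $ok = stream_socket_enable_crypto($fp, true, $method) === true;
    restore_error_handler();
    fclose($fp);
    return array($ok, $ok ? 'certificate verified' : implode('; ', $warnings));
}
// CLI: php check.php 192.0.2.22 587 www.example.com /etc/ssl/cert.pem
if (PHP_SAPI === 'cli' && isset($argv[4])) {
    list($ok, $detail) = smtp_starttls_verified($argv[1], (int)$argv[2], $argv[3], $argv[4]);
    echo ($ok ? 'OK: ' : 'FAIL: ') . $detail . PHP_EOL;
    exit($ok ? 0 : 1);
}
```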

Actions #14

Updated by Renato Botelho about 8 years ago

  • Status changed from Assigned to Feedback

Actions #15

Updated by Renato Botelho about 8 years ago

  • Status changed from Feedback to Resolved