Bug #8313


STARTTLS auto detection not working

Added by David Martin about 6 years ago. Updated 3 months ago.

Not a Bug


When attempting to set up SMTP notifications to a mail server which supports STARTTLS, the following error occurs:
Could not send the message to [] -- Error: Failed to set sender: [] [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)].

In researching the issue it seems that on August 11th 2016 the web UI element for selecting STARTTLS was removed with the developer who made the change stating that pear-Mail will automatically use STARTTLS when the server supports it (see Packet captures between the pfSense appliance and mail server reveal that the pfSense mail client fails to issue a STARTTLS command even when it has been advertised by the server (see

On a side note, while it is not necessarily a bug it is poor practice to rely on client-side autodetection of STARTTLS. In this situation an attacker positioned between the SMTP client and server can block STARTTLS advertisements thereby preventing the establishment of an encrypted connection, or they could establish an unencrypted connection to the client and an encrypted connection to the server in a replay attack. The user should have the ability to specify that STARTTLS is to always be used in the connection. It should also be noted that this change alone would not prevent a MITM from creating their own TLS connection to the client in a replay attack. Further measures would need to prevent the client from accepting a fraudulent certificate.


  • packetcapture.cap (2.09 KB) - Packet Capture of TCP Session - David Martin, 02/05/2018 03:23 PM
  • clipboard-202401171322-82uc9.png (41.7 KB) - Jim Pingle, 01/17/2024 06:22 PM
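The distinction the report draws between opportunistic and required STARTTLS, as an added example in Python that is not pfSense's or Net_SMTP's code: the client parses the EHLO extension list, refuses to continue in cleartext when STARTTLS is not advertised (rather than silently sending MAIL FROM, which is what produces the 530 above), and verifies the server certificate when it does upgrade. Host names and the EHLO replies are constructed.

```python
"""Fail-closed STARTTLS policy for an SMTP client (constructed example)."""
import smtplib
import ssl

# Constructed EHLO replies in the form smtplib.SMTP.ehlo() returns them
# (status code, message bytes with the "250-" prefixes already stripped).
# The second reply is the first with the STARTTLS line removed, i.e. what the
# client sees if the advertisement is stripped on the path or mis-parsed.
EHLO_WITH_STARTTLS = (250, b"mail.example.test\nSIZE 52428800\nSTARTTLS\nAUTH PLAIN LOGIN")
EHLO_STRIPPED = (250, b"mail.example.test\nSIZE 52428800\nAUTH PLAIN LOGIN")


def advertised_extensions(ehlo_reply):
    """Return the set of ESMTP keywords a server advertised in its EHLO reply."""
    code, message = ehlo_reply
    if code != 250:
        return set()
    lines = message.decode("ascii", "replace").splitlines()
    # The first line is the server's greeting; every later line is an extension.
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def starttls_policy(ehlo_reply, require_starttls=True):
    """Decide 'starttls' or 'plaintext'; raise instead of downgrading when required."""
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "starttls"
    if require_starttls:
        raise smtplib.SMTPNotSupportedError(
            "server did not advertise STARTTLS; refusing to continue in cleartext")
    return "plaintext"


def send_requiring_starttls(host, port, sender, recipient, body, user=None, password=None):
    """Send one message, insisting on STARTTLS with certificate and hostname checks."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        starttls_policy(smtp.ehlo())      # raises rather than falling back to cleartext
        smtp.starttls(context=ctx)
        smtp.ehlo()                       # the pre-TLS extension list is untrusted; re-read it
        if user is not None:
            smtp.login(user, password)    # credentials only ever cross the TLS session
        smtp.sendmail(sender, [recipient], body)


if __name__ == "__main__":
    print(starttls_policy(EHLO_WITH_STARTTLS))
    try:
        starttls_policy(EHLO_STRIPPED)
    except smtplib.SMTPNotSupportedError as exc:
        print("refused:", exc)
```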
Actions #1

Updated by Anonymous about 6 years ago

  • Assignee changed from David Martin to Renato Botelho
Actions #2

Updated by Jim Pingle about 6 years ago

That code is not ours but that of the Net_SMTP Pear package: -- That package does not have a means by which STARTTLS can be forced. It's possible that package is not successfully reading the feature list in the server response.

Consider reporting the same issue to them upstream. We typically hesitate to modify included package code unless there is no alternative.

Actions #3

Updated by Renato Botelho almost 2 years ago

  • Assignee deleted (Renato Botelho)
Actions #4

Updated by Jim Pingle 3 months ago

This has apparently been fixed upstream. STARTTLS works automatically for me on ports 25 and 587 with auth configured and "Enable SMTP over SSL/TLS" *un*checked.

