
SMTP issues - Blesta 4.1


George A.

Question

Hello,

 

I'm testing the latest Blesta version 4.1. I have configured the SMTP login details but when I'm sending a test e-mail the error is as follows:

Sep 24 20:25:03 ***** postfix/submission/smtpd[22156]: connect from *****[*****]
Sep 24 20:25:03 ***** postfix/submission/smtpd[22156]: SSL_accept error from *****[*****]: lost connection
Sep 24 20:25:03 ***** postfix/submission/smtpd[22156]: lost connection after STARTTLS from *****[*****]

 

Which means the application is not establishing a proper TLS connection, even though in SMTP Settings the SMTP Security is set to "TLS".

What's the solution to make TLS work?

 

Kind regards,

George.


15 answers to this question


  • 0
1 hour ago, George A. said:

Hello,

 

I'm testing the latest Blesta version 4.1. I have configured the SMTP login details but when I'm sending a test e-mail the error is as follows:

Sep 24 20:25:03 ***** postfix/submission/smtpd[22156]: connect from *****[*****]
Sep 24 20:25:03 ***** postfix/submission/smtpd[22156]: SSL_accept error from *****[*****]: lost connection
Sep 24 20:25:03 ***** postfix/submission/smtpd[22156]: lost connection after STARTTLS from *****[*****]

 

Which means the application is not establishing a proper TLS connection, even though in SMTP Settings the SMTP Security is set to "TLS".

What's the solution to make TLS work?

 

Kind regards,

George.

What mail server are you running?

I use Zimbra OSE as my mail server stack and currently don't have any problems with Blesta & TLS SMTP encryption.


  • 0

Hello,

 

10 hours ago, timnboys said:

what mail server are you running?

as I use zimbra ose as my mail server stack and don't have any problems currently with blesta & tls smtp encryption.

I'm using postfix with enforced TLS connection on submission.

 

10 hours ago, gosuhost said:

No issue here either; it must be something on your server side.

If it was a server side issue then all other websites would have the same problem, but it's not the case.

 

Kind regards,

George.


  • 0
8 hours ago, George A. said:

Hello,

 

I'm using postfix with enforced TLS connection on submission.

 

If it was a server side issue then all other websites would have the same problem, but it's not the case.

 

Kind regards,

George.

More debug logs from Blesta, then?

I would check what Blesta itself is saying when it sends the mail, for your answer.


  • 0

Hello,

This is from Postfix with log level 3.

Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: initializing the server-side TLS engine
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: connect from ***censored***[***censored***]
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: setting up TLS connection from ***censored***[***censored***]
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: ***censored***[***censored***]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH"
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: SSL_accept:before SSL initialization
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: read from 555C190F59F0 [555C192035E3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: read from 555C190F59F0 [555C192035E3] (5 bytes => 0 (0x0))
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: SSL_accept:error in before SSL initialization
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: SSL_accept error from ***censored***[***censored***]: lost connection
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: lost connection after STARTTLS from ***censored***[***censored***]
Sep 25 17:26:39 ***censored*** postfix/submission/smtpd[4558]: disconnect from ***censored***[***censored***] ehlo=1 starttls=0/1 commands=1/2

 

This is the log showing a successful e-mail delivery using SMTP TLS with other PHP applications:

Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: initializing the server-side TLS engine
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: connect from ***censored***[***censored***]
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: setting up TLS connection from ***censored***[***censored***]
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: ***censored***[***censored***]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH"
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:before SSL initialization
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:before SSL initialization
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS read client hello
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write server hello
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write certificate
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write key exchange
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write server done
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write server done
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS read client key exchange
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS read change cipher spec
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS read finished
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: ***censored***[***censored***]: Issuing session ticket, key expiration: 1506352024
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write session ticket
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write change cipher spec
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: SSL_accept:SSLv3/TLS write finished
Sep 25 17:37:05 ***censored*** postfix/submission/smtpd[4824]: Anonymous TLS connection established from ***censored***[***censored***]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 25 17:37:06 ***censored*** postfix/submission/smtpd[4824]: 1E1EC1605E3: client=***censored***[***censored***], sasl_method=PLAIN, sasl_username=***censored***
Sep 25 17:37:06 ***censored*** postfix/cleanup[4829]: 1E1EC1605E3: message-id=<0acc08fa8eced2bcdf9546ddb58093bb@***censored***>
Sep 25 17:37:06 ***censored*** postfix/qmgr[4821]: 1E1EC1605E3: from=<***censored***>, size=4899, nrcpt=1 (queue active)
Sep 25 17:37:06 ***censored*** postfix/submission/smtpd[4824]: disconnect from ***censored***[***censored***] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep 25 17:37:06 ***censored*** dovecot[559]: imap(***censored***): Logged out in=4603 out=499
Sep 25 17:37:06 ***censored*** postfix/virtual[4830]: 1E1EC1605E3: to=<***censored***>, relay=virtual, delay=0.21, delays=0.17/0.02/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Sep 25 17:37:06 ***censored*** postfix/qmgr[4821]: 1E1EC1605E3: removed

 

I'm still not convinced it's a server-side issue. I have tried to find the Blesta file that handles the e-mail sending to see how everything is wrapped, but after going back up the stream I bumped into an encrypted file.

The system environment is entirely built, customised and validated as working by myself. 

 

Kind regards,

George.

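The Postfix summary line that closes each session already encodes what happened: "starttls=0/1" in the failing session above (one STARTTLS attempted, none completed) against "starttls=1" in the working one. That makes the two cases separable by a script instead of by eye, which is the check to run before concluding the server is at fault. The following PHP script is an added example; it is not part of this thread, of Blesta or of Postfix. Its sample log lines are constructed from the two disconnect lines posted above, with the censored host and address fields replaced by documentation-range placeholders, and the function names are my own.

```php
<?php
declare(strict_types=1);

// Constructed sample, adapted from the thread's two "disconnect" lines plus one
// invented session that never attempted STARTTLS. Hostnames and addresses are
// placeholders (192.0.2.0/24 is reserved for documentation).
const SAMPLE_LOG = [
    'Sep 25 17:26:39 mx postfix/submission/smtpd[4558]: disconnect from web1.example.test[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2',
    'Sep 25 17:37:06 mx postfix/submission/smtpd[4824]: disconnect from web1.example.test[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8',
    'Sep 25 17:40:12 mx postfix/submission/smtpd[4901]: disconnect from old-client.example.test[192.0.2.20] ehlo=1 auth=0/1 commands=2/3',
    'Sep 25 17:41:00 mx postfix/submission/smtpd[4901]: connect from old-client.example.test[192.0.2.20]',
];

// Parses a Postfix smtpd "disconnect from" summary line into its per-command
// counters. A counter is written "n" (n successful) or "n/m" (n of m attempts
// succeeded). Returns null for any other line.
function parse_disconnect(string $line): ?array
{
    if (!preg_match('/postfix\/(?:\w+\/)?smtpd\[(\d+)\]: disconnect from (\S+)\[([^\]]*)\] (.*)$/', $line, $m)) {
        return null;
    }
    $counters = [];
    foreach (explode(' ', trim($m[4])) as $token) {
        if (!preg_match('/^(\w+)=(\d+)(?:\/(\d+))?$/', $token, $c)) {
            continue;
        }
        $ok        = (int) $c[2];
        $attempted = isset($c[3]) ? (int) $c[3] : $ok;
        $counters[$c[1]] = ['ok' => $ok, 'attempted' => $attempted];
    }
    return ['pid' => (int) $m[1], 'host' => $m[2], 'addr' => $m[3], 'counters' => $counters];
}

// Splits sessions into: STARTTLS completed, STARTTLS attempted but the handshake
// never finished (the "lost connection after STARTTLS" case), and sessions that
// never issued STARTTLS at all, which on a submission port is a policy problem
// of its own.
function starttls_report(array $lines): array
{
    $report = ['ok' => 0, 'handshake_failed' => [], 'no_starttls' => []];
    foreach ($lines as $line) {
        $s = parse_disconnect($line);
        if ($s === null) {
            continue;
        }
        $tls = $s['counters']['starttls'] ?? null;
        if ($tls === null) {
            $report['no_starttls'][] = ['host' => $s['host'], 'addr' => $s['addr'], 'pid' => $s['pid']];
        } elseif ($tls['ok'] < $tls['attempted']) {
            $report['handshake_failed'][] = [
                'host'   => $s['host'],
                'addr'   => $s['addr'],
                'pid'    => $s['pid'],
                'failed' => $tls['attempted'] - $tls['ok'],
            ];
        } else {
            $report['ok']++;
        }
    }
    return $report;
}

$report = starttls_report(SAMPLE_LOG);
printf("sessions with completed STARTTLS: %d\n", $report['ok']);
foreach ($report['handshake_failed'] as $f) {
    printf("handshake failed: %s[%s] pid %d, %d failed attempt(s)\n", $f['host'], $f['addr'], $f['pid'], $f['failed']);
}
foreach ($report['no_starttls'] as $n) {
    printf("no STARTTLS attempted: %s[%s] pid %d\n", $n['host'], $n['addr'], $n['pid']);
}
```

Run it with `php` from the command line, or feed `grep 'disconnect from' /var/log/mail.log` into `starttls_report()` in place of the constructed array. A client that shows up repeatedly under "handshake failed" while other clients from the same network complete STARTTLS is, as in this thread, a client-side protocol or cipher mismatch rather than a server fault.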

  • 0

Blesta uses the Swiftmailer library for outgoing mail. None of that is encoded. The only thing I can think of is that if you have a strict set of cipher suites and protocols, Swiftmailer may not be able to communicate with them. For example, if you're running a web server that only allows TLS 1.2 with a specific set of cipher suites, even a browser that's capable of communicating with TLS 1.2 may not find a cipher they have in common... or the browser may only be able to communicate with TLS 1.0/1.1. The same rules would apply for mail servers.


  • 0
3 minutes ago, George A. said:

Hello,

 

Don't bash me if I'm wrong: is your Swiftmailer not compatible with TLSv1.2?!

 

Kind regards,

George.

I don't know which protocols & ciphers it is or isn't compatible with; I would have to look into it, and Monday mornings are really busy. I threw that out as a possibility.


  • 0
25 minutes ago, George A. said:

Hello,

 

I'm using Postfix with PFS (perfect forward secrecy) and enforcing TLSv1.2.

This comes as a shock if the possibility you threw out is true.

 

Kind regards,

George.

It is most likely related to your enforcement of TLS 1.2; whether the issue is with Swiftmailer itself or your PHP & OpenSSL, I don't know. I found this, though: https://github.com/swiftmailer/swiftmailer/issues/598, which seems to indicate (look at the comments) that Swiftmailer does not implement its own crypto but relies on your PHP.


  • 0
3 hours ago, Paul said:

It is most likely related to your enforcement of TLS 1.2; whether the issue is with Swiftmailer itself or your PHP & OpenSSL, I don't know. I found this, though: https://github.com/swiftmailer/swiftmailer/issues/598, which seems to indicate (look at the comments) that Swiftmailer does not implement its own crypto but relies on your PHP.

Possibly they forgot to install php-mcrypt and other related PHP extensions like it? I have them installed and don't have any issues.


  • 0

Hello,

It's not a server issue but how PHP has implemented the default way to handle a TLS connection, which is TLSv1.

Found something. As per the PHP docs:

Before PHP 5.6.7:
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_SSLv2_CLIENT|STREAM_CRYPTO_METHOD_SSLv3_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

PHP >= 5.6.7:
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT

In the Swiftmailer file /vendors/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php, I have commented out line 94 and added:

$crypto_m = STREAM_CRYPTO_METHOD_TLS_CLIENT;

// On PHP >= 5.6.7 the TLS_CLIENT flag alone means TLSv1.0 only, so OR in the newer versions where the constants exist.
if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
    $crypto_m |= STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    $crypto_m |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
}

return stream_socket_enable_crypto($this->_stream, true, $crypto_m);

But I still can't make TLSv1.2 work. What am I missing?

 

Kind regards,

George.


  • 0
1 hour ago, George A. said:

Hello,

It's not a server issue but how PHP has implemented the default way to handle a TLS connection, which is TLSv1.

Found something. As per the PHP docs:

Before PHP 5.6.7:
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_SSLv2_CLIENT|STREAM_CRYPTO_METHOD_SSLv3_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

PHP >= 5.6.7:
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT

In the Swiftmailer file /vendors/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php, I have commented out line 94 and added:


$crypto_m = STREAM_CRYPTO_METHOD_TLS_CLIENT;

// On PHP >= 5.6.7 the TLS_CLIENT flag alone means TLSv1.0 only, so OR in the newer versions where the constants exist.
if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
    $crypto_m |= STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    $crypto_m |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
}

return stream_socket_enable_crypto($this->_stream, true, $crypto_m);

But I still can't make TLSv1.2 work. What am I missing?

 

Kind regards,

George.

Read the GitHub issue on that:

https://github.com/swiftmailer/swiftmailer/issues/598

which suggests doing this instead:

https://github.com/swiftmailer/swiftmailer/blob/5.x/lib/classes/Swift/Transport/StreamBuffer.php#L95

Change this from:

public function startTLS()
{
    return stream_socket_enable_crypto($this->_stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
}

to

public function startTLS()
{
    return stream_socket_enable_crypto($this->_stream, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
}

That will force Swiftmailer to use only TLS v1.2 and no other version.

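George's patch to StreamBuffer.php and timnboys' one-line change both turn the same knob: the third argument of stream_socket_enable_crypto(), which decides which protocol versions the client offers in its ClientHello. The script below is an added example, not part of this thread, of Blesta or of Swiftmailer. It performs the SMTP EHLO/STARTTLS exchange by hand against a submission port and then attempts the upgrade with each candidate flag, returning the negotiated protocol and cipher (or OpenSSL's reason for failure), so the client-side result can be lined up with the Postfix log lines posted earlier instead of guessed at. The host name, port and function names are assumptions; it needs PHP 7.1 or later for the array destructuring syntax. One caveat when reading the constants George quoted: from PHP 7.2 on, STREAM_CRYPTO_METHOD_TLS_CLIENT was widened again to cover TLS 1.0 through 1.2, so the TLSv1.0-only behaviour discussed here is specific to the 5.6.7 to 7.1 range; check the stream constant documentation for the exact version you run.

```php
<?php
declare(strict_types=1);

// Reads one complete SMTP reply. Multi-line replies use "250-..." continuation
// lines and end with a line whose fourth character is a space ("250 ...").
function smtp_read($sock): array
{
    $lines = [];
    while (($line = fgets($sock, 4096)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (strlen($line) >= 4 && $line[3] === ' ') {
            break;
        }
    }
    if ($lines === []) {
        throw new RuntimeException('connection closed while waiting for a reply');
    }
    return [(int) substr($lines[0], 0, 3), $lines];
}

function smtp_cmd($sock, string $cmd): array
{
    fwrite($sock, $cmd . "\r\n");
    return smtp_read($sock);
}

// Runs EHLO + STARTTLS and then the crypto upgrade with $method. Returns an
// array rather than printing so several flag values can be compared.
// Certificate verification stays on (peer_name pins the expected host), so a
// self-signed certificate shows up as a distinct error, not as a protocol mismatch.
function probe_starttls(string $host, int $port, int $method, string $label, float $timeout = 10.0): array
{
    $result = ['method' => $label, 'ok' => false, 'protocol' => null, 'cipher' => null, 'error' => null];

    $ctx  = stream_context_create(['ssl' => ['peer_name' => $host, 'verify_peer' => true, 'verify_peer_name' => true]]);
    $sock = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        $result['error'] = "connect failed: $errstr ($errno)";
        return $result;
    }
    stream_set_timeout($sock, (int) $timeout);

    try {
        [$code] = smtp_read($sock);                                   // 220 banner
        if ($code !== 220) {
            throw new RuntimeException("unexpected banner code $code");
        }
        [$code, $ehlo] = smtp_cmd($sock, 'EHLO probe.example');
        if ($code !== 250) {
            throw new RuntimeException("EHLO rejected with $code");
        }
        if (preg_grep('/^250[- ]STARTTLS$/i', $ehlo) === []) {
            throw new RuntimeException('server does not advertise STARTTLS');
        }
        [$code] = smtp_cmd($sock, 'STARTTLS');
        if ($code !== 220) {
            throw new RuntimeException("STARTTLS rejected with $code");
        }

        // The same call Swiftmailer's StreamBuffer::startTLS() makes. If the server
        // only accepts TLS 1.2 and $method offers only TLS 1.0, the handshake dies
        // here and Postfix logs "lost connection after STARTTLS".
        if (@stream_socket_enable_crypto($sock, true, $method) !== true) {
            $err = error_get_last();
            throw new RuntimeException('TLS handshake failed: ' . ($err['message'] ?? 'unknown error'));
        }

        // PHP 5.6+ exposes the negotiated parameters under the "crypto" metadata key.
        $meta = stream_get_meta_data($sock);
        $result['ok']       = true;
        $result['protocol'] = $meta['crypto']['protocol'] ?? null;     // e.g. "TLSv1.2"
        $result['cipher']   = $meta['crypto']['cipher_name'] ?? null;

        smtp_cmd($sock, 'EHLO probe.example');                        // EHLO again over TLS
        smtp_cmd($sock, 'QUIT');
    } catch (RuntimeException $e) {
        $result['error'] = $e->getMessage();
    } finally {
        fclose($sock);
    }
    return $result;
}

// Placeholder target: point this at your own submission service.
$host = 'mail.example.test';
$port = 587;

$methods = ['STREAM_CRYPTO_METHOD_TLS_CLIENT' => STREAM_CRYPTO_METHOD_TLS_CLIENT];
if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {               // absent before PHP 5.6
    $methods['STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
}
foreach ($methods as $label => $method) {
    $r = probe_starttls($host, $port, $method, $label);
    printf("%-40s %s%s\n", $label,
        $r['ok'] ? "OK {$r['protocol']} {$r['cipher']}" : 'FAILED',
        $r['error'] !== null ? " ({$r['error']})" : '');
}
```

Run it on the same host and PHP build that serves Blesta, since the result depends on the OpenSSL that PHP is linked against. Against a Postfix configured as George describes (TLSv1.2 only), the TLS_CLIENT row is expected to fail on PHP 5.6.7 to 7.1 while the TLSv1_2_CLIENT row succeeds; if both fail, the error text distinguishes a certificate problem from a protocol or cipher mismatch, which is the next thing to check before touching the mail server's policy.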

  • 0
32 minutes ago, timnboys said:

Read the GitHub issue on that:

https://github.com/swiftmailer/swiftmailer/issues/598

which suggests doing this instead:

https://github.com/swiftmailer/swiftmailer/blob/5.x/lib/classes/Swift/Transport/StreamBuffer.php#L95

Change this from:

public function startTLS()
{
    return stream_socket_enable_crypto($this->_stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
}

to

public function startTLS()
{
    return stream_socket_enable_crypto($this->_stream, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
}

That will force Swiftmailer to use only TLS v1.2 and no other version.

I have also tried that, but it's not working.


  • 0
16 minutes ago, George A. said:

I have also tried that, but it's not working.

Then talk to the developers of Swiftmailer directly? Or use a CC processor that doesn't require you to use TLS v1.2? I usually only use the PayPal gateway, since it handles both and everything is handled on PayPal's site, so I don't have to deal with PCI compliance, which is why I am guessing you are enforcing TLS v1.2 only on your mail system.
