@tgoeg opened this Issue on January 3rd 2022

Expected Behavior

Using password reset or ./console core:test-email should send out mails.

Current Behavior

I get errors when trying both, but no error messages that hint at the actual problem:

$ ./console core:test-email user@example.org
2022-01-03 13:18:42 SERVER -> CLIENT: 220 mysmtp.example.org Microsoft ESMTP MAIL Service ready at Mon, 3 Jan 2022 14:18:41 +0100
2022-01-03 13:18:42 CLIENT -> SERVER: EHLO localhost.localdomain
2022-01-03 13:18:42 SERVER -> CLIENT: 250-mysmtp.example.org Hello [10.0.0.1]
                                      250-SIZE 37748736
                                      250-PIPELINING
                                      250-DSN
                                      250-ENHANCEDSTATUSCODES
                                      250-STARTTLS
                                      250-8BITMIME
                                      250-BINARYMIME
                                      250 CHUNKING
2022-01-03 13:18:42 CLIENT -> SERVER: STARTTLS
2022-01-03 13:18:42 SERVER -> CLIENT: 220 2.0.0 SMTP server ready
2022-01-03 13:18:42 SMTP Error: Could not connect to SMTP host.
2022-01-03 13:18:42 CLIENT -> SERVER: QUIT
2022-01-03 13:18:42 SERVER -> CLIENT:
2022-01-03 13:18:42 SMTP ERROR: QUIT command failed:
2022-01-03 13:18:42 SMTP Error: Could not connect to SMTP host.
ERROR [2022-01-03 13:18:42] 3635150  Uncaught exception: /var/www/matomo.example.org/vendor/phpmailer/phpmailer/src/PHPMailer.php(2153): SMTP Error: Could not connect to SMTP host. [Query: , CLI mode: 1]

  [PHPMailer\PHPMailer\Exception]
  SMTP Error: Could not connect to SMTP host.

core:test-email emailAddress

Possible Solution

My SMTP server has a self-signed certificate. I'm trying to get people to fix that as well (as this would be the better solution), but wanted to report the problem here anyway.

Another option would be adding the CA's certificate to the matomo host so its self-signed certificates could be trusted.

What makes it work as well is changing vendor/phpmailer/phpmailer/src/PHPMailer.php

    /**
     * Options array passed to stream_context_create when connecting via SMTP.
     *
     * @var array
     */
    // public $SMTPOptions = [];
    public $SMTPOptions = [
        'ssl' => [
            'verify_peer' => false,
            'verify_peer_name' => false,
            'allow_self_signed' => true,
        ]
    ];

However, that's a bad location to fix this issue.
My suggestion would be to

  • improve the error message (however, setting public $SMTPDebug = 0; to 4 did not improve it); I am not a developer, maybe PHPMailer can offer better debugging info and I just do not know how to improve it. Probably at least add a hint in the error messages? echo QUIT | openssl s_client -starttls smtp -crlf -connect mysmtp.example.org:25 quickly showed the error, for example.

  • provide a config option to allow self-signed certificates

Steps to Reproduce (for Bugs)

  1. Set up a mail server with a self-signed certificate and STARTTLS capabilities
  2. Configure matomo to use it
  3. Use ./console core:test-email user@example.org or perform a password reset to get the error.

Context

Resetting a user password is currently impossible in this context.

Your Environment

  • Matomo Version: 4.6.2
  • PHP Version: 7.4
  • Server Operating System: Ubuntu 18.04
  • Additionally installed plugins: irrelevant

@crypticrabbit commented on January 19th 2022

Hello,
I'm having a similar issue: my mail server has a valid TLS cert; however, since Matomo accesses the mail server over the LAN (and I don't use split DNS or anything), the TLS certificate is not seen by Matomo as valid.

The steps in OP's "Possible Solution" resolved the issue for me, but I agree there should be an easier config option for self-signed certs. Even if self-signed certs aren't ideal, there are real use cases where a cert won't chain correctly.

Cheers!
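
An added example (not part of the issue thread, and not Matomo or PHPMailer code): a standalone PHP probe that repeats the STARTTLS step from the log above with certificate verification left on, and returns the PHP/OpenSSL warnings that the "Could not connect to SMTP host" message hides. The function names are chosen for this example, the CA file path is a placeholder, and the host name is the one used in the report; `peer_name` covers the case where the server is reached under an address that differs from the name in its certificate.

```php
<?php
// Added example, not Matomo or PHPMailer code. Host and CA path are placeholders.
/** Read one SMTP reply; on its last line the status code is followed by a space. */
function smtp_read_reply($fp): string
{
    $reply = '';
    while (($line = fgets($fp, 515)) !== false) {
        $reply .= $line;
        if (strlen($line) < 4 || $line[3] === ' ') break;
    }
    return $reply;
}

/** Try STARTTLS with the given 'ssl' context options; collect PHP/OpenSSL warnings. */
function probe_starttls(string $host, int $port, array $ssl): array
{
    $errors = [];
    set_error_handler(function (int $no, string $msg) use (&$errors): bool {
        $errors[] = $msg; // TLS verification failures surface as PHP warnings
        return true;
    });
    try {
        $ctx = stream_context_create(['ssl' => $ssl]);
        $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
        if ($fp === false) {
            return ['ok' => false, 'errors' => $errors];
        }
        stream_set_timeout($fp, 10);
        smtp_read_reply($fp);                         // 220 greeting
        fwrite($fp, "EHLO localhost.localdomain\r\n");
        smtp_read_reply($fp);                         // 250 capability list
        fwrite($fp, "STARTTLS\r\n");
        // 'ok' is true only if the server accepts STARTTLS and the verified handshake completes
        $ok = strncmp(smtp_read_reply($fp), '220', 3) === 0
            && stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) === true;
        fclose($fp);
        return ['ok' => $ok, 'errors' => $errors];
    } finally {
        restore_error_handler();
    }
}

// Verification stays on; only the CA that signed the server certificate is trusted.
$ssl = [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => '/path/to/internal-mail-ca.pem', // placeholder
    'peer_name'        => 'mysmtp.example.org', // name in the certificate
];
print_r(probe_starttls('mysmtp.example.org', 25, $ssl));
```

Run it with `php` on the Matomo host. If `ok` is true, the same four keys can take the place of the three verification-disabling keys in the `$SMTPOptions` array quoted in the issue.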
