Unable to send mails through SMTP server with self-signed cert (and undescriptive error msg) #18563

Closed
tgoeg opened this issue Jan 3, 2022 · 10 comments · Fixed by #20046

tgoeg commented Jan 3, 2022

Expected Behavior

Using password reset or ./console core:test-emails should send out mails.

Current Behavior

I get errors when trying both, but no error messages that hint at the actual problem:

$ ./console core:test-email user@example.org
2022-01-03 13:18:42	SERVER -> CLIENT: 220 mysmtp.example.org Microsoft ESMTP MAIL Service ready at Mon, 3 Jan 2022 14:18:41 +0100
2022-01-03 13:18:42	CLIENT -> SERVER: EHLO localhost.localdomain
2022-01-03 13:18:42	SERVER -> CLIENT: 250-mysmtp.example.org Hello [10.0.0.1]
                   	                  250-SIZE 37748736
                   	                  250-PIPELINING
                   	                  250-DSN
                   	                  250-ENHANCEDSTATUSCODES
                   	                  250-STARTTLS
                   	                  250-8BITMIME
                   	                  250-BINARYMIME
                   	                  250 CHUNKING
2022-01-03 13:18:42	CLIENT -> SERVER: STARTTLS
2022-01-03 13:18:42	SERVER -> CLIENT: 220 2.0.0 SMTP server ready
2022-01-03 13:18:42	SMTP Error: Could not connect to SMTP host.
2022-01-03 13:18:42	CLIENT -> SERVER: QUIT
2022-01-03 13:18:42	SERVER -> CLIENT:
2022-01-03 13:18:42	SMTP ERROR: QUIT command failed:
2022-01-03 13:18:42	SMTP Error: Could not connect to SMTP host.
ERROR [2022-01-03 13:18:42] 3635150  Uncaught exception: /var/www/matomo.example.org/vendor/phpmailer/phpmailer/src/PHPMailer.php(2153): SMTP Error: Could not connect to SMTP host. [Query: , CLI mode: 1]



  [PHPMailer\PHPMailer\Exception]
  SMTP Error: Could not connect to SMTP host.



core:test-email emailAddress

Possible Solution

My SMTP server has a self-signed certificate. I'm trying to get people to fix that as well (as this would be the better solution), but wanted to report the problem here anyway.

Another option would be adding the CA's certificate to the matomo host so its self-signed certificates could be trusted.

What makes it work as well is changing vendor/phpmailer/phpmailer/src/PHPMailer.php

    /**
     * Options array passed to stream_context_create when connecting via SMTP.
     *
     * @var array
     */
    // public $SMTPOptions = [];
    public $SMTPOptions = [
        'ssl' => [
            'verify_peer' => false,
            'verify_peer_name' => false,
            'allow_self_signed' => true,
        ]
    ];

However, that's a bad location to fix this issue.
My suggestion would be to

  • improve the error message (however, setting public $SMTPDebug = 0; to 4 did not improve it); I am not a developer, maybe PHPMailer can offer better debugging info and I just do not know how to improve it. Probably at least add a hint in the error messages? echo QUIT | openssl s_client -starttls smtp -crlf -connect mysmtp.example.org:25 quickly showed the error, for example

  • provide a config option to allow self-signed certificates

Steps to Reproduce (for Bugs)

  1. Set up a mail server with a self-signed certificate and STARTTLS capabilities
  2. Configure Matomo to use it
  3. Use ./console core:test-email user@example.org or perform a password reset to get the error.

Context

Resetting a user password is currently impossible in this context.

Your Environment

  • Matomo Version: 4.6.2
  • PHP Version: 7.4
  • Server Operating System: Ubuntu 18.04
  • Additionally installed plugins: irrelevant
@tgoeg tgoeg added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label Jan 3, 2022
@jscottbranson

Hello,
I'm having a similar issue. My mail server has a valid TLS cert; however, since Matomo accesses the mail server over the LAN (and I don't use split DNS or anything), the TLS certificate is not seen by Matomo as valid.

The steps in OP's "Possible Solution" resolved the issue for me, but I agree there should be an easier config option for self-signed certs. Even if self-signed certs aren't ideal, there are real use cases where a cert won't chain correctly.

Cheers!

@kenji-fire

Hi,
I had the exact same issue, and changing the settings in the vendor folder helped solve the issue.
Still, a better way of managing this would be via the main conf.ini.php file, because the vendor folder can be overwritten upon updating.
I hope that this will get an official fix soon.
Cheers!

@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/scheduler-error-missing-parameter-displayformat-for-task/45239/2

@Starker3
Contributor

We have users who are still experiencing this issue. At present they need to manually overwrite the PHPMailer files in the vendor folder every time they update.

@mattab mattab added this to the 4.12.5 milestone Nov 13, 2022
@mattab
Member

mattab commented Nov 13, 2022

Proposed steps:

  • improve the error message in console command (hopefully it's possible)
  • introduce INI settings under [mail] section in global INI file
      ; set to 0 to allow email server with self signed cert
      ssl_disallow_self_signed = 1
      ; set to 0 to ...
      ssl_verify_peer = 1
      ; set to 0 to ... (not recommended)
      ssl_verify_peer_name = 1
  • Create a FAQ that mentions the console error message + the solution with the new INI setting (so that people searching for the error will find it) eg. "How do I configure Matomo to send emails when a self-served certificate is used, or SSL doesn't work?" or so
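
Added example (not part of the original thread and not Matomo's implementation): one way the three INI settings proposed above could map onto the 'ssl' stream-context options that PHPMailer's $SMTPOptions carries, with every check left on by default. The function names, the ssl_cafile key and the CA path are assumptions; ssl_cafile covers the option raised in the issue of trusting the mail server's CA instead of switching verification off.

```php
<?php
// Added example, not Matomo's code. The three ssl_* keys are the ones proposed
// in the thread; ssl_cafile is a hypothetical extra key for trusting a private CA.

/** Translate [mail] INI settings into the options PHPMailer hands to stream_context_create. */
function smtpOptionsFromIni(array $mail): array
{
    // Secure defaults: a check is only switched off by an explicit 0.
    $verifyPeer     = (int) ($mail['ssl_verify_peer'] ?? 1) === 1;
    $verifyPeerName = (int) ($mail['ssl_verify_peer_name'] ?? 1) === 1;
    $disallowSelf   = (int) ($mail['ssl_disallow_self_signed'] ?? 1) === 1;

    $ssl = [
        'verify_peer'       => $verifyPeer,
        'verify_peer_name'  => $verifyPeerName,
        'allow_self_signed' => !$disallowSelf,
    ];

    // Preferred fix: keep verification on and trust the issuing CA explicitly.
    if (!empty($mail['ssl_cafile'])) {
        $ssl['cafile'] = $mail['ssl_cafile'];
    }
    return ['ssl' => $ssl];
}

/** List the checks a configuration switches off, e.g. for a console warning. */
function weakenedChecks(array $smtpOptions): array
{
    $ssl = $smtpOptions['ssl'];
    $off = [];
    if (!$ssl['verify_peer'])      { $off[] = 'certificate chain not verified'; }
    if (!$ssl['verify_peer_name']) { $off[] = 'server name not checked against certificate'; }
    if ($ssl['allow_self_signed']) { $off[] = 'self-signed certificates accepted'; }
    return $off;
}

// Constructed sample configurations (the CA path is a placeholder).
$workaround = parse_ini_string("ssl_disallow_self_signed = 0\nssl_verify_peer = 0\nssl_verify_peer_name = 0");
$pinnedCa   = parse_ini_string('ssl_cafile = "/etc/ssl/private-ca/mail-ca.pem"');

foreach (['workaround' => $workaround, 'pinned CA' => $pinnedCa] as $label => $ini) {
    $opts = smtpOptionsFromIni($ini);
    echo $label, ': ', json_encode($opts['ssl'], JSON_UNESCAPED_SLASHES), PHP_EOL;
    echo '  weakened: ', implode('; ', weakenedChecks($opts)) ?: 'none', PHP_EOL;
}
// To apply on a PHPMailer instance ($mailer is hypothetical):
// $mailer->SMTPOptions = smtpOptionsFromIni($ini);
```

With all three settings at 0 the connection is encrypted but the server is not authenticated; the pinned-CA configuration keeps both the chain and the name check active.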

@tgoeg
Author

tgoeg commented Nov 14, 2022

Sounds reasonable, thanks in advance!

@peterhashair
Contributor

@mattab just to be clear: do we just do a simple INI for this, or do we do an event as @sgiehl suggests?

@peterhashair peterhashair self-assigned this Nov 16, 2022
@mattab
Member

mattab commented Nov 18, 2022

simple INI sounds good for now

@justinvelluppillai justinvelluppillai modified the milestones: 4.12.5, 4.13.2 Nov 28, 2022
@sgiehl sgiehl modified the milestones: 4.13.2, 4.13.1 Jan 16, 2023