I'm running PHPMailer with OpenSSL on XAMPP on Windows.
I'm having trouble establishing TLS-encrypted SMTP connections to our mail gateway.
I've turned on SMTP transcript debugging for PHPMailer. The transcript is not super informative IMO:
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT: 220 redactedmailserver.example.com ESMTP Postfix
[06-Feb-2019 13:48:08 timezone/redacted] CLIENT -> SERVER: EHLO redactedclientname
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT: 250-redactedmailserver.example.com
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
250-AUTH=CRAM-MD5 PLAIN LOGIN DIGEST-MD5
250-ENHANCEDSTATUSCODES
250 8BITMIME
[06-Feb-2019 13:48:08 timezone/redacted] CLIENT -> SERVER: STARTTLS
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
[06-Feb-2019 13:48:08 timezone/redacted] SMTP Error: Could not connect to SMTP host.
[06-Feb-2019 13:48:08 timezone/redacted] CLIENT -> SERVER: QUIT
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT:
[06-Feb-2019 13:48:08 timezone/redacted] SMTP ERROR: QUIT command failed:
[06-Feb-2019 13:48:08 timezone/redacted] SMTP Error: Could not connect to SMTP host.
[06-Feb-2019 13:48:08 timezone/redacted] SMTP Error: Could not connect to SMTP host.
The transcript does, at least, prove that the error message is misleading; PHPMailer is successfully connecting to the SMTP server, but something is going wrong with STARTTLS. The error message and transcript give no hint as to what the specific TLS problem might be, though.
Similar symptoms are described in a closed issue on the PHPMailer Github, but the issue resolution there involved troubleshooting the connection using the OpenSSL command line client, as described in the PHPMailer troubleshooting page. This page gives some instructions on how to test the underlying OpenSSL connection outside of the PHP context, which should give details of why the connection might be failing. It says to run the following command:
echo QUIT | openssl s_client -starttls smtp -crlf -connect redactedemailserver.example.com:587
I imagine this works in bash on Linux, but I'm running XAMPP on Windows. I tried running a hopefully-equivalent PowerShell command:
echo QUIT | C:\xampp\php\extras\openssl\openssl.exe s_client -starttls smtp -crlf -connect redactedemailserver.example.com:587
But nothing seems to happen. A fresh PowerShell prompt reappears, and there is no apparent output from openssl.
I also tried running the command without the echo QUIT |. Still, nothing happened.
On Windows, what PowerShell/openssl.exe commands can I use to determine why the STARTTLS is failing?
Version numbers:
XAMPP 7.1.7
PHP 7.1.7
PHPMailer 6.0.6
OpenSSL 1.0.2l
XAMPP 7.1.7 includes two copies of openssl.exe.
The copy located in C:\xampp\php\extras\openssl doesn't work. When launched from PowerShell, nothing happens. When launched from Command Prompt, an error message box appears that says The ordinal 4070 could not be located in the dynamic link library. This appears to possibly be the result of a bad build.
The copy located in C:\xampp\apache\bin, however, works as described in the PHPMailer troubleshooting guide.
So the answer to my original question is to just run the command as given in the troubleshooting guide, but using the not-broken copy of openssl.exe:
echo QUIT | C:\xampp\apache\bin\openssl.exe s_client -starttls smtp -crlf -connect redactedemailserver.example.com:587
Related
I am trying to access the Outlook mail server via IMAP using PHP. As this is not working as intended and the error messages are not helping, I looked up ways to test the basic connectivity and came across the following line of code:
openssl s_client -connect outlook.office365.com:993
This should, supposedly, let me connect to the mail server using an encrypted connection, so that I can then issue some commands to actually log in etc.
However, the command only generates the following output:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I have tried researching the error message (write:errno=104), which lead to some suggestions like enforcing TLSv1.2 using the -tls1_2 parameter, neither of which made any difference.
Can someone point me in the right direction? I already ran this command on Ubuntu and Windows 10 using the latest version of OpenSSL.
I can connect using your command, but I needed to force \r\n line ending characters using the -crlf option when connecting in order to be able to type commands and have the server recognise them.
You can also add -quiet to reduce the amount of output:
openssl s_client -connect outlook.office365.com:993 -crlf -quiet
However, it seems the connection is getting reset in your case. This means there's some sort of network issue. There might be a firewall blocking your access to port 993 on outlook.office365.com. e.g. this might be the case if you normally have to connect via a proxy server.
Recent versions of openssl s_client have a -proxy option, but don't seem to allow specifying a proxy username and password. Also it might not work with your proxy even if you don't need to authenticate to the proxy server. One workaround might be to use http://ntlmaps.sourceforge.net/. I have tried it in the past, but it was over 15 years ago.
You could also try using cURL's IMAP support instead of openssl s_client, since it has better proxy support.
Another possibility is to connect to port 143 and use STARTTLS instead of connecting to port 993. Obviously if port 993 is firewalled then port 143 might also be, but in your case it seems like it is allowed:
openssl s_client -connect outlook.office365.com:143 -starttls imap -crlf -quiet
If you are behind a proxy and can't connect to the IMAP server directly, then you can also use something like EmailEngine that handles connections itself and allows access mailbox contents via a REST API.
I have a "vsftpd" server running on a RHEL machine which is configured for anonymous communication.
I am trying to connect to it from a AIX 7.1 machine using ftp client.
ftp -snv host 8043
Connected to host
220 secure FTP service
ftp> user anonymous mypass
234 Proceed with negotiation.
TLS Auth Entered.
Certificate:
....
....
TLSv1/SSLv3 ( ECDHE-RSA-AES256-GCM-SHA384 ), 256 bits
331 Please specify the password.
230 Login successful.
200 PBSZ set to 0.
200 PROT now Private.
ftp> passive
Passive mode on.
ftp> cd /incoming
250 Directory successfully changed.
ftp> quote pwd
257 "/incoming"
ftp> ls -r
227 Entering Passive Mode (XXX,XXX,XXX,XX,XXX,XX).
ftp: connect: Connection timed out
ftp>
As seen above, the cd and quote pwd command seems to work fine. But ls -r and mput commands fail with Connection timed out error.
No real helpful messages on the server logs also.
Please help on debugging and identifying the issue.
PS: The lftp clients from RHEL work fine connecting to the server.
FTP needs to open two connections to work properly. One for control and one for data.
Whenever you get "cd works but ls doesn't", the data connection is not getting established.
Troubleshooting tips:
look for any firewalls/NATs along the way
try toggling active/passive mode, this opens the data connection from the other side
look at what is happening using network debugging tools like tcpdump/wireshark
I'm using command line on Windows 7 or Windows Command Processor. I'm trying to connect to gmail pop server (pop.gmail.com) on port 995 because that is what I have seen on other Web sites. I want at least to get an "+OK Hello there" message. This is the command I wrote:
telnet pop.gmail.com 995
I'm not getting any answer. What am I doing wrong?
Port 995 is for SSL connection. You cannot do it with telnet.
You could probably try OpenSSL and to test it that way.
openssl s_client -connect pop.gmail.com:995 -quiet
More info on OpenSSL for Windows is here:
OpenSSL for Windows
ADDED:
I have just tested with openssl command I gave you above. It works like a charm:
user#localhost$ openssl s_client -connect pop.gmail.com:995 -quiet
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
+OK Gpop ready for requests from 11.11.111.11 v45pf1517914yhk.21
I'm trying to connect to a FTPS (explicit TLS FTP) server within a shell script and i'm kinda confused.
I tried using the regular FTP command, but i get 534 error "policy requires SSL" and 504 "Security mechanism not implemented"
ftp -inuv myhost
Returns 504 then
quote USER myuser
Returns 534
I also tried sftp but i get "couldn't read packet: connection reset by peer".
That damn peer is making my life a nightmare since IRC ;)
sftp myuser#myhost:mydirectory/ -P21
Connexion reset by peer and it says it can't connect to port 22, which is weird since i specified port 21...
Thanks for your help
There is a diference between ftps and sftp : sftp is ftp over ssh, so in your case you cannot use sftp. ftps is ftp that use ssl/tls
You need an ftp client that manages TLS, for instance http://lftp.yar.ru/ (found on the net)
I want to send IMAP commands via Mac OS X Terminal to server and get response. I can connect to the server using this line:
openssl s_client -connect imap.gmail.com:993
And I can successfully login:
? LOGIN m.client2 passwordhere
But all other commands do not work, no response from server. I tried for instance this:
? LIST "" "*"
? SELECT INBOX
Found an error by help of a friend:
openssl s_client -connect imap.gmail.com:993 -crlf
-crlf is critical
Try this, this should works for you (replace the first line by your
openssl s_client -connect imap.gmail.com:993 -crlf
command (mandatory -crlf) & type only the blue part) :
First thing first, is imap activated on your gmail account???
if you are able to login successfully that means ssl is working fine.
whats the return code that you get for
a1 LOGIN m.client2 passwordhere command.
have you tried the command
a1 capability
try other alternative commands since not all IMAP servers implementa all the IMAP commands.
I have faced this issue while I was creating the data migration tools for different vendors like gmail rediffmail yahoo...
A few more options to consider: You may be connecting to a server offering STARTTLS (esp. for IMAP on port 143) in which case you can tell openssl to proceed in negotiating this, you need to specify which protocol you're using (choose from pop3, imap, smtp, ftp); the -crlf option has been mentioned by others, and I also find the -showcerts option useful if I'm debugging an SSL/TLS configuration. So for example you might end up with,
openssl s_client -showcerts -connect target.server.name.here:143 -starttls imap
More options with the relevant man page if you've got that available,
man s_client