PHP encryption, stopped receiving emails via 365

[t4Chippy]

Hi Guys, I have a webshop running thirtybees 1.0.7 and around a month ago i stopped receiving "contact us" emails from my site. 

My email account is with microsoft office 365, and is the same domain as my site. My email was configured with "Use PHP's mail() function". This has been working fine since Christmas when the site went live, but as said, just stopped working on the 4th of May. 

I tried switching the customer services email to a gmail account and it comes through just fine, switch back to my domain email with 365 and it stops again. I contacted microsoft and they said to switch it over to SMTP but that refuses to even connect. 

I've read a few bits on bobs online that prestashop used to have a conflict with office 365 and something to do with presta not being STARTTLS compatable, and something to do with the swiftmailer? could this possibly be the issue with thirtybees too?

 

I'm not the most technically gifted individual but i can get a grasp of things and do have a friend who can can fill in the gaps in my knowledge so i thought I'd reach out to you guys and see if we can get this thing going again with your help.

Thanks in advance!

 

[Factor]

I wouldn't use PHP sending.  Alot of places block that as spam.

Use the actually server settings part.

 

 

then put in email server setting here.

 

This link might help for the settings...  Not my site.

https://www.msnoob.com/pop-imap-and-smtp-settings-for-office-365.html

 

 

Edited June 5, 2019 by Brent Dacus

[t4Chippy]

Hi Brent, thanks for the reply, yes thats pretty much what the Microsoft technician said, but for some reason it's not accepting the SMTP details.

 

It says "Unable to connect with TLS encryption"

And i know the username (email) and password are 100% correct.

I used microsoft 365's SMTP's settings of 

Server name: smtp.office365.com
Port: 587
Encryption method: STARTTLS

But obviously I can only select TLS, not STARTTLS 🙂

Edited June 5, 2019 by t4Chippy

[Factor]

https://www.fastmail.com/help/technical/ssltlsstarttls.html

 

Try SSL

STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.

[t4Chippy]

1 minute ago, Brent Dacus said:

https://www.fastmail.com/help/technical/ssltlsstarttls.html

 

Try SSL

STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.

Hi Brent, just switch to SSL and getting this error now 🙂

Error: Please check your configuration
Connection could not be established with host smtp.office365.com [ #0]

[Factor]

Well you might ask your hosting company to weigh in.  Most hosting services have email included.  A Lot of them does not support 3rd party email either.

 

I found this to 

https://docs.microsoft.com/en-us/Exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3?redirectSourcePath=%2fen-us%2farticle%2fhow-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4

[t4Chippy]

 

HI there, yea thats the exact link the MS technician sent me yesterday to try. Today he did a remote session and couldn't get the bottom of it either. 

Seems weird when i switch the email to gmail on PHP it all works fine, switch back to my .co.uk and it spits it's dummy out, also weird why it worked for 5 months then just stopped? 😞

 

Thanks for your help Brent, much appreciated 🙂

[Factor]

You might check your MX records at the domain registrar.

https://docs.microsoft.com/en-us/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide

Edited June 5, 2019 by Brent Dacus

[t4Chippy]

Hi Brent, I'm sure i had to do that to set up the account with 365, just checked and the domain registrar records and the MX records are there. The technician also added the hosting servers IP address to the TXT/SPF record to make doubly sure it would get through but still nothing comes through. CNAME records are also there.

He said it's almost like outlook deletes it as it's coming in, no error record he can see at all. weird 😞

Edited June 5, 2019 by t4Chippy

[Factor]

Well good to know I am on target with my suggestions..

you can check your domain here

https://mxtoolbox.com/

and dns here 

https://intodns.com/

See if that shows you anything.  If you want pm me your domain name and I an look to.

[t4Chippy]

They both seem to check out, but I've PM'd you the domain name 🙂

 

[Factor]

Yeah email is a bit of a black hole sometimes.  

[t4Chippy]

Yea it's a pain in the bum 🙂

I get all emails to that email address except emails from the site, they aren't moved to spam, they just don't arrive at all. 

Even had the MS tech confused 🙂

[dynambee]

As part of a process of elimination, try setting up a mail client on your local PC with the SMTP settings you get from MS. Send some mails and see if it works.

If the local setup works then double-check the credentials you have on your server to make sure they are correct. You also might find this page to be useful with setting up SMTP on Office 365.

If it still isn't working then you may have to try a manual SMTP connection from the shell so you can see what the errors are.

[t4Chippy]

3 hours ago, dynambee said:

As part of a process of elimination, try setting up a mail client on your local PC with the SMTP settings you get from MS. Send some mails and see if it works.

If the local setup works then double-check the credentials you have on your server to make sure they are correct. You also might find this page to be useful with setting up SMTP on Office 365.

If it still isn't working then you may have to try a manual SMTP connection from the shell so you can see what the errors are.

Hi Ian, just tried as you suggested and something interesting has just happened, I entered all the SMTP and IMAP details into outlook to set it up manually and set them both to SSL/TLS and it failed, I changed just the SMTP to  STARTTLS and it went through.

SO as I don't have the option for STARTTLS in thirtybees could this be my problem?

 

I'm wondering if it's this old presta problem https://www.prestashop.com/forums/topic/270220-modification-swift-mailer-upgrade-better-support-for-ssltls/ 

 

Maybe i need this? https://www.bellini-services.com/shop/modifications/39-swift-mailer-upgrade-better-support-for-ssltls.html 

Edited June 6, 2019 by t4Chippy

[dynambee]

According to this Microsoft support page Office 365 uses STARTTLS for SMTP access. However there are other pages like this one that say TLS is also okay. Other pages I have found say that TLS is okay but it must be version 1.2 or higher. You can probably use the first option on this page to check if your server supports TLS 1.2.

This is another Microsoft page that looks like it might be useful. It explains how you can send messages directly to your Office 365 mailbox but your server must be able to send out on port 25. If you have shared hosting or some VPS services (like DO, or so I have heard) that block outbound connections on port 25 then direct send wouldn't work. However if you do have the ability to send out on port 25 then it might be a good solution for your particular problem.

Hope some of this helps.

[t4Chippy]

29 minutes ago, dynambee said:

According to this Microsoft support page Office 365 uses STARTTLS for SMTP access. However there are other pages like this one that say TLS is also okay. Other pages I have found say that TLS is okay but it must be version 1.2 or higher. You can probably use the first option on this page to check if your server supports TLS 1.2.

This is another Microsoft page that looks like it might be useful. It explains how you can send messages directly to your Office 365 mailbox but your server must be able to send out on port 25. If you have shared hosting or some VPS services (like DO, or so I have heard) that block outbound connections on port 25 then direct send wouldn't work. However if you do have the ability to send out on port 25 then it might be a good solution for your particular problem.

Hope some of this helps.

Thanks Ian, seems weird that it was fine at chistmas on PHP and was trouble free untill this time last month then BOOM!, stopped working 😞

I think I'll get my friend to have a look at this page as it's starting to get to the limit of my understanding, I might even send the MS tech a link 😉 

 

Thanks for your help so far all!

[dynambee]

1 hour ago, t4Chippy said:

I'm wondering if it's this old presta problem https://www.prestashop.com/forums/topic/270220-modification-swift-mailer-upgrade-better-support-for-ssltls/ 

 

Maybe i need this? https://www.bellini-services.com/shop/modifications/39-swift-mailer-upgrade-better-support-for-ssltls.html 

I checked the swiftmailer version included with TB 1.0.8 and it is 5.4.12. I'm not sure which version was in 1.0.7 but it is unlikely to be older than 5.4.9 which was released a number of months before TB 1.0.7 was released. You can check the version yourself though, it is located here: 

[your tb top folder] /vendor/swiftmailer/swiftmailer/VERSION

Edit: These are both much newer than the version provided by PS that fixed the STARTTLS issues discussed in the thread you linked to so I don't think changes to the TB swiftmailer will be necessary. Also, TB has moved the location of swiftmailer so I suspect installing that extension would bork TB's ability to send mails at all.

Edited June 6, 2019 by dynambee
As noted.

[t4Chippy]

12 minutes ago, dynambee said:

I checked the swiftmailer version included with TB 1.0.8 and it is 5.4.12. I'm not sure which version was in 1.0.7 but it is unlikely to be older than 5.4.9 which was released a number of months before TB 1.0.7 was released. You can check the version yourself though, it is located here: 

[your tb top folder] /vendor/swiftmailer/swiftmailer/VERSION

 

Hi Ian, my mate just checked (as he does the server side for me) and it's 5.4.12 🙂 

So does that mean that shouldn't be the issue?

Edited June 6, 2019 by t4Chippy

[dynambee]

That is newer than the version that PS added to 1.6.1 to fix the STARTTLS issue. You should be able to test the included swiftmailer version with help from this page.

You should also make sure you have openssl installed and available on your server, you can do that with the info in the link (this link) I provided a couple of replies ago. If you don't have openssl installed on the server then AFAIK you won't be able to connect securely to the remote SMTP server, something that is going to be required in today's world.

[dynambee]

Just a thought, have you updated your SPF record to include the IP of your webserver as being allowed to send emails on behalf of your domain? I don't know how PHP-mailer works but there's a chance 365 is refusing your emails because they are coming from an unauthorized user.

Your SPF record should look something like this:

SPF	v=spf1 ip4:<Webserver IP Address> include:spf.protection.outlook.com ~all

 

[t4Chippy]

57 minutes ago, dynambee said:

That is newer than the version that PS added to 1.6.1 to fix the STARTTLS issue. You should be able to test the included swiftmailer version with help from this page.

You should also make sure you have openssl installed and available on your server, you can do that with the info in the link (this link) I provided a couple of replies ago. If you don't have openssl installed on the server then AFAIK you won't be able to connect securely to the remote SMTP server, something that is going to be required in today's world.

I'll get my friend to check this for me :) 

[t4Chippy]

2 minutes ago, dynambee said:

Just a thought, have you updated your SPF record to include the IP of your webserver as being allowed to send emails on behalf of your domain? I don't know how PHP-mailer works but there's a chance 365 is refusing your emails because they are coming from an unauthorized user.

Your SPF record should look something like this:

SPF	v=spf1 ip4:<Webserver IP Address> include:spf.protection.outlook.com ~all

 

Hi Ian, yes the MS Technician added that yesterday so thats done :) 

[dynambee]

I'd double check the SPF record as small errors can make a huge difference in the meaning.

[t4Chippy]

1 hour ago, dynambee said:

I'd double check the SPF record as small errors can make a huge difference in the meaning.

Hi Ian, just checked and it's v=spf1 ip4:XXX.XXX.XXX.XXX include:spf.protection.outlook.com -all 

Only difference between what is there and your string is the - or ~ just before all?

[dynambee]

The difference between -all and ~all is that -all is a stricter setting. It means that any server that is not included in the SPF data should be automatically refused for delivery. ~all is a bit more flexible in that it means that servers not included in the SPF are allowed to send email on behalf of that domain but they are not officially approved. There are reasons that -all might be preferred over ~all but for general use purposes ~all is probably a better choice. (-all might also explain why your incoming TB messages are vanishing.)

I would also double (or triple) check that the IP in your SPF record is actually the IP of your webserver. No zeros that got entered as the letter O, no mistyped numerals, no commas instead of periods, etc.