Still mail problem

[Havouza]

We still have mail problems

 

When trying to send a testmail iI get this error

Failed to send email: SMTP Error: Could not connect to SMTP host. Connection failed. stream_socket_enable_crypto(): Peer certificate CN=`mail.mxmail.pro' did not match expected CN=`mail.jv80.se'

The smtp host is fully working I can use it with both webmail and the mail client

I dont know where it get mail.mxmail.pro from, the smtp server used is mail.jv80.se

[datakick]

That is not an application issue, but server issue. Check this: 

https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#certificate-verification-failure

Most likely, your hosting providet is redirection all smtp traffic to their own smtp server.

[Havouza]

@datakick my hosting provider is a dedicated server over wihich I have 100% control. The second dedicated server we have is our own email server with postfix and dovecot. I have 100% control on that also. So your assumtion is totally wrong

[Havouza]

and that old post has no meaning for our problem. And still I dont understand why it works everywhere else with the exact same settings

[Havouza]

Just one more thing. We also have an opencart shop with 7 services we sell. The contact for on that shop which is a virtual domain on the same server as TB use exactly the same settings and works flawless. The mail arrive 10 sec after I press the send button

[the.rampage.rado]

Misconfiguration of your app or your server is not thirty bees' fault.

I would strongly suggest triple checking your setup and settings and if you can't find the issue search for paid support.

[Havouza]

Not much to misconfigure in the php mailer. And still it works everywhere except tb. 

[the.rampage.rado]

So check your thirty bees settings then. Be sure that the app is working, yes, there are unfortunately many ways you can misconfigure it (I had similar issues a while back and it was totally my fault).

[datakick]

I've checked the SSL certificate for your mail server:

openssl s_client -connect mail.jv80.se:587 -starttls smtp -crlf

outputs

Connecting to 156.67.80.139
CONNECTED(00000005)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R11
verify return:1
depth=0 CN=mail.mxmail.pro
verify return:1
---
Certificate chain
 0 s:CN=mail.mxmail.pro
   i:C=US, O=Let's Encrypt, CN=R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 10:04:49 2024 GMT; NotAfter: Jan  5 10:04:48 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=R11
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUjCCBDqgAwIBAgISA3dwbr6Y61zugeXx1GxKELtmMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTEwHhcNMjQxMDA3MTAwNDQ5WhcNMjUwMTA1MTAwNDQ4WjAaMRgwFgYDVQQD
Ew9tYWlsLm14bWFpbC5wcm8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCSQ1HbHGiBbou7GOZhL0jYk2D3IK3Al48pX/OioRQJL57c0HFCFRGrJgJ523qQ
gt9yHwmeSjr+JdsAedOw0evb2rKf3CaKfW7ECMkW0cUvM8yhOs2LyC8o+DLhhFGQ
gh1VsfOetKN05zM11vLfqWpuRsLa7nqJTE1ZIxYLpe1pG1zVY2N36FqVdw06ptOw
UxTxDzhdi5BbAsdjC8rVweo0Ja0pTUb9F+nmQV5F1U0g/eLsyjzQvyhFVhJdc1sH
8YlDTw9NnSPm84GUlT/Gxzo3u7tMPYRh4KSE6i+uYUm21phRDZeUzzzYFGY4nfX1
SoP/9Qqjg51T2xuv0Dgg5MpLAgMBAAGjggJ3MIICczAOBgNVHQ8BAf8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFDk9g01mxaxjoVTkhDGc59225HJQMB8GA1UdIwQYMBaAFMXPRqTq9MPA
emyVxC2wXpIvJuO5MFcGCCsGAQUFBwEBBEswSTAiBggrBgEFBQcwAYYWaHR0cDov
L3IxMS5vLmxlbmNyLm9yZzAjBggrBgEFBQcwAoYXaHR0cDovL3IxMS5pLmxlbmNy
Lm9yZy8wfQYDVR0RBHYwdIIMbWFpbC5qdjgwLnNlghxtYWlsLmt0aW1hdGhlb3Bo
YW5vdXMuY29tLmN5ghJtYWlsLm1lZGlhc2FmZS5wcm+CD21haWwubXhtYWlsLnBy
b4IObWFpbC5teG1haWwuc2WCEW1haWwucGlzc291cmkub3JnMBMGA1UdIAQMMAow
CAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAzxFW7tUufK/zh1vZ
aS6b6RpxZ0qwF+ysAdJbd87MOwgAAAGSZqXgAAAABAMASDBGAiEAiQZplHsW+AXR
C5g1d1yuPRiPiIGACuOZn8ZBgQPB7z0CIQCwTvKO+VMaeOq8rRXaNiLdiqKlz7lk
RH704XdJjJWIAgB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAAB
kmal54wAAAQDAEcwRQIgZqd3CmlCk+h6p8HfSW+SzmlfgwyENhHl4JbqdPZvKboC
IQDJ762uDxba1ZT2GibDQn87EO/TVJaQh2uol0i9FG+NpjANBgkqhkiG9w0BAQsF
AAOCAQEAVHukoNoGdJwB6urbDbq0tzCoK1RfdQK/IjZoiGPK6IiQS6SQH8tG8g+X
HhFfsnSdpPLK4UHB/e1KnGD0YuHXrYhBSsF4wSsq4bwNp6o+123P8fIblEVZStZG
Wyfhj/mpmpN86LPs7sJRSrZREmU2txdSx0F930AgDrPZ3sdTYuEs4SQnyymdRcbo
P+iERwxCnOX5SFuEEYWW75WSOWGIY34L8py+mFLdy+C/l4rv/yXNLOT9HuT+FbP5
1/VewuSEp/gCDTxQT9PqgwGDuX7KWcp77iho6zqgNyPyW1SU3qhvfpg0AeT1XHU5
iAcmR7M8XMqDOpv+4p5XhY//5gREqQ==
-----END CERTIFICATE-----
subject=CN=mail.mxmail.pro
issuer=C=US, O=Let's Encrypt, CN=R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3408 bytes and written 433 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 DSN
DONE

The SSL certificate was issued primarily for domain mail.mxmail.pro and not for mail.jv80.se

However, when you decode certificate (for example by https://www.sslshopper.com/certificate-decoder.html), you will see that the certificate CAN be used by mail.jv80.se, because this domain is listed in Subject Alternative Names section. So, the SSL handshake should be successful. Hower, it looks like php native SSL method does check SAN when verifying peer name -- it expects peer CN to match the requested hostname, and does not check SAN list as well.

Fortunately, it might be possible to force PHP to accept SAN if your provide the peer name in SSL options, as described here: https://github.com/PHPMailer/PHPMailer/issues/1113

You can test this by editing file 

/modules/tbphpmailer/src/PhpMailerTransport.php

and insert this code.

$message->SMTPOptions = [ 
	'ssl' => [ 
		'peer_name' => 'mail.jv80.se' 
	] 
];

Result should look something like this: 

Let us know if this helped. 

[Havouza]

@datakick Late answer

Its very common when you have many domains on your mailserver that you create one cert for all the domains by making lets encrypt create the same cert for multiple domains. its nothing that compromize security but when you get 20-30 domains on the email server it a pain in the but to keep track of all the different serts if you create them one by one.

The problem here seems not to be the same. The php mailer works without a problem sendig out mails to customers, but the mail alerts, which I assume also use Php Mailer does not. So hardly the cert cant be the problem
I will test the code change

Edited October 9 by Havouza

[Havouza]

@datakick

I just noticed that the change say ssl. SSL is really depreaced so we use TLS. But perhaps it does not matter, it mostly a name change