SMTP: STARTTLS failed (code: 220, response: 2.0.0 Ready to start TLS)

[nerkaid]

Suddenly my web start to give this error when trying to send an email:

[SMTP: STARTTLS failed (code: 220, response: 2.0.0 Ready to start TLS)]

If enabling debug mode I'm getting this info:

DEBUG: Recv: 220 mail-node-smtp-02.dondominio.com ESMTP DD Mail System
DEBUG: Send: EHLO localhost
DEBUG: Recv: 250-mail-node.dondominio.com
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-SIZE 51200000
DEBUG: Recv: 250-ETRN
DEBUG: Recv: 250-STARTTLS
DEBUG: Recv: 250-AUTH PLAIN LOGIN
DEBUG: Recv: 250-AUTH=PLAIN LOGIN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250 CHUNKING
DEBUG: Send: STARTTLS
DEBUG: Recv: 220 2.0.0 Ready to start TLS
DEBUG: Send: RSET
DEBUG: Recv: \qz0x9|PT&2VVSl1Nu(XaQ4 FUȩKXHiJcRJ~aj_/$-S셀䰖C
DEBUG: Send: QUIT
DEBUG: Recv: r^O_QW]H"F+zt3^E0Fԋת@

After take a look on some forums, I found it can be fixed changing the line 588 of "Net\SMTP.php" from:

&& extension_loaded('openssl') && isset($this->esmtp['STARTTLS'])

to:

&& extension_loaded('openssl') && $this->esmtp['STARTTLS']

After the change everything start to work fine like before.

My setup is WS 2012 R2 with IIS8, PHP8.0 and pear up to date at January date.

Thanks and best regards!

[schengawegga]

Can you show me your code, please?
I can´t reproduce the error you showed here.

There will be no STARTTLS connection established, when you remove the isset function.
So you send your emails within a non secure connection to your mailserver.

[nerkaid]

Sure @Schengawegga, here is the Pear code modified:

public function starttls()
{
    /* We can only attempt a TLS connection if one has been requested,
     * we're running PHP 5.1.0 or later, have access to the OpenSSL
     * extension, are connected to an SMTP server which supports the
     * STARTTLS extension, and aren't already connected over a secure
     * (SSL) socket connection. */
    if (version_compare(PHP_VERSION, '5.1.0', '>=')
        #&& extension_loaded('openssl') && isset($this->esmtp['STARTTLS'])
        && extension_loaded('openssl') && $this->esmtp['STARTTLS']
        && strncasecmp($this->host, 'ssl://', 6) !== 0
        ) {
            /* Start the TLS connection attempt. */
            if (PEAR::isError($result = $this->put('STARTTLS'))) {
                return $result;
            }
            if (PEAR::isError($result = $this->parseResponse(220))) {
                return $result;
            }
            if (isset($this->socket_options['ssl']['crypto_method'])) {
                $crypto_method = $this->socket_options['ssl']['crypto_method'];
            } else {
                /* STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT constant does not exist
                 * and STREAM_CRYPTO_METHOD_SSLv23_CLIENT constant is
                 * inconsistent across PHP versions. */
                $crypto_method = STREAM_CRYPTO_METHOD_TLS_CLIENT
                | @STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
                | @STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
            }
            if (PEAR::isError($result = $this->socket->enableCrypto(true, $crypto_method))) {
                return $result;
            } elseif ($result !== true) {
                return PEAR::raiseError('STARTTLS failed');
            }
            
            /* Send EHLO again to recieve the AUTH string from the
             * SMTP server. */
            $this->negotiate();
        } else {
            return false;
        }
        
        return true;
}

And here is the code from my website:

	include 'Mail.php';
	include 'Mail/mime.php' ;

	$mime = new Mail_mime();

	$hdrs = array(
		'To'	  => $email_rec,
		'From'    => 'REMOVED FOR PRIVACY',
		'Subject' => "Password restore at REMOVED FOR PRIVACY",
		'Content-Type'  => 'text/html; charset=UTF-8'
            );

            $mime_params = array(
			  'text_encoding' => '8bit',
			  'text_charset'  => 'UTF-8',
			  'html_charset'  => 'UTF-8',
			  'head_charset'  => 'UTF-8'
			);

			$emailstr = "Hi ".$nick.",<br><br>Please, follow <a href='www.REMOVED FOR PRIVACY.com/pw_new.php?email=".$email_rec."&key=".$hash."'>this link</a> to restore your password.<br><br>Best regards<br>";


			$mime->setHTMLBody($emailstr);
			$body = $mime->get($mime_params);
			$hdrs = $mime->headers($hdrs);

			
			$smtp = Mail::factory('smtp', array(
		        'host' => 'smtp.dondominio.com',
		        'port' => '25',
		        'auth' => true,
		        'username' => 'REMOVED FOR PRIVACY',
		        'password' => 'REMOVED FOR PRIVACY'
		    ));

			$resenv = $smtp->send($email_rec, $hdrs, $body);

			// Si hay algún error:
			if (PEAR::isError($resenv)) {
			 	$endMessage = "Oops! Something went wrong sending the email...<br><br>".$resenv."<br><br><br><a href='pw_reset.php'>Back</a>";
			 	$shwImg = true;
			}
			else{
			   // Informo
				$endMessage = "An email to <b>".$email_rec."</b> has been sended sucesfully. Please, check your inbox.<br><br><a href='index.php'>Back</a></p>";
			};

[schengawegga]

Is this code from your website online at the moment?
When i try to establish an connection to smtp.dondominio.com at port 25, i recieve an errormessage that the connection was rejected.

[Neustradamus]

@nerkaid: Have you seen the last comment of @schengawegga?

[nerkaid]

@schengawegga @Neustradamus Hi, sorry for the delay in the response.

Yes, the code is on the web and working at the moment. I've tested it a few seconds ago and is working fine with the changes I explained on the first post.

[schengawegga]

@nerkaid
When i try to establish a connection via port 25, smtp.dondominio.com will reject the connection.
Do you really connect to smtp.dondominio.com via port 25?
Are your website is hosted on a dondominio webspace, too?

From an external site, only on port 587 the connection will be established.

And your changes within the if statement are not secure.
the result of changing the comparison from isset($this->esmtp['STARTTLS']) to $this->esmtp['STARTTLS'] will end up in an unsecure connection, because the value of $this->esmtp['STARTTLS'] is always FALSE.
so your change is not an bugfix, it is a deactivation of the STARTTLS connection.

please try to connect without your changes and via port 587.
the starttls connection will work then.

[rettenbs]

I came across the same error on my roundcube installation. The issue was that the webserver connected to the smtp server on localhost. Of course, the certificate is not valid for localhost. Roundcube has a config variable to specify SSL options. Setting the peer name in the options solved the issue.

[schengawegga]

@rettenbs Thank you for your reply. Yes, i knew this problem. It is the same problem on my webserver, too. But it can be solved via the socket_options. See all socket_options in stream_context_create() (https://www.php.net/manual/en/context.php). The Options you need are
$params['socket_options']['ssl']['verify_peer'] = false;
$params['socket_options']['ssl']['verify_peer_name'] = false;
$params['socket_options']['ssl']['allow_self_signed'] = true;
Then it will work without changing anything in the source-code.
The options can be set via PEAR::Mail, PEAR::Net_SMTP or PEAR::Net_Socket, because it is a feature of PHP native stream_context_create() wich is been used in PEAR::Net_Socket.
@nerkaid maybe it can be your solution too?

[nerkaid]

Is this code from your website online at the moment? When i try to establish an connection to smtp.dondominio.com at port 25, i recieve an errormessage that the connection was rejected.

Hi, sorry for the delay on the response. Yes, that's the code working atm. Is weird you cannot connect, I've just checked via telnet and I can connect and do a HELO without problem:

telnet smtp.dondominio.com 25
Trying 31.214.176.11...
Connected to mailsrv10.dondominio.com.
Escape character is '^]'.
220 mail-node-smtp-01.dondominio.com ESMTP DD Mail System
helo
501 Syntax: HELO hostname

I've just tried the mail sent by the website and is working too.

Best regards!

[rettenbs]

Actually, if you have a valid certificate (not self-signed), setting this should be enough:

$params['socket_options']['ssl']['peer_name'] = '<public domain>'

The <public domain> must be domain under which your server is reachable from the internet.

This is also more secure because SSL is verifying the peer name.

Long explanation:
The SSL client checks that the certificate of the server is valid for the host name of the server. For example, if the server presents a certificate for domain_a.com, the SSL client will not accept the certificate if the client contacted the server with the host name domain_b.com. If the SSL client connects to localhost, it will look for localhost in the certificate. A certificate is usually never valid for localhost. Hence, the check fails and the SSL client will abort the connection. When setting peer_name, you override the host name that is checked by the client. Instead of looking for localhost, the client will look for the name given by peer_name.

[schengawegga]

@nerkaid now i established a connection via port 25 on a debian system with PHP7.4 and got the following result:

DEBUG: Recv: 220 mail-node-smtp-04.dondominio.com ESMTP DD Mail System
DEBUG: Send: EHLO localhost

DEBUG: Recv: 250-mail-node.dondominio.com
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-SIZE 51200000
DEBUG: Recv: 250-ETRN
DEBUG: Recv: 250-STARTTLS
DEBUG: Recv: 250-AUTH PLAIN LOGIN
DEBUG: Recv: 250-AUTH=PLAIN LOGIN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250 CHUNKING
DEBUG: Send: STARTTLS

DEBUG: Recv: 220 2.0.0 Ready to start TLS
DEBUG: Send: EHLO localhost

DEBUG: Recv: 250-mail-node.dondominio.com
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-SIZE 51200000
DEBUG: Recv: 250-ETRN
DEBUG: Recv: 250-AUTH PLAIN LOGIN
DEBUG: Recv: 250-AUTH=PLAIN LOGIN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250 CHUNKING
DEBUG: Send: RSET

DEBUG: Recv: 250 2.0.0 Ok
DEBUG: Send: MAIL FROM:<********@*******>

DEBUG: Recv: 250 2.1.0 Ok
DEBUG: Send: RCPT TO:<********@*******>

DEBUG: Recv: 554 5.7.1 <********@*******>: Recipient address rejected: Access denied

The access denied failure depends on not existing credentials.

I think, to reproduce your issue, i have to setup a IIS8.0 system with PHP8.0.
My guess is that this behavior is related to the IIS.

I will keep you on track when i tested it on a IIS system.

[schengawegga]

@nerkaid Now i tested the connection on a Win2012 R2 IIS8.0 with PHP8.0 and got the same result as on my debian system with PHP7.4.

I think, the issue is a problem on your server.
It seems, that your server cannot decrypt the answers from dondominio.com smtp-server.
Did you got this error after changing the package version of PEAR/Mail oder PEAR/Net_SMTP?
Or did the error occur during normal operation, without any changes?

DEBUG: Recv: 220 2.0.0 Ready to start TLS
DEBUG: Send: RSET
DEBUG: Recv: \qz0x9|PT&2VVSl1Nu(XaQ4 FUȩKXHiJcRJ~aj_/$-S셀䰖C
DEBUG: Send: QUIT
DEBUG: Recv: r^O_QW]H"F+zt3^E0Fԋת@

Your bebug-log shows, that the dondominio.com smtp-server answers after the tls connection is established.
I think, the problem is, that your server cannot decrypt the tls encrypted answers from dondominio.com.
However....... Maybe a short term microsoft bug?
Did you tried to revert your changes (set isset() back) and check if sending mails is still not possible?

[schengawegga]

@nerkaid Does the problem still exists, or can i close this issue?

[sasha-x]

+1 problem exists.
And +1 for @nerkaid 's fix. It works.

Final code snippet from SMTP.php is:

        if (version_compare(PHP_VERSION, '5.1.0', '>=')
            && extension_loaded('openssl') && isset($this->esmtp['STARTTLS']) && $this->esmtp['STARTTLS']
            && strncasecmp($this->host, 'ssl://', 6) !== 0
            ) {
                /* Start the TLS connection attempt. */

Error message: authentication failure [SMTP: STARTTLS failed (code: 220, response: 2.0.0 SMTP server ready)]
appears after upgrade php from 7.2 to 7.4 and pear/net_smtp package to dev-master several days ago.

$ php -v
PHP 7.4.3-4ubuntu2.17 (cli) (built: Jan 10 2023 15:37:44) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3-4ubuntu2.17, Copyright (c), by Zend Technologies
$ lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal

Client code looks like:

        $smtp = Mail::factory('smtp',
            [
                'host' => $this->host,
                'port' => $this->port,
                'auth' => true,
                'username' => $this->username,
                'password' => $this->password,
                'socket_options' => [
                    'ssl' => [
                        'verify_peer_name' => false,
                        'verify_peer' => false,
                        'allow_self_signed' => true,
                    ],
                ],
            ]);
        $mail = $smtp->send($to, $headers, $body);

        if (PEAR::isError($mail)) {
            $this->error = $mail->getMessage();
            return false;
        } else {
            return true;
        }

Mail server is Exchange Server 2010 version 14.03.0361.001

[schengawegga]

@sasha-x Thanks for your comment and the technical details. When you call $this->esmtp['STARTTLS'], the value will always be NULL, because STARTTLS not has a value. So the result will be a well established but none secure connection to your SMTP.

But the very interesting part is, that the issue occurs after upgrading from PHP7.2 to PHP7.4.
So i think, that your problem occurs because the new crypto method STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT, wich was implemented with PHP7.4, wasn´t implemented in Net_SMTP. So i will do a PR in the next few days, with wich you can check, if your connection works.

Are there any updates done on the SMTP-Server? Or only the PHP update triggers the issue?

With wich port do you connect to your SMTP?
And is it a local connection (SMTP and Client on the same server), or is it an external connection?

[schengawegga]

@sasha-x i created a PR #74, please check this code, if it works with your server.

[sasha-x]

@sasha-x i created a PR #74, please check this code, if it works with your server.

It don't works. I see authentication failure [SMTP: STARTTLS failed (code: 220, response: 2.0.0 SMTP server ready)] again.

When you call $this->esmtp['STARTTLS'], the value will always be NULL, because STARTTLS not has a value.

Looks so. If I disable code of starttls() method by put if (false) { ... to SMTP.php:609
my mail send successfully.

Are there any updates done on the SMTP-Server?

No, as I know.

Or only the PHP update triggers the issue?

PHP update & composer update in project.
Prev version of Net_SMTP was: "reference": "ee0e156ab94b37ac7ad10623a4a62f10a2a2d421"

With wich port do you connect to your SMTP?

25 or 1225. I have two configs. It both works or don't works depends on SMTP.php code modification.

And is it a local connection (SMTP and Client on the same server), or is it an external connection?

External connection.

[schengawegga]

@sasha-x Thanks for your reply.

Is it possible to send me the mail-server url, or create a mail account for me to check it on my own?
You can send me the url or the credentials via email schengawegga@gmail.com

Otherwise, i have to setup an exchange server on my own environment.
This will take some time.

[sasha-x]

Is it possible to send me the mail-server url, or create a mail account for me to check it on my own?

No, sorry. It is corporative mail server. I am not authorized to pass any account to somebody out of company.

Otherwise, i have to setup an exchange server on my own environment. This will take some time.

I understand. I can try to know some config options of mail server via system administrator or get some debug logs if it can help you. But this will take some time too.

[schengawegga]

Is it possible to send me the mail-server url, or create a mail account for me to check it on my own?

I understand that. I do not need an account, i only need the url to the server, to check the connection via startssl. Is it possible to write me the url via mail?

I understand. I can try to know some config options of mail server via system administrator or get some debug logs if it can help you. But this will take some time too.

Logs are always helpful ;-)

[sasha-x]

Is it possible to write me the url via mail?

Yes. I send it.

[schengawegga]

@sasha-x Thank you for your mail. It helps me a lot to identify the line where the error occurs. So i do another commit with more details in the error message.
I think, that $result = $this->socket->enableCrypto(true, $crypto_method) not returns true, as mentioned.
But the STARTTLS connection establishes anyway.
Very strange behavior.

My idea is, that $result = $this->socket->enableCrypto(true, $crypto_method) returns 1 on your system.

Could you please pull my latest commit on dev-schengawegga/SMTP_STARTTLS_failed and give me the detailed error message?

Thanks.

[schengawegga]

@sasha-x @nerkaid now i reproduced your error behavior.
The problem is on non-blocking streams.
It must be a configuration on your client-system.
$result = $this->socket->enableCrypto(true, $crypto_method) returns 0, because the transfer stream is not finished and the method has to wait until all data received.

So i do another commit at dev-schengawegga/SMTP_STARTTLS_failed wich should solve your problem within a secure STARTTLS connection.

Please give me a quick response, if this is the solution, so i will merge it into master and publish a new release.

[schengawegga]

@jparise Could you do another code-review, please?

[sasha-x]

@schengawegga, new output is:

 authentication failure [SMTP: STARTTLS failed
                        [enableCrypto: false;
                        crypto_method: 121;
                        attempts: 1] (code: 220, response: 2.0.0 SMTP server ready)]

[sasha-x]

Update: debug output of script is:

DEBUG: Recv: 220 <server dns name here> Microsoft ESMTP MAIL Service ready at <datetime here>
DEBUG: Send: EHLO localhost

DEBUG: Recv: 250-<server dns name here> Hello [<client ip here>]
DEBUG: Recv: 250-SIZE
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-STARTTLS
DEBUG: Recv: 250-X-ANONYMOUSTLS
DEBUG: Recv: 250-AUTH NTLM LOGIN
DEBUG: Recv: 250-X-EXPS GSSAPI NTLM
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-BINARYMIME
DEBUG: Recv: 250-CHUNKING
DEBUG: Recv: 250-XEXCH50
DEBUG: Recv: 250-XRDST
DEBUG: Recv: 250 XSHADOW
DEBUG: Send: STARTTLS

DEBUG: Recv: 220 2.0.0 SMTP server ready
DEBUG: Send: RSET

DEBUG: Send: QUIT

 authentication failure [SMTP: STARTTLS failed
                        [enableCrypto: false;
                        crypto_method: 121;
                        attempts: 1] (code: 220, response: 2.0.0 SMTP server ready)]

And no mail delivered.

If I remove 'socket_options' block from my config, then nothing changes (exactly the same output and no mail delivered).

[schengawegga]

@sasha-x
Thanks.
The strange thing is, that the server responses 220 SMTP Server Ready, but the PHP function stream_socket_enable_crypto returns false.
So the issue lies deeper, because the PHP function causes the error, and we have to search why PHP natively causes an error.

I think, there is something with your client config, because on all of my test machines, the STARTTLS will be established well.

Could you take a look into your PHP logs, PHP Warnings enabled?

There must be a line like: PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14161044:SSL routines:state_machine:internal error in XXXXXXX

Or any other PHP Warning:  stream_socket_enable_crypto():.

[sasha-x]

@schengawegga
I see warning message after remove @ from Net/Socket.php:679 line.
Warning message was:

PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol in .../vendor/pear/net_socket/Net/Socket.php on line 679

Then I found ubuntu 20 - related bugreport and solution at https://stackoverflow.com/a/62359497

Open /etc/ssl/openssl.cnf
Add first line: 
openssl_conf = openssl_configuration
Add at the end:
[openssl_configuration]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
CipherString = DEFAULT:@SECLEVEL=1

It works ok now.
So many thanks for your help!
And:

1. Is it possible to make such situation a bit more clear for future seekers? May be we can remove @ from pear/net_socket/Net/Socket.php:679 permanently. Or place notice text somewhere in error output.
2. I am not clear if @nerkaid 's fix force to send my mail with no any encryption (and mail server allow this mode)?

[sasha-x]

In addition, my earlier answer to your question

Are there any updates done on the SMTP-Server? Or only the PHP update triggers the issue?

was incomplete. I lose that client OS was upgraded from ubuntu 18 to ubuntu 20.
I'm sorry about that.

[schengawegga]

@sasha-x

It works ok now.
So many thanks for your help!

Thanks for your support. I am very happy that we found a solution for that problem.

1. Is it possible to make such situation a bit more clear for future seekers? May be we can remove @ from pear/net_socket/Net/Socket.php:679 permanently. Or place notice text somewhere in error output.

I think it is not a good solution to remove the @ from Socket.php, because the developer has a reason to put this into the code. But I have an idea to implement a detailed error output into the SMTP.php. I will implement it into the PR in the next days.

2. I am not clear if @nerkaid 's fix force to send my mail with no any encryption (and mail server allow this mode)?

I am very sure, that with the fix from @nerkaid only non encrypted connections will be established to the SMTP server, because the process will never go into the code part, wich enables the TLS connection. Many servers allow non encrypted connections at the moment. Have you asked your Serveradmin, if your server allow non encrypted connections? That would be a very interresting question.

[schengawegga]

@sasha-x

Is it possible to make such situation a bit more clear for future seekers? May be we can remove @ from pear/net_socket/Net/Socket.php:679 permanently. Or place notice text somewhere in error output.

I pushed a more detailed version of the STARTTLS failed errormessage in the PR.
Can you please undo your fix in debian and check if the new script gives the errormessage stream_socket_enable_crypto(): SSL operation failed with code 1. out, too?
Can you post the debug-log here, please?

Thank you very much.

[schengawegga]

@sasha-x Did you have time to verify my errormessage fix on you system with your old configuration?

[sasha-x]

@schengawegga , I am busy now. May be some time later.

[Neustradamus]

@sasha-x, @nerkaid, @rettenbs: After several months, have you tried the @schengawegga PR?

[Neustradamus]

@sasha-x, @nerkaid, @rettenbs: After several months, have you tried the @schengawegga PR?

Here: #74

Thanks in advance.

[schengawegga]

@sasha-x @nerkaid @rettenbs I merged this PR into master now. Please check, if this commit will fix your problems. I will mark this issue as solved. If there are further problems, open a new issue, please.