Cannot send email via on site smtp server (ErrorException in StreamBuffer.php line 95:) #2570

Closed
beezel opened this issue Sep 6, 2016 · 31 comments

beezel commented Sep 6, 2016

Expected Behavior (or desired behavior if a feature request)

Email generated and sent when user is created and 'email credentials' is checked.

Actual Behavior

"Whoops, something went wrong"

http://pastebin.com/cMheVhfs


Please confirm you have done the following before posting your bug report:


Please provide answers to these questions before posting your bug report:

  • Version of Snipe-IT you're running

    v3.3.0-16-ge52a0f6

  • What OS and web server you're running Snipe-IT on

CentOS 7 with Apache

  • What method you used to install Snipe-IT (install.sh, manual installation, docker, etc)

install.sh

  • If you're getting an error in your browser, include that error

http://pastebin.com/cMheVhfs

  • What specific Snipe-IT page you're on, and what specific element you're interacting with to trigger the error

Creating new users, wish to email creds.

  • If a stacktrace is provided in the error, include that too.
  • Any errors that appear in your browser's error console.

Failed to load resource: the server responded with a status of 500 (Internal Server Error)

Does work.

  • Include any additional information you can find in app/storage/logs and your webserver's logs.
  • Include what you've done so far in the installation, and if you got any error messages along the way.

Modified mail.php multiple times as I've seen on other tickets, no success.

  • Indicate whether or not you've manually edited any data directly in the database

No.

mail.php: Info redacted, but configured correctly. Internal mail server tested and working over Telnet to 25 with same user/pass as attempted in Conf

http://pastebin.com/BQ3LGX19

Owner

snipe commented Sep 6, 2016

at HandleExceptions->handleError('2', 'stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', '/var/www/html/snipeit/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php', '95', array())

It looks like the SSL certificate on your mail server is invalid.

@snipe snipe closed this as completed Sep 6, 2016
Author

beezel commented Sep 6, 2016

Except that it isn't. We have an open wildcard cert with RapidSSL that doesn't expire until 7/2019.

As this is all purely internal, can we bypass SSL checking in any manner?

I would be happy to provide our server information to you privately if you need to look at the cert to verify its legitimacy.

Owner

snipe commented Sep 6, 2016

What's your mail server? mail.tonkin.com?

Author

beezel commented Sep 6, 2016

Correct, and passes http://www.checktls.com/perl/TestReceiver.pl check.

Owner

snipe commented Sep 6, 2016

TLS is not the same thing as SSL though.

Is this mail server blocked from outside connections?

agianotto$ telnet mail.tonkin.com 25
Trying 50.203.99.222...
agianotto$ telnet mail.tonkin.com 587
Trying 50.203.99.222...

Neither of those connect.

Owner

snipe commented Sep 6, 2016

Also, wildcard certs don't really matter if they're only installed on the web server and not on the mail server.

Author

beezel commented Sep 6, 2016

Thanks for assistance, I am not our mail or network guy, so this is not my area of expertise.

Not sure why you cannot telnet in, we test out fine internally, externally, and via mxtoolbox.com
Connecting to 50.203.99.222

220 smtp.tonkin.com mail.tonkin.com [656 ms]
EHLO PWS3.mxtoolbox.com
250-mail.tonkin.com says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH LOGIN
250-AUTH=LOGIN
250 STARTTLS [656 ms]
MAIL FROM:supertool@mxtoolbox.com
250 ok [672 ms]
RCPT TO:test@example.com
550 not local host example.com, not a gateway [672 ms]

Is there any manner to disable TLS? In the mail.php I have encryption set to null, but it still attempts to TLS. This machine (snipeit) is whitelisted in our mail server, so we can safely trust it to blast a few emails.

Owner

snipe commented Sep 6, 2016

Can you show me your mail settings from your .env file, minus the password of course

Author

beezel commented Sep 6, 2016

MAIL_DRIVER=smtp
MAIL_HOST=mail.tonkin.com
#This is correct if you are using Office 365 for your email
MAIL_PORT=25
MAIL_USERNAME=jallen@tonkin.com
#Mail username, usually same a email address
MAIL_PASSWORD=REDACT
#Your email password
MAIL_ENCRYPTION=TLS
MAIL_FROM_ADDR=jallen@tonkin.com
MAIL_FROM_NAME=jallen@tonkin.com

When I changed that encryption setting to null I got

Swift_TransportException in AbstractSmtpTransport.php line 162:
Cannot send message without a sender address

This is from generating a new user section.

Owner

snipe commented Sep 6, 2016

What happens if you try:

MAIL_DRIVER=smtp
MAIL_HOST=mail.tonkin.com
#This is correct if you are using Office 365 for your email
MAIL_PORT=587
MAIL_USERNAME=jallen@tonkin.com
#Mail username, usually same a email address
MAIL_PASSWORD=REDACT
#Your email password
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDR=jallen@tonkin.com
MAIL_FROM_NAME=jallen@tonkin.com

Author

beezel commented Sep 6, 2016

Swift_TransportException in StreamBuffer.php line 269:
Connection could not be established with host mail.tonkin.com [Connection refused #111]

It looks like we don't listen on 587. We have an SSL port at 465, that also leaves us with:

Swift_TransportException in AbstractSmtpTransport.php line 404:
Connection to mail.tonkin.com:465 Timed Out

Owner

snipe commented Sep 6, 2016

I'm not even seeing those ports open though...

agianotto$ nmap 50.203.99.222

Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-06 13:51 PDT
Nmap scan report for 50-203-99-222-static.hfc.comcastbusiness.net (50.203.99.222)
Host is up (0.047s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
7070/tcp open  real server

Author

beezel commented Sep 6, 2016

Our firewall does some kind of packet inspection, I am not 100% sure as it is not my realm.

I assure you that our email is working (you can email me at jallen@tonkin.com if you'd like), and internally we are much more open. Here is my nmap internally:

Scanning mail.tonkin.com (172.16.18.239) [1000 ports]

Discovered open port 8080/tcp on 172.16.18.239

Discovered open port 135/tcp on 172.16.18.239

Discovered open port 110/tcp on 172.16.18.239

Discovered open port 587/tcp on 172.16.18.239

Discovered open port 25/tcp on 172.16.18.239

Discovered open port 445/tcp on 172.16.18.239

Discovered open port 995/tcp on 172.16.18.239

Discovered open port 139/tcp on 172.16.18.239

Discovered open port 443/tcp on 172.16.18.239

Discovered open port 80/tcp on 172.16.18.239

Discovered open port 993/tcp on 172.16.18.239

Discovered open port 143/tcp on 172.16.18.239

Discovered open port 3389/tcp on 172.16.18.239

Discovered open port 8100/tcp on 172.16.18.239

Discovered open port 465/tcp on 172.16.18.239

Discovered open port 49155/tcp on 172.16.18.239

Discovered open port 49153/tcp on 172.16.18.239

Discovered open port 1433/tcp on 172.16.18.239

Discovered open port 49154/tcp on 172.16.18.239

Discovered open port 49159/tcp on 172.16.18.239

Discovered open port 8181/tcp on 172.16.18.239

Discovered open port 49152/tcp on 172.16.18.239

Discovered open port 8088/tcp on 172.16.18.239

Owner

snipe commented Sep 6, 2016

This is also interesting:
https://ssl-tools.net/mailservers/tonkin.com

Author

beezel commented Sep 6, 2016

It looks like our server does not show all intermediate certs up the chain, which certain mail servers require to guarantee TLS. I have opened a ticket with our mail person to fix this, which may also fix this current issue.

There is no way to send mail non-TLS internally?

Owner

snipe commented Sep 6, 2016

Based on what you're saying, your env config should look like:

MAIL_DRIVER=smtp
MAIL_HOST=mail.tonkin.com
MAIL_PORT=465
MAIL_USERNAME=jallen@tonkin.com
MAIL_PASSWORD=REDACT
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDR=jallen@tonkin.com
MAIL_FROM_NAME='ITAM'

Did you run that nmap from the machine that Snipe-IT is running on, or from your desktop machine?

If you run telnet mail.tonkin.com 465 from the Snipe-IT machine, what do you see?

Also try openssl s_client -connect mail.tonkin.com:465 from the snipe-it machine.

I was going to suggest intermediate certificate issues as well.

Whether or not you can send non-TLS mail is up to your mail server. Some will force TLS.

Owner

snipe commented Sep 6, 2016

(I would bet that the intermediate cert fix will fix this issue.)

Author

beezel commented Sep 6, 2016

I meant, can we elect to not use TLS via snipeIT. We can successfully send generic telnet emails from our whitelisted IPs internally (like snipeit) with 0 auth.

[root@snipeit ~]# telnet mail.tonkin.com 587
Trying 172.16.18.239...
Connected to mail.tonkin.com.
Escape character is '^]'.
220 smtp.tonkin.com mail.tonkin.com

[root@snipeit ~]# openssl s_client -connect mail.tonkin.com:465
CONNECTED(00000003)
depth=0 CN = *.tonkin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.tonkin.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.tonkin.com
verify error:num=21:unable to verify the first certificate
verify return:1

It does look like TLS intermediate cert is the culprit for this scenario, and I'm hoping our mail admin can get it resolved.

Changing to port 465 and 'ITAM' has another timeout.
Sticking with port 25 I continue to get "cannot send email without sender address"
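
Added example, not part of the thread or of Snipe-IT's code: a Python parser for the `openssl s_client` verification output quoted in the comment above, mapping the error codes to a likely cause. The function names and result labels are assumptions made for this illustration.

```python
import re

# OpenSSL X509 verify codes (x509_vfy.h) grouped by the fix they call for.
CHAIN_INCOMPLETE = {20, 21}  # no local issuer / cannot verify the first certificate
SELF_SIGNED = {18, 19}       # self-signed leaf / self-signed certificate in chain
VALIDITY = {9, 10}           # not yet valid / expired
LINE_RE = re.compile(r"^(?:depth=(\d+)\s|verify error:num=(\d+):(.*))")
# s_client lines as quoted in the comment above, embedded so this runs offline.
SAMPLE = """\
depth=0 CN = *.tonkin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.tonkin.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.tonkin.com
verify error:num=21:unable to verify the first certificate
verify return:1
"""


def parse_verify_errors(output):
    """Return [(depth, code, message)] for each verify error in s_client output."""
    errors, depth = [], None
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group(1) is not None:      # "depth=N ..." names the cert being checked
            depth = int(m.group(1))
        else:                           # "verify error:num=N:msg" applies to that depth
            errors.append((depth, int(m.group(2)), m.group(3).strip()))
    return errors


def diagnose(output):
    """Map the verify errors to the most likely cause."""
    errors = parse_verify_errors(output)
    codes = {code for _, code, _ in errors}
    if not codes:
        return "ok"
    if codes & VALIDITY:
        return "validity-period"
    if codes & SELF_SIGNED:
        return "self-signed"
    # 20/21 only at depth 0: no path from the leaf to a trusted issuer could be built.
    leaf_only = all(d == 0 for d, c, _ in errors if c in CHAIN_INCOMPLETE)
    if codes & CHAIN_INCOMPLETE and leaf_only:
        return "missing-intermediate-or-ca-bundle"
    return "untrusted"
```

Errors 20 and 21 at depth 0 cannot by themselves distinguish a server that omits its intermediates from a client that lacks the issuing CA; `openssl s_client -showcerts` lists what the server actually sent.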

Owner

snipe commented Sep 6, 2016

Well, you've already tried setting encryption to null, and it didn't seem happy about that.

This shouldn't work, but try enclosing some settings in single quotes.

MAIL_DRIVER=smtp
MAIL_HOST='mail.tonkin.com'
MAIL_PORT=25
MAIL_USERNAME='jallen@tonkin.com'
MAIL_PASSWORD=REDACT
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDR='jallen@tonkin.com'
MAIL_FROM_NAME='ITAM'

Owner

snipe commented Sep 6, 2016

(Also, apologies for portscanning you. I was just trying to troubleshoot.)

Author

beezel commented Sep 6, 2016

Thank you for so much help, we've at least definitely narrowed it down to the TLS chain.

It may or may not be worth noting somewhere that TLS is required to send via an external mail host.

At this point I think my best bet would be to get sendmail working on the snipeit side? Other than waiting on the mail admin who may or may not ever fix the TLS issue.

Owner

snipe commented Sep 6, 2016

It isn't required though, that's the thing. Lots of people use no encryption and it works fine. My guess is that your mail host is trying to force TLS.

The error you get with port 25 almost makes it look like it's parsing the env file wrong, which is why I suggested trying with the single quotes. It's as if it thinks that from name field isn't even set.

Author

beezel commented Sep 6, 2016

Hrm, I wish I knew enough about all the areas to figure this out. We can successfully send an email via telnet from snipeit:

[root@snipeit ~]# telnet mail.tonkin.com 25
Trying 172.16.18.239...
Connected to mail.tonkin.com.
Escape character is '^]'.
220 smtp.tonkin.com mail.tonkin.com
helo tonkin.com
250 hello mail.tonkin.com
mail from:jallen@tonkin.com
250 ok
rcpt to:jallen@tonkin.com
250 ok its for jallen@tonkin.com
data
354 ok, send it; end with .
for you.
.
250 Message queued
quit
221 bye
Connection closed by foreign host.

If I set encryption type to null, in .env, I continue to get:

Swift_TransportException in AbstractSmtpTransport.php line 162:
Cannot send message without a sender address

So I am unsure how to send it unencrypted from snipeit functionally.

Owner

snipe commented Sep 6, 2016

Did you try it with the single quotes, as I mentioned above?

Author

beezel commented Sep 6, 2016

Yes, I have tried all options you suggested, as well as all the varieties I could come up with. Single quotes, 25, 587, 465, 'ITAM', 'jallen@tonkin.com' etc.

Owner

snipe commented Sep 6, 2016

I have to run out for a bit, but @uberbrady is going to try to help you. (He's badass with mail servers.)

Author

beezel commented Sep 6, 2016

I have success!!

Thank you @snipe, your 'it doesn't appear to be parsing your .env' comment inspired me to manually edit my mail.php with a MAIL_FROM_ADDR, and it is now working beautifully.

Not sure why .env is not overriding the mail.php, or what the design is behind it, but that solved my problems 100%.

Thank you again for your diligent work!

Owner

snipe commented Sep 6, 2016

Huh. That's super weird. We have hundreds of installs running and it always groks that env file. ¯_(ツ)_/¯

Oh well, glad it's sorted either way.

@mattgann
Is there a way to not require a server at all? My company won't allow me to use any.

@boyejoayo
I had this same issue, all I had to do is to change the MAIL_USERNAME and MAIL_PASSWORD to null as shown below:

--------------------------------------------

REQUIRED: OUTGOING MAIL SERVER SETTINGS

--------------------------------------------

MAIL_DRIVER=smtp
MAIL_HOST=email.domain.com
MAIL_PORT=25
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDR=email@domain.com
MAIL_FROM_NAME='Email Name'
MAIL_REPLYTO_ADDR=email@domain.com
MAIL_REPLYTO_NAME='Email Name'

Our email server is an internal Exchange Server and we already bypassed SSL connections between the Snipe-IT and the mail server so TLS encryption is not needed.

I hope this helps someone.


darkebe commented Apr 26, 2017

Thank you @ayboye
null value is not documented
