
SMTP mail with starttls not working if mail server is not supporting TLS1 #7421

Closed
alexw65500 opened this issue Dec 7, 2017 · 12 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: settings

Comments

@alexw65500

Steps to reproduce

  1. configure Nextcloud to send mail encrypted via SMTP/StartTLS
  2. Make sure mail server is NOT offering TLS1 (e.g. TLS1.2 only)
  3. Try to send any mail, e.g. by pressing the Mail test button in setup

Expected behaviour

Mail can be sent with TLS1.2

Actual behaviour

Mail is not sent / mail test fails if mail server is not offering TLS1.

Description

This is a known Swiftmail issue, see e.g. swiftmailer/swiftmailer#598
There is also a proposed fix, but that one is NOT working for me: swiftmailer/swiftmailer#935

Replacing "STREAM_CRYPTO_METHOD_TLS_CLIENT" with "STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT" in "3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php" allows sending mails again, but of course now hard codes TLS1.2.

@tflidd
Contributor

tflidd commented Dec 9, 2017

There is also a proposed fix, but that one is NOT working for me: swiftmailer/swiftmailer#935

Perhaps a good idea to let them know?

@Rotzbua

Rotzbua commented Dec 9, 2017

The fix has to work, I use this line of code in other projects and it is the supposed solution in https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php#119122.

The fix uses a concatenation of TLS 1.0, TLS 1.1 and TLS 1.2. In the background OpenSSL does the work and normally uses the highest available TLS version.

STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

Maybe there is some misconfig by alexw65500... The easiest way to check is using sslscan (sid) to test available and preferred TLS versions.

@alexw65500
Author

alexw65500 commented Dec 14, 2017

The upstream code is of course fine, I just applied it wrong:

I just commented out the original line and pasted the updated line from swiftmailer/swiftmailer@da58965

But upstream is using $this->stream, while the version bundled in nextcloud is using $this->_stream.
Referencing the wrong variable of course broke it and using the correct one indeed works fine for me.

@Rotzbua

Rotzbua commented Dec 15, 2017

Ah, nextcloud is using swiftmailer v5 but my patch is for v6. They renamed the variables between these versions...

@MorrisJobke
Member

@rullzer haven't you looked into updating swiftmailer?

swiftmailer/swiftmailer#935 looks quite good and says that this only affects PHP 7.0 and 7.1.

@rullzer
Member

rullzer commented Feb 22, 2018

Yes I was looking into it. But it requires quite a few changes to the server. And frankly I have not had time yet.

@mandree95

Any update on this? Since my mail server does not offer TLS1 anymore (enforcing TLS1.2 now), my Nextcloud instance is unable to send mails anymore.

@mandree95

Maybe this issue is fixed by upgrading to swiftmailer 6.
See #9791, which is currently set to the milestone Nextcloud 14.

As a workaround I've set up an old version of postfix to relay the mails using TLS1.2 to my mail server.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jul 15, 2018
@mandree95

Just a few minutes ago I tested if this issue disappeared with Nextcloud 14. I'm proud to confirm that I do not have the TLS issue anymore. Sending emails to a mailserver that enforces TLS 1.2 is working now.

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Sep 8, 2018
@hede5562

Are you sure it's working with Nextcloud 14 and TLS >= 1.1? I still have to manually patch StreamBuffer.php:

     public function startTLS()
     {
-        return stream_socket_enable_crypto($this->stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+        return stream_socket_enable_crypto($this->stream, true, STREAM_CRYPTO_METHOD_SSLv23_CLIENT);
     }
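Review bot: STREAM_CRYPTO_METHOD_SSLv23_CLIENT on the `+` line reads as if it enabled SSLv2/SSLv3, while on PHP >= 5.6.7 it is in fact the TLSv1_0|TLSv1_1|TLSv1_2 mask spelled out further down in this comment; writing that intent explicitly, `STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT` (the form used in swiftmailer/swiftmailer#935 and referenced above), makes the patch self-documenting and does not depend on readers knowing the alias, and a one-line comment noting the PHP version the alias applies to would help whoever next maintains the local patch.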

And yes, I'm using STREAM_CRYPTO_METHOD_SSLv23_CLIENT since it's (despite its name) the TLS1.x default:

PHP >= 5.6.7
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
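
The method mask Rotzbua describes above and the StreamBuffer patch in this comment both come down to which protocol versions stream_socket_enable_crypto is allowed to offer. As an added example (not Nextcloud's or Swiftmailer's code), this minimal PHP STARTTLS probe negotiates with the explicit TLS 1.0-1.2 mask and reports the protocol OpenSSL actually picked, which is a quick way to confirm a relay that has dropped TLS 1.0 still works; the host name and the EHLO identity are placeholders.

```php
<?php
// Added example (not Nextcloud's or Swiftmailer's code): a minimal SMTP STARTTLS
// probe using the explicit TLS 1.0-1.2 method mask from the thread, since bare
// STREAM_CRYPTO_METHOD_TLS_CLIENT meant TLS 1.0 only on PHP 5.6.7 to 7.1.

// Read one SMTP reply (the last line of a multi-line reply has "NNN " not "NNN-")
// and fail unless it carries the expected status code.
function smtpReply($sock, string $expect): string
{
    $reply = '';
    while (($line = fgets($sock, 1024)) !== false) {
        $reply .= $line;
        if (strlen($line) >= 4 && $line[3] === ' ') {
            break;
        }
    }
    if (strncmp($reply, $expect, 3) !== 0) {
        throw new RuntimeException("expected $expect, got: " . trim($reply));
    }
    return $reply;
}

// Returns the negotiated protocol string, e.g. "TLSv1.2".
function probeStartTls(string $host, int $port = 587): string
{
    $sock = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    smtpReply($sock, '220');
    fwrite($sock, "EHLO probe.example\r\n");
    if (stripos(smtpReply($sock, '250'), 'STARTTLS') === false) {
        throw new RuntimeException('server does not advertise STARTTLS');
    }
    fwrite($sock, "STARTTLS\r\n");
    smtpReply($sock, '220');
    // Offer 1.0, 1.1 and 1.2; OpenSSL picks the highest version both ends support.
    $method = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
        | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
        | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (stream_socket_enable_crypto($sock, true, $method) !== true) {
        throw new RuntimeException('TLS handshake failed');
    }
    $proto = stream_get_meta_data($sock)['crypto']['protocol'] ?? 'unknown';
    fwrite($sock, "QUIT\r\n");
    fclose($sock);
    return $proto;
}

echo probeStartTls('smtp.example.org'), "\n"; // host name is a placeholder
```

Peer certificate verification is left at the PHP default (enabled since 5.6), so a relay with an untrusted certificate fails at the handshake step rather than silently downgrading.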

@Rotzbua

Rotzbua commented Oct 12, 2018

Fix applied in swiftmailer 6.1.x:
swiftmailer/swiftmailer@4c4b333

But nextcloud uses 6.0.2

Bump swiftmailer/swiftmailer from 5.4.8 to 6.0.2
nextcloud/3rdparty@b995ca8

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@kesselb
Contributor

kesselb commented Aug 17, 2019

Nextcloud 16 ships Swiftmailer 6.1.3 🎉
