Error sending mails with forced TLS 1.2

[ps1lo]

Steps to reproduce

1. Install Nextcloud 14.0.1
2. Setup Email server at Basic Settings with STARTTLS or SSL/TLS
3. Send Testmail

Expected behaviour

Sending mail without any error.

Actual behaviour

If the Mail server is configured to only support TLS 1.2 nextcloud can't send a Mail because swfitmailer doesn't support these configuration (yet).

It's a closed swiftmailer issue: swiftmailer/swiftmailer#598 and fixed in the next version swiftmailer/swiftmailer@4c4b333#diff-c0a98e32b9cfd0944a6c592d5d6c1a35.

Server configuration detail

Operating system: Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64

Webserver: nginx/1.12.2 (fpm-fcgi)

Database: mysql 10.1.32

PHP version:

7.1.17
Modules loaded: Core, date, libxml, pcre, zlib, filter, hash, readline, Reflection, SPL, session, cgi-fcgi, bcmath, bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, mbstring, mcrypt, openssl, pcntl, PDO, pgsql, posix, standard, SimpleXML, sqlite3, tidy, xml, xmlwriter, zip, exif, mysqlnd, xmlreader, mysqli, pdo_mysql, Zend OPcache

Nextcloud version: 14.0.1 - 14.0.1.1

**Updated from an older Nextcloud/ownCloud or fresh install: Upgrade

**Where did you install Nextcloud from: nextcloud.com tar.bz(.asc) download

List of activated apps

Enabled:
 - accessibility: 1.0.1
 - activity: 2.7.0
 - bookmarks: 0.13.0
 - calendar: 1.6.2
 - cloud_federation_api: 0.0.1
 - comments: 1.4.0
 - contacts: 2.1.6
 - dav: 1.6.0
 - federatedfilesharing: 1.4.0
 - federation: 1.4.0
 - files: 1.9.0
 - files_external: 1.5.0
 - files_pdfviewer: 1.3.2
 - files_sharing: 1.6.2
 - files_texteditor: 2.6.0
 - files_trashbin: 1.4.1
 - files_versions: 1.7.1
 - files_videoplayer: 1.3.0
 - firstrunwizard: 2.3.0
 - gallery: 18.1.0
 - issuetemplate: 0.4.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.2.0
 - nextcloud_announcements: 1.3.0
 - notes: 2.4.2
 - notifications: 2.2.1
 - oauth2: 1.2.1
 - password_policy: 1.4.0
 - provisioning_api: 1.4.0
 - serverinfo: 1.4.0
 - sharebymail: 1.4.0
 - spreed: 4.0.0
 - support: 1.0.0
 - systemtags: 1.4.0
 - tasks: 0.9.7
 - theming: 1.5.0
 - twofactor_backupcodes: 1.3.1
 - twofactor_totp: 1.5.0
 - updatenotification: 1.4.1
 - workflowengine: 1.4.0
Disabled:
 - admin_audit
 - checksum
 - encryption
 - survey_client
 - user_external
 - user_ldap

Configuration (config/config.php)

{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "cloud.example.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/cloud.example.com",
    "overwriteprotocol": "https",
    "dbtype": "mysql",
    "version": "14.0.1.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "forcessl": true,
    "forceSSLforSubdomains": true,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "theme": "",
    "maintenance": false,
    "loglevel": 1,
    "trashbin_retention_obligation": "auto, auto",
    "updatechecker": true,
    "check_for_working_htaccess": true,
    "log_type": "owncloud",
    "logfile": "\/data\/log\/nextcloud.log",
    "logdateformat": "F d, Y H:i:s",
    "logtimezone": "Europe\/Berlin",
    "log_query": false,
    "cron_log": true,
    "appstoreenabled": true,
    "enable_previews": true,
    "preview_max_x": 2048,
    "preview_max_y": 2048,
    "preview_max_scale_factor": 10,
    "preview_max_filesize_image": 50,
    "enabledPreviewProviders": [
        "OC\\Preview\\PNG",
        "OC\\Preview\\JPEG",
        "OC\\Preview\\GIF",
        "OC\\Preview\\BMP",
        "OC\\Preview\\XBitmap",
        "OC\\Preview\\MP3",
        "OC\\Preview\\TXT",
        "OC\\Preview\\MarkDown"
    ],
    "tempdirectory": "\/tmp\/",
    "hashingCost": 10,
    "blacklisted_files": [
        ".htaccess"
    ],
    "forwarded_for_headers": [
        "HTTP_X_FORWARDED",
        "HTTP_FORWARDED_FOR"
    ],
    "htaccess.RewriteBase": "\/",
    "apps_paths": [
        {
            "path": "\/data\/http\/public\/apps",
            "url": "\/apps",
            "writable": true
        }
    ],
    "mail_smtpauthtype": "PLAIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "587",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "filelocking.enabled": true,
    "filelocking.ttl": 3600,
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls"
}

Logs

Nextcloud log

{"reqId":"***REMOVED SENSITIVE VALUE***","level":3,"time":"September 27, 2018 09:05:17","remoteAddr":"172.20.0.11","user":"***REMOVED SENSITIVE VALUE***","app":"PHP","method":"POST","url":"\/settings\/admin\/mailtest","message":"stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version at \/data\/http\/public\/3rdparty\/swiftmailer\/swiftmailer\/lib\/classes\/Swift\/Transport\/StreamBuffer.php#94","userAgent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","version":"14.0.1.1"}

#

[nextcloud-bot]

GitMate.io thinks possibly related issues are #3109 (Unable to send e-mail since Nextcloud 11), #6786 (Error with PHP7.2), #6775 (3rdparty swiftmailer NTLMauth throws error but mail is sent), #2391 (Warning "Couldn't send mail to following users: "), and #6325 (mail app does not send fqdn).

[mgoppold]

With the attached patch php can act with STARTTLS tls1.0, tls1.1, tls1.2. see Upstream

Nextcloud_allow_E-Mail_TLSv1_2.diff.txt

best regards
Mario

[alexwijoyo]

@mgoppold sorry stupid question, how to apply the patch when using snap.
I found the file below but can't edit StreamBuffer.php (read only) even using sudo nano.
-rw-r--r-- 1 root root 9715 Aug 30 18:16 /snap/nextcloud/current/htdocs/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php

[mgoppold]

@mgoppold sorry stupid question, how to apply the patch when using snap.
I found the file below but can't edit StreamBuffer.php (read only) even using sudo nano.
-rw-r--r-- 1 root root 9715 Aug 30 18:16 /snap/nextcloud/current/htdocs/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php

You can not edit snap-Files without rebuilding, follow https://askubuntu.com/questions/919091/why-can-snap-files-not-be-modified-in-any-way

[alexwijoyo]

@mgoppold sorry stupid question, how to apply the patch when using snap.
I found the file below but can't edit StreamBuffer.php (read only) even using sudo nano.
-rw-r--r-- 1 root root 9715 Aug 30 18:16 /snap/nextcloud/current/htdocs/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php

You can not edit snap-Files without rebuilding, follow https://askubuntu.com/questions/919091/why-can-snap-files-not-be-modified-in-any-way

Ouch so the only way is waiting for the fix from nextcloud snap team. Thanks for the information.

[kesselb]

Looks like a duplicate of #7421. Nextcloud 16 ships Swiftmailer 6.1.3 🎉