Server: Unable to connect with TLS encryption using STARTTLS 587
Steps to reproduce
- Enter settings (in config or via settings) for remote SMTP server
with STARTTLS 587 and required login credentials for authentication. - Try to send test email via the settings page.
Expected behaviour
I receive a test mail.
Actual behaviour
With mail_smtpdebug enabled in the config I get following error message (domains are replaced like "mailprovider.de" as the server of the mail provider and "nextcloud.on.mydomain.com" for the nextcloud instance):
Beim Senden der E-Mail ist ein Problem aufgetreten. Bitte 眉berpr眉fe Deine Einstellungen. (Fehler: Unable to connect with TLS encryption Log data: ++ Starting Swift_SmtpTransport << 220 smtp1.mailprovider.de ESMTP >> EHLO nextcloud.on.mydomain.com << 250-smtp1.mailprovider.de 250-PIPELINING 250-SIZE 51200000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN >> STARTTLS << 220 2.0.0 Ready to start TLS !! Unable to connect with TLS encryption (code: 0))
I only get the test mail if I use no encryption.
Server configuration detail
Operating system: Linux 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018 x86_64
Webserver: Apache/2.4.38 (Debian) (apache2handler)
Database: mysql 5.7.24
PHP version:
7.3.9
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, session, posix, Reflection, standard, SimpleXML, pdo_sqlite, Phar, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, exif, gd, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, zip, Zend OPcache
Nextcloud version: 16.0.4 - 16.0.4.1
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from: Official Docker Image
Signing status
List of activated apps
Enabled:
- accessibility: 1.2.0
- activity: 2.9.1
- calendar: 1.7.0
- cloud_federation_api: 0.2.0
- comments: 1.6.0
- dav: 1.9.2
- federatedfilesharing: 1.6.0
- federation: 1.6.0
- files: 1.11.0
- files_pdfviewer: 1.5.0
- files_rightclick: 0.15.1
- files_sharing: 1.8.0
- files_texteditor: 2.8.0
- files_trashbin: 1.6.0
- files_versions: 1.9.0
- files_videoplayer: 1.5.0
- gallery: 18.3.0
- issuetemplate: 0.5.0
- logreader: 2.1.0
- lookup_server_connector: 1.4.0
- mail: 0.17.0
- nextcloud_announcements: 1.5.0
- notifications: 2.4.1
- oauth2: 1.4.2
- password_policy: 1.6.0
- privacy: 1.0.0
- provisioning_api: 1.6.0
- recommendations: 0.4.0
- serverinfo: 1.6.0
- sharebymail: 1.6.0
- sociallogin: 1.16.7
- spreed: 6.0.4
- support: 1.0.0
- survey_client: 1.4.0
- systemtags: 1.6.0
- theming: 1.7.0
- theming_customcss: 1.3.0
- twofactor_backupcodes: 1.5.0
- updatenotification: 1.6.0
- viewer: 1.1.0
- workflowengine: 1.6.0
Disabled:
- admin_audit
- encryption
- files_external
- firstrunwizard
- user_ldap
Configuration (config/config.php)
{
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"default_language": "de",
"default_locale": "de_DE",
"logtimezone": "Europe\/Berlin",
"skeletondirectory": "",
"lost_password_link": "disabled",
"login_form_autocomplete": false,
"sort_groups_by_name": true,
"social_login_auto_redirect": true,
"allow_user_to_change_display_name": false,
"share_folder": "ungeordnete Shares",
"remember_login_cookie_lifetime": 0,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"nextcloud.on.mydomain.com",
"on.mydomain.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "16.0.4.1",
"overwrite.cli.url": "https:\/\/nextcloud.on.mydomain.com",
"overwriteprotocol": "https",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"mail_smtpdebug": true,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpsecure": "tls",
"mail_smtpauth": true,
"mail_smtpauthtype": "LOGIN",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_smtptimeout": 30,
"mail_smtpport": 587
}
Are you using external storage, if yes which one:
Are you using encryption:
Are you using an external user-backend, if yes which one:
Client configuration
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3338.0 Safari/537.36
Operating system: MAC OS
Logs
Web server error log
/var/log/apache2/error.log
is empty
Nextcloud log
is empty
Browser log
POST https://nextcloud.on.mydomain.com/index.php/settings/admin/mailtest 400 (Bad request)
XHR failed loading: POST "https://nextcloud.on.mydomain.com/index.php/settings/admin/mailtest".
JLueke
All 34 comments
Unable to reproduce, i can connect to external SMTP using STARTTLS and port 587.
acsfer
on 13 Sep 2019
Do you maybe know what can cause the error? I tried the settings with thunderbird and it had no problem sending the email.
JLueke
on 13 Sep 2019
Due to the fact that the STARTTLS command is sent but it couldn't initiate a TLS session, I would recommend to check if the certificate chain of the mail server can be verified by Nextcloud.
j-ed
on 13 Sep 2019
Due to the fact that the STARTTLS command is sent but it couldn't initiate a TLS session, I would recommend to check if the certificate chain of the mail server can be verified by Nextcloud.
@j-ed is there a console command i can use for that?
JLueke
on 13 Sep 2019
is that it?
openssl s_client -connect smtp.mailprovider.de:587 -starttls smtp
outputs this:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.goneo.de
verify return:1
140051321431168:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2156:
Certificate chain
0 s:CN = *.mailprovider.de
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
Server certificate
-----BEGIN CERTIFICATE-----
// the certificate
-----END CERTIFICATE-----
subject=CN = *.mailprovider.de
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
No client certificate CA names sent
SSL handshake has read 3599 bytes and written 345 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1568393235
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
JLueke
on 13 Sep 2019
Good that someone else had the same problem in the past 馃槈
j-ed
on 13 Sep 2019
@j-ed would you elaborate how there is a match with the other ticket? I saw that ticket before but didn't saw the connection or a solution for my case. I don't want to disabled the certificate verification, if thats the proposed solution. Using port 465 with STARTTLS didn't worked. As far as I know the solution with PHP or sendmail as the sendmode doesn't fit, since the mail server is not on the same machine as my Nextcloud instance.
JLueke
on 13 Sep 2019
The mentioned ticked covered a connection problem on port 587 with STARTTLS and the status is closed, therefore my assumption was that it leads you into the right direction.
Port 465 only supports direct encrypted connection so that doesn't work.
What about the Nextcloud log file, could you fina any messages related to your send problem in it?
Have you searched the Nextcloud help forum for a solution of your problem? I found e.g. the following positing covering a TLS problem. BTW, that is usually the right location to ask questions, this is only a bug tracker 馃槈
j-ed
on 13 Sep 2019
The Nextcloud log file is empty.
And yes, I did search the forum before and the there mentioned tickets, where in the end most cases refer to a fix by Nextcloud 16 shipping Swiftmailer 6.1.3.
If I remember correctly most of the tickets weren't claimed to be support ticket. That's why I used the issue ticket instead of the forum. I guess I'll try my luck there, if this issue doesn't qualify as one.
JLueke
on 13 Sep 2019
I tested older Nextcloud (Docker) versions and my SMTP settings are working until Nextcloud 14.0.13-apache.
13.0.4 works
14.0.0-apache, 14.0.7-apache, 14.0.12-apache works
14.0.13-apache fails with:
A problem occurred while sending the email. Please revise your settings. (Error: Unable to connect with TLS encryption Log data: ++ Starting Swift_SmtpTransport << 220 smtp1.goneo.de ESMTP >> EHLO localhost << 250-smtp1.goneo.de 250-PIPELINING 250-SIZE 51200000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN >> STARTTLS << 220 2.0.0 Ready to start TLS !! Unable to connect with TLS encryption (code: 0))
JLueke
on 30 Sep 2019
it works for 14.0.13RC1-apache, too
JLueke
on 30 Sep 2019
Connecting with Nextcloud 17 to smtp.goneo.de:587 works for me.
kesselb
on 30 Sep 2019
That's weird, it doesn't work for me with Nextcloud Docker 17-apache, even though it's working with the same settings before 14.0.13-apache.
JLueke
on 30 Sep 2019
@kesselb did you use encryption STARTTLS, too? Without encryption it works just fine, but I don't want to drop the encryption.
JLueke
on 30 Sep 2019
Cannot send any emails because I don't have a account there but connected via StartTLS.
kesselb
on 30 Sep 2019
@kesselb how did you setup Nextcloud? Also with the 17-apache Docker image?
I still get the same error, even if I try fake credentials and clear the "From address" fields.
JLueke
on 30 Sep 2019
Also with the 17-apache Docker image?
Yes
kesselb
on 30 Sep 2019
@kesselb would you share the (mail settings) of your config.php, which let to this error?
And do you have any custom apps enabled?
My colleague tested the Docker 17-apache version and got the same error like me -.-
JLueke
on 30 Sep 2019
'mail_smtpmode' => 'smtp',
'mail_smtpsecure' => 'tls',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => 'mail',
'mail_domain' => 'nextcloud-test.com',
'mail_smtphost' => 'smtp.goneo.de',
'mail_smtpport' => '587',
'mail_smtpauth' => 1,
'mail_smtpname' => 'aaa',
'mail_smtppassword' => 'bbb',
Unfortunately I still get the my old error.
JLueke
on 30 Sep 2019
Same here. Using Nexctloud 17.0.0 and the same SMTP settings work with other email clients.
Only on nextcloud I get the :
Unable to connect with TLS encryption Log data: ++ Starting Swift_SmtpTransport << 220 smtp7.infomaniak.ch ESMTP Infomaniak Network Relay Mail Servers; Sat, 5 Oct 2019 11:00:54 +0200 >> EHLO mycloud-integration.nostraterra.ch << 250-smtp7.infomaniak.ch Hello None.236.80.80.in-addr.arpa [80.80.236.11] (may be forged), pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH LOGIN PLAIN 250-STARTTLS 250-DELIVERBY 250 HELP >> STARTTLS << 220 2.0.0 Ready to start TLS !! Unable to connect with TLS encryption (code: 0))
very puzzling..
guillaumv
on 5 Oct 2019
@guillaumv did you check, if it works on earlier Versions?
Especially the docker versions 14.0.12-apache and 14.0.13-apache?
JLueke
on 7 Oct 2019
Nextcloud 14 => Swiftmailer v6.0.2
Nextcloud 15 => Swiftmailer v6.1.3
https://github.com/swiftmailer/swiftmailer/blob/master/CHANGES maybe one of these changes broke it. Still need to figure out if this is related to nextcloud or swiftmailer.
kesselb
on 8 Oct 2019
No luck still?
Also hitting this on 17-apache...
dimm0
on 19 Oct 2019
@JLueke No I havent tried with earlier version than 16.3.5 and 17 (same error on both but I havent got the time to test much so far)
I got this solved with mail mail provider who simply told me to disable STARTTLS. I did and I can now send email with their SMTP. However I have to compromise on security for now I guess...
guillaumv
on 20 Oct 2019
I also have exactly the same problem however it only happens with smtp.goneo.de.
Sending emails via Thunderbird is possible but with the same credentials and smtp settings nextcloud is not able to send an email.
I've tried the same with an address from web.de, nextcloud is able to send emails via their smtp servers. My humble opinion would be, some server side configuration on smtp.goneo.de upsets nextcloud...
p0lyg0ne
on 16 Dec 2019
I'm still stuck with the only university mail server I can use...
dimm0
on 16 Dec 2019
Problem is on the server side, certificates that are used for SSL/TLS are not trusted or cert chain is bad (I've added all my certs into appropriate stores, openssl test is OK, but this doesn't help).
Not the happiest solution, but you should add $transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false))); into /var/www/html/lib/private/Mail/Mailer.php (or where ever your Mailer.php is) and replace the existing line $transport->setEncryption($smtpSecurity); ... or comment it out with //.
That line should be between lines 260 and 270 in Mailer.php (mine was on 262).
Tested on NextCloud17.0.3.1, Apache 2.4.38, Debian 10.
kojo1984
on 17 Feb 2020
For me this solution worked only adding this parameter in the config.php file
'mail_smtpstreamoptions' =>
array (
'ssl' =>
array (
'allow_self_signed' => true,
'verify_peer' => false,
'verify_peer_name' => false
)
)
For Nextcloud 18 on Ubuntu 18 connected to Exchange 2016 email server.
vindic
on 28 Feb 2020
I have the same problem and the solution of vindic is working for me to. But: i have a working mail server with trusted certificates (letsencrypt). The postfix server is configured to only use TLSv1.2.
So, why do I have to use this workaround?
wagnerfl85
on 3 May 2020
So, why do I have to use this workaround?
tl;dr: Because the server you installed Nextcloud on does not trust the certificate that is used by your mail server.
Nextcloud uses Swiftmailer (a library) to send emails. Swiftmailer (or PHP probably) uses the systems certificate storage for certificate validation.
You (Client) -> Mail server: Client (e.g. Thunderbird / whatever) will validate the certificate. That's you using your mail server.
Nextcloud (Client) -> Mail server: Client (Swiftmailer and/or PHP) connects to the mail server and validate the certificate. That's Nextcloud sending an email.
If 1 works but 2 fails usually the server fails to validate the certificate. Why does it fail? The list of certificates contains only the big certificate companies. A reseller pays another certificate company for a intermediate certificate. With this intermediate certificate a reseller is able to sign certificates without being on the list (but the big companies are also using intermediates). Let's encrypt is also using a intermediate certificate.
How to fix that: Make sure the server (Nextcloud is installed on) is able to establish a secure connection to the mail server.
Please visit https://help.nextcloud.com/ or Stack Overflow for such questions. It's not really a issue with Nextcloud but the server configuration. Establishing connections to other services and validating certificates is something the operating system is responsible for. Nextcloud just logs the response. There is no way to fix that.
kesselb
on 3 May 2020
Sorry for this miss placed question. I thought it would fit to the problem and it could be related with Nextcloud directly.
Thanks, especially because of my wrong placement, for you detailed answer. Now i understand whats the problem. :-)
wagnerfl85
on 4 May 2020
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
![nextcloud-stale[bot] picture](https://avatars1.githubusercontent.com/in/32530?v=4&s=40)
nextcloud-stale[bot]
on 3 Jun 2020
same problem and For me this solution worked to
only adding this parameter in the config.php file
'mail_smtpstreamoptions' => array ( 'ssl' => array ( 'allow_self_signed' => true, 'verify_peer' => false, 'verify_peer_name' => false ) )
For Nextcloud 20 on docker and synology server mail
pwepwe973
on 2 Dec 2020
Related issues
knut-hildebrandt
路
73Comments
hartundweich
路
71Comments
cdauth
路
121Comments
Wehzie
路
73Comments
axheli
路
93Comments
Most helpful comment
Same here. Using Nexctloud 17.0.0 and the same SMTP settings work with other email clients.
Only on nextcloud I get the :
Unable to connect with TLS encryption Log data: ++ Starting Swift_SmtpTransport << 220 smtp7.infomaniak.ch ESMTP Infomaniak Network Relay Mail Servers; Sat, 5 Oct 2019 11:00:54 +0200 >> EHLO mycloud-integration.nostraterra.ch << 250-smtp7.infomaniak.ch Hello None.236.80.80.in-addr.arpa [80.80.236.11] (may be forged), pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH LOGIN PLAIN 250-STARTTLS 250-DELIVERBY 250 HELP >> STARTTLS << 220 2.0.0 Ready to start TLS !! Unable to connect with TLS encryption (code: 0))
very puzzling..