Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.8.1

Bug #16349 send() always uses SSL for Authenticated SMTP
Submitted: 2009-06-19 15:21 UTC
From: infoquick Assigned: jon
Status: Closed Package: Net_SMTP
PHP Version: 5.2.0 OS: Windows 2003
Roadmaps: (Not assigned)    
Subscription  


 [2009-06-19 15:21 UTC] infoquick (Brad Codd)
Description: ------------ The send() function is always using SSL for Authenticated SMTP when I did not request SSL. User Name and Password for mail server available via email request to brad@infoquick.com. Test script: --------------- $host = "mail.authsmtp.com"; $port = "25"; $username = "username"; $password = "password"; $smtp = Mail::factory( 'smtp', array ( 'host' => $host, 'port' => $port, 'auth' => true, 'username' => $username, 'password' => $password, 'localhost' => 'mail.webhost-o-matic.com', 'debug' => true ) ); $mail = $smtp->send($to, $headers, $body); Expected result: ---------------- I expected the email to be sent using Authenticated SMTP without SSL. Actual result: -------------- 505 5.0.0 Message is sent with SSL but SSL is not allowed for this user

Comments

 [2009-08-11 02:30 UTC] schmuwi (Uwe Mesecke)
This is a feature/bug in Net_SMTP. The method auth() checks if the server understands STARTTLS and tries to start a tls connection. See the following code in Net/SMTP.php: function auth($uid, $pwd , $method = '') { /* We can only attempt a TLS connection if we're running PHP 5.1.0 or * later, have access to the OpenSSL extension, are connected to an * SMTP server which supports the STARTTLS extension, and aren't * already connected over a secure (SSL) socket connection. */ $tls = version_compare(PHP_VERSION, '5.1.0', '>=') && extension_loaded('openssl') && isset($this->_esmtp['STARTTLS']) && strncasecmp($this->host, 'ssl://', 6) != 0; if ($tls) { if (PEAR::isError($result = $this->_put('STARTTLS'))) { return $result; } if (PEAR::isError($result = $this->_parseResponse(220))) { return $result; } if (PEAR::isError($result = $this->_socket->enableCrypto(true, STREAM_CRYPTO_METHOD_TLS_CLIENT))) { return $result; } elseif ($result !== true) { return PEAR::raiseError('STARTTLS failed'); } /* Send EHLO again to recieve the AUTH string from the * SMTP server. */ $this->_negotiate(); } You should open a bug for the Net_SMTP package.
 [2009-09-07 16:37 UTC] yunosh (Jan Schneider)
-Status: Open +Status: Bogus
Thank you for taking the time to write to us, but this is not a bug. Correct, this is a Net_SMTP problem.
 [2010-01-18 04:09 UTC] jon (Jon Parise)
-Status: Bogus +Status: Feedback -Package: Mail +Package: Net_SMTP -Assigned To: +Assigned To: jon
Yes, this is the behavior of the Net_SMTP package. It's interesting that the SMTP server is advertising the STARTTLS extension but isn't allowing the user to initiate a TLS session. Do you have any more information about that? Is this a common configuration? One potential change we could make would be the addition of a $allowTLS (defaults to true) parameter to the auth() method. I don't know how the caller would know if it should be allowed for the current user, but it would allow the caller to disallow TLS attempts in general.
 [2010-01-25 02:25 UTC] jon (Jon Parise)
-Status: Feedback +Status: Closed
This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. http://svn.php.net/viewvc?view=revision&revision=293944 A new $tls parameter has been added to the auth() method to control whether or not TLS is attempted.