View Issue Details

IDProjectCategoryView StatusLast Update
0021293mantisbtemailpublic2016-08-28 01:12
Reporterkyo88kyoAssigned Toatrol 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
PlatformLinuxOSCentOSOS Version5.11
Product Version1.3.0 
Target Version1.3.1Fixed in Version1.3.1 
Summary0021293: Send notifications by smtp does not work correctly, and the analysis of why it happend.
Description
I've downloaded the latest version of mantisbt, 1.3.0, and deploy it on centos 5.11, with apache 2.4.23 and php 5.6.23 and openssl-1.0.2h(important).
After config the email by smtp, I found that the notification does not sent after I modified the user's profile, and the same behavior worked correctly under version 1.2.19.
So I inspect the codes, and add the log level for email on, found some error infomations from apache's error log, which content is something like 'MAIL email_api.php:1205 email_send() ERROR: Message could not be sent - SMTP Error: Could not connect to SMTP host.'.
I add 'print $e;' after line 1205 of email_api.php and finally found that,

the lastest version of mantisbt use phpmailer 5.2.15 as email sender, and this version of phpmailer will try to use tls automatically even if SMTPSecure is not set to 'tls'. See line 257, line 1612 and line 1617 for details.
I compiled php with openssl but I do not use ssl to connect my stmp server, but this codes in phpmailer will automatically use tls when 'SMTPAutoTLS' is ture & has openssl extension & did not already using SSL & the server offers STARTTLS.
Because I do not have the cert files of the smtp server, so connection faild.
Currently, I add some clause to control the logic to avoid to use tls. In file email_api.php, line 1126, I add an 'else' branch to disable 'SMTPAutoTLS'. I think it will be better to disable the 'SMTPAutoTLS' when the variable's value is blank, who's name is 'smtp_connection_mode'.The codes is something like:

if( !is_blank( config_get( 'smtp_connection_mode' ) ) ) {
$t_mail->SMTPSecure = config_get( 'smtp_connection_mode' );
} else {
$t_mail->SMTPAutoTLS = false;
}

And it worked now.
Because I am a non-php programmer, so I believe there will be an better solution to solve the issue, and I hope this logic can be amended in future versions.
This is the end.

Steps To Reproduce

1.centos 5.11 x64.
2.install openssl 1.0.2h from source.
3.install apache 2.6.23 from source.
4.install php 2.6.23 from source.
5.config php, apache.
6.install mantisbt.
7.modifiy config/config_inc.php, use 'PHPMAILER_METHOD_SMTP' method to send email, config other smtp infomations also, and turn on the log for email($g_log_level = LOG_EMAIL;)
8.login as administrator and modify someone's profile, see the errors from the log.

TagsNo tags attached.

Activities

atrol

atrol

2016-07-16 12:32

developer   ~0053614

Thanks @kyo88kyo for the detailed analysis.

It's questionable to introduce such kind of regressions, but the new behaviour is exactly what the author wanted.
https://github.com/PHPMailer/PHPMailer/commit/9da56fc1328a72aa124b35b738966315c41ef5c6

Seems we are not alone, there is certainly a reason that there is a note for it in troubleshooting guide.
https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

PHPMailer 5.2.10 introduced opportunistic TLS - if it sees that the server is advertising TLS encryption (after you have connected to the server), it enables encryption automatically, even if you have not set SMTPSecure. This might cause issues if the server is advertising TLS with an invalid certificate, but you can turn it off with $mail->SMTPAutoTLS = false;.

kyo88kyo

kyo88kyo

2016-07-17 10:04

reporter   ~0053618

Thank you for your reply.@atrol
It is a great feature, I mean auto enable tls in new version of PHP. But, as a non-phper, It is really confused me for a while, because I even do not known what is PHPMailer, so I only follow the pdf version of MantisBT 1.3.0, config the parameters, and according to the description for the parameter named "$g_smtp_connection_mode", I believed that when this parameter is balnk, MantisBT should not use security connection to send the emails.
We can not control what kind of new features the PHPMailer will added, maybe we can write more sentences in MantisBT's source codes, to avoid or adapt this feature or change.
Best wishes. Thank you again.

atrol

atrol

2016-07-17 11:31

developer   ~0053619

PR https://github.com/mantisbt/mantisbt/pull/821

atrol

atrol

2016-08-08 17:27

developer   ~0053762

New PR https://github.com/mantisbt/mantisbt/pull/839

Related Changesets

MantisBT: master-1.3.x b0389ec9

2016-08-08 17:04:04

atrol

Details Diff
Prevent TLS if smtp_connection_mode is empty (no encryption)

Since version 5.2.10 PHPMailer automatically tries to enable TLS.
This is not what we want if the Mantis administrator decided not to use
encryption (smtp_connection_mode is empty)

Fixes 0021293
mod - core/email_api.php Diff File

Issue History

Date Modified Username Field Change
2016-07-16 04:38 kyo88kyo New Issue
2016-07-16 12:13 atrol Status new => confirmed
2016-07-16 12:13 atrol Target Version => 1.3.1
2016-07-16 12:32 atrol Note Added: 0053614
2016-07-17 10:04 kyo88kyo Note Added: 0053618
2016-07-17 11:31 atrol Assigned To => atrol
2016-07-17 11:31 atrol Status confirmed => assigned
2016-07-17 11:31 atrol Note Added: 0053619
2016-08-08 17:27 atrol Note Added: 0053762
2016-08-09 06:00 atrol Changeset attached => MantisBT master-1.3.x b0389ec9
2016-08-09 06:00 atrol Status assigned => resolved
2016-08-09 06:00 atrol Resolution open => fixed
2016-08-09 06:00 atrol Fixed in Version => 1.3.1
2016-08-28 01:12 vboctor Status resolved => closed