I got the following piece of log which was outputted by PHPMailer:
2020-02-03 13:39:00 Connection: opening to some-external.smtp.host:25, timeout=300, options=array()
2020-02-03 13:39:00 Connection: opened
2020-02-03 13:39:00 SERVER -> CLIENT: 220-my-own.domain.com ESMTP Exim 4.92 #2 Mon, 03 Feb 2020 13:39:00 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
2020-02-03 13:39:00 CLIENT -> SERVER: EHLO url-at-my-own.domain.com
2020-02-03 13:39:00 SERVER -> CLIENT: 250-url-at-my-own.domain.com Hello url-at-my-own.domain.com [31.186.175.24]250-SIZE 52428800250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250-STARTTLS250 HELP
2020-02-03 13:39:00 CLIENT -> SERVER: MAIL FROM:<info@domain.com>
2020-02-03 13:39:00 SERVER -> CLIENT: 250 OK
2020-02-03 13:39:00 CLIENT -> SERVER: RCPT TO:<recipient@hotmail.com>
2020-02-03 13:39:00 SERVER -> CLIENT: 550-Please turn on SMTP Authentication in your mail client. 550-(test.admin.mijnvolksuniversiteit.nl) [31.186.175.24]:50402 is not550 permitted to relay through this server without authentication.
2020-02-03 13:39:00 SMTP ERROR: RCPT TO command failed: 550-Please turn on SMTP Authentication in your mail client. 550-(url-at-my-own.domain.com) [31.186.175.24]:50402 is not550 permitted to relay through this server without authentication.
2020-02-03 13:39:00 CLIENT -> SERVER: QUIT
2020-02-03 13:39:00 SERVER -> CLIENT: 221 url-at-my-own.domain.com closing connection
2020-02-03 13:39:00 Connection: closed
Now, the problem is 'obvious', the server requests that I authenticate myself, however that is not the issue at hand here. What is important is knowing whether or not I am really connected to 'some-external.smtp.host' or something on 'my-own.domain.com'.
I am dealing with an external party that manages 'some-external.smtp.host' that claims I shouldn't need to authenticate because 'my-own.domain.com' server IP is white listed.
They specifically claim that I seem to be connected to a local SMTP server because of this piece in line 3 'SERVER -> CLIENT: 220-my-own.domain.com ESMTP Exim' containing my own domain name and not theirs.
I believe, because line 1 specifically states a connection is made to 'some-external.smtp.host' and line 2 states that the connection was opened successfully, that the 220 message in line 3 is the external host (aka SERVER) addressing the local server (aka CLIENT) by its name.
Since I have no administratorial access to the server on my end I am looking for ways to find out who is right here. I really hope to rule out that I am not connected to something local and that it really is their server stonewalling me.
The code used to initiate the PHPMailer is as follows:
$mail = new PHPMailer(true);
try {
    //Server settings
    $mail->SMTPDebug = SMTP::DEBUG_CONNECTION;
    $mail->isSMTP();
    $mail->Host = $this->vu['setting_mailrelay_host'];
    if($this->vu['setting_mailrelay_username'] != '' && $this->vu['setting_mailrelay_password'] != '') {
        $mail->SMTPAuth = true;
        $mail->Username = $this->vu['setting_mailrelay_username'];
        $mail->Password = $this->vu['setting_mailrelay_password'];
    }
    $mail->SMTPSecure = $this->vu['setting_mailrelay_security'];
    if($this->vu['setting_mailrelay_security'] == '') {
        $mail->SMTPAutoTLS = false;
    }
    $mail->Port = $this->vu['setting_mailrelay_port'];
    //Recipients
    $mail->setFrom($this->vu['email'], $this->vu['name']);
    $mail->addAddress($email_to, trim($person['last_name']));
    $mail->addReplyTo($this->vu['email'], $this->vu['name']);
    // Content
    $mail->isHTML(true);
    $mail->Subject = $subject;
    $mail->Body = $mailBody;
    $mail->AltBody = $message_plain;
    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo "Message could not be sent. Mailer Error: {$mail->ErrorInfo}";
}
The SMTPAuth in my case is false, with username and password being empty because of the external party insisting that I do not need to authenticate.
The SMTPSecure is empty and SMTPAutoTLS is false because the external party insists that encryption should be off.
Update: If I do enable TLS the log is as follows:
2020-02-04 13:08:11 Connection: opening to some-external.smtp.host:25, timeout=300, options=array()
2020-02-04 13:08:11 Connection: opened
2020-02-04 13:08:11 SERVER -> CLIENT: 220-my-own.domain.com ESMTP Exim 4.92 #2 Tue, 04 Feb 2020 13:08:11 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
2020-02-04 13:08:11 CLIENT -> SERVER: EHLO url-at-my-own.domain.com
2020-02-04 13:08:11 SERVER -> CLIENT: 250-my-own.domain.com Hello url-at-my-own.domain.com [31.186.175.24]250-SIZE 52428800250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250-STARTTLS250 HELP
2020-02-04 13:08:11 CLIENT -> SERVER: STARTTLS
2020-02-04 13:08:11 SERVER -> CLIENT: 220 TLS go ahead
2020-02-04 13:08:11 Connection failed. Error #2: stream_socket_enable_crypto(): Peer certificate CN=`my-own.domain.com' did not match expected CN=`some-external.smtp.host' [/home/tstvubo/public_html/vendor/phpmailer/phpmailer/src/SMTP.php line 429]
SMTP Error: Could not connect to SMTP host.
2020-02-04 13:08:11 CLIENT -> SERVER: QUIT
2020-02-04 13:08:12
2020-02-04 13:08:12
2020-02-04 13:08:12 Connection: closed
This causes the server to complain about certificates on either side not matching, ok so... if I adjust the calling PHP code to apply:
$mail->SMTPOptions = [
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    ]
];
The result becomes as follows:
2020-02-04 13:12:51 Connection: opening to some-external.smtp.host:25, timeout=300, options=array ( 'ssl' => array ( 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true, ),)
2020-02-04 13:12:51 Connection: opened
2020-02-04 13:12:51 SERVER -> CLIENT: 220-my-own.domain.com ESMTP Exim 4.92 #2 Tue, 04 Feb 2020 13:12:51 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
2020-02-04 13:12:51 CLIENT -> SERVER: EHLO url-at-my-own.domain.com
2020-02-04 13:12:51 SERVER -> CLIENT: 250-my-own.domain.com Hello url-at-my-own.domain.com [31.186.175.24]250-SIZE 52428800250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250-STARTTLS250 HELP
2020-02-04 13:12:51 CLIENT -> SERVER: STARTTLS
2020-02-04 13:12:51 SERVER -> CLIENT: 220 TLS go ahead
2020-02-04 13:12:51 CLIENT -> SERVER: EHLO url-at-my-own.domain.com
2020-02-04 13:12:51 SERVER -> CLIENT: 250-my-own.domain.com Hello url-at-my-own.domain.com [31.186.175.24]250-SIZE 52428800250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250 HELP
2020-02-04 13:12:51 CLIENT -> SERVER: MAIL FROM:<info@domain.com>
2020-02-04 13:12:52 SERVER -> CLIENT: 250 OK
2020-02-04 13:12:52 CLIENT -> SERVER: RCPT TO:<recipient@hotmail.com>
2020-02-04 13:12:52 SERVER -> CLIENT: 550-Please turn on SMTP Authentication in your mail client. 550-(url-at-my-own.domain.com) [31.186.175.24]:36810 is not550 permitted to relay through this server without authentication.
2020-02-04 13:12:52 SMTP ERROR: RCPT TO command failed: 550-Please turn on SMTP Authentication in your mail client. 550-(url-at-my-own.domain.com) [31.186.175.24]:36810 is not550 permitted to relay through this server without authentication.
2020-02-04 13:12:52 CLIENT -> SERVER: QUIT
2020-02-04 13:12:52 SERVER -> CLIENT: 221 my-own.domain.com closing connection
2020-02-04 13:12:52 Connection: closed
And now it asks for authentication, yet again.
This leads to the following conclusions:
I am most definitely connected to the external SMTP server.
Despite what the external party claims, a simple IP white list isn't going to cut it.
I need either some authentication credentials or a proper certificate to communicate with.
Verdict?
It's always a really, really good idea to actually read the error message, especially this bit:
Peer certificate CN='my-own.domain.com' did not match expected CN='some-external.smtp.host'
That means that while you may be asking to connect to some-external.smtp.host (because that's what you put in the Host property), you are actually connected to my-own.domain.com.
This is typically due to firewall rules redirecting SMTP traffic – it also means that TLS is doing exactly what it was designed to do and alerting you that your traffic is effectively subject to a man-in-the-middle attack (by your own firewall), so disabling certificate verification is, as usual, a bad idea. This exact problem is covered in the PHPMailer troubleshooting guide.
So what they say is correct; it's not them doing this – it's your mail server that's asking for authentication, not theirs.
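Added example (not part of the original question or answer, and not PHPMailer code): a small Python check that reads PHPMailer debug output and compares the host that was dialled with the name in the 220 banner and, when present, the certificate CN from the TLS mismatch error. The two logs are constructed samples modelled on the output quoted above; the function name `analyze` and the verdict labels are assumptions made for this illustration.

```python
import re

# Constructed samples, modelled on the PHPMailer debug output quoted on this page.
TLS_LOG = """\
2020-02-04 13:08:11 Connection: opening to some-external.smtp.host:25, timeout=300, options=array()
2020-02-04 13:08:11 SERVER -> CLIENT: 220-my-own.domain.com ESMTP Exim 4.92 #2 Tue, 04 Feb 2020 13:08:11 +0000
2020-02-04 13:08:11 CLIENT -> SERVER: STARTTLS
2020-02-04 13:08:11 SERVER -> CLIENT: 220 TLS go ahead
2020-02-04 13:08:11 Connection failed. Error #2: stream_socket_enable_crypto(): Peer certificate CN=`my-own.domain.com' did not match expected CN=`some-external.smtp.host'
"""
NOVERIFY_LOG = """\
2020-02-04 13:12:51 Connection: opening to some-external.smtp.host:25, timeout=300, options=array ( 'ssl' => array ( 'verify_peer' => false, 'verify_peer_name' => false, ),)
2020-02-04 13:12:51 SERVER -> CLIENT: 220-my-own.domain.com ESMTP Exim 4.92 #2 Tue, 04 Feb 2020 13:12:51 +0000
2020-02-04 13:12:51 SERVER -> CLIENT: 220 TLS go ahead
"""

TARGET_RE = re.compile(r"Connection: opening to ([^\s:,]+):\d+")
BANNER_RE = re.compile(r"SERVER -> CLIENT: 220[- ]([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+) ")
CERT_RE = re.compile(r"Peer certificate CN=[`']([^`']+)' did not match expected CN=[`']([^`']+)'")
VERIFY_OFF_RE = re.compile(r"'verify_peer(?:_name)?' => false")


def _norm(host):
    return host.rstrip(".").lower() if host else None


def analyze(log_text):
    """Compare the host PHPMailer dialled with who actually answered."""
    target = TARGET_RE.search(log_text)
    banner = BANNER_RE.search(log_text)
    cert = CERT_RE.search(log_text)
    result = {
        "target": _norm(target.group(1)) if target else None,
        "banner_host": _norm(banner.group(1)) if banner else None,
        "cert_cn": _norm(cert.group(1)) if cert else None,
        "verification_disabled": bool(VERIFY_OFF_RE.search(log_text)),
    }
    if result["cert_cn"] and result["cert_cn"] != result["target"]:
        # The certificate is the one identity the peer cannot simply assert.
        result["verdict"] = "redirected"
    elif result["banner_host"] and result["banner_host"] != result["target"]:
        # Banner names are self-declared and may legitimately differ: a lead, not proof.
        result["verdict"] = "banner-mismatch"
    else:
        result["verdict"] = "consistent"
    return result
```

A `banner-mismatch` verdict together with `verification_disabled` set means the session contained no check that could confirm which server answered.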