Replies: 1 comment
-
It looks like your version of PHP is so old that it doesn't support TLS 1.2, so you can't connect to a TLS server that requires 1.2. There's not really anything you can do about that other than upgrade, and you should do that anyway since you're using a PHP runtime with lots of known vulnerabilities, on top of the ones probably present in your old version of PHPMailer. PHP 5.3 was end of life over 7 years ago. You need to upgrade.
-
Here is what I get back from the PHPMailer log:
2021-08-29 17:58:11 Connection: opening to mail.server.com:587, timeout=300, options=array ()
2021-08-29 17:58:11 Connection: opened
2021-08-29 17:58:11 SMTP -> get_lines(): $data is ""
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "220 mail.server.com SurgeSMTP (Version 7.5c-1) http://surgemail.com"
2021-08-29 17:58:11 SERVER -> CLIENT: 220 mail.server.com SurgeSMTP (Version 7.5c-1) http://surgemail.com
2021-08-29 17:58:11 CLIENT -> SERVER: EHLO www.sender.com
2021-08-29 17:58:11 SMTP -> get_lines(): $data is ""
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)"
2021-08-29 17:58:11 SMTP -> get_lines(): $data is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)"
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250-LOGINDISABLED"
2021-08-29 17:58:11 SMTP -> get_lines(): $data is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)250-LOGINDISABLED"
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250-ETRN"
2021-08-29 17:58:11 SMTP -> get_lines(): $data is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)250-LOGINDISABLED250-ETRN"
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250-STARTTLS"
2021-08-29 17:58:11 SMTP -> get_lines(): $data is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)250-LOGINDISABLED250-ETRN250-STARTTLS"
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250-X-ID 6d61696c2d312e6765726d63616e2e636f6d353639393231393432"
2021-08-29 17:58:11 SMTP -> get_lines(): $data is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)250-LOGINDISABLED250-ETRN250-STARTTLS250-X-ID 6d61696c2d312e6765726d63616e2e636f6d353639393231393432"
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250-SIZE 50000000"
2021-08-29 17:58:11 SMTP -> get_lines(): $data is "250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)250-LOGINDISABLED250-ETRN250-STARTTLS250-X-ID 6d61696c2d312e6765726d63616e2e636f6d353639393231393432250-SIZE 50000000"
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "250 HELP"
2021-08-29 17:58:11 SERVER -> CLIENT: 250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)250-LOGINDISABLED250-ETRN250-STARTTLS250-X-ID 6d61696c2d312e6765726d63616e2e636f6d353639393231393432250-SIZE 50000000250 HELP
2021-08-29 17:58:11 CLIENT -> SERVER: STARTTLS
2021-08-29 17:58:11 SMTP -> get_lines(): $data is ""
2021-08-29 17:58:11 SMTP -> get_lines(): $str is "220 go ahead, begin SSL/TLS negotiation"
2021-08-29 17:58:11 SERVER -> CLIENT: 220 go ahead, begin SSL/TLS negotiation
2021-08-29 17:58:11 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version [/var/www/www.sender.com/html/vendor/phpmailer/phpmailer/class.smtp.php line 375]
SMTP Error: Could not connect to SMTP host.
2021-08-29 17:58:11 CLIENT -> SERVER: QUIT
2021-08-29 17:58:11 SERVER -> CLIENT:
2021-08-29 17:58:11 SMTP ERROR: QUIT command failed:
2021-08-29 17:58:11 Connection: closed
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Here is what I see on the mail server (not the same time stamp, but same thing always):
29 08:13:59.11:Info:2136119040: SurgeSMTP 7.5c-1, User connected (xxx.xxx.xxx.xxx) (yyy.yyy.yyy.yyy) Port (587)
29 08:13:59.11:Info:2136119040: scmd: Welcome delay for (xxx.xxx.xxx.xxx) of 0 seconds
29 08:13:59.13:Info:2136119040: smtp:[xxx.xxx.xxx.xxx] In: EHLO www.sender.com
29 08:13:59.13:Info:2136119040: scmd: showing STARTTLS option to (xxx.xxx.xxx.xxx)
29 08:13:59.13:Info:2136119040: smtp:[xxx.xxx.xxx.xxx] Out: 250-mail.server.com. Hello www.sender.com (xxx.xxx.xxx.xxx)
29 08:13:59.15:Info:2136119040: smtp:[xxx.xxx.xxx.xxx] In: STARTTLS
29 08:13:59.15:Info:2136119040: smtp:[xxx.xxx.xxx.xxx] Out: 220 go ahead, begin SSL/TLS negotiation
29 08:13:59.15:Info:2136119040: SSL: init not finished, ssl want=SSL_READING xxx.xxx.xxx.xxx 0sec
29 08:13:59.17:Info:2136119040: SSL: communication could not establish encryption. xxx.xxx.xxx.xxx
29 08:13:59.17:Info:2136119040: smtp: ssl failed SSL could not start, unknown reason (-1)(handaccept SSL routines tls_early_post_process_client_hello unsupported protocol) (from IP xxx.xxx.xxx.xxx)
29 08:13:59.17:Info:2136119040: smtp:[xxx.xxx.xxx.xxx] Out: 500 SSL/TLS failed SSL could not start, unknown reason (-1)(handaccept SSL routines tls_early_post_p
29 08:13:59.17:Info:2136119040: msg: [0] ssl: xxx.xxx.xxx.xxx www.sender.com 0 unknown "dom=mail.server.com err=SSL could not start, unknown reason (-1)(handaccept SSL routines tls_early_post_process_client_hello unsupported protocol)"
29 08:13:59.17:Info:2136119040: smtp: Closing connection xxx.xxx.xxx.xxx, task took 0 seconds
On the Surgemail mail server only TLS v1.2 is allowed and enabled. I also tested the following from www.sender.com:
[root@host-1 src]# openssl s_client -connect mail.server.com:587 -starttls smtp
CONNECTED(00000003)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
verify return:1
depth=0 CN = server.com
verify return:1
Certificate chain
0 s:/CN=server.com
i:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
1 s:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
Server certificate
subject=/CN=server.com
issuer=/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 6258 bytes and written 408 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: EDD5723B7D92DA1F59006231C0556ACEE6410A507DC6CE0C3910F0B762862439
Session-ID-ctx:
Master-Key: 4F1911AA974324DB6FF767D97A6853D07438362C58D76CCFA6FCAEA6903071643C6FE255443B192F197D3E2E1BBEF8EC
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 52 cf d6 89 a3 b4 cf 4a-fa 5b 42 ab 1d 09 88 8c R......J.[B.....
0010 - b1 00 60 57 bb c6 81 24-32 5b 35 df ...
250 HELP
My code is as follows:
```php
//Create a new PHPMailer instance
$mail = new PHPMailer;
//Tell PHPMailer to use SMTP
$mail->isSMTP();
//Enable SMTP debugging
// 0 = off (for production use)
// 1 = client messages
// 2 = client and server messages
$mail->SMTPDebug = 4;
//Ask for HTML-friendly debug output
$mail->Debugoutput = 'html';
//Set the encryption system to use - ssl (deprecated) or tls
$mail->SMTPSecure = 'tls';
//Set the hostname of the mail server
$mail->Host = "mail.server.com";
//Set the SMTP port number - likely to be 25, 465 or 587
$mail->Port = 587;
//Whether to use SMTP authentication
$mail->SMTPAuth = true;
//Username to use for SMTP authentication
$mail->Username = "usernamehere";
//Password to use for SMTP authentication
$mail->Password = "passwordhere";
//Set who the message is to be sent from
$mail->setFrom('send_only@sender.com', 'email topic here');
//Set an alternative reply-to address
$mail->addReplyTo('info@sender.com', 'Customer Support');
//Set who the message is to be sent to
$mail->addAddress($_POST['email'], $_POST['fname']." ".$_POST['lname']);
//Set the subject line
$mail->Subject = $subject;
//Read an HTML message body from an external file, convert referenced images to embedded,
//convert HTML into a basic plain-text alternative body
$mail->msgHTML($message);
//Replace the plain text body with one created manually
$mail->AltBody = $message_plain;
//send the message, check for errors
if (!$mail->send()) {
    //echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}
```
Please note that I am not running the latest version of PHPMailer because my old server is still on PHP 5.3.29. Can't upgrade to 5.4 at this time. So I am using PHPMailer 5.2.28.
Does anybody have any idea why the TLS is failing? Thanks.
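A triage of the two logs in this thread, as an added example that is not part of the original discussion: it parses the OpenSSL error entry from the PHPMailer debug output and the matching SurgeMail line, then classifies the failed STARTTLS upgrade. The function names and the pattern used for the SurgeMail line are assumptions made for this example; the log lines are copied from the post above.

```python
import re

# Lines copied from the logs in this thread (client: PHPMailer, server: SurgeMail).
CLIENT_LOG = """\
2021-08-29 17:58:11 CLIENT -> SERVER: STARTTLS
2021-08-29 17:58:11 SERVER -> CLIENT: 220 go ahead, begin SSL/TLS negotiation
2021-08-29 17:58:11 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version [/var/www/www.sender.com/html/vendor/phpmailer/phpmailer/class.smtp.php line 375]
"""
SERVER_LOG = """\
29 08:13:59.17:Info:2136119040: smtp: ssl failed SSL could not start, unknown reason (-1)(handaccept SSL routines tls_early_post_process_client_hello unsupported protocol) (from IP xxx.xxx.xxx.xxx)
"""

# OpenSSL error-queue entry: error:<hex code>:<library>:<function>:<reason>
CLIENT_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:\[\n]+)")
# Assumed pattern: SurgeMail prints the same fields space-separated in parentheses.
SERVER_ERR = re.compile(r"SSL routines (\w+) ([^)]+)\)")
# Reason strings seen in this thread that mean "no common protocol version".
VERSION_REASONS = ("alert protocol version", "unsupported protocol")

def parse_client_errors(log):
    """Return the OpenSSL error entries found in the client log as dicts."""
    return [{"code": code.upper(), "lib": lib, "func": func, "reason": reason.strip()}
            for code, lib, func, reason in CLIENT_ERR.findall(log)]

def starttls_accepted(log):
    """True if the server answered the client's STARTTLS with a 220 reply."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.endswith("CLIENT -> SERVER: STARTTLS"):
            return any("SERVER -> CLIENT: 220" in nxt for nxt in lines[i + 1:])
    return False

def triage(client_log, server_log):
    """Classify a failed STARTTLS upgrade from both sides' logs."""
    errs = parse_client_errors(client_log)
    srv = SERVER_ERR.search(server_log)
    # An "alert" reason raised in ssl3_read_bytes is an alert received from the peer.
    peer_alert = any(e["func"].lower() == "ssl3_read_bytes" and "alert" in e["reason"]
                     for e in errs)
    reasons = [e["reason"] for e in errs] + ([srv.group(2)] if srv else [])
    mismatch = any(v in r for r in reasons for v in VERSION_REASONS)
    return {
        "plaintext_smtp_ok": starttls_accepted(client_log),
        "rejected_by": "server" if peer_alert else "unknown",
        "server_function": srv.group(1) if srv else None,
        "verdict": "tls_version_mismatch" if mismatch else "other",
    }
```

A `plaintext_smtp_ok` of true together with a `tls_version_mismatch` verdict rules out port, firewall and certificate problems and points at the protocol versions the client runtime can offer.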