SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://

serbus

Hello!

On a sg-3100 running 2.4.5.r.20200305.1800

I started having a problem sending notifications setup via the System -> Advanced -> Notifications tab after updating to the 2.4.5_RC. Notifications worked fine in 2.4.4_p3 using the same smtp server.

Error is :

Could not send the message to foo@bar.com -- Error: Failed to connect to ssl://smtp.foo.local:465 [SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://smtp.foo.local:465 (Unknown error) (code: -1, response: )]

Crash dump:

[05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/local/share/pear/Net/Socket.php on line 159
[05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): Failed to enable crypto in /usr/local/share/pear/Net/Socket.php on line 159
[05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): unable to connect to ssl://smtp.crownehill.local:465 (Unknown error) in /usr/local/share/pear/Net/Socket.php on line 159

Setting:

<sslvalidate>disabled</sslvalidate> in the config

This problem appears to be similar to this thread :

https://forum.netgate.com/topic/138289/solved-smtp-notification-error-smtp-failed-to-connect-socket-fsockopen-with-tls-and-private-ca

Additional net chatter :

https://stackoverflow.com/questions/45942833/pear-mail-unable-to-connect-to-gmail-smtp-failed-to-connect-to-socket

Based on what I found, my poke-and-hope fix was to add
'verify_peer' => false
to the send_smtp_message socket_options in etc/inc/notices.inc

This fixes the error in my environment.
I have no idea if this is a valid solution or if will will break something else.
I was hoping someone with a better understanding of the pfsense pkg environment and code could weigh in.

Thanks!

John

Gertjan

Hi,

What you are saying is that some mail server out there that your are using is breaking the rules.
Like "asking you to use SSL and propoising invalid certificates". That like visiting a web site with uses expired certs, or a site that uses a revoked cert. You could use internal settings in your browser so it wouldn't mind ...

As said in https://stackoverflow.com/questions/45942833/pear-mail-unable-to-connect-to-gmail-smtp-failed-to-connect-to-socket, you can check what happens using the command line, and the "openssl client" command :

openssl s_client -connect smtp.gmail.com:465 -starttls smtp

returns with

....
Verify return code: 0 (ok)

which means : "all is ok, go ahead"

This :

works fine for me.
But take note : I set up may own mail server (postfix). pfSense cans end mails just fine. As Thunderbird, Outlook 2010, Outlook 365, etc, using SSL

viktor_g

Based on what I found, my poke-and-hope fix was to add
'verify_peer' => false
to the send_smtp_message socket_options in etc/inc/notices.inc

This fixes the error in my environment.

Screenshot from 2020-11-13 18-13-33.png

Gertjan

@serbus said in SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://:

bar.com

I guess the issue was solved : bar.com - and hopefully the MX attached to - it uses a cert that comes from a known issuer.
Can't really test it's a cloudfaire thing.

serbus

Hello!

https://redmine.pfsense.org/issues/10317

John

Gertjan

@serbus said in SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://:

Hello!

https://redmine.pfsense.org/issues/10317

John

That one was solved 2.4.5-p1 is good.