WireMailSmtp

[horst]

As far as I understand, deprecation warnings are hints to developers that pops up when error level is set to E_ALL or likely, that tell devs that this particular feature will change in future PHP versions.

So, this is not an issue! This is a hint to developers who wants to be informed (on their local dev machines).

So, you can suppress E_DEPRECATED on your dev machine if you are not interested in such hints.
Something like E_ALL & ~E_DEPRECATED https://www.php.net/manual/de/errorfunc.configuration.php#ini.error-reporting

I definitely do not alter 3-party-code that is working as expected. ?

The lib is from phpclasses.org Manuel Lemos. He updated it last in January 2022. I think he has used and tested it with several PHP versions, at least with 7.4+. ?

[szabesz]

Thanks Horst for looking into it.

If it is a library, then it is a library :) I do not think that any in release version of a library/framework a developer should leave in their code anything spitting out messages no matter what the error reporting settings are. It is because users of libs are interested in their own code issues as well, and suppressing messages is counter-productive. Let's imagine a lib that spits out loads of messages and I have to find among them the ones that were the results of my own code. I sometimes run into this issue with other libs/framework and it is not fun at all. Suppressing the messages does not solve the issue during development so it makes development less fun.

Anyway, since PHP 7.4 is history in 9 months and this issue is not a big deal and the best you/we could do is to "complain" to the dev, I can sure live with it.

Thanks for you contribution and the module! I always use it in production.

[bernhard]

thx @szabesz

I checked back and I'm also on 7.4 - sorry for the confusion ? Ok thx then the error is annoying but no issue.

Thx for your help!

[horst]

I wrote a tut for you guys ?

 

[froot]

This module doesn't send mails anymore, though it used to before.

The module cannot connect to the email server:

    [0]      string(87) "could not start TLS connection encryption protocol: STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT"

and also:

C STARTTLS
S 220 2.0.0 Ready to start TLS
Starting TLS cryptographic protocol
could not start TLS connection encryption protocol: STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

 I spent hours searching the error.

Now I realised that our host uses php version 8.0.14.

Might this issue be related to the php version? 

 

[wbmnfktr]

Just used WireMailSMTP (Version 0.6.0) to send out about 1.200 newsletters without any issues.

Running ProcesswIre 3.0.181 with PHP 7.4.

[netcarver]

@fruid Not 100% sure what's going on, but running grep in the site/modules/wireMailSmtp/ folder shows it's using mcrypt functions on lines 67, 68 and 79 of smtp_classes/ntlm_sasl_client.php - but mcrypt was removed from PHP7.2. It might be that @wbmnfktr isn't running into the issue if his setup is connecting to an smtp server without using ntlm_sasl.

Is the SMTP server you are connecting to using Windows by any chance? (This might be a wild-hunch)

Looks like that file was originally part of PHPMailer - and there are some posts about fixing it to work with NTLM that are more recent. Like this one: https://cheesefather.com/2017/06/phpmailer-ntlm-ms-exchange-smtp-authentication/ (though for a different hash() issue). You might be able to use that to patch your local copy - or otherwise look for a more recent version of the ntlm_sasl_client class.

[wbmnfktr]

58 minutes ago, netcarver said:

smtp server without using ntlm_sasl

You are right about that.
Almost standard connection with only SSL enabled.

[horst]

15 hours ago, fruid said:

could not start TLS connection encryption protocol: STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

have you checked if open_sll is enabled in PHP?

[froot]

4 minutes ago, horst said:

have you checked if open_sll is enabled in PHP?

it is, namely OpenSSL/1.0.2u

[froot]

webhost told me NTLM is not supported by our mail server, server runs Linux (Debian).

What to do? 

[karian]

Hi everyone,

Sending emails with WireMailSmtp works well but I would like to reflect sent emails on the email server "Sent" folder.

Similar as what's discussed here. Someone mentions using imap_append ...

Does anyone have a solution for WireMailSmtp?

[horst]

33 minutes ago, karian said:

Does anyone have a solution for WireMailSmtp?

SMTP is not IMAP. Maybe you can setup your SMTP server to send a copy into your desired subfolder, or simply use the BCC header with every outgoing email for that.

see: https://www.socketlabs.com/blog/smtp-or-imap/

Quote

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol and it’s the industry standard protocol for email sending.

With SMTP you are sending, relaying, or forwarding messages from a mail client (like Microsoft Outlook) to a receiving email server. A sender will use an SMTP server to carry out the process of transmitting an email message.

What is IMAP?

Simply put, IMAP (Internet Access Message Protocol) is an email protocol that deals with managing and retrieving email messages from the receiving server.

Since IMAP deals with message retrieval, you will not be able to use the IMAP protocol to send email. Instead, IMAP will be used for receiving messages.

 

[Jozsef]

On 1/19/2020 at 5:23 PM, francis said:

A great module that works absolutely fine out of the box but I am not happy having the SMTP password in plain text in the database. Is there maybe a reason I am just not getting why this is necessary?

I completely agree, I really think that saving the SMTP password as plain text is a big security compromise.
Is there a simple way to change this?

[horst]

1 hour ago, Jozsef said:

Is there a simple way to change this?

I'm not sure I understand completely. The password is saved in the DB (module config). If this can be read by someone, you have much more problems then a single smtp password. ?

The smtp sending process explicitly needs the password passed in as plain text. So, if we would encrypt it before storing in DB, we would need to decrypt it before sending. If we use hash or salt, or keys etc, they must be stored somewhere (DB?). So, this would not be a "better" solution. Any ideas by you?

[Jozsef]

Thanks, these are valid points. I'm not a module developer, hence the "simple way" in my question. ?
No ideas unfortunately.

15 minutes ago, horst said:

'm not sure I understand completely. The password is saved in the DB (module config). If this can be read by someone, you have much more problems then a single smtp password. ?

The site is for cyber security experts, their mindset is to minimise the risk when something happens. Their previous WordPress site was compromised so a breach is not an "if", it's more like a "when" for them as they deal with this all day every day.

[fliwire]

you can set password and other settings in config.php 

WireMailSmtp/WireMailSmtpConfig.php at master · horst-n/WireMailSmtp · GitHub
 

$config->wiremailsmtp = [
    "smtp_password" => "test",
];

 

[horst]

8 hours ago, fliwire said:

you can set password and other settings in config.php 

Ah yes, there it is still in plain text too, but also the DB credentials are. But looks like a better solution indeed. Best practise is to have one single config.php file only, that one on the live server. No copies in GIT. And not a plain password in every DB dump!

Thanks @fliwire

[Jozsef]

Thank you @fliwire, that might be another consideration for the client.

[bernhard]

@horst the password could be encrypted using the $config->userAuthSalt. For sending an email the module could load the encrypted password from the DB, decrypt it using the config salt and log into the mail account. That way an attacker would have to have access both to the DB and to your config.php file. 

https://stackoverflow.com/questions/9262109/simplest-two-way-encryption-using-php

Though I don't know if it's really worth having that extra...

[wbmnfktr]

18 hours ago, Jozsef said:

The site is for cyber security experts...

So... maybe ask them what they would like to use or recommend in first place and go from there.

Depending on the setup you could also look into environment variables which sit in places far away from any web root.

Another thing could be a mail account which is only used for that website.
Or you use something like Mailgun, Mailjet or similar which is a 3rd party service and therefore all details sit on yet another server.

I personally use Mailjet which is configured in a way that only my website can send mails through that account, still everything via SMTP. 
So... even if someone can get a copy of my credentials they still would need access to the server or the Mailjet account to do anything with it.

[Jozsef]

On 5/7/2022 at 1:40 PM, wbmnfktr said:

maybe ask them what they would like to use or recommend in first place and go from there.

Thanks @wbmnfktr I will definitely do. I was also looking into email relay services such as Mailgun or SendGrid but their privacy policies were not acceptable for them. ? Anyway, thanks for everyone for the ideas. We are going off topic though so it will be the WireMailSMTP module for now.

[karian]

On 4/5/2022 at 1:53 PM, horst said:

SMTP is not IMAP. Maybe you can setup your SMTP server to send a copy into your desired subfolder, or simply use the BCC header with every outgoing email for that.

see: https://www.socketlabs.com/blog/smtp-or-imap/

 

Thanks @horst ! Sending a copy or using the bcc header is actually a good solution.

I'll explore this way.

[Frank Vèssia]

I've been using WireMailSmtp since ages and for some clients we have microsoft exchange 365 emails. Recently Microsoft annouced they are deprecating basic stmp authentication in favor of OAuth 2.0...is there a way to configure WireMailSmtp with this method?

[froot]

my SMTP-server has a limited amount of emails that it can send per day. Is there a way to find out if an email was actually sent or not?