58

I am using PHPMailer on PHP 5.6; the increased security around certificates in PHP 5.6 is certainly fun.

I am trying to send a test message to a domain hosted on dreamhost, the error that comes back from PHPMailer is: Could not connect to SMTP host.

That error is not right though, I have logging enabled and here is what is actually going on.

    Connection: opening to mx1.sub4.homie.mail.dreamhost.com:25, timeout=30, options=array ( )
    Connection: opened
    S: 220 homiemail-mx32.g.dreamhost.com ESMTP
    C: EHLO s81a.ikbb.com
    S: 250-homiemail-mx32.g.dreamhost.com
       250-PIPELINING
       250-SIZE 40960000
       250-ETRN
       250-STARTTLS
       250-ENHANCEDSTATUSCODES
       250 8BITMIME
    C: STARTTLS
    S: 220 2.0.0 Ready to start TLS
    C: QUIT
    S: SMTP ERROR: QUIT command failed:
    Connection: closed

I could not understand why PHPMailer just gives up, issuing a QUIT command when it should start sending the message. I got another clue from another log:

PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=*.mail.dreamhost.com' did not match expected CN=mx1.sub4.homie.mail.dreamhost.com' in /home/ikbb/domains/dev.ikbb.com/public_html/includes/phpmailer/5.2.10/class.smtp.php

If I use some custom options to prevent validation of the cert they are using I can get it to continue. Here is what I have:

    $mail->SMTPOptions = array(
        'ssl' => array(
            'verify_peer'       => false,
            'verify_peer_name'  => false,
            'allow_self_signed' => true
        )
    );

If I put the SMTPOptions in there and skip the peer verification, the message goes OK, with no warning in PHP at all.

How can I trap that error, so I know there is an issue but still send the message?

Rob Gunsuka
  • 705
  • 1
  • 5
  • 9
  • Yes, it's not pretty! If you disable verification you won't get a warning because stream_socket_enable_crypto doesn't return error codes, just a boolean. A messy workaround would be to create a temporary error handler to trap the warning. What you could do is try to deliver with verification (i.e. the default), and if that fails, try again without verification before giving up. – Synchro May 21 '15 at 15:38
  • 2
    SMTP is a mess. Usually, about the best you can do is opportunistic encryption. *If* you follow the DNS MX records, then the hostname will likely match since you are probably being directed to a Smart Host on a different domain. That is, mail for `example.com` is directed to `spam-filer.com`. In this case, Spam Filter is a smart host. – jww May 21 '15 at 21:21
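
The approach suggested in the first comment above (a temporary error handler, a verified attempt first, then a retry without verification) can be sketched as follows. This is an added example, not code from the original posts or from PHPMailer; `runTrappingWarnings`, `sendWithFallback` and `$fakeSend` are hypothetical names, and it assumes the mailer returns false on failure (PHPMailer with exceptions disabled) and that the TLS warning reaches PHP's error handling, as it does in the question's log.

```php
<?php
// Added example, not PHPMailer code. $send is a hypothetical callable that takes an
// SMTPOptions array and returns true on success, false on failure.
// Run $attempt while collecting the PHP warnings it raises.
function runTrappingWarnings(callable $attempt)
{
    $warnings = [];
    set_error_handler(function ($errno, $errstr) use (&$warnings) {
        $warnings[] = $errstr;
        return true; // handled here, so PHP does not log or display it itself
    }, E_WARNING | E_USER_WARNING);
    try {
        $ok = (bool) call_user_func($attempt);
    } finally {
        restore_error_handler(); // always put the previous handler back
    }
    return ['ok' => $ok, 'warnings' => $warnings];
}

// Verified attempt first (empty options = PHP defaults); relaxed retry only on failure.
function sendWithFallback(callable $send)
{
    $strict = runTrappingWarnings(function () use ($send) { return $send([]); });
    if ($strict['ok']) {
        return ['sent' => true, 'verified' => true, 'warnings' => $strict['warnings']];
    }
    // The retry is still encrypted, but the peer's identity is not checked.
    $relaxed = ['ssl' => ['verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true]];
    $retry = runTrappingWarnings(function () use ($send, $relaxed) { return $send($relaxed); });
    return ['sent' => $retry['ok'], 'verified' => false,
            'warnings' => array_merge($strict['warnings'], $retry['warnings'])];
}

// Constructed stand-in for a mailer. With a PHPMailer instance $mail it would be:
//   function ($opts) use ($mail) { $mail->SMTPOptions = $opts; return $mail->send(); }
$fakeSend = function (array $opts) {
    if (!isset($opts['ssl']['verify_peer_name']) || $opts['ssl']['verify_peer_name']) {
        trigger_error('Peer certificate CN did not match expected CN (constructed)', E_USER_WARNING);
        return false;
    }
    return true;
};
$result = sendWithFallback($fakeSend);
foreach ($result['warnings'] as $w) {
    error_log('TLS verification problem: ' . $w); // the record that something is wrong
}
echo $result['sent'] ? 'sent' : 'not sent', ', verified=', var_export($result['verified'], true), "\n";
```

The `verified` flag lets the caller record which messages went out over a connection whose certificate was not checked.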

8 Answers

92

I had the same problem and I found the answer in the PHPMailer documentation.

PHP 5.6 certificate verification failure

In a change from earlier versions, PHP 5.6 verifies certificates on SSL connections. If the SSL config of the server you are connecting to is not correct, you will get an error like this:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

You can also change these settings globally in your php.ini, but that's a really bad idea; PHP 5.6 made this change for very good reasons.

Sometimes this behaviour is not quite so apparent; sometimes encryption failures may appear as the client issuing a QUIT immediately after trying to do a STARTTLS. If you see that happen, you should check the state of your certificates or verification settings.

Jesús Amieiro
  • 2,443
  • 21
  • 15
17

Solution for WHM/cPanel(s): Disable SMTP Restriction by following the process below:

a) Open WHM and search for SMTP restriction, make sure it's disabled. (You can go through Home » Security Center » SMTP Restrictions directly as well.)

b) Or the same thing can be done via Tweak Settings (go directly to Home » Server Configuration » Tweak Settings, or you can click on the Tweak Settings link shown in the upper image)

Alive to die - Anant
  • 70,531
  • 10
  • 51
  • 98
7

For those of you using cPanel, I tried the SMTP check code from the examples folder in PHPMailer and I got this same error:

PHP Warning: stream_socket_enable_crypto(): Peer certificate  CN=*.mail.dreamhost.com' did not match expected CN=mx1.sub4.homie.mail.dreamhost.com' in /home/ikbb/domains/dev.ikbb.com/public_html/includes/phpmailer/5.2.10/class.smtp.php

I realized that it was not an error related to PHPMailer, so I searched for similar errors related to CentOS and I found this link that shed some light: Issue sending mails through 3rd party. You have to take a look at "SMTP Restrictions" in cPanel.

georch
  • 71
  • 1
  • 1
4

For PHP 5.6 use the following. Adding "tls://" is the key.

$mail->Host = gethostbyname('tls://smtp.gmail.com');

See: http://php.net/manual/en/context.ssl.php

Chrisbot
  • 67
  • 4
4

Disable SMTP Restriction in WHM

Karan Chunara
  • 518
  • 4
  • 15
2

As somebody mentioned here, the issue is an invalid SSL certificate. Your website might have a valid SSL certificate, but it might not apply to the mail.website.net or smtp.website.net subdomains. If your hosting provider has an interface for generating SSL certificates for your website, try to check whether there is a possibility to select the subdomains for which the certificate will be generated.

Shady Medic
  • 111
  • 11
1

I had a similar problem after I upgraded to PHP 5.6 on my WordPress machine. The WP Mail SMTP by WPForms (wp-mail-smtp) plugin was configured to use localhost as the SMTP Host. I've changed it to the FQHN (Fully Qualified Host Name) as it is defined in the SSL cert. After this change it is working fine.

Sergey V.
  • 840
  • 8
  • 15
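
The two answers above both come down to the certificate's names not covering the host name the client connects to. The check below shows why the name in the question's warning fails and how to test which host name a certificate covers. It is an added example, not code from the answers, PHP or PHPMailer; `certDnsNames` and `certNameMatches` are hypothetical helpers, the matching rule is a simplified one (a `*` only as the whole left-most label, standing for exactly one label), and the second host name is hypothetical.

```php
<?php
// Added example: compare the DNS names in a certificate with the SMTP host name.
// Collect DNS names from an openssl_x509_parse() result: SAN entries, else subject CN.
function certDnsNames(array $parsed)
{
    $names = [];
    $san = isset($parsed['extensions']['subjectAltName'])
        ? $parsed['extensions']['subjectAltName'] : '';
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    if (!$names && isset($parsed['subject']['CN'])) {
        foreach ((array) $parsed['subject']['CN'] as $cn) {
            $names[] = strtolower($cn);
        }
    }
    return $names;
}

// Simplified rule (assumption): "*" only as the whole left-most label, one label wide.
function certNameMatches($pattern, $host)
{
    $p = explode('.', strtolower($pattern));
    $h = explode('.', strtolower(rtrim($host, '.')));
    if (count($p) !== count($h)) {
        return false; // a wildcard never spans several labels
    }
    if ($p[0] === '*' && count($p) > 2) {
        array_shift($p);
        array_shift($h);
    }
    return $p === $h;
}

// Constructed input shaped like openssl_x509_parse() output, using the CN from the warning.
$parsed = ['subject' => ['CN' => '*.mail.dreamhost.com']];
// First host is the one from the question; the second is hypothetical, for contrast.
$hosts = ['mx1.sub4.homie.mail.dreamhost.com', 'mx1.mail.dreamhost.com'];
foreach ($hosts as $host) {
    $hits = array_filter(certDnsNames($parsed), function ($n) use ($host) {
        return certNameMatches($n, $host);
    });
    printf("%-36s %s\n", $host, $hits ? 'matches ' . implode(', ', $hits) : 'no certificate name matches');
}
```
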
1

If you just migrated to a different server, most likely you can fix this by disabling SMTP restriction from WHM.

Gauthier
  • 1,116
  • 2
  • 16
  • 39