Post by hermes23 » Thu Jun 11, 2020 11:31 pm

My Amazon SES setup was working fine all along using port 587 and tls://email-smtp.us-east-1.amazonaws.com for the hostname but now since May 29th it suddenly stopped working with "Error: EHLO not accepted from server!"

I use the same configuration in Thunderbird and it still works fine. All looks good on Amazon SES side, everything is green and test email works fine.

Anyone know why this would suddenly stop working or how to go about troubleshooting further? Could my host be blocking the response somehow?

I get the error when trying to update order status and also when using the contact form:

Code:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /public_html/store/system/library/mail/smtp.php on line 140
Fatal error: Uncaught exception 'Exception' with message 'Error: EHLO not accepted from server!' in /public_html/store/system/library/mail/smtp.php:157 Stack trace: #0 /public_html/store/system/library/mail.php(142): Mail\Smtp->send() #1 /public_html/store/catalog/controller/information/contact.php(25): Mail->send() #2 [internal function]: ControllerInformationContact->index() #3 /public_html/store/vqmod/vqcache/vq2-_storage_modification_system_engine_action.php(79): call_user_func_array(Array, Array) #4 /public_html/store/catalog/controller/startup/router.php(25): Action->execute(Object(Registry)) #5 [internal function]: ControllerStartupRouter->index() #6 /public_html/store/vqmod/vqcache/vq2-_storage_modification_system_engine_action.php(79): call_user_func_array(Array, Array) #7 /public_html/store/system/engine/router.php(67): Action->execute(Object(Registry)) #8 /public_html/store/system/en in /public_html/store/system/library/mail/smtp.php on line 157
Last edited by straightlight on Sat Jun 13, 2020 8:10 pm, edited 1 time in total.
Reason: Added code tags.


Post by ADD Creative » Fri Jun 12, 2020 12:28 am

Looks like a certificate issue. Could be:

1. Something wrong with the SMTP server's SSL/TLS certificate.
2. Something is redirecting or messing with the connection.
3. Your server doesn't have the correct root CA certificate to recognize the one on the SMTP server.

www.add-creative.co.uk



Post by hermes23 » Fri Jun 12, 2020 3:42 am

It's been working fine for at least 6 months though, why would it stop working all of a sudden? All my SSL certificates are up to date, I even reissued and reinstalled the certs through cPanel because one of the ca bundle certs expired. The same Amazon SES service is working perfectly with Thunderbird. I assume that means something changed on my host?


Post by ADD Creative » Fri Jun 12, 2020 6:55 am

Thunderbird (or your device) may have the correct CA certificates to verify the one on the SMTP server (or it's been added as an exception). Your server may not.

The Troubleshoot SSL/TLS negotiations section may be helpful. However, the openssl included with PHP is not always the same as the one from the command line.
https://aws.amazon.com/premiumsupport/k ... ssues-ses/

www.add-creative.co.uk



Post by hermes23 » Fri Jun 12, 2020 11:36 pm

Yes that's exactly the problem, thanks for pointing me in the right direction. The server is still using the old AddTrust External CA Root certificate even though I installed new certificates that were reissued:

Code:

# openssl s_client -crlf -starttls smtp -connect email-smtp.us-east-1.amazonaws.com:587
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
"Versions of OpenSSL prior to 1.1.1 incorrectly use the expired certificate when validating the trust chain sent by the server" More info: https://forums.aws.amazon.com/thread.js ... 7&tstart=0

I found a fix but I can't run it from my jailed shell. For anyone that has full control over their server this should get you back up and running.

How to distrust "AddTrust External Root" on Fedora and RHEL:

Code:

trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert"  > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit

update-ca-trust extract

Verify it's blacklisted:

Code:

trust list | grep -C2 "AddTrust External"

pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert
    type: certificate
    label: AddTrust External Root
    trust: blacklisted
    category: authority


Post by ADD Creative » Sat Jun 13, 2020 4:04 am

As a temporary workaround you may be able to stop PHP trying to verify the peer by adding something like the following before stream_socket_enable_crypto in the SMTP class.

Code:

stream_context_set_option($handle, 'ssl', 'verify_peer', false);

This would be less secure as there would be no checking that it's the correct SMTP server.

www.add-creative.co.uk
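A safer alternative to switching verify_peer off, as an added example that is not part of this thread or of OpenCart's smtp.php: keep peer and hostname verification on, hand PHP a current CA bundle through the cafile option, and log the chain the server presented so an expired cross-signed certificate is visible in the error log instead of surfacing as "EHLO not accepted". The $caBundle path and the minimal EHLO/STARTTLS sequence are assumptions of this example; the fix relies on that bundle no longer containing the expired AddTrust External CA Root, as the thread describes.

```php
<?php
// Added example, not OpenCart's smtp.php. Opens a STARTTLS session to an SMTP
// host with certificate verification left ON, using an up-to-date CA bundle.
// $caBundle is an assumed path; on OpenSSL < 1.1.1 it must not contain the
// expired AddTrust External CA Root, otherwise the chain is still rejected.
function smtpStartTlsVerified($host, $port, $caBundle)
{
    $handle = stream_socket_client("tcp://$host:$port", $errno, $errstr, 15);
    if ($handle === false) {
        throw new Exception("Connect failed: $errstr ($errno)");
    }
    fgets($handle, 515);                       // 220 greeting
    fwrite($handle, "EHLO localhost\r\n");
    while ($line = fgets($handle, 515)) {
        if (substr($line, 3, 1) === ' ') break; // "250 " ends the EHLO reply
    }
    fwrite($handle, "STARTTLS\r\n");
    $reply = fgets($handle, 515);
    if (substr($reply, 0, 3) !== '220') {
        throw new Exception("STARTTLS refused: $reply");
    }
    // Verification stays on; peer_name ties the certificate to the SES host.
    stream_context_set_option($handle, 'ssl', 'verify_peer', true);
    stream_context_set_option($handle, 'ssl', 'verify_peer_name', true);
    stream_context_set_option($handle, 'ssl', 'peer_name', $host);
    stream_context_set_option($handle, 'ssl', 'cafile', $caBundle);
    stream_context_set_option($handle, 'ssl', 'capture_peer_cert_chain', true);
    if (!@stream_socket_enable_crypto($handle, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
        $err = error_get_last();
        throw new Exception('TLS handshake failed: ' . ($err ? $err['message'] : 'unknown'));
    }
    // Diagnostic: log every certificate the server sent, flagging expired ones.
    $opts = stream_context_get_options($handle);
    foreach ($opts['ssl']['peer_certificate_chain'] as $cert) {
        $info = openssl_x509_parse($cert);
        $expired = $info['validTo_time_t'] < time() ? ' (EXPIRED)' : '';
        error_log('smtp chain: ' . $info['name'] . $expired);
    }
    return $handle; // ready for AUTH / MAIL FROM over the verified TLS session
}

// Usage (assumed bundle path):
// $smtp = smtpStartTlsVerified('email-smtp.us-east-1.amazonaws.com', 587,
//                              '/etc/pki/tls/certs/ca-bundle.crt');
```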

