Issue Cannot connect to SMTP on Plesk for Windows with SSL or TLS

VojinP

Basic Pleskian
I'm managing a friend's server with Windows 2012 Server R2 and Plesk Onyx installed on the server. There is a wildcard SSL certificate installed for the primary domain.

Using PHPMailer without SMTP (isMail() function) works just fine, but transmission is not secured.

I have tried all combinations with ports 465, 587, using TLS or SSL or STARTTLS as SMTPSecure option, but with no results. In fact, different ones.

Here is configuration for sending emails:

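// Configuration as posted: the port 465 + 'tls' attempt whose log is shown further down.
$mail = new PHPMailer(true);      // true = throw exceptions on errors
$mail->isSMTP();
$mail->SMTPDebug = 3;             // log commands, data and connection status
$mail->Debugoutput = 'html';
$mail->CharSet = 'utf-8';
$mail->UseSendmailOptions = false;
$mail->Host = "88.99.0.148";
$mail->Port = 465;
$mail->SMTPAuth = true;
// In PHPMailer 'tls' means STARTTLS after a plaintext greeting; 'ssl' means implicit TLS.
$mail->SMTPSecure = 'tls';
$mail->Username = "[email protected]";
$mail->Password = "xxxxxxxxxx";
$mail->setFrom('[email protected]','Transform Performance Intl.');
$mail->addAddress($toemail);
$mail->Subject = $subject;
$mail->msgHTML($body);
if ($attachment!="") $mail->addAttachment($attachment);
// '@' only silences PHP warnings; with exceptions enabled a failure is still thrown.
@$mail->send();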

When I use 587/TLS, I receive the following error:

Connection: opening to 88.99.0.148:587, timeout=300, options=array ()
SMTP ERROR: Failed to connect to server: No connection could be made because the target machine actively refused it. (10061)
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

When trying with port 465/TLS I receive:

Connection: opening to 88.99.0.148:465, timeout=300, options=array ()
Connection: opened
SERVER -> CLIENT: 220 OWNEROR-HRSH0QT.home ESMTP MailEnable Service, Version: 9.16-- ready at 12/09/16 17:15:20
CLIENT -> SERVER: EHLO surveys.transformperformance.com
SERVER -> CLIENT: 250-home [88.99.0.148], this server offers 5 extensions
250-AUTH LOGIN
250-SIZE 40960000
250-HELP
250-AUTH=LOGIN
250 STARTTLS
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 454 TLS not available due to temporary reason
SMTP ERROR: STARTTLS command failed: 454 TLS not available due to temporary reason
SMTP Error: Could not connect to SMTP host.
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 Service closing transmission channel
Connection: closed
SMTP Error: Could not connect to SMTP host.

Ports 465 and 587 are opened. I have tried to find an answer in the past two weeks, but with no success. There should be (according to some solutions) an IME_SYSTEM user for which we have to set privileges, but there is no such user (there are IME_ADMIN and IME_USER).

Certificate is set to be used with email in system configuration in Plesk.

UPDATE:

Tried also with classic ASP, but again error:

CDO.Message.1 error '80040213'
The transport failed to connect to the server.

Any help would be appreciated.
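
The port 465 transcript in the post above shows a plaintext greeting, a STARTTLS advertisement and then a 454 refusal. The following is an added example, not part of the original post, that classifies such a transcript; `parse_replies` and `diagnose` are hypothetical helper names and the sample dialogue is reconstructed from the posted log.

```python
import re

# Constructed sample: the port-465 exchange from the post, one reply line per
# row, "S:" for server and "C:" for client (timestamp in the banner omitted).
SAMPLE_DIALOGUE = """\
S: 220 OWNEROR-HRSH0QT.home ESMTP MailEnable Service, Version: 9.16-- ready
C: EHLO surveys.transformperformance.com
S: 250-home [88.99.0.148], this server offers 5 extensions
S: 250-AUTH LOGIN
S: 250-SIZE 40960000
S: 250-HELP
S: 250-AUTH=LOGIN
S: 250 STARTTLS
C: STARTTLS
S: 454 TLS not available due to temporary reason
"""

REPLY_LINE = re.compile(r"^S: (\d{3})([ -])(.*)$")

def parse_replies(dialogue):
    """Group server lines into (code, [texts]); 'NNN-' continues, 'NNN ' ends a reply."""
    replies, texts = [], []
    for line in dialogue.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            continue  # client command or noise
        texts.append(m.group(3))
        if m.group(2) == " ":
            replies.append((int(m.group(1)), texts))
            texts = []
    return replies

def diagnose(dialogue):
    """Classify a plaintext-start SMTP transcript: greeting, EHLO reply, STARTTLS reply."""
    replies = parse_replies(dialogue)
    if not replies or replies[0][0] != 220:
        return "no-plaintext-greeting"       # closed port, or implicit TLS expected
    if len(replies) < 2 or replies[1][0] != 250:
        return "ehlo-rejected"
    # First EHLO line is the greeting; the rest are extension keywords.
    offered = {t.split()[0].split("=")[0].upper() for t in replies[1][1][1:] if t.strip()}
    if "STARTTLS" not in offered:
        return "starttls-not-offered"        # session would stay unencrypted
    if len(replies) < 3:
        return "starttls-not-attempted"
    code = replies[2][0]
    if code == 220:
        return "starttls-accepted"
    if code == 454:                          # RFC 3207: TLS temporarily unavailable
        return "starttls-advertised-but-unavailable-on-server"
    return "starttls-refused"
```

A 454 after an advertised STARTTLS is a condition reported by the server, so changing the client's `SMTPSecure` value alone does not clear it.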
 
Hi.
Have you secured mail in Plesk? If not, you should go to Tools & Settings > SSL/TLS Certificates > Certificate for securing mail, and choose any installed certificate.
After this, mail server will support SSL/TLS.

MailEnable supports TLS on 25 and 587(message submission) ports.
SSL is supported on 465 port.
 
Hi Maxim,

Of course I did it. Here is a screenshot:


3lBr.jpg



On Mail settings, I only cannot select any certificate for web mail... Look at the screenshot

XVig.jpg
 
Ok.
What about real mail server settings.
Could you show screenshot from:
  1. MailEnable > Servers > localhost > Properties > SSL
  2. MailEnable > Servers > localhost > Services and Connectors > SMTP > Properties:
    • General
    • Inbound > Settings
 
I would like to give you a screenshot but I can't find where the MailEnable settings are in Plesk...
 
Yep, I found a program, and did some reconfiguration... Now when I send with TLS on port 587 I receive (after longer wait) following:

Connection: opening to 88.99.0.148:587, timeout=300, options=array ()
Connection: opened
SERVER -> CLIENT:
SMTP NOTICE: EOF caught while checking if connected
Connection: closed
SMTP Error: Could not connect to SMTP host.
SMTP Error: Could not connect to SMTP host.

Here are the screenshots you asked for
swPL.jpg
jypL.jpg
cXJh.jpg
 
General investigations ( hostname / DNS / reverse DNS / IP check ):
Code:
transformperformance.com resolves to 91.148.168.165
91.148.168.165 resolves to server.transformperformance.com

mail.transformperformance.com resolves to 88.99.0.148
88.99.0.148 resolves to static.178.0.99.88.clients.your-server.de

213.133.98.98 resolves to ns1-coloc.hetzner.de
213.133.99.99 resolves to ns2-coloc.hetzner.de
213.133.100.100 resolves to ns3-coloc.hetzner.de
88.99.0.178 resolves to static.178.0.99.88.clients.your-server.de

surveys.transformperformance.com resolves to 88.99.0.148
88.99.0.148 resolves to static.178.0.99.88.clients.your-server.de

503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.
Why do you setup the "hetzner" nameservers as IPs for your mail-server? => Completely wrong here.

Consider thinking about your configuration, pls. Why would someone define the name "surveys." for its mail server, when the MX entry is "mail."? In addition, the reverse check for the IP "88.99.0.148" doesn't match the DNS check for "mail.transformperformance.com" and when you connect to your mail server, it answers with "surveys.transformperformance.com". Correct that, pls. and define the DNS name for your IP over your Hetzner Control Panel.


SPF / DMARC:

There is NO SPF - entry for transformperformance.com
There is no DKIM - entry for transformperformance.com
There is NO DMARC - entry for transformperformance.com
Add correct SPF/DKIM/DMARC entries for "transformperformance.com", pls. to avoid issues/errors/problems with other mail servers, which may deny communication, because of the missing entries.

Certificate:
Code:
        STARTTLS command works on this server
        SSLVersion in use: TLSv1.2
        Cipher in use: ECDHE-RSA-AES128-SHA256
        Connection converted to SSL
       
Certificate 1 of 3 in chain:
subject= /CN=*.transformperformance.com
issuer= /C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA                                              
       
Certificate 2 of 3 in chain:
subject= /C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
issuer= /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3                                                
       
Certificate 3 of 3 in chain:
subject= /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
issuer= /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3                                                  

        Cert VALIDATED: ok
        Cert Hostname VERIFIED (mail.transformperformance.com = *.transformperformance.com)
All fine here!
 
I have set mail.transformperformance.com as a server (really don't know why I set surveys), and have changed DNS servers to 88.99.0.148 and it won't work again, PHP or ASP. However, when I changed the host values in the script from the IP address to mail.transformperformance.com - both PHP and ASP work!

But there is no mail sent....

I have checked SMTP debug... (I have tried to send to my private mail [email protected])

[1196] Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range.
[1196] A21BE0EFA49B48F2A95BFD41EA89C7A5.MAI was received successfully and delivery thread was initiated
[1196] (Debug) End of conversation
[1411E047A72E4D098E53D4E2419690DD.MAI] Outbound message from ([SMTP:[email protected]]) requeued as [3965CFDE834F4B99AC548136DBFDF170.MAI] to the target domain [vojjin.com]
Error (9002): Could not resolve MX list for domain [vojjin.com]
[3965CFDE834F4B99AC548136DBFDF170.MAI] Sending message
[3965CFDE834F4B99AC548136DBFDF170.MAI] Message Delivery Failure. Attempt (0): Could not connect to mail server for domain (vojjin.com). The remote mail server could not be contacted at this time. Message has been requeued.

Then I have tried to my gmail... Similar output

[1276] Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range.
[1276] 17ABF08A1E9D4FB3942374370BEDE2D6.MAI was received successfully and delivery thread was initiated
[1276] (Debug) End of conversation
[36DD6171B24241E9A2B76B25DE973C7C.MAI] Outbound message from ([SMTP:[email protected]]) requeued as [EA07619DF08D42D7840ECC30123636F8.MAI] to the target domain [gmail.com]
Error (9002): Could not resolve MX list for domain [gmail.com]
[EA07619DF08D42D7840ECC30123636F8.MAI] Sending message
[EA07619DF08D42D7840ECC30123636F8.MAI] Message Delivery Failure. Attempt (0): Could not connect to mail server for domain (gmail.com). The remote mail server could not be contacted at this time. Message has been requeued.

Then I realized those 213... hetzner IP's are for DNS resolvers, So I put them back - all works!

Thanks a lot! You saved my ... not day... a month! :)
 
No, wrong.... this configuration worked on ASP, but not on PHP.... I have realized that I'm using port 25 on ASP... so I switched back to 25 instead of 587 in php and it works!
 
It works, but seems it is sent without SSL (not quite sure)... on 465 and 587 ports just won't send. Any email to send you a test email? If you want to keep it private send me to [email protected] and I'll send you test email from the server.
 
Hi VojinP,

Then I realized those 213... hetzner IP's are for DNS resolvers, So I put them back - all works!
Consider using resolvers like: "8.8.8.8" + "8.8.4.4" on your server ... they are stable, never have issues and they are fast and independent. ;)


Now the same investigations again, but for "vojjin.com":
Code:
vojjin.com resolves to 91.148.168.34
91.148.168.34 resolves to guard.vivawebhost.com

mail.vojjin.com resolves to 91.148.168.34
91.148.168.34 resolves to guard.vivawebhost.com

SendSMTPCommand: Timeout waiting for response after 15 seconds.

Error (9002): Could not resolve MX list for domain [vojjin.com]
Points to my investigations: "SendSMTPCommand: Timeout waiting for response after 15 seconds." / At least one name server failed to respond in a timely manner

BUT ( !!! ) the certificate is misconfigured here:
Code:
        SSLVersion in use: TLSv1.2
        Cipher in use: ECDHE-RSA-AES128-SHA256
        Connection converted to SSL
        
Certificate 1 of 3 in chain:
subject= /CN=*.vivawebhost.com
issuer= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA                                             
        
Certificate 2 of 3 in chain:
subject= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA                                               
        
Certificate 3 of 3 in chain:
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA                                                 

        Cert VALIDATED: ok
        Cert Hostname DOES NOT VERIFY (mail.vojjin.com != *.vivawebhost.com)
        (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
        So email is encrypted but the host is not verified

 
I don't have a problem with domain vojjin.com ... on the server at Scalahosting there is some kind of SMTP delay of 20 secs and I'm aware of it. transformperformance.com is not on the same server as all its subdomains. Subdomains are on a Windows server with installed SSL and Plesk and where I'm experiencing a problem. So far the problem is solved cause we made it work on port 25 with turned on TLS. Just wondering why it won't send through 465 or 587...
 