The file Mail/sendmail.php is the only file in this module that still uses version 2.02 of the PHP license. Because it has this license, it cannot be packaged on Debian, due to Debian's strict copyright guidelines.

Is it perhaps possible to update the license of this file to the New BSD License, the same license that is used in all the other files in this module?

When I require the pear/net_smtppackage like this:

    "require": {
        "pear/Net_SMTP": "*",

I get the following output:

Your requirements could not be resolved to an installable set of packages.

Prblem 1
    - pear/net_smtp dev-topics/composer-for-pear requires pear/net_socket * -> no matching package found.
    - pear/net_smtp dev-master requires pear/net_socket * -> no matching package found.
    - Installation request for pear/net_smtp * -> satisfiable by pear/net_smtp[dev-master, dev-topics/composer-for-pear].

Mark CRAM-MD5, DIGEST-MD5 and LOGIN as deprecated and trigger a E_DEPRECATION_WARNING

The implementation for XOAuth2 does not seem to respect the following part of the RFC 4954:

Note that the AUTH command is still subject to the line length limitations defined in [SMTP]. If use of the initial response argument would cause the AUTH command to exceed this length, the client MUST NOT use the initial response parameter (and instead proceed as defined in Section 5.1 of [SASL]).

If I understand it correctly, the maximum length of the token that can be sent the way it is now (with AUTH XOAUTH2 <token> command) is 512 bytes (SMTP line length limit) - 2 bytes (CRLF) - 13 bytes (length of the literal AUTH XOAUTH2 ) = 497. That applies to the base64-encoded version of the token.

For longer tokens, the multiline variant should be used instead, sending AUTH XOAUTH2, waiting for 334 response from the server and then submitting the whole OAuth2 (JWT) token on the next line.

The problematic code is here:

I also created issue in the Roundcube project (roundcube/roundcubemail#8623) to bring more awareness to the issue, as the implementation here was done by a Roundcube team member.

Also, if I did not understand the issue or the RFC right, I'll be happy for a correction. Otherwise I will start working on a PR.

Thank you!

hi guys, i'm with some problems, runnning a background process forever (execute at server startup and continue live forever) with persistent connection, sometimes it don't work and no exception is displayed, i'm running debug parameter set to true, i will try to develop a test case, but i don't know what could i do to solve this problem

thanks guys

Set all auth* methods as protected

We need to provide class constructor via __construct().

I think we could also drop PHP4 support.

Hello,

I would like to know if we can configure the response of the server to recover the value of queued as who is get $this->_smpt->getResponse(), because on my server I get this string: "Message queued as .." while in the file smtp.php the chain of Expected character is: "Ok: queued as", I submitted a Pull requests in pear/Mail project to the case where.

Thank you.

Can you add the SCRAM supports?

For example Rouncube has needed: roundcube/roundcubemail#6917

Cyrus SASL supports:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS

-> https://cyrusimap.org/sasl/sasl/authentication_mechanisms.html
-> https://github.com/cyrusimap/cyrus-sasl/commits/master

Dovecot SASL supports:

• SCRAM-SHA-1
• SCRAM-SHA-256

-> https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

GNU SASL supports:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS

-> http://www.gnu.org/software/gsasl/

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

• SCRAM-SHA-1(-PLUS):
  -- https://tools.ietf.org/html/rfc5802
  -- https://tools.ietf.org/html/rfc6120

• SCRAM-SHA-256(-PLUS):
  -- https://tools.ietf.org/html/rfc7677 since 2015-11-02
  -- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

• SCRAM-SHA-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

• SCRAM-SHA3-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

• SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
  -- https://tools.ietf.org/html/draft-melnikov-scram-bis

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• scram-sasl/info#1

[Mon Aug 11 17:40:42 2014] [error] [client X.X.X.X] Deprecated: Assigning the return value of new by reference is deprecated\nBacktrace:#0: in "/usr/share/php/Mail/smtp.php" at line 349\n#1
[Mon Aug 11 17:40:43 2014] [error] [client X.X.X.X] Deprecated: Assigning the return value of new by reference is deprecated\nBacktrace:#0: in "/usr/share/php/Mail/smtp.php" at line 349\n#1:

Server version: Apache/2.2.22 (Ubuntu)
Server built: Jul 22 2014 14:37:02
Server's Module Magic Number: 20051115:30
Server loaded: APR 1.4.6, APR-Util 1.3.12
Compiled using: APR 1.4.6, APR-Util 1.3.12
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

php -v
PHP 5.3.10-1ubuntu3.13 with Suhosin-Patch (cli) (built: Jul 7 2014 18:52:09)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

php -m
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
imap
json
libxml
mbstring
memcache
mhash
ming
mssql
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_dblib
pdo_mysql
pdo_sqlite
Phar
posix
readline
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
zip
zlib

[Zend Modules]

Prepare and release version 1.11.0

Ref: roundcube/roundcubemail#9381

When $gssapi_principal is not set the method should become unavailable.

--- SMTP.old    2024-04-13 08:14:00.369484126 +0200
+++ SMTP.php    2024-04-13 08:13:19.873746919 +0200
@@ -206,7 +206,7 @@
         $this->gssapi_cname     = $gssapi_cname;
 
         /* If PHP krb5 extension is loaded, we enable GSSAPI method. */
-        if (extension_loaded('krb5')) {
+        if ($gssapi_principal && extension_loaded('krb5')) {
             $this->setAuthMethod('GSSAPI', array($this, 'authGSSAPI'));
         }
 

Hello Net_SMTP developer!

Please find the following bugfix for a problem, where the email message is empty using resource mail body (used by horde webmailer):

--- SMTP.orig.php       2013-08-26 21:14:43.602400474 +0200
+++ SMTP.php    2013-08-26 21:14:55.801607272 +0200
@@ -1036,6 +1036,7 @@
                 return PEAR::raiseError('Failed to get file size');
             }
             $size += $stat['size'];
+            rewind($data);
         } else {
             $size += strlen($data);
         }

Reason: the pointer is not getting resetted after using fstat($data).
Without rewind($data) theres no data on line 1075 to read...

I am not sure if this is caused by a change in PHP (5.3.17).

Best regards,
Juergen

Edit: not sure on how to post code to that issue tracker... Hopefully the bugfix is clear, otherwise please tell me how to post code like [code] ... [/code]

Edit2: Thank you jparise ;)

Google encourages the use of the login mechanism XOAUTH2 [1]. It would be great if Net_SMTP had support for this.

Some informations about the protocol and SMTP can be found here: https://developers.google.com/gmail/xoauth2_protocol#smtp_protocol_exchange

(edit: Typos)

Problem

The /docs directory is not part of the installed files after running composer. That makes the /README.rst link invalid.

Consequence

During a deployment, we have chosen to run composer in a pipeline. During that process, when the broken symlink is encountered by the aws cli (for example), we get No such file or directory and the deployment fails.

Mitigation / Workaround

Delete /README.rst right after running composer install

Proposed solution

• Do no include any symlink in a library, a repo, etc.
• In this case, replace README.rst with the actual file from the /docs directory.

in NET/SMTP.php

this if statement would always error with STARTTLS failed for many email servers.

        if (PEAR::isError($result = $this->socket->enableCrypto(true, $crypto_method))) {
            return $result;
        } elseif ($result !== true) {
            return PEAR::raiseError('STARTTLS failed');
        }

I noticed email servers like office365 and yahoo behaved differently than secureserver.net for example

I commented out the raiseError and it worked in all my situations.

Hello,

I'm trying to find out why roundcube won't connect to an SMTP server that uses TLS v1.2 as the only available protocol.

I traced the problem down to TLS v1.2 because when the server enables TLS v1.0, then roundcube is able to connect without problems.

What is also interesting, is that roundcube connects fine to the IMAP server with TLS v1.2, only the SMTP protocol seems to have this problem. Apparently this is because it uses a different library for IMAP.

Upon further investigation, I found that roundcube uses Net_SMTP, which in turn uses PHP contexts. Since I'm using CentOS 7 with PHP 5.4.16 and openssl 1.0.1e, everything supports TLS v1.2 without a problem.

In opening this issue, in hope that you will have more information about TLS v1.2 with Net_SMTP.

Thank you.

Suddenly my web start to give this error when trying to send an email:

[SMTP: STARTTLS failed (code: 220, response: 2.0.0 Ready to start TLS)]

If enabling debug mode I'm getting this info:

DEBUG: Recv: 220 mail-node-smtp-02.dondominio.com ESMTP DD Mail System
DEBUG: Send: EHLO localhost
DEBUG: Recv: 250-mail-node.dondominio.com
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-SIZE 51200000
DEBUG: Recv: 250-ETRN
DEBUG: Recv: 250-STARTTLS
DEBUG: Recv: 250-AUTH PLAIN LOGIN
DEBUG: Recv: 250-AUTH=PLAIN LOGIN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250 CHUNKING
DEBUG: Send: STARTTLS
DEBUG: Recv: 220 2.0.0 Ready to start TLS
DEBUG: Send: RSET
DEBUG: Recv: \qz0x9|PT&2VVSl1Nu(XaQ4 FUȩKXHiJcRJ~aj_/$-S셀䰖C
DEBUG: Send: QUIT
DEBUG: Recv: r^O_QW]H"F+zt3^E0Fԋת@

After take a look on some forums, I found it can be fixed changing the line 588 of "Net\SMTP.php" from:

&& extension_loaded('openssl') && isset($this->esmtp['STARTTLS'])

to:

&& extension_loaded('openssl') && $this->esmtp['STARTTLS']

After the change everything start to work fine like before.

My setup is WS 2012 R2 with IIS8, PHP8.0 and pear up to date at January date.

Thanks and best regards!

See pr #17 for missing file

File headers states version 2.02 of PHP License, when LICENSE file in git states 3.01

I get the following error after upgrading to version 1.7.0:
PHP Notice: Undefined variable: last in /usr/share/php/Net/SMTP.php on line 1087
It seems to me that the two lines
$last = $line;
and
$last = $chunk;
in the function Net_SMTP::data() got lost somehow during the update from version 1.6.3 to 1.7.0.

guys when running as a background process, forever
while(1){ read emails from database; send email; disconnect; }

i get a lot of close_wait at netstat, i think it's a netsocket problem, but i changed net socket to shutdown() and fclose() the socket before close, and it persist, any idea what could we do?

check netstat running 1hour (near to 100emails), i'm using non persistent connections

[beto@xyz ~]# netstat -an | grep CLOSE_WAIT
tcp 54 0 192.168.0.5:34375 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34365 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34390 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34385 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34379 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34369 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34362 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34366 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34360 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34383 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34368 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34364 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34372 208.84.244.140:587 CLOSE_WAIT
tcp 54 0 192.168.0.5:34357 208.84.244.140:587 CLOSE_WAIT

20 November 2008: CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

29 June 2017: CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:

• https://tools.ietf.org/html/rfc6331

I add same about SCRAM-MD5.

There are now:

• July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
• July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
• November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:

• SCRAM-SHA-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
• SCRAM-SHA3-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

Hello, I'm not sure if this is a bug in Net_SMTP. We noticed that the final MIME boundary was always being truncated when communicating with an SMTP server in Net_SMTP 1.7.2 and we confirmed that the behavior is not present in 1.7.1.

In our packet capture, we observed that the final boundary is --=_9ac6a00cd3d2ece6e38e5a24cbee6ea1- instead of --=_9ac6a00cd3d2ece6e38e5a24cbee6ea1--. The second - is missing at the end for some reason. Downgrading to Net_SMTP 1.7.1 solved the problem and emails were being displayed correctly to the recipient.

Below you'll find a copy of the packet trace. I edited the domain names, the subject, and the text/html content to remove some sensitive information. There is no text/plain content so that section is empty.

I hope this helps reproduce the issue, and if it's not a bug in Net_SMTP then I would appreciate being pointed in the right direction.

220 our.domain.example.com
EHLO localhost
250-our.domain.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_9ac6a00cd3d2ece6e38e5a24cbee6ea1"
Content-Transfer-Encoding: 8bit
From: [email protected]
To: [email protected]
Subject: vos identifiants

--=_9ac6a00cd3d2ece6e38e5a24cbee6ea1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8


--=_9ac6a00cd3d2ece6e38e5a24cbee6ea1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns=3D"http://www.w3.org/1999/xhtml" xml:lang=3D"en">
<head>
    <meta http-equiv=3D"Content-Type" content=3D"text/html;charset=3DUTF-8"=
 />
</head>
<body style=3D"font-family: 'Arial', 'sans-serif';font-size: 10pt;">
    <p>Bonjour,</p>
</body>
</html>

--=_9ac6a00cd3d2ece6e38e5a24cbee6ea1-
.
250 2.0.0 Ok: queued as A28A244B0D
QUIT
221 2.0.0 Bye

Currently Net_SMTP is licensed under the PHP 3.01 license. This makes it hard to use this in software that is packaged for Debian, since the Debian standpoint [1] is that this is not a valid license for anything other than PHP itself.

Would you consider updating the license to the BSD-2-clause license?

[1] https://ftp-master.debian.org/php-license.html

Leaking opened TCP socket which remain open as long as the PHP process lives. This especially cause problems when running applications such as long running message bus consumers that sporadically send mails: if you open a new socket per mail, eventually you'll reach a point where you deplete allowed OS open file limit (ulimit).

I'll debug on my side, we reproduced a specific scenario where the server doesn't answer correctly on QUIT command, and I'll open a PR.

The current tag schema is not a Semantic Versioning compatible tag. This would be very helpful to use it together with composer and tag support => https://getcomposer.org/doc/02-libraries.md#tags

Please, release the new version. From my tests on git-master it looks working on PHP7 and PHP5.

When calling Net_SMTP methods using PHP 5.5 with error reporting on, get a lot of warnings about PEAR isError being called statically. Changing PEAR::isError() to $this->isError() gets rid of warnings.

  ini_set('display_errors', 1); 
  error_reporting(E_ALL|E_STRICT);

  PHP Strict standards:  Non-static method PEAR::isError() should not be called statically, assuming $this from incompatible context in /usr/lib64/php/Mail/smtp.php on line 365

  PHP Strict standards:  Non-static method PEAR::isError() should not be called statically, assuming $this from incompatible context in /usr/lib64/php/Net/SMTP.php on line 424

  ...

There is a bug in Net/SMTP.php.

1 - Line 1001 of "public function data" you are setting $size to the length of the $headers, if provided separately from the $data.

2 - Line 1010 if $data is a string, you add strlen($data) to the size. $size now equals strlen($headers)+strlen($data).

3 - Line 1033 if the $headers exist you add them to the quotedata

4 - Line 1066 - Line 1095 you loop over $data, breaking it into chunks, but because the headers were sent separately and output separately on line 1033, but you forgot to remove their length from $size, this loop will attempt to read chars from $data at non-existing indexes.

QUICK FIX: Insert after line 1033
$size = strlen($data);

hi guys i couldn't send email with gmail, i changed the net/socket php file to avoid tls, but the problem is reported here:
http://osticket.com/forum/discussion/3422/failed-to-configure-email-smtp-settings
im using php 5.6, maybe we should change something at socket creation or use a parameter to change socket options

check this comment:

I was getting this error, but even disabling STARTTLS (as several of the above comments suggest) didn't help, as it then reported an authentication error. I found the proper fix for at least my situation.

If you're using PHP 5.6, there are changes to SSL:
http://php.net/manual/en/migration56.openssl.php

Mainly, there is extra verification done on the connection. This verification wasn't done on 5.5 so these issues were ignored. But in my situation, the server was sending the SMTP EHLO command with "localhost" and apparently that causes PHP's new verification to fail.

The solution is to patch osTicket's mail class at /include/pear/Net/SMTP.php - change this line:

$this->_socket_options =$socket_options;

to

$this->_socket_options = array('ssl' => array('verify_peer_name' => false));

This turns the verification off. For my setup, the mail server is on the same local network as the osTicket server, so I'm not overly concerned about the security.

The other solution is to downgrade to PHP 5.5 which doesn't have this extra verification.

It'd be nice if osTicket somehow offered a setting for this so patching the code isn't necessary every time.

Can you make a minor/patch release to include the .gitattributes file please?

Due to a lack of stable releases for pear/net_socket.

  Problem 2
    - Installation request for pear/net_smtp 1.7.1 -> satisfiable by pear/net_smtp[1.7.1].
    - pear/net_smtp 1.7.1 requires pear/net_socket * -> no matching package found.

I know this is technically an issue against pear/net_socket, but issues are disabled there and the project seems mostly unmaintained.

Some HELO-only servers appear to return 503 in response to a EHLO (e.g. http://forums.mozillazine.org/viewtopic.php?t=634628). The current Net_SMTP code interprets that response as an indication that the session is already authenticated. That change was added in 1a7e64b.

I think that code should be removed, but unfortunately, it's unclear what would be the correct solution to that original bug.