set_time_limit() has been disabled for security reasons in PHPMailer - phpmailer

On a shared host I have to use PHPMailer to send emails for certain actions. Unfortunately I don't have access to php.ini to customize it to my needs. Therefore I get the following warning when sending an email:
[warn] set_time_limit() has been disabled for security reasons in .../class.smtp.php on line 338
The script still works and all e-mails are sent successfully. But I wanted to ask if there is a way to configure PHPMailer so that this warning does not appear?

Related

DMARC sends my own emails to spam folders

I have a website, with a mailbox using Roundcube. This mailbox is affiliated with my domain name.
I use Cloudflare on my website with a DMARC record in the DNS section, and this sends my own emails as SPAM to anybody.
I don't understand why.
v=DMARC1; p=quarantine; rua=mailto:contact#sp-batiment.com; ruf=mailto:contact#sp-batiment.com; fo=1
whereas I thought it should only send emails that are not sent from my domain to SPAM folders.
The first step is to change p=quarantine to p=none (reporting only) as that won't break your own email. Then, once you have SPF and/or DKIM passing and in alignment (using same domain as the visible from) such that DMARC passes for all your legit mail, then cautiously ramp your policy back up to an enforcing policy.
I'd say that changing your policy to none (reporting only) gives the time and space to fix email authentication problems without causing you real problems with your own email deliverability.

Apache JAMES: Gmail says emails sent from my server are not TLS encrypted

When I send an email from my Apache JAMES SMTP server to my Gmail address, Gmail receives the email but apparently not via TLS encryption. Gmail shows the red lock icon saying '[my server] did not encrypt this message.' The email headers also do not indicate receipt via TLS.
I have turned on TLS for my Apache JAMES SMTP server. Here is the relevant part from my smtpserver.xml:
<tls socketTLS="false" startTLS="true">
<keystore>[my-jks-file]</keystore>
<secret>[my-jks-password]</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
I have also tried using
<tls socketTLS="true" startTLS="false">
instead but it did not fix the problem.
When I try testing my Apache JAMES email address using https://www.checktls.com/TestReceiver the report says everything (including TLS) passed. Testing my server domain using https://mxtoolbox.com/diagnostic.aspx also says TLS passed.
Why are the emails not being encrypted?
I too am having the same problem, trying to get emails pushed from email clients through Apache James onto Gmail, and Gmail is reporting that they have not been securely received.
From what I understand looking at Apache James documentation and source code, it is the RemoteDelivery mailet that is in charge of sending out emails to recipient email servers. https://james.apache.org/server/3/dev-provided-mailets.html
The doc and RemoteDelivery.java source code says RemoteDelivery contains the two properties:
startTLS: a Boolean (true/false) indicating whether the STARTTLS command (if supported by the server) to switch the connection to a TLS-protected connection before issuing any login commands. Default is false.
sslEnable: a Boolean (true/false) indicating whether to use SSL to connect and use the SSL port unless explicitly overridden. Default is false.
startTLS seems like the key here, where when James is negotiating a connection to Gmail's servers it should try to upgrade an insecure connection to a secure one if Gmail allows it.
I'm running Apache James 2.3.2 and in the /path/to/James/apps/james/SAR.INF/conf.xml file, under the Remote delivery section:
<mailet match="All" class="RemoteDelivery">
I tried setting these properties to true
<startTLS>true</startTLS>
<sslEnable>true</sslEnable>
However James is still not sending secure emails to Gmail. So I'm out of ideas.
FYI in Apache James version 3.4 the RemoteDelivery configuration appears to be relocated to the conf/mailcontainer.xml file.
SocketTLS and startTLS only affect the encryption method of James inbound mail, and the encryption of mail sent from James, which affects the encryption of the Gmail red lock, requires additional configuration. The test result mail is passed in Gmail: "security: Standard encryption (TLS)". My configuration (Apache James version: 2.3.2) is like this:
<mail.smtp.port>25</mail.smtp.port>
<mail.smtp.starttls.enable>true</mail.smtp.starttls.enable>
<mail.smtp.auth>false</mail.smtp.auth>
<mail.smtps.auth>false</mail.smtps.auth>
<mail.smtp.socketFactory.port>25</mail.smtp.socketFactory.port>
<mail.smtp.socketFactory.fallback>false</mail.smtp.socketFactory.fallback>
<mail.smtps.ssl.protocols>TLSv1.2</mail.smtps.ssl.protocols>
<mail.transport.protocol>smtp</mail.transport.protocol>
<mail.smtps.port>465</mail.smtps.port>
<mail.smtps.ssl.enable>true</mail.smtps.ssl.enable>
<mail.smtps.starttls.enable>false</mail.smtps.starttls.enable>
<mail.smtps.socketFactory.port>465</mail.smtps.socketFactory.port>
<mail.smtps.socketFactory.class>javax.net.ssl.SSLSocketFactory</mail.smtps.socketFactory.class>
<mail.smtps.socketFactory.fallback>false</mail.smtps.socketFactory.fallback>
Just like setting properties in the java code in Christos's answer: Java mail cannot connect to smtp using tls or ssl.
According to the above answers and/or comments, if anyone gets this problem in Apache James 3.7.0, you can try to search for RemoteDelivery in mailetcontainer.xml and add:
<startTLS>true</startTLS>
Additionally, I currently do not know if it is necessary to add <sslEnable>true</sslEnable>, since outgoing emails are encrypted and Gmail knows this without this setting. If you know this should be set up, you can explain why for anyone who needs to know. I have not set this up for now because sending emails with <sslEnable>true</sslEnable> seems to be slower than when this setting is removed (I feel this).
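One way to verify the result of these settings from the receiving side, as an added example that is not part of the original posts: read the Received headers of a delivered message and flag every hop that was not recorded as TLS-protected. The sample message, host names and addresses are constructed placeholders, and the check assumes the receiving servers record the RFC 3848 "with" protocol keyword.

```python
import re
from email import message_from_string

# "with" protocol keywords that mean the hop was TLS-protected (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
COMMENT = re.compile(r"\([^()]*\)")

def strip_comments(value):
    """Remove (possibly nested) comments such as '(using TLSv1.2 with cipher ...)'."""
    previous = None
    while previous != value:
        previous, value = value, COMMENT.sub(" ", value)
    return " ".join(value.split())

def received_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        clauses = strip_comments(value).split(";")[0]   # drop the timestamp
        sender = re.search(r"\bfrom\s+(\S+)", clauses, re.I)
        receiver = re.search(r"\bby\s+(\S+)", clauses, re.I)
        proto = re.search(r"\bwith\s+(\S+)", clauses, re.I)
        protocol = proto.group(1).upper() if proto else None
        hops.append({"from": sender.group(1) if sender else None,
                     "by": receiver.group(1) if receiver else None,
                     "protocol": protocol, "tls": protocol in TLS_PROTOCOLS})
    return hops

def cleartext_hops(raw_message):
    """(from, by) pairs for hops whose Received header does not record TLS."""
    return [(h["from"], h["by"]) for h in received_hops(raw_message) if not h["tls"]]

# Constructed message: the client-to-James hop used TLS, the outbound hop did not.
SAMPLE = """\
Received: from james.example.org (james.example.org [203.0.113.10])
 by mx.mailbox.example with ESMTP id abc123 for <user@mailbox.example>;
 Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.example.org (laptop [198.51.100.7])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 by james.example.org with ESMTPSA id def456;
 Mon, 01 Jan 2024 10:00:01 +0000
From: sender@example.org
Subject: constructed test message

body
"""

if __name__ == "__main__":
    print(cleartext_hops(SAMPLE))
```

A hop from the James host to the recipient's MX that shows plain ESMTP means the outbound (RemoteDelivery) side did not negotiate STARTTLS, regardless of what the inbound `<tls>` block says.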

SpamAssassin negative score for HEADER_FROM_DIFFERENT_DOMAINS

Some emails sent by our server go to spam for certain recipients. E.g. when sent to #outlook.com email addresses.
I have been testing our emails using https://www.mail-tester.com
SpamAssassin gives a score of -0.1 for the issue of 'HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different'
This is the only issue reported. Everything else, such as SPF and DKIM, passes. There is no documentation on their website for this issue and I don't understand what it means or how to fix it.
The email is sent using PHPMailer via AWS SES.
I solved this by completing the setup of 'MAIL FROM' in AWS SES. This set the mail from header in emails to be my domain name.
"HEADER_FROM_DIFFERENT_DOMAINS" and mail-tester.com now gives me a score of 10/10.
Note that for some email providers it took a few weeks before we were trusted and emails stopped going to spam.
It means that the envelope sender address (which is used at the SMTP level) is different to the address used in the From header. This is very common, but can be a problem if you try to implement DMARC alignment. For example, you might send a message with a from header containing user#example.com, but your envelope sender might be bouncehandler#mail.example.com. You should be able to see this in the Return path header of a received message. Whether you can change this depends on exactly how you're sending your message, but in PHPMailer the envelope sender defaults to the from address, and you can override it by setting the Sender property.
A -0.1 penalty is unlikely to be the entire cause of your mail being sent to spam.
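The alignment rule described in this answer, and the p=none versus p=quarantine behaviour from the DMARC question earlier on this page, as an added example that is not part of the original posts. The records, addresses and the two-label organizational-domain shortcut are constructed assumptions; real evaluators use the Public Suffix List.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Simplification (assumption): keep the last two labels. This is wrong for
    # suffixes such as co.uk, which need the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from_domain, auth_domain, mode):
    """'r' (relaxed) compares organizational domains, 's' (strict) needs an exact match."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)

def domain_of(address):
    return address.rsplit("@", 1)[1]

def evaluate(record, header_from, envelope_from, spf_pass,
             dkim_domain=None, dkim_pass=False):
    """Return 'pass', or the policy (none/quarantine/reject) applied on failure."""
    tags = parse_dmarc(record)
    from_dom = domain_of(header_from)
    spf_ok = spf_pass and aligned(from_dom, domain_of(envelope_from),
                                  tags.get("aspf", "r"))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(from_dom, dkim_domain, tags.get("adkim", "r")))
    # DMARC passes when either mechanism both passes and is aligned.
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed sample data; the domains and addresses are placeholders.
ENFORCING = "v=DMARC1; p=quarantine; fo=1"
MONITORING = "v=DMARC1; p=none; fo=1"
VISIBLE_FROM = "user@example.com"
OWN_BOUNCE = "bouncehandler@mail.example.com"   # custom MAIL FROM on own domain
RELAY_BOUNCE = "bounce@sender.example.net"      # provider's default envelope sender

if __name__ == "__main__":
    for policy in (ENFORCING, MONITORING):
        for sender in (OWN_BOUNCE, RELAY_BOUNCE):
            print(policy, sender, evaluate(policy, VISIBLE_FROM, sender, True))
```

With the provider's envelope sender SPF still passes but is not aligned, so the enforcing record quarantines the domain's own mail while the monitoring record only reports it; a custom MAIL FROM or an aligned DKIM signature turns the same message into a pass.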
It's Outlook's rubbish filtering system. They have "AI" rules that look at the sending IP address for reputation. They score you on user reports and lots of other bits they will not tell you about. Make sure you have SPF, DMARC, DKIM, and sign up for their JMRP and SNDS they will tell you. But it still is a game of cat and mouse. It's a slippery slope and even Microsoft trap their own mail to their own Outlook users. PITA, to be honest and luckily we managed to get a mitigation to the issue. However some users in different domains still complain of email going to JUNK. Go figure. I hate having to work on issues with Outlook.com. They themselves send out spam and have the audacity to block well configured SMTP senders.
I wish you luck. You will need it.

Receiving bounced spam messages sent from my domain

I recently noticed my gmail spam folder had some bounced messages to my business email address (which is configured to forward to my gmail). After some investigation it appears as though someone is using my domain name and randomly generated usernames as return address on their spam emails.
Mail.log shows these messages coming in, but not being sent. Is it possible that my server (Postfix or sendmail) is allowing a user to push out emails without generating log entries? What is the likelihood that somebody is spoofing my domain (not a very popular one at all) and not actually sending from my server?
Most importantly, what can I do to prevent spam emails from being sent out with my name on them, if anything? I'm concerned that gmail at least will mark me as a spammer since all the bounced spam messages are going to my gmail as though they were sent from my domain.
You can install SpamAssassin on your server and connect it to Postfix. SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
It is very easy to configure. SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. Once classified, site and user-specific policies can then be applied against spam. Policies can be applied on both mail servers and later using the user's own mail user-agent application.
You can refer to the link to know more about SpamAssassin

How do you stop IIS SMTP Server from sending bounce emails?

How do you stop the "Default SMTP Virtual Server" from sending bounce messages for email addresses that you don't have?
i.e. I'm using IIS' SMTP server to handle my email and if an email is sent unknown at mydomain.com a bounce email with 'address not known' (or something like that) is sent back to the sender. I want it to silently fail.
I found this article which has a script you can run to configure a catch-all account on your server. All emails which would generate an NDR will instead be directed to this account. Sorry, I haven't tested it. The article above has been removed; here it is via the Wayback Machine
Basically the short answer to your question is no.
On another note, if you don't want to spend any money, or have no budget, and want a better email system, try something like Smarter Mail which you can use for free up to 10 users. I am sure there are others out there, but I have used Smarter Mail in the past successfully.
This isn't an IIS failure. The SMTP server receiving the message is looking for a valid email address, and when it doesn't find one, sends an email back to your email address saying that there isn't one there. The only way to have it silently fail is by putting the from address as a bogus email like no-reply#company.com, etc.
From an SMTP point of view, a better way to handle this is to reject the RCPT request at some point during the SMTP transaction. This way, your server isn't responsible for sending any blowback to the alleged sender.
I don't know how to configure IIS to do this specifically, but you certainly can with Postfix (which is what I use).
