Could not start TLS connection encryption protocol

[jakeisjake]

Hello everyone!
I have a problem that has already been addressed in this forum, but I can't find a solution that is right for me.
I use Hesk on a CentOS8 with apache + mysql 8 + phpmyadmin:
Version Hesk: 3.2.5
Version PHP: 8.1.0 (MySQLi)
Version MySQL: 8.0.26

When I try to connect using the "HESK" control panel to my exchange SMTP server without a login and password, everything works out, but emails are not sent when the user forms an application.
When I enter the login and password to connect via SMTP to my exchange server, I get the error: "It is not supported by any of the authentication mechanisms required by the server".
Please tell me how can I fix this error?

Resolving SMTP server domain "exchange.server"...
Connecting to SMTP server "exchange.server" port 587...
Connected to SMTP server "exchange.server".
S 220 exchange.server Microsoft ESMTP MAIL Service ready at Tue, 21 Jun 2022 11:54:15 +0300
C EHLO support.mydomain.ru
S 250-exchange.server Hello [ip-exchange server]
S 250-SIZE 37748736
S 250-PIPELINING
S 250-DSN
S 250-ENHANCEDSTATUSCODES
S 250-STARTTLS
S 250-AUTH GSSAPI NTLM
S 250-8BITMIME
S 250-BINARYMIME
S 250 CHUNKING
C STARTTLS
S 220 2.0.0 SMTP server ready
Starting TLS cryptograpic protocol

[Klemen]

You will probably need to enable "Basic Authentication" method on your Exchange server.

[jakeisjake]

Can you tell if "HESK" has the ability to authorize on the exchange server?

Speaking of the problem: I solved the problem by resolving the tls protocol in the file /httpd/conf.d/ssl.conf
After that, I made a connector on the exchange server without authorization (anonymous).

Now the question is, can "HESK" log in to the exchange server via SMTP?
When I try to connect with the TLS function activated, I get the error "The server does not support TLS startup".

[Klemen]

Yes, Hesk can and we have several users who use an Exchange server without problems.

The thing is things like establishing a TLS connection, verifying certificates etc... is done by the server, not by Hesk. So the server needs to be properly set up and updated.

Also, the Exchange server must be enabled to allow BASIC authentication.

We'll be adding support for Oauth also later this year which should solve many of the authentication issues/work-around.

[jakeisjake]

This is very interesting information.

I tried to do as you say: - I have created a certificate that is authorized by my domain and certification authority, it works fully, but still there are problems with the mail connection with the login and password.

Perhaps you can tell me what to pay attention to or some features that are needed when creating a certificate for hesk to work with the exchange server?

At the moment, what I have: a full-fledged work of "HESK" (you have a great product, I really like it, thank you very much) with a self-signed certificate by my root center and certified by my CA.
https works fully, but still authorization by login and password smtp does not pass and you have to send emails using the "anonymous" connector configured on the exchange server.

[jakeisjake]

Regarding what you said about basic authorization on the exchange server: I tried to activate the basic authorization function in the connector, but I still can't connect using my username and password.

[Klemen]

I am not an Exchange expert so unfortunately not sure what else needs to be set up, sorry.

If this is an Exchange server hosted my Microsoft (not by yourself) see if you can generate and use an "App password" or something similar instead of your account password to login.

[jakeisjake]

Understood you.
Anyway, thanks for the great product! We will be looking forward to the update and testing! Thank you for your feedback!

[jakeisjake]

I am not an Exchange expert so unfortunately not sure what else needs to be set up, sorry.

If this is an Exchange server hosted my Microsoft (not by yourself) see if you can generate and use an "App password" or something similar instead of your account password to login.

After upgrading to 3.3.1 from version 3.2.5
Stopped receiving emails.

I restored the backup copy of 3.2.5 and everything is working as usual.

What could be the gap?

I would also like to know if it is possible to send emails to two different addresses?

For example: I need that when creating an application in a certain category, an email message is sent not only to the person who created the application, but also to the person whose email he indicated as additional.

The solution with entering email addresses through "," works, letters come.

Is it possible to make the input form of the second electronic mailbox work?
What I mean:
In the admin panel - tools - additional fields - field type - email.

The field is created and works, but when you enter information into it, a messege does not arrive at the email address specified in this field. Can this be fixed somehow?

[Klemen]

Most likely a SSL certificate verification error, see my first reply here:
viewtopic.php?f=13&t=7076

No, the custom email fields are just used for gathering data, not for email notifications. The only built-in solution is to separate emails in the top Email: field by a comma.

[jakeisjake]

If possible, please tell me which file is responsible for sending emails to HESK.

According to my logic, you can add the desired <div> (additional field created by me) to the submit file so that it takes into account the data specified in the new field.

Correct me if Im wrong.

[jakeisjake]

Most likely a SSL certificate verification error, see my first reply here:
viewtopic.php?f=13&t=7076

No, the custom email fields are just used for gathering data, not for email notifications. The only built-in solution is to separate emails in the top Email: field by a comma.

This is definitely not the problem, because the certificate is 100% valid. I'll try to figure out what the problem is this week.

And I will try your method again.

[Klemen]

The problem usually is not that the certificate is invalid, but that root certificates on the server are not up-to-date and so OpenSSL cannot properly verify server and peer certificates. It's more common than you think... give it a try.

As for adding additional field - code that handles emails is in "inc/email_functions.inc.php".