PHP – Certificate problems when sending mail via SMTP (stream_socket_enable_crypto(): SSL operation failed with code 1)


Summary: I tried to send mails (from a PHP script) via SMTP. The site uses an external mailserver (MX → → A to external IP). When trying to send the mail, I get an error: SSL routines:tls_process_server_certificate:certificate verify failed. Trying to connect via SSH results in Verification error: self signed certificate which is true for the webserver, but not for the external mailserver. CheckTLS states: Cert Hostname DOES NOT VERIFY ( != localhost.localdomain). I am in charge of the webserver (managed server) but not of the mailserver (externally provided).

The Setup

Website runs on – they also have a shorter version, let's call it

Mail server is provided by another company and is found on (this is the MX for all the domains: wwwdomain, wwwshort and the other domains. In the DNS for there is an A record pointing to the IP). There is also an A record mail.* pointing to

I try to send emails from a Craft CMS 3 installation via SMTP. The mail server is

All domains have self-signed certificates. The server behind has a proper SSL certificate which also mentions all the possible domain names (e.g. , , etc.).

My client uses this mailserver daily (I guess it is a Microsoft Exchange Server) and has no problems whatsoever.

The Problem

When trying to send mails, I get the following error in my log:

Error sending email: stream_socket_enable_crypto(): SSL operation
failed with code 1. OpenSSL Error messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify faile

I was able (some time ago) to perform the workaround suggested here but I don't want to do that anymore since it is not really secure.


I set up a script using PHPMailer to get a more complete log. This was what I got:

2021-01-23 18:30:30 Connection: opening to, timeout=300, options=array()
2021-01-23 18:30:30 Connection: opened
2021-01-23 18:30:30 SMTP INBOUND: "220 ESMTP - DSS"
2021-01-23 18:30:30 SERVER -> CLIENT: 220 ESMTP - DSS
2021-01-23 18:30:30 CLIENT -> SERVER: EHLO
2021-01-23 18:30:30 SMTP INBOUND: ""
2021-01-23 18:30:30 SMTP INBOUND: "250-PIPELINING"
2021-01-23 18:30:30 SMTP INBOUND: "250-SIZE 105080012"
2021-01-23 18:30:30 SMTP INBOUND: "250-ETRN"
2021-01-23 18:30:30 SMTP INBOUND: "250-STARTTLS"
2021-01-23 18:30:30 SMTP INBOUND: "250-8BITMIME"
2021-01-23 18:30:30 SMTP INBOUND: "250 DSN"
2021-01-23 18:30:30 SERVER -> CLIENT: 250-mailgate.wwwshort.com250-PIPELINING250-SIZE 105080012250-ETRN250-STARTTLS250-ENHANCEDSTATUSCODES250-8BITMIME250 DSN
2021-01-23 18:30:30 CLIENT -> SERVER: STARTTLS
2021-01-23 18:30:30 SMTP INBOUND: "220 2.0.0 Ready to start TLS"
2021-01-23 18:30:30 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2021-01-23 18:30:30 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [/usr/www/users/client/test-mail/PHPMailer/SMTP.php line 467]
SMTP Error: Could not connect to SMTP host.
2021-01-23 18:30:30 CLIENT -> SERVER: QUIT
2021-01-23 18:30:30 Connection: closed
SMTP Error: Could not connect to SMTP host.
Message could not be sent. Mailer Error: SMTP Error: Could not connect to SMTP host.

Now I searched the web and did a lot of investigations. I will list the results here.

Checking CA certificates

I followed the advice from PHPMailer and checked the CA certs by

echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/cacert.pem -connect

This worked perfectly fine.

Now I tried the same with

echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/cacert.pem -connect

Here the problem started again:

depth=0 O = NA, CN = localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 O = NA, CN = localhost.localdomain
verify return:1
Certificate chain
 0 s:O = NA, CN = localhost.localdomain
   i:O = NA, CN = localhost.localdomain
Server certificate
bG9jYWxob3N0LmxvY2FsZG9tYWluMIICIjANBgkqhk0BAg8AMIIC (shortened)
subject=O = NA, CN = localhost.localdomain

issuer=O = NA, CN = localhost.localdomain

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 2481 bytes and written 483 bytes
Verification error: self signed certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0225B94178B4DE0B4499DAFB0C0D3AD4BE5519CCFBA4458E1333FF56B56D700D
    Master-Key: 103159001B6597C40E8C35A31B5DC240AE52D081BEE153A0B904A71C618D235AE5DD21192A784FBD35084130A1A36688
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 71 f2 0b 8f 85 4b e2 9a-cb bc 21 1f 5a c6 a7 b4   q....K....!.Z...

    Start Time: 1611427542
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
250 DSN

The output was the same for and for the IP address of the mail server.

Two things caught my attention:

SSL handshake has read 2481 bytes and written 483 bytes
Verification error: self signed certificate

and the mention of localhost.localdomain:

0 s:O = NA, CN = localhost.localdomain
  i:O = NA, CN = localhost.localdomain

SSL Report

I used the SSL Report from SSL Labs to test the domains.

  • was correctly recognized as "self-signed" and lists only the main domain and www.* It got a B rating.
  • also
  • was correctly recognized as not-self-signed and listed as "alternative names" all the other possible domains pointing to this server. It got an A+ rating.


I used CheckTLS to run some tests on . It identified the MX server correctly as (with the correct IP) and showed the following output.

Result from CheckTLS

[000.000]       Trying TLS on[] (10)
[000.099]       Server answered
[000.595]   <‑‑ 220 ESMTP - DSS
[000.595]       We are allowed to connect
[000.595]   ‑‑> EHLO
[000.691]   <‑‑
                250-SIZE 105080012
                250-AUTH PLAIN LOGIN
                250 DSN
[000.691]       We can use this server
[000.691]       TLS is an option on this server
[000.692]   ‑‑> STARTTLS
[000.788]   <‑‑ 220 2.0.0 Ready to start TLS
[000.788]       STARTTLS command works on this server
[001.010]       Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY ( != localhost.localdomain)
So email is encrypted but the host is not verified
Not Valid Before: Jan  9 20:31:46 2021 GMT
Not Valid After: Oct  6 20:31:46 2023 GMT
subject= /O=NA/CN=localhost.localdomain
issuer= /O=NA/CN=localhost.localdomain
[001.013]   ~~> EHLO
[001.111]   <~~
250-SIZE 105080012
250 DSN
[001.111]       TLS successfully started on this server
[001.111]   ~~> MAIL FROM:<>
[001.212]   <~~ 250 2.1.0 Ok
[001.212]       Sender is OK
[001.212]   ~~> QUIT
[001.311]   <~~ 221 2.0.0 Bye

Highlighted was this part:

Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY ( != localhost.localdomain)
So email is encrypted but the host is not verified

I wondered whether the self-signed certificate of the webserver caused the problem (since it was a wildcard * initially) so I replaced all the certificates with self-signed ones that only include the main domain. However, the problem persists (although I am not sure whether I just have to wait longer).

My "not-understanding"

To my (not)understanding there are reports on two problems: 1) the certificate is self-signed (which is true for the webserver, but not for the mailserver) and 2) the domain names don't match up.

I am absolutely not an expert on all this. Can anyone tell me whether the problem is on my side (webserver, Craft, etc.) or on "their side" (mailserver)?
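The following is an added example, not code from the original post, from PHPMailer or from CheckTLS: a small PHP diagnostic that performs the same STARTTLS handshake PHPMailer does, but with verification switched off so that the certificate a server presents can be captured, and then reports the two findings that the openssl s_client and CheckTLS output above raise separately: whether the certificate is self-signed (subject equal to issuer) and whether any name in it matches the host that was connected to. The default host name `mailgate.example.invalid`, the EHLO name and all function names are assumptions.

```php
<?php
// Added example (not from the original post): capture the certificate a STARTTLS
// SMTP server presents and report (1) self-signed? and (2) does a name in it match
// the host we connected to? The default host is a placeholder (assumption).
declare(strict_types=1);

// Read one SMTP reply; the final line of a reply has a space after the 3-digit code
// ("250 DSN"), continuation lines have a dash ("250-STARTTLS").
function smtpReadReply($fp): string
{
    $reply = '';
    while (($line = fgets($fp, 1024)) !== false) {
        $reply .= $line;
        if (strlen($line) >= 4 && $line[3] === ' ') {
            break;
        }
    }
    return $reply;
}

function fail($fp, string $msg): void
{
    fclose($fp);
    throw new RuntimeException($msg);
}

// Connect, negotiate STARTTLS and return the peer certificate as parsed by
// openssl_x509_parse(). Verification is OFF on purpose: this is a diagnostic that
// wants to see what a broken server sends; never reuse this context to send mail.
function captureStartTlsCert(string $host, int $port = 25, int $timeout = 10): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'capture_peer_cert' => true,   // makes the cert available via stream_context_get_params()
    ]]);
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, $timeout);
    smtpReadReply($fp);                                    // 220 banner
    fwrite($fp, "EHLO diag.example.invalid\r\n");
    if (!preg_match('/^250[- ]STARTTLS/mi', smtpReadReply($fp))) {
        fail($fp, 'server does not advertise STARTTLS');
    }
    fwrite($fp, "STARTTLS\r\n");
    $ready = smtpReadReply($fp);
    if (strncmp($ready, '220', 3) !== 0) {
        fail($fp, "STARTTLS refused: $ready");
    }
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fail($fp, 'TLS handshake failed');
    }
    $cert = stream_context_get_params($fp)['options']['ssl']['peer_certificate'];
    fwrite($fp, "QUIT\r\n");
    fclose($fp);
    return openssl_x509_parse($cert);
}

// All DNS names the certificate claims: subject CN plus every "DNS:" SAN entry.
function certNames(array $cert): array
{
    $names = isset($cert['subject']['CN']) ? [$cert['subject']['CN']] : [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $san) {
        $san = trim($san);
        if (stripos($san, 'DNS:') === 0) {
            $names[] = substr($san, 4);
        }
    }
    return $names;
}

// Exact match, or a single left-most wildcard label: "*.example.com" matches
// "mail.example.com" but neither "example.com" nor "a.b.example.com".
function hostnameMatches(string $host, string $pattern): bool
{
    $host    = strtolower(rtrim($host, '.'));
    $pattern = strtolower($pattern);
    if (strpos($pattern, '*') === false) {
        return $host === $pattern;
    }
    if (strpos($pattern, '*.') !== 0 || substr_count($pattern, '*') !== 1) {
        return false;
    }
    $suffix = substr($pattern, 1);                         // ".example.com"
    if (substr_count($suffix, '.') < 2 || substr($host, -strlen($suffix)) !== $suffix) {
        return false;
    }
    $label = substr($host, 0, strlen($host) - strlen($suffix));
    return $label !== '' && strpos($label, '.') === false;
}

function diagnoseCert(array $cert, string $expectedHost): array
{
    $names   = certNames($cert);
    $matches = array_filter($names, fn($n) => hostnameMatches($expectedHost, $n));
    return [
        // issuer identical to subject is how a self-signed cert shows up ("s:" == "i:" in
        // s_client output); it is a heuristic, not a substitute for CA-bundle verification.
        'self_signed'      => $cert['subject'] === $cert['issuer'],
        'hostname_matches' => $matches !== [],
        'names_in_cert'    => $names,
        'valid_from'       => gmdate('Y-m-d H:i:s', $cert['validFrom_time_t']),
        'valid_to'         => gmdate('Y-m-d H:i:s', $cert['validTo_time_t']),
    ];
}

$host = $argv[1] ?? 'mailgate.example.invalid';           // placeholder MX host (assumption)
print_r(diagnoseCert(captureStartTlsCert($host), $host));
```

Run it as `php diag.php <mx-host>`. Against a server like the one in the CheckTLS output above it reports `self_signed` true, `hostname_matches` false and `names_in_cert` containing only `localhost.localdomain`, which are the two independent failures (untrusted chain and name mismatch) that a client with verification enabled has to refuse. Because the script disables verification to capture the certificate, nothing in its stream context should be copied into a mail-sending configuration.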

Best Answer

In short: the mail server you try to use is not properly set up for public use. It is using a self-signed certificate, which is not trusted by any client by default. Additionally, the name in the certificate does not match the hostname of the server.

My client uses this mailserver daily (I guess it is an Microsoft Exchange Server) and has no problems whatsoever.

There can be several reasons for this:

  • The client is not aware of the problems since it simply ignores certificate errors
  • The client is not actually using exactly this server and service (host and port) but instead uses a different service on this server, like port 465 (smtps), or does not use SMTP at all but instead the Exchange-specific services. And these might be properly set up.

I was able (some time ago) to perform the workaround suggested here but I don't want to do that anymore since it is not really secure.

Unfortunately, with a broken server setup there are not really good options. But check with the server provider on how secure access is supposed to be done in their setup, because maybe you are not using the system in the way their setup intends.
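As an added example (not code from the question, the answer or PHPMailer), here is what the answer's options look like in PHPMailer's `SMTPOptions`, the array PHPMailer hands to `stream_context_create()`: the insecure workaround, the full verification a properly set-up server would pass, and pinning the provider's actual certificate with PHP's `peer_fingerprint` option as the least-bad choice if the provider will not fix it. The host, addresses, credentials, autoloader path and the environment variable carrying the fingerprint are assumptions.

```php
<?php
// Added example (not from the original post, the answer, or PHPMailer): three
// SMTPOptions configurations for a STARTTLS server that presents a self-signed
// certificate with the wrong name. Host, credentials and paths are placeholders.
declare(strict_types=1);

use PHPMailer\PHPMailer\PHPMailer;

require 'vendor/autoload.php';   // assumption: PHPMailer installed via Composer

// 1. The insecure workaround: no chain check, no name check. Any on-path host
//    presenting any certificate can read and alter the mail and capture the
//    SMTP AUTH credentials. Shown only to make the contrast explicit.
function insecureOptions(): array
{
    return ['ssl' => [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ]];
}

// 2. Proper verification: what works once the provider installs a CA-issued
//    certificate that carries the MX host name. Against the server described
//    above this fails exactly as the PHPMailer log shows.
function verifiedOptions(string $expectedName, ?string $caFile = null): array
{
    $ssl = [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $expectedName,   // the name that must appear in the cert
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;              // e.g. the bundle used with openssl s_client -CAfile
    }
    return ['ssl' => $ssl];
}

// Accept "AB:CD:..." as printed by `openssl x509 -fingerprint -sha256` and return
// what PHP compares against: lowercase hex with no separators.
function normalizeFingerprint(string $fp): string
{
    $hex = strtolower(str_replace([':', ' '], '', trim($fp)));
    if (!preg_match('/^[0-9a-f]{64}$/', $hex)) {
        throw new InvalidArgumentException('expected a SHA-256 fingerprint (64 hex digits)');
    }
    return $hex;
}

// 3. Pin the exact certificate the provider serves. PHP enforces peer_fingerprint
//    whenever it is set, independently of verify_peer/verify_peer_name, so a
//    different certificate (e.g. from an attacker on the path) is rejected even
//    though the chain is untrusted and the CN is localhost.localdomain. Get the
//    digest from the provider out-of-band and expect to update it when they
//    rotate the certificate.
function pinnedOptions(string $sha256Fingerprint): array
{
    return ['ssl' => [
        'verify_peer'       => true,
        'allow_self_signed' => true,    // tolerate the self-signed chain ...
        'verify_peer_name'  => false,   // ... and the wrong CN ...
        'peer_fingerprint'  => ['sha256' => normalizeFingerprint($sha256Fingerprint)], // ... but only THIS cert
    ]];
}

function buildMailer(array $smtpOptions): PHPMailer
{
    $mail = new PHPMailer(true);                           // throw on error instead of returning false
    $mail->isSMTP();
    $mail->Host        = 'mailgate.example.invalid';       // placeholder MX host (assumption)
    $mail->Port        = 25;
    $mail->SMTPSecure  = PHPMailer::ENCRYPTION_STARTTLS;   // STARTTLS, as in the log above
    $mail->SMTPAuth    = true;                             // assumption: provider requires AUTH
    $mail->Username    = 'user@example.invalid';
    $mail->Password    = getenv('SMTP_PASSWORD') ?: '';
    $mail->SMTPOptions = $smtpOptions;
    $mail->SMTPDebug   = 2;                                // same server-level log as in the question
    return $mail;
}

// With the server as described, only (3) both connects and defends against a
// substituted certificate; (1) connects but defends against nothing.
$pin  = getenv('SMTP_CERT_SHA256');                        // assumption: pinned digest via environment
$mail = buildMailer($pin ? pinnedOptions($pin) : verifiedOptions('mailgate.example.invalid', '/etc/ssl/cacert.pem'));
$mail->setFrom('sender@example.invalid');
$mail->addAddress('recipient@example.invalid');
$mail->Subject = 'TLS configuration test';
$mail->Body    = 'Sent over STARTTLS with certificate verification or pinning.';
$mail->send();
```

The fingerprint for (3) can be taken from the same tool used above: `echo QUIT | openssl s_client -crlf -starttls smtp -connect HOST:25 2>/dev/null | openssl x509 -noout -fingerprint -sha256`. Pinning only proves you are talking to the holder of that one certificate, not who that holder is, so confirm the digest with the provider through another channel, and switch back to `verifiedOptions()` as soon as they install a certificate that names the MX host.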