OJS 3.3.0.13 cannot send mail

Hi, I recently upgraded my installation from OJS 3.1.1.4 to 3.3.0.13.

My main mail system is Microsoft Office 365. Since Microsoft activated the new security features (MFA), my installation is no longer sending emails.

I already tried using application passwords and it didn’t work. So as a workaround I’m using a local MTA to relay the messages to 365, as it’s working for other things I’m working with. I tested and the MTA is working fine… The issue is with OJS.

Since my MTA relays mail, all mail received from the account specified without a password is relayed to Office 365.

My configuration has these lines:

;;;;;;;;;;;;;;;;;;
; Email Settings ;
;;;;;;;;;;;;;;;;;;

[email]

; Use SMTP for sending mail instead of mail()
smtp = On

; SMTP server settings
; smtp_server = smtp.office365.com
; smtp_port = 587
smtp_server = 172.16.8.103
smtp_port = 25

; Enable SMTP authentication
; Supported mechanisms: ssl, tls
; smtp_auth = tls
smtp_username = no-reply-revistas@mydomain.com
; smtp_password =

; Allow envelope sender to be specified
; (may not be possible with some server configurations)
allow_envelope_sender = On

; Default envelope sender to use if none is specified elsewhere
default_envelope_sender = no-reply-revistas@usma.ac.pa

; Force the default envelope sender (if present)
; This is useful if setting up a site-wide noreply address
; The reply-to field will be set with the reply-to or from address.
force_default_envelope_sender = On

; Amount of time required between attempts to send non-editorial emails
; in seconds. This can be used to help prevent email relaying via OJS.
time_between_emails = 3600

; Maximum number of recipients that can be included in a single email
; (either as To:, Cc:, or Bcc: addresses) for a non-privileged user
max_recipients = 10

; If enabled, email addresses must be validated before login is possible.
require_validation = On

; Maximum number of days before an unvalidated account expires and is deleted
validation_timeout = 14

The issue I’m having is that every time that I try to send mail through OJS, it returns the “Could not send email, call your administrator”. I tested sending email from the CLI and it works.

What else could I be missing for this to work?

Not an expert in mail myself, but I also had trouble in the past when I moved from OJS 3.2 to 3.3 with Microsoft Office 365… and if I recall correctly, the problem had two main reasons:
a) Microsoft MTA is a mess (different kinds of services under the same umbrella… different standards and settings…)
b) OJS 3.2 and greater: the phpmailer library has changed in OJS 3.3.

My personal conclusion (based on 20 years of observation) is some companies don’t play gentle with standards (because they are the standard) and then things go wrong…

I couldn’t manage to make OJS talk oauth2 in the way M$ demanded, so I used a similar approach as you with a middle smtp relay.

Initially it failed, but when I added the proper SPF records, M$ let me mail again… but I still don’t know why in hell I can’t use oauth2.

Here you have the issue:

You can also take a look at those posts talking about the same/similar issue:

And PKP documentation (not specific for microsoft):

So if you find a solution or you can narrow the problem, I’m really interested in your research… so we can give PKP the right indications to fix this problem (at least till M$ MTA decides to change something else).

Cheers,
m.

Thanks for the info, I’ll check based on the shared resources provided.

I think the issue is related to M$ using SASL. I have other products like GLPI, and other programs developed locally, that need to use SASL smtp libraries. Even now that M$ has forced us to use MFA, accounts of this type have to be created without using MFA, since they are internal accounts and we are the only ones doing the connection from within the application (OJS).

That’s why I’m trying to use a server relay (Postfix) that’s working for me to relay mail to 365. I’ll check and post any of my findings…

Thanks

Hi Marc,

After a lot of testing with the provided info, I can conclude that the issue is a combination of recent changes in standards at M$365, as you pointed out. For that, I redid all my steps for this diagnosis:

My original configuration:

[email]

; Use SMTP for sending mail instead of mail()
smtp = On

; SMTP server settings
smtp_server = smtp.office365.com
smtp_port = 587

; Enable SMTP authentication
; Supported mechanisms: ssl, tls
smtp_auth = tls
smtp_username = no-reply-revistas@usma.ac.pa
smtp_password = *************

; Allow envelope sender to be specified
; (may not be possible with some server configurations)
 allow_envelope_sender = On

; Default envelope sender to use if none is specified elsewhere
 default_envelope_sender = no-reply-revistas@usma.ac.pa

; Force the default envelope sender (if present)
; This is useful if setting up a site-wide noreply address
; The reply-to field will be set with the reply-to or from address.
 force_default_envelope_sender = On

As of today, OJS returns errors trying to send email. This is because of Office 365: they recommend using app passwords, but even using this, then there is the MFA thing to verify access.

If I use OAUTH, there is a lot of stuff at 365 that I have to do, and in the end, even deactivating MFA for the account, OJS didn’t send emails.

Switching to a different scenario:

  • Using an on-premises MTA that relays mail to Office 365, and it’s working. It relays to almost 5 different accounts at the same time.
  • OJS is on another server, different from the mail server.

On premises I have a local MTA with address 172.16.8.103 running on port 25. This server receives mail from printers, databases, and other equipment with their named accounts.

Changed the configuration to this:

[email]

; Use SMTP for sending mail instead of mail()
smtp = On

; SMTP server settings
smtp_server = 172.16.8.103
smtp_port = 25

; Enable SMTP authentication
; Supported mechanisms: ssl, tls
smtp_auth = tls
smtp_username = no-reply-revistas@usma.ac.pa
;smtp_password = *************

; Allow envelope sender to be specified
; (may not be possible with some server configurations)
; allow_envelope_sender = On

; Default envelope sender to use if none is specified elsewhere
 default_envelope_sender = no-reply-revistas@usma.ac.pa

; Force the default envelope sender (if present)
; This is useful if setting up a site-wide noreply address
; The reply-to field will be set with the reply-to or from address.
 force_default_envelope_sender = On

Since I’m relaying, the local MTA doesn’t need local accounts; it only receives and relays emails according to the relay configuration, and this is what happened:

We tried to send email through OJS using the new config; the local MTA received the mail and rejected it. After a lot of trial and error, I realized that PHPMailer is having problems, maybe because the smtp_auth param in PHPMailer is set to yes and obviously the credentials are not complete (no password - local mta doesn’t need authentication :stuck_out_tongue: )
So I changed the config and commented out the smtp_auth in config.inc.php to let PHPMailer in OJS try, and to see if the MTA would receive and send the message, but I had no such luck.
I came to the conclusion that at the PHPMailer layer, the programming is forcing the smtp_auth, smtp_username and smtp_password variables at config.inc.php to be required, and that OJS through phpmailer depends on using a mail system that authenticates accounts, not one that relays.

After a lot of testing, my working configuration with a twist:

[email]

; Use SMTP for sending mail instead of mail()
smtp = On

; SMTP server settings
smtp_server = 172.16.8.103
smtp_port = 25

; Enable SMTP authentication
; Supported mechanisms: ssl, tls
;smtp_auth = tls
;smtp_username = no-reply-revistas@usma.ac.pa
;smtp_password = *************

; Allow envelope sender to be specified
; (may not be possible with some server configurations)
; allow_envelope_sender = On

; Default envelope sender to use if none is specified elsewhere
 default_envelope_sender = no-reply-revistas@usma.ac.pa

; Force the default envelope sender (if present)
; This is useful if setting up a site-wide noreply address
; The reply-to field will be set with the reply-to or from address.
 force_default_envelope_sender = On

Since I’m relaying, the local MTA doesn’t need local accounts, and since it is used inside my local isolated network, it needs no authentication between equipment, only when doing the relaying process between the MTA and Office 365.

The twist applied was at the Office 365 level. After further examination of the postfix queue and the message rejected in the previous scenario, we discovered that when OJS was sending email to the local MTA it used a MAILER-DAEMON account, and when the local MTA received the mail, it tried to send it using the first of the five accounts configured in postfix for mail relay (infraestructura@usma.ac.pa). So at the office365 level, we went to the account infraestructura@usma.ac.pa and gave it permissions to send email as the account no-reply-revistas@usma.ac.pa. After some tests, and checking mailserver logs and the mailbox at no-reply-revistas@usma.ac.pa, the configuration is working.

We already tested this same scenario using the smtp_username parameter and changing allow_envelope_sender to On again, and I sadly report that mail is not delivered.

My conclusions:

  • Since OJS is using PHPMailer as the mail engine in your programming, there is no parameter to tell PHPMailer whether the mail server that I’m going to use requires authentication. I think that the smtp_auth parameter at config.inc.php might be using a logic where, if you use tls, ssl, plain, xoauth, etc., by default the PHPMailer engine assumes that the mail server uses authentication. With a local MTA that only relays, it doesn’t work because PHPMailer forces the use of the user and password to authenticate to the local MTA, which was my scenario.
  • Due to the changes being made at the M$ level, it seems the route is to configure oauth at the M$ level and try to connect using OAUTH in OJS. The challenge here is that when you configure accounts in mail clients using OAUTH with M$365 and the new MFA features, access confirmations need to be done by “humans”, so this might be a challenge. I didn’t try this scenario with OJS, only with thunderbird, and I have to be checking and approving access every certain amount of time. If someone has tested this scenario with oauth in ojs without human dependency, I’d be glad to hear their recommendations and config.
  • Right now, I’m testing the last config posted with my users, so I will post any changes here.
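
The configurations that failed in this thread all left some of smtp_auth, smtp_username and smtp_password active while others were commented out; the one that worked had all three commented out. The following lint for the [email] section is an added example, not part of any post above and not OJS or PHPMailer code. The function names and sample values are assumptions made for illustration; only the key names come from the thread.

```python
# Added example: lint the [email] section of an OJS config.inc.php.
# Key names come from the thread; sample values below are constructed.

def parse_email_section(text):
    """Return active (uncommented) key/value pairs from the [email] section."""
    settings, in_email = {}, False
    for raw in text.splitlines():
        line = raw.strip()  # tolerate the stray leading spaces seen in the thread
        if not line or line.startswith(";"):
            continue  # blank line or commented-out setting
        if line.startswith("["):
            in_email = line.lower() == "[email]"
        elif in_email and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def classify(settings):
    """Classify the SMTP setup and list findings worth a second look."""
    auth_keys = ("smtp_auth", "smtp_username", "smtp_password")
    present = [k for k in auth_keys if settings.get(k)]
    findings = []
    if not present:
        mode = "unauthenticated-relay"
    elif len(present) == len(auth_keys):
        mode = "authenticated"
    else:
        mode = "inconsistent"
        missing = [k for k in auth_keys if k not in present]
        findings.append("partial credentials: missing " + ", ".join(missing))
    if mode != "authenticated" and settings.get("smtp_port") == "587":
        findings.append("port 587 normally requires authentication")
    if mode == "unauthenticated-relay":
        findings.append("relay must restrict which hosts may submit mail")
    return mode, findings

FAILING = """
[email]
smtp_server = 192.0.2.25
smtp_port = 25
; smtp_auth = tls
smtp_username = no-reply@example.org
; smtp_password =
"""
# Same file with the username commented out, as in the working configuration.
WORKING = FAILING.replace("smtp_username", ";smtp_username")

if __name__ == "__main__":
    for name, cfg in (("failing", FAILING), ("working", WORKING)):
        print(name, classify(parse_email_section(cfg)))
```

The relay finding is a reminder that an MTA accepting mail on port 25 without authentication should only accept it from known internal hosts.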