Old PHPMailer (5.1)... and causing "SMTP Error: Could not authenticate"

Hello everybody!

Hoping to be useful, let me say I’m happy to see that Phabricator is using PHPMailer to handle SMTP. That library is used by a very large number of projects in the world, so I know it somewhat well.

Having said that, it seems that Phabricator is using a very old version of PHPMailer: version 5.1 is now 10 years old, I think.

I don’t know if this is a place to talk about the security concerns of using such an old version; anyway, I’m here to note that, because of this, Phabricator actually does not support any SMTP AUTH method other than AUTH LOGIN, because it was hardcoded in PHPMailer 5.1:

So, if someone is having this error with a correct SMTP configuration:

(phpmailerException) SMTP Error: Could not authenticate. at [<phabricator>/externals/phpmailer/class.phpmailer.php:798

It’s because Phabricator is actually hardcoded with AUTH PLAIN and maybe your mailserver expects AUTH LOGIN or whatever.

I think that:

  1. first of all, the documentation could say that the only accepted SMTP AUTH method is actually LOGIN and not PLAIN etc. (this is useful information; it’s somewhat rare that a CMS does not support the customization of the AUTH action, they always have a configuration string with PLAIN, LOGIN, etc.)
  2. then someone should look around for any known CVE for this version and then patch our downstream version to eventually give some backward compatibility fixes if not already done before (P.S. it seems patched, thanks to @epriestley’s notes)
  3. maybe one day Phabricator should advance PHPMailer to a more recent version to add a small option for the AUTH action (e.g. to use LOGIN as well, as supported by the library)

(I’m absolutely independent in giving these fixes and I do not expect you must do this for me. I’m here only in the hope to simplify troubleshooting and maybe improve the software!)

Thank you for reading! :slight_smile:


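As a troubleshooting aid for the mismatch described in the post above, this added example (not part of the original post, and not Phabricator or PHPMailer code) parses an EHLO reply to list the AUTH mechanisms a server advertises and compares them with the single mechanism a client is fixed to. The sample reply, host name and function names are constructed for illustration.

```python
import base64

# Constructed sample EHLO reply (not from the original post): this server
# advertises PLAIN and CRAM-MD5 but not LOGIN.
SAMPLE_EHLO = (
    "250-mail.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)


def advertised_auth(ehlo_reply):
    """Return the set of SASL mechanisms listed in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Each reply line is "250-keyword params" or "250 keyword params".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].replace("=", " ").split()  # tolerate legacy "AUTH=LOGIN"
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs


def diagnose(ehlo_reply, client_mech):
    """Explain whether a client fixed to one mechanism can authenticate."""
    offered = advertised_auth(ehlo_reply)
    if not offered:
        return "server advertises no AUTH (often only offered after STARTTLS)"
    if client_mech.upper() in offered:
        return "ok: server offers " + client_mech.upper()
    return "mismatch: client sends %s, server offers %s" % (
        client_mech.upper(), ", ".join(sorted(offered)))


def login_steps(user, password):
    """AUTH LOGIN: username and password sent as two separate base64 replies."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]


def plain_blob(user, password):
    """AUTH PLAIN: one base64 blob of authzid NUL authcid NUL password."""
    return base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()
```

Both LOGIN and PLAIN only base64-encode the credentials, so either one should be used over a TLS-protected session.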