Hello I have two (or maybe more later) domains:
domain1
domain2
I want to configure Exim (cPanel) to use SendGrid's or Mailgun's SMTP servers. Currently I'm trying with this config in Exim:
**Section: TRANSPORTSTART**

    domain1_smtp:
      driver = smtp
      hosts = smtp.mailgun.org
      hosts_require_auth = smtp.mailgun.org
      hosts_require_tls = smtp.mailgun.org

    domain2_smtp:
      driver = smtp
      hosts = smtp.mailgun.org
      hosts_require_auth = smtp.mailgun.org
      hosts_require_tls = smtp.mailgun.org

**Section: AUTH**

    domain1_login:
      driver = plaintext
      public_name = LOGIN
      client_send = : postmaster#mg.domain1.com : password

    domain2_login:
      driver = plaintext
      public_name = LOGIN1
      client_send = : postmaster#mg.domain2.com : password

**Section: PREROUTER**

    send_via_domain1:
      driver = manualroute
      domains = ! +local_domains
      senders = *#domain1.cm
      transport = domain1_smtp
      route_list = "* smtp.mailgun.org::2525 byname"
      host_find_failed = defer

    send_via_domain2:
      driver = manualroute
      domains = ! +local_domains
      senders = *#domain2.com
      transport = domain2_smtp
      route_list = "* smtp.mailgun.org::2525 byname"
      host_find_failed = defer

When I'm sending email from user#domain1.com I'm getting messages delivered by postmaster#mg.domain1.com and when I'm sending from user#domain2.com I'm getting messages delivered also from postmaster#mg.domain1.com.
I want to have a smarthost for every domain with different credentials. Thanks
I have this setup (VPS + WHM/cPanel + Exim + Mailgun) and after doing some online research, I found a few helpful websites regarding this topic and managed to come up with the correct configuration. Below are the solutions that I'm currently using on my VPS, and I hope they will help you as well. It should solve your "via" problem and might solve the intermittent "550 5.7.1 Relaying denied" error from Mailgun as well:
Go to the "Exim Configuration Editor" in WHM. Choose "Advanced Editor" and insert the configuration below:
Section: AUTH

    mailgun_login:
      driver = plaintext
      public_name = LOGIN
      hide client_send = ": ${extract{login}{${lookup{$sender_address_domain}lsearch{/etc/exim_mailgun}{$value}fail}}} : ${extract{password}{${lookup{$sender_address_domain}lsearch{/etc/exim_mailgun}{$value}fail}}}"

Section: ROUTERSTART

    mailgun:
      driver = manualroute
      domains = ! +local_domains
      transport = mailgun_transport
      route_list = "* smtp.mailgun.org::587 byname"
      host_find_failed = defer
      no_more

Section: TRANSPORTSTART

    mailgun_transport:
      driver = smtp
      hosts = smtp.mailgun.org
      hosts_require_auth = smtp.mailgun.org
      hosts_require_tls = smtp.mailgun.org

Then create a file named /etc/exim_mailgun and insert content similar to the structure below (replace it with your verified Mailgun domain's login credentials):

    domain1.com: login=postmaster#mg.domain1.com password=abcdefghi
    domain2.com: login=postmaster#mg.domain2.com password=jklmnopqr
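
A check for the lookup file described above, as an added example that is not part of the original answer: it parses the `domain: name=value ...` lines, reports sender domains that lack the `login` or `password` key that `client_send` extracts, and flags a file that other users can read, since it stores SMTP passwords in clear text. The function names and the sample entries are constructed for illustration.

```python
import os
import re
import stat
import tempfile

REQUIRED_KEYS = ("login", "password")  # names read by ${extract{...}} in client_send
PAIR_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')


def parse_lsearch(text):
    """Parse 'key: name=value ...' lines; return (entries, shadowed_keys)."""
    entries, shadowed, target = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            data = raw  # continuation line: more data for the previous key
        else:
            key, _, data = raw.partition(":")
            key = key.strip().lower()
            if key in entries:
                shadowed.append(key)  # lsearch returns only the first match
                target = None
            else:
                target = entries.setdefault(key, {})
        if target is not None:
            for name, value in PAIR_RE.findall(data):
                target[name] = value.strip('"')
    return entries, shadowed


def audit(path, sender_domains):
    """Return findings for the credentials file at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: accessible to other users (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        entries, shadowed = parse_lsearch(fh.read())
    findings += [f"{d}: duplicate entry, only the first is used" for d in shadowed]
    for domain in sender_domains:
        creds = entries.get(domain.lower())
        if creds is None:
            findings.append(f"{domain}: no entry, the lookup fails for this sender domain")
            continue
        findings += [f"{domain}: missing '{k}='" for k in REQUIRED_KEYS if not creds.get(k)]
    return findings


# Constructed sample, not real credentials; the second line uses the wrong key name.
SAMPLE = """\
domain1.com: login=postmaster@mg.domain1.com password=abcdefghi
domain2.com: username=postmaster@mg.domain2.com password=jklmnopqr
"""


def demo():
    """Write SAMPLE to a world-readable temp file and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".lsearch", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)
    try:
        return audit(fh.name, ["domain1.com", "domain2.com", "domain3.com"])
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print("\n".join(demo()))
```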
I have Splunk and am trying to enable Splunk SSO instead of normal authentication. I have configurations as follows:
In /opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.1.208
serverName = Splunk_Core_02
pass4SymmKey = $7$RRvdYDdIlj4P2geQdtHluTRb7OfvZhTFTZGJ7z5JiZAkJ6Q1at6j0Q==
sessionTimeout = 30s
[sslConfig]
sslPassword = $7$m6pB5a0PWFg64VlNZGgunhGElO3qLiAc6NrhfLO+tpX2jR7WC7qm1Q==
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[license]
active_group = Enterprise
[diskUsage]
minFreeSpace = 1024
[lmpool:test_splunk]
quota = MAX
slaves = *
stack_id = enterprise
In /opt/splunk/etc/system/local/web.conf
[settings]
#SSO
SSOMode = permissive
trustedIP = 192.168.1.208,192.168.2.15,127.0.0.1
remoteUser = REMOTE-USER
#tools.proxy.on = False
root_endpoint = /splunk
#SSL
enableSplunkWebSSL = 0
httpport = 8000
mgmtHostPort = 127.0.0.1:8089
appServerPorts = 8065
splunkdConnectionTimeout = 30
enableSplunkWebClientNetloc = False
# SSL certificate files.
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
...
When I open the http://192.168.1.208:8000/debug/sso page, I see that SSO is not enabled. What's wrong with my configuration?
Several documents say that in server.conf the trustedIP is 127.0.0.1, but none of them mention that only 127.0.0.1 is eligible to enable/activate SSO. So do not configure any IP address other than 127.0.0.1.
And in server.conf (/opt/splunk/etc/system/local/), you can only configure one trustedIP, and it is 127.0.0.1.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkSSO
Have you restarted splunk after making these changes?
In /opt/splunk/etc/system/local/web.conf,
remoteUser = REMOTE-USER is more likely to be REMOTE_USER
You have to use SAML. I am using SAML for SSO purposes. You need to contact the IT guy and he will provide you with the IDP file; upload it and share with him your Splunk Connection file. You can download it from the same window. Go to Users -> Authentication Method > SAML. Once everything is in place, you have to create groups on AD and do the same thing on Splunk under the SAML configuration. Let me know if you need more details.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/HowSAMLSSOworks
I have a deployment of RabbitMQ that uses its own certificates for end-to-end encryption. It uses both AMQP and MQTT-over-WSS to connect multiple types of clients. AMQP clients are able to connect securely, so I know that the certificate setup is good.
Clients using WS going to ws://hostname:15675/ws can connect fine, but obviously are not secure. Clients attempting to connect to wss://hostname:15676/ws have the connection closed on them. 15676 is the port you will see I have bound the web-mqtt ssl listener to, as shown below. I've gone through both the networking and tls help guide by RabbitMQ, and I see the port correctly bound and can confirm it is exposed and available to the client.
The relevant rabbit.conf:
listeners.tcp.default = 5671
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/fullchain.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/privkey.pem
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = /path/to/fullchain.pem
web_mqtt.ssl.certfile = /path/to/cert.pem
web_mqtt.ssl.keyfile = /path/to/privkey.pem
Basically, I'm wondering if I have the connection string wrong (wss://hostname:15675/ws)? Do I need to go to /wss? Is it a problem my client is a browser running on localhost -- not HTTPS? Do I have a configuration set incorrectly -- am I missing one?
If there is a better source of documentation/examples of this plugin beyond the RabbitMQ website, I would also be interested.
Maybe it is a configuration mismatch.
If there is a password for the private key file, you need to add it as well.
Refer to the following sample rabbitmq.conf:
listeners.ssl.default = 5671
ssl_options.cacertfile = <path/ca-bundle (.pem/.cabundle)>
ssl_options.certfile = <path/cert (.pem/.crt)>
ssl_options.keyfile = <path/key (.pem/.key)>
ssl_options.password = <your private key password>
ssl_options.versions.1 = tlsv1.3
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384
ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256
ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256
ssl_options.ciphers.4 = TLS_AES_128_CCM_SHA256
ssl_options.ciphers.5 = TLS_AES_128_CCM_8_SHA256
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = <path/ca-bundle (.pem/.cabundle)>
web_mqtt.ssl.certfile = <path/crt (.pem/.crt)>
web_mqtt.ssl.keyfile = <path/key (.pem/.key)>
web_mqtt.ssl.password = <your private key password>
web_mqtt.ssl.honor_cipher_order = true
web_mqtt.ssl.honor_ecc_order = true
web_mqtt.ssl.client_renegotiation = false
web_mqtt.ssl.secure_renegotiate = true
web_mqtt.ssl.versions.1 = tlsv1.2
web_mqtt.ssl.versions.2 = tlsv1.1
web_mqtt.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384
This is a working configuration file for the rabbitmq-server on Ubuntu 20.04.
Restart the rabbitmq-server.
List the listener ports and make sure that the SSL ports are enabled (rabbitmq-diagnostics listeners).
Test the SSL (testssl localhost:16567).
Also test with telnet (telnet localhost 16567).
Please refer to https://www.rabbitmq.com/ssl.html#erlang-otp-requirements and troubleshooting.
This worked for me :-)
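
A lint pass over the two configurations quoted in this thread, as an added example that is not from the original posts or from RabbitMQ: it flags a plain TCP and a TLS listener on the same port, deprecated TLS versions, static-ECDH cipher suites, and a client URL whose port does not match `web_mqtt.ssl.port`. The function names and the choice of checks are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

WEAK_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}  # deprecated: RFC 7568, RFC 8996


def parse_conf(text):
    """Parse rabbitmq.conf 'key = value' lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def lint(conf):
    """Return findings about listener ports and TLS settings."""
    findings = []
    tcp = {v for k, v in conf.items() if k.startswith("listeners.tcp.")}
    tls = {v for k, v in conf.items() if k.startswith("listeners.ssl.")}
    for port in sorted(tcp & tls):
        findings.append(f"plain TCP and TLS listeners both bind {port}")
    for prefix in ("ssl_options", "web_mqtt.ssl"):
        for key, value in conf.items():
            if key.startswith(f"{prefix}.versions.") and value.lower() in WEAK_VERSIONS:
                findings.append(f"{key} enables deprecated {value}")
            if key.startswith(f"{prefix}.ciphers.") and value.startswith("ECDH-"):
                findings.append(f"{key} = {value}: static ECDH, no forward secrecy")
        if conf.get(f"{prefix}.verify") == "verify_none":
            findings.append(f"{prefix}.verify = verify_none: peer certificates are not verified")
    if "web_mqtt.ssl.port" in conf:
        for name in ("certfile", "keyfile"):
            if f"web_mqtt.ssl.{name}" not in conf:
                findings.append(f"web_mqtt.ssl.{name} is not set for the TLS listener")
    return findings


def check_client_url(conf, url):
    """Compare a Web MQTT client URL with the TLS port; None means consistent."""
    parts = urlsplit(url)
    tls_port = conf.get("web_mqtt.ssl.port")
    if parts.scheme == "wss" and str(parts.port) != tls_port:
        return f"{url}: wss must target web_mqtt.ssl.port {tls_port}, not {parts.port}"
    if parts.scheme == "ws" and str(parts.port) == tls_port:
        return f"{url}: plain ws sent to TLS port {tls_port}"
    return None


# Excerpts constructed from the two configurations quoted in this thread.
QUESTION_CONF = parse_conf("""\
listeners.tcp.default = 5671
listeners.ssl.default = 5671
ssl_options.verify = verify_none
web_mqtt.ssl.port = 15676
web_mqtt.ssl.certfile = /path/to/cert.pem
web_mqtt.ssl.keyfile = /path/to/privkey.pem
""")
ANSWER_CONF = parse_conf("""\
web_mqtt.ssl.port = 15676
web_mqtt.ssl.certfile = /path/cert.pem
web_mqtt.ssl.keyfile = /path/key.pem
web_mqtt.ssl.versions.1 = tlsv1.2
web_mqtt.ssl.versions.2 = tlsv1.1
web_mqtt.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
""")

if __name__ == "__main__":
    for finding in lint(QUESTION_CONF) + lint(ANSWER_CONF):
        print(finding)
    print(check_client_url(QUESTION_CONF, "wss://hostname:15675/ws"))
```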
I have an SSL proxy server and I want to scrape an https site. I mean the connection between scrapy and the proxy is encrypted, then the proxy will open a connection to the website.
After some debugging I found the following:
Currently scrapy handles the situation as follows:
If the site is http, it uses ScrapyProxyAgent, which sends a client hello and then sends a connect request for the website to the proxy.
But if the site is https, it uses a TunnelingAgent, which does not send a client hello to the proxy, and hence the connection is terminated.
What I need is to tell scrapy to first establish a connection via ScrapyProxyAgent and then use a TunnelingAgent; I'm not sure how to do that.
I tried to create an https handler in DOWNLOAD_HANDLERS, but I'm not much of an expert:

    # Private Scrapy names; import paths may differ between Scrapy versions.
    from time import time
    from urllib.parse import urldefrag

    from twisted.internet import reactor
    from twisted.web.http_headers import Headers as TxHeaders

    from scrapy.core.downloader.handlers.http11 import (
        HTTP11DownloadHandler, ScrapyProxyAgent, TunnelingAgent, _RequestBodyProducer)
    from scrapy.core.downloader.webclient import _parse
    from scrapy.utils.python import to_bytes, to_unicode


    class MyHTTPDownloader(HTTP11DownloadHandler):
        def download_request(self, request, spider):
            """Return a deferred for the HTTP download"""
            timeout = request.meta.get('download_timeout') or self._connectTimeout
            bindaddress = request.meta.get('bindaddress')
            proxy = request.meta.get('proxy')
            # Agent that talks to the proxy itself.
            agent = ScrapyProxyAgent(reactor, proxyURI=to_bytes(proxy, encoding='ascii'),
                                     connectTimeout=timeout, bindAddress=bindaddress,
                                     pool=self._pool)
            _, _, proxyHost, proxyPort, proxyParams = _parse(proxy)
            proxyHost = to_unicode(proxyHost)
            url = urldefrag(request.url)[0]
            method = to_bytes(request.method)
            headers = TxHeaders(request.headers)
            omitConnectTunnel = b'noconnect' in proxyParams
            proxyConf = (proxyHost, proxyPort,
                         request.headers.get(b'Proxy-Authorization', None))
            if request.body:
                bodyproducer = _RequestBodyProducer(request.body)
            elif method == b'POST':
                bodyproducer = _RequestBodyProducer(b'')
            else:
                bodyproducer = None
            start_time = time()
            # Created but not used yet: chaining it after the proxy connection
            # is the open question of this post.
            tunnelingAgent = TunnelingAgent(reactor, proxyConf,
                                            contextFactory=self._contextFactory,
                                            connectTimeout=timeout,
                                            bindAddress=bindaddress, pool=self._pool)
            return agent.request(method, to_bytes(url, encoding='ascii'), headers, bodyproducer)

I need to establish a tunnel after the proxy agent is connected.
Is that even possible?
Thanks in advance
We have an internet facing MX server whereby all users authenticate their outgoing connection to submit emails via port 587. This MX server routes incoming mail for our domain to an internal postfix smtp server which then delivers mail to local imap servers.
The internal postfix smtp server uses LDAP alias_maps = ldap:/etc/postfix/ldap-aliases.cf, to look up which imap server a user's mailbox resides on.
There is a postfix option...
reject_sender_login_mismatch
that can be mapped...
smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf
However - I get the following error
Jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
No users authenticate to the internal postfix smtp server - all it does is route emails from the MX server. I believe the reason I see the warning "no SASL support" is because postfix doesn't handle the authentication as it's taken care of by the MX server.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
unknown_local_recipient_reject_code = 550
However, with a different config "smtpd_sender_restrictions = reject_unverified_sender"
If the "envelope From field" contains an invalid forged address the following is logged - which is great to stop unknown email address being forged - but doesn't help if it's forged with a known email address.
NOQUEUE: reject: RCPT from mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7 : Sender address rejected: unverified address: unknown user: "hejem"; from= to= proto=ESMTP helo=
-bash-4.1$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.xxx.0/21, xxx.xxx.xxx.0/22, xxx.0.0.0/xxx, xxx.xxx.0.0/12, xxx.xxx.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_restrictions = reject_unverified_sender
What I want to achieve is for my local internal postfix to check the "envelope From field" to ensure it has not been spoofed, by knowing the sending user's username and looking up its assigned "From" aliases in LDAP; if it doesn't match, i.e. they're spoofing, then reject the mail.
Any advice how to implement this check in postfix?
Thanks
Firstly, it is not considered a good practice to activate reject_unverified_sender in postfix services. If you want to prevent mails being sent from non-existing addresses in your domain, you should prefer reject_unlisted_sender.
You cannot be sure about spoofing of existing mail addresses without activating an authentication (SASL) mechanism on the postfix service. Thus, to prevent spoofing of existing addresses:
Make sure that smtpd_sender_login_maps is properly configured.
Activate SASL authentication on postfix
Configure reject_authenticated_sender_login_mismatch or reject_sender_login_mismatch depending on your preference.
Further Reading (from postfix SASL documentation)
Envelope sender address authorization
By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.
This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:
/etc/postfix/main.cf:
    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders

    smtpd_recipient_restrictions =
        ...
        reject_sender_login_mismatch
        permit_sasl_authenticated
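
A small model of the decision the three sender-login restrictions make, as an added example that is not Postfix code and not part of the original answer or the quoted documentation. It shows why `reject_authenticated_sender_login_mismatch` never fires on a relay where nobody authenticates, which is the situation in the question. The table contents are constructed, and the lookup is simplified to `user@domain` followed by `@domain`.

```python
import re

DUNNO = "DUNNO"  # no decision: Postfix continues with the next restriction


def owners_of(sender, login_maps):
    """Return the set of SASL logins owning `sender`, or None if it is unlisted.

    Simplified lookup order: user@domain, then @domain.
    """
    user, _, domain = sender.lower().rpartition("@")
    for key in (f"{user}@{domain}", f"@{domain}"):
        if key in login_maps:
            return set(re.split(r"[,\s]+", login_maps[key].strip()))
    return None


def check(restriction, sender, sasl_login, login_maps):
    """Model one sender-login restriction; sasl_login is None without SASL auth."""
    authenticated = sasl_login is not None
    scope = {
        "reject_sender_login_mismatch": True,
        "reject_authenticated_sender_login_mismatch": authenticated,
        "reject_unauthenticated_sender_login_mismatch": not authenticated,
    }
    if not scope[restriction]:
        return DUNNO
    owners = owners_of(sender, login_maps)
    if authenticated:
        # A logged-in client must own the address; unlisted addresses are rejected too.
        if owners is None or sasl_login not in owners:
            return f"REJECT {sender}: not owned by user {sasl_login}"
        return DUNNO
    if owners is not None:
        # The address has an owner, but the client did not log in.
        return f"REJECT {sender}: not logged in"
    return DUNNO


# Constructed table in the shape of smtpd_sender_login_maps (address -> owners).
LOGIN_MAPS = {
    "alice@domain1.com": "alice",
    "sales@domain1.com": "alice, bob",
}

if __name__ == "__main__":
    cases = [
        ("reject_sender_login_mismatch", "alice@domain1.com", "alice"),
        ("reject_sender_login_mismatch", "alice@domain1.com", "bob"),
        ("reject_sender_login_mismatch", "alice@domain1.com", None),
        # The internal relay in the question: no SASL, so this never rejects.
        ("reject_authenticated_sender_login_mismatch", "alice@domain1.com", None),
    ]
    for restriction, sender, login in cases:
        print(restriction, sender, login, "->", check(restriction, sender, login, LOGIN_MAPS))
```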
I am new to Mantis bug tracker and I want to enable the email notification after registering for a new account.
Well, I installed the MantisBT correctly without any problem on my local computer, I already changed the admin's password and removed the admin folder in the directory. After this I signed up for a new account, there was a confirmation message flashed saying that I need to verify my registration via email. My problem here is that no verification message was sent to my email. According to one of the tutorials I found, I need to configure first my config_inc.php. After the installation, the initial content of my config_inc.php was
<?php
$g_hostname = 'localhost';
$g_db_username = '<myUser>';
$g_db_password = '<myPass>';
$g_database_name = 'bugtracker';
$g_db_type = 'mysql';
?>
So I changed it to.
*I am using my gmail account here
<?php
$g_hostname = 'localhost';
$g_db_username = '<myUser>';
$g_db_password = '<myPass>';
$g_database_name = 'bugtracker';
$g_db_type = 'mysql';
$g_allow_signup = ON;
$g_allow_anonymous_login = OFF;
$g_anonymous_account = '';
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_username = '<myUser#gmail.com>';
$g_smtp_password = '<myPass>';
$g_administrator_email = '<myUser#gmail.com>';
$g_webmaster_email = '<myUser#gmail.com>';
$g_from_name = 'Mantis Bug Tracker';
$g_from_email = '<myUser#gmail.com>';
$g_return_path_email = '<myUser#gmail.com>';
$g_email_receive_own = OFF;
$g_email_send_using_cronjob = OFF;
$g_allow_file_upload = ON;
$g_file_upload_method = DATABASE;
$g_absolute_path_default_upload_folder = '';
$g_max_file_size = 5000000;
$g_preview_attachments_inline_max_size = 256 * 1024;
$g_allowed_files = '';
$g_disallowed_files = '';
$g_window_title = 'MantisBT';
$g_logo_image = 'images/mantis_logo.gif';
$g_favicon_image = 'images/favicon.ico';
$g_show_realname = OFF;
$g_show_user_realname_threshold = NOBODY;
$g_default_home_page = 'my_view_page.php';
?>
I overwrote my config_inc.php with this one and then registered for a new account. After submitting the information, an error occurred saying:
Fatal error: Call to undefined method SMTP::getError() in < myDirectory >\mantis\library\phpmailer\class.phpmailer.php on line 1910.
And now I'm stuck, please help me with this, I need to set up my email notification. I was just creating accounts but I cannot use them because I need to verify them.
Please let me know if I need to modify some of the related files and what are the steps.
Thanks for the help!
According to a posting on the MantisBT forums, these are working settings for GMail:
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_username = 'username#gmail.com';
$g_smtp_password = 'yourpassword';
$g_smtp_connection_mode = 'ssl';
$g_smtp_port = 465;
Something to add about GMail. These settings are correct but GMail has instituted some new security that will still prevent email from being sent from Mantis or any other mailer using the SMTP connector.
In order to do this with GMail, you must "Allow less secure apps to access accounts". In GMail admin, there is a setting to allow users to control access from "less secure apps," which must be turned on, and then the user account used to send mail must turn on access from "less secure apps." The link above provides the information on how to configure this.
The frustrating thing is everything will appear to work fine but no emails are sent. There is no error indication from the SMTP server. However, the user account used to send mail may receive an email from GMail indicating someone is trying to access the account. I spent hours trying to track this down.
If anyone still faces an issue or error during configuration, add a log level so that you can drill down into the problem further. The settings below worked for me. A detailed explanation is written here
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_port = '465';
$g_smtp_connection_mode = 'ssl';
$g_smtp_username = 'letzdotesting#gmail.com';
$g_smtp_password = 'xxxxx';
$g_administrator_email = 'letzdotesting#gmail.com';
$g_webmaster_email = 'letzdotesting#gmail.com';
$g_from_email = 'letzdotesting#gmail.com';
$g_return_path_email = 'letzdotesting#gmail.com';
$g_default_timezone = 'UTC';
$g_log_level = LOG_EMAIL | LOG_EMAIL_RECIPIENT;
$g_log_destination = 'file:C:\mantisbt.log';
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_username = 'username'; // without #gmail.com
$g_smtp_password = 'password';
$g_smtp_connection_mode = 'ssl';
$g_smtp_port = 465;
It works for me
2017 update (MantisBT 2.3.0) Please follow the steps below:
[1] IF YOU'RE USING DOCKER
Access the docker instance running the command below:
docker exec -it {docker-id} bash
[2] INSIDE MANTISBT SERVER
If you don't have any editor:
# sudo apt-get update
# apt-get install vim
create a log file:
# touch /var/log/mantisbt.log
# cd /var/log/
# chmod 777 mantisbt.log
[3] EDITING MANTISBT CONFIGURATION
# vim /var/www/html/config/config_inc.php
add the following content to the file opened in the earlier step:
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_administrator_email = 'your-admin-email#gmail.com';
$g_webmaster_email = 'your-webmaster-email#gmail.com';
$g_return_path_email = 'your-return-email#gmail.com';
$g_from_email = 'your-from-email#gmail.com';
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_port = 465;
$g_smtp_connection_mode = 'ssl';
$g_smtp_username = 'username';
$g_smtp_password = 'password';
$g_log_level = LOG_EMAIL | LOG_EMAIL_RECIPIENT;
$g_log_destination = 'file:/var/log/mantisbt.log';
$g_validate_email = OFF;
[4] EDITING GMAIL CONFIGURATION
You need to do this in order to allow MantisBT authentication:
Access the following URL:
https://myaccount.google.com
Navigate to the Sign-in & Security menu-item under menu-tree.
Check the "Allow less secure apps" option and set it to true
You're good to go!
Tested and running with these configurations. =]
My issue was solved by updating ca certificates.
I am using Xampp, with PHP 7.2 on Windows Server 2012.
Although the link below provides you with the details, I mention the relevant part too:
Updating CA certificates
To update your CA certificates, make sure
your operating system is fully up to date - CA certs are usually
updated via OS updates. Alternatively, you can download the latest CA
cert file from curl, install it somewhere accessible (for example
/etc/ssl/cacert.pem) and point at it from the openssl.cafile and
curl.cainfo directives in your php.ini file (this location will vary
according to your OS and PHP config; where you need to put it is
beyond the scope of PHPMailer!):
openssl.cafile = /etc/ssl/cacert.pem
curl.cainfo = /etc/ssl/cacert.pem
https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#updating-ca-certificates