Can't send mails using gmail with EmailTransport configured as described in cookbook 4

Using Cookbook - Mailer I managed to send CakePHP-mail using my hoster. No problem there.

I wanted to make an extra transport to send mail using gmail. Google-account is set to accept less secure apps. In app.php I added an EmailTransport as described in the cookbook:

‘gmail’ => [
‘host’ => ‘’,
‘port’ => 587,
‘username’ => ‘’,
‘password’ => ‘secret’,
‘className’ => ‘Smtp’,
‘tls’ => true

These settings seems equal to SMTP-settings Google is giving.

The email delivery profile stays untouched.

In the controller I setTransport to gmail, the other fields (like subject etc) are equal to those when using my hoster.

Using ‘tls=false’ gives:

So I guess SMTP-server is not accepting the connection.

Deliberatly using wrong account/password gives same error (tested succesfully account/password to login in google-account).

Using the ssl-setting given in the cookbook gives ‘an’ error too:

'host' => 'ssl://',
'port' => 465,
'username' => '',
'password' => 'secret',
'className' => 'Smtp'


So what to do next?

Hi drtrppr
It is a fairly good possibilty that your errors are happening due to your anti-virus software. (I’m assuming you are running anti-virus software)
I get your first reported error when running AntiVirus free. When I temporarily turn it off the email works fine.
Did you have an error just above your first reported error similair to this:
[ **Warning** (2)](javascript:void(0);): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ **CORE\src\Network\Socket.php** , line **475** ]

It appears the anti-virus software has a negative effect when cake attempts to verify the TLS server certificate.

1 Like

Robertkendrick, thanks for reply.

You not only could have assumpted that I was running anti-virus software, you may as well have assumpted that I was running AntiVirus free!

And yes, the AntiVirus free is the problem. Nowadays it’s appently not possible anymore to disable the program with a one-click action, and you have to shut down different components separately?

I deactivated the scanning of the outbound mail, and now I’m able to send mails using gmail.

My problem seems solved, question is if it’s a typically ‘AntiVirus free / Gmail’ issue or a generic ‘anti-virus software / Gmail’ issue? Because mail using my hoster isn’t a problem, it doesn’t seem a generic antivirus free issue.

And how bad is it to disable the scanning of the outbound mail? I guess that’s there’s a bigger risc now that I’m spreading virusses? Maybe just using the windows-virusscanner is enough nowadays (I’m using antivirus free out of habbit I think)?

Didn’t see this was one, but maybe I’m not looking at the right place.

I have no idea why Antivirus free behaves this way.
Found this link from their forum but it doesn’t resolve anything.

Also cannot understand why ‘normal’ mail clients on my machine work ok - including the more secure gmail.
Still reseaching …

Ok. This ‘certificate’ stuff is a career in itself. It would’nt leave you much time for app development.
However, this is my understanding of the problem along with a solution. Note, this is my understanding, it may not be completely accurate.
AVG installs a self signed certificate into your web browser so that it can become the middle man in web/email traffic. This is how it is able to scan your web and email data for viruses.
This works for web requests and ‘normal’ email clients because your browser has this self signed certificate to verify credentials against. Most browsers have the option to view the certificates that are installed. If you look you will see the AVG one.
Problem is PHP does not, by default, allow self signed certicates - hence the error mesages.
To configure your email transports to allow self signed certificates add:
‘context’ => [
‘ssl’ => [
‘verify_peer’ => false,
‘verify_peer_name’ => false,
‘allow_self_signed’ => true
to the transport configurations in config/app.php

You will then notice that any emails sent have the:
‘This email has been checked for viruses by AVG.’

I’m not totally sure what the security implications of doing this are but hope to find out with further investigation.

Yep, I’m glad you indicated what the problem is. This seems a problem to be solved by email-protocol specialists, for sure that’s not me (I even didn’t know what TLS stands for).

But what puzzles is that using a hoster this doesn’t seem to be a problem. The mail servers of a hoster and Google use different protocols/configurations?

Default seems to be ‘Add a signature to the end of the mails’. Because you mentioning it, I’ve never noticed it in my mails. Will keep an eye on that.

Quick update.
I tested this config:
‘context’ => [
‘ssl’ => [
‘verify_peer’ => false,
‘verify_peer_name’ => false,
‘allow_self_signed’ => true

if you comment out
// ‘verify_peer_name’ => false,
// ‘allow_self_signed’ => true
the emails are still sent ok after being scanned by AVG.
So it appears that
‘verify_peer’ => false,
is the line that allows the emails to work.

Online comments about this indicate that this line stops the certificate(s) being verified !!!
Don’t like the sound of this. I think I would rather have AVG not scan the email for viruses than do away with certificate security.

If your hoster is using SMTP than its using the same protocol as gmail. What is almost certainly different is how authentication is carried out before you are allowed to send and whether a ‘middle man’ certificate is inserted into the process to scan sent emails…What port is your hoster using to send emails (25) ?

But at least you have a choice what risc to take :). Suppose sending 10.000 mails with your standard e-mail client and 10 mails sending with a CakeePHP app.

Keep wondering if this is just an AVG-issue, I will purge the AVG and use the windows virus-scanner instead.

Yes, but I realized I don’t have to state ‘tls’ => true’. So it’s not using tls I guess, and according to the error message you received (‘tls_process_server_certificate:certificate verify failed’) it’s in the tls.

Default Windows10 virus detection doesn’t give a problem, so i’ll stick to that. No idea how much risc on receiving/sending virusses raises, whether microsoft uses those self signed certificates, it’s far beyond my knowledge. Hope there is still a basic protection.

So, bad idea after all. Appears I’m using apps that will not work with the Google-account set to accept less secure apps. When set to accept only secure apps, I get errors, as expected (password errors).