Must issue a STARTTLS command first #16221

Open
opened 2026-02-22 02:55:07 -05:00 by deekerman · 8 comments

Originally created by @enoch85 on GitHub (Oct 14, 2024).

qBittorrent & operating system versions

qBittorrent v4.6.7 Web UI (64-bit)
Debian 12
Docker Version: 27.3.1

What is the problem?

Similar to this issue: https://github.com/qbittorrent/qBittorrent/issues/1845

Trying to send email with Protonmail results in the error described. Tried all different combinations with and without SMTP SSL AUTH, `:587` and so on. Nothing works. I either get `Email Notification Error: <mail from> was rejected by server, msg: 530 5.7.0 Must issue a STARTTLS command first` or `Email Notification Error: Error during SSL handshake: error:0A00010B:SSL routines::wrong version number`

Steps to reproduce

  1. Try to set up SMTP from [Protonmail](https://proton.me/support/smtp-submission)
  2. Notice it fails

Additional context

No response

Log(s) & preferences file(s)

```
(W) 2024-10-14T22:36:00 - Email Notification Error: Error during SSL handshake: error:0A00010B:SSL routines::wrong version number
(W) 2024-10-14T22:29:06 - Email Notification Error: <mail from> was rejected by server, msg: 530 5.7.0 Must issue a STARTTLS command first
```


@KETHER-NOIR commented on GitHub (May 3, 2025):

I was trying to set up qBittorrent on my NAS today and encountered this issue as well. Exact same error messages, both with or without port number appended. I was trying to send notifications through my iCloud account. I was trying to figure out which SSL version qbit and iCloud use and how to match them. I could not find such information.


@luzpaz commented on GitHub (May 3, 2025):

@KETHER-NOIR full qbit about info please


@Rick-van-Dam commented on GitHub (Aug 22, 2025):

I am seeing this bug as well with Proton. This is the relevant config:

```
[Preferences]
MailNotification\email=foo@proton.me
MailNotification\enabled=true
MailNotification\password=yourstrongpassword
MailNotification\req_auth=true
MailNotification\req_ssl=true
MailNotification\sender=foo@yourdomain.com
MailNotification\smtp_server=smtp.protonmail.ch
MailNotification\username=foo@yourdomain.com
```

I don't see any port number or anything else that would make it use STARTTLS (port 587).


@LewpyUK commented on GitHub (Feb 6, 2026):

I wanted to use TLS for SMTP notifications, and came across this issue with qBittorrent v5.1.4.
I believe it is because the code is set up to either support unencrypted SMTP (default over port 25) or encrypted SMTPS (default over port 465).
What it doesn't correctly support is STARTTLS, where the connection starts unencrypted (defaults are either port 25 [STARTTLS generally optional] or port 587 [STARTTLS generally enforced]) and then moves to an encrypted TLS connection.
I believe this is down to a fairly simple logic flaw in `smtp.cpp`, whereby the Boolean variable `m_useSsl` is used to indicate that an SMTPS session has been started but is then also used to control whether a STARTTLS command can be sent.
This means the STARTTLS will only be sent if the connection is already encrypted using the SMTPS protocol, and will never allow an unencrypted SMTP session to switch to TLS: this kind of defeats the purpose of the STARTTLS command.
The enforcement of using TLS encryption is becoming standard across a lot of SMTP servers, so it would be good if qBittorrent could be changed to allow the proper use of STARTTLS.
The code in question is

```cpp
#ifndef QT_NO_OPENSSL
    if (pref->getMailNotificationSMTPSSL())
    {
        m_socket->connectToHostEncrypted(serverAddress, serverPort.value_or(DEFAULT_PORT_SSL));
        m_useSsl = true;
    }
    else
    {
#endif
        m_socket->connectToHost(serverAddress, serverPort.value_or(DEFAULT_PORT));
        m_useSsl = false;
#ifndef QT_NO_OPENSSL
    }
#endif
```

and then

```cpp
if (m_extensions.contains(u"STARTTLS"_s) && m_useSsl)
{
    qDebug() << "STARTTLS";
    startTLS();
}
else
{
    authenticate();
}
```

I think another GUI option and variable is required to control whether STARTTLS is used (as opposed to SMTPS).
The simpler option is to always use STARTTLS if it is offered (assuming `QT_NO_OPENSSL` isn't defined), but that could lead to compatibility issues.
Unfortunately, I am not in a position at the moment to be able to make a test code change [like enforce STARTTLS by removing the check against `m_useSsl`] and compile/test the whole application to verify my hypothesis :(

Technically, SMTPS is more secure (the whole transfer is encrypted) but it is not widely supported, whereas STARTTLS is generally supported by most public SMTP servers as it is more widely compatible (even if the initial connection is unencrypted until the STARTTLS command is issued), so supporting STARTTLS properly would be a good thing these days.

@LewpyUK commented on GitHub (Feb 13, 2026):

I got some time, so set up my computer to be able to compile qBittorrent successfully.
I then made a simple edit to `smtp.cpp` and removed the check on `m_useSsl` before issuing the STARTTLS command, and now my qBittorrent client sends SMTP messages over port 25 using STARTTLS that are encrypted with TLS 1.3 :)

```cpp
if (m_extensions.contains(u"STARTTLS"_s))
{
    qDebug() << "STARTTLS";
    startTLS();
}
else
{
    authenticate();
}
```

SMTP headers contain this

```
Received: from <my qBittorrent client> (x.x.x.x) by xxxxxxxx.mail.protection.outlook.com (10.167.240.7) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9611.8 via Frontend Transport; Fri, 13 Feb 2026 08:43:18 +0000
```

Like I say, I think some better logic is needed to allow STARTTLS to be disabled if it causes problems in some scenarios, but having it working would be good.


@enoch85 commented on GitHub (Feb 13, 2026):

@LewpyUK maybe you can send a PR?


@LewpyUK commented on GitHub (Feb 13, 2026):

> maybe you can send a PR?

My modification is a Proof of Concept, really.
Unfortunately, I believe the change requires many more things, like a new preference, a modification to the Settings GUI for a new tick box, etc.
This would then have implications on translation strings for the application as well.
All of these elements I do not understand, so I can't make all the code changes required.
Maybe I will dig deeper into the Project and the particular code that they use, but I doubt I would have the confidence to be able to submit a "fully fit" PR for it all.
I think a preference such as

```
[Preferences]
MailNotification\use_starttls=true
```

and then a settings check box above "This server requires a secure connection (SSL)" in the Downloads section that says something like `Use STARTTLS if available (opportunistic encryption)`.
Then a Boolean variable such as `m_useStartTls` in `smtp.cpp` can be used to control STARTTLS, rather than `m_useSsl`.
So I can see what needs to be done, just not sure how to do it all myself.


@LewpyUK commented on GitHub (Feb 14, 2026):

@enoch85 I looked deeper into the whole qBittorrent source code, and realised it was quite straightforward to add another preference to the settings and GUI [I spent more time messing around with Git 😬]. So I have submitted what I think is a complete PR to deal with this properly.
Maybe a future change would be another option to enforce STARTTLS for the security-conscious, so that the email sending attempt is aborted if STARTTLS isn't available (for those that only want to send encrypted emails and SMTPS isn't available).
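
The STARTTLS gating discussed in this thread (the `m_useSsl` check, the proposed opportunistic preference, and the suggested "enforce" option), modelled as a stand-alone added example; it is not qBittorrent's code and not the submitted PR. `TlsMode`, `Action`, `parseEhlo`, `quotedGate`, `nextStep` and the sample EHLO reply are hypothetical names and constructed data.

```cpp
#include <cctype>
#include <set>
#include <sstream>
#include <string>

// All names here are hypothetical; this is not qBittorrent's smtp.cpp.
enum class TlsMode { None, ImplicitTls, StartTlsIfOffered, StartTlsRequired };
enum class Action { StartTls, Authenticate, Abort };

// Collect extension keywords from a multi-line EHLO reply ("250-KEYWORD args").
std::set<std::string> parseEhlo(const std::string &reply)
{
    std::set<std::string> ext;
    std::istringstream in(reply);
    std::string line;
    bool greeting = true;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.size() < 5 || line.compare(0, 3, "250") != 0) continue;
        if (greeting) { greeting = false; continue; } // first line names the server
        std::string kw = line.substr(4, line.find(' ', 4) - 4);
        for (char &c : kw) c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
        ext.insert(kw);
    }
    return ext;
}

// The gate as quoted in the issue: STARTTLS only when the session is already SMTPS.
Action quotedGate(bool useSsl, const std::set<std::string> &ext)
{
    return (ext.count("STARTTLS") && useSsl) ? Action::StartTls : Action::Authenticate;
}

// Gate keyed on the configured mode and on whether the channel is encrypted yet.
Action nextStep(TlsMode mode, bool encrypted, const std::set<std::string> &ext)
{
    if (encrypted) return Action::Authenticate; // SMTPS, or STARTTLS already completed
    const bool offered = ext.count("STARTTLS") > 0;
    if (mode == TlsMode::StartTlsRequired) return offered ? Action::StartTls : Action::Abort;
    if (mode == TlsMode::StartTlsIfOffered && offered) return Action::StartTls;
    if (mode == TlsMode::ImplicitTls) return Action::Abort; // handshake should precede EHLO
    return Action::Authenticate; // cleartext: None, or opportunistic with no offer
}

// Constructed sample: EHLO reply of a submission server before TLS.
const std::string SAMPLE_EHLO = "250-mail.example.test\r\n250-SIZE 35882577\r\n"
                                "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n";

int main() { return nextStep(TlsMode::StartTlsIfOffered, false, parseEhlo(SAMPLE_EHLO)) == Action::StartTls ? 0 : 1; }
```

After a successful STARTTLS the client has to send EHLO again and use only the new extension list (RFC 3207), which is why `nextStep` takes the current `encrypted` state. In opportunistic mode a reply that lacks STARTTLS falls through to cleartext authentication; only the required mode aborts.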
