swiftmailer uses starttls with strict certificate checking #752

Closed
nickhilliard opened this issue Nov 18, 2021 · 5 comments

@nickhilliard
Member

If STARTTLS fails, it throws up something like the following error:

Server Error :: stream_socket_enable_crypto(): Peer certificate CN=`blah.example.com' did not match expected CN=`localhost'

There's no clear indication here that the root cause is starttls, or that the documented workaround is to use MAIL_ENCRYPTION=false to prevent the error.

Can this exception be caught, parsed and replaced with a UI warning message that SMTP TLS has failed and to check the mail config in .env with a reference to https://docs.ixpmanager.org/usage/email/ ?

@barryo
Member

barryo commented Nov 25, 2021

Relevant - https://laracasts.com/discuss/channels/laravel/stream-socket-enable-crypto-error-laravel?page=1&replyId=349567

The UI is not a suitable option here as emails can be async and via artisan.

Catching the exception and providing help in the test tool plus docs should cover it.

@listerr
Contributor

listerr commented Nov 27, 2021

Not sure how relevant this is, but seems Swift Mailer will stop being maintained at the end of November 2021:

https://swiftmailer.symfony.com/docs/introduction.html

But I guess Laravel will switch in due course.

I had a little trouble with this when testing out a new install for 6.2.0, for example when enabling IXP_FE_LAYER2_ADDRESSES_EMAIL_ON_CUSTOMER_CHANGE notifications. It would pop up an AJAX / API Error about network connection, although the MAC change would be updated to the database fine.

Eventually tracked it down to it not being able to send mail via SMTP, but in my debugging I noticed that the comment in
the supplied stock .env file says:

# The default setting is 'sendmail' which tries to use your local systems mail client.
#
# MAIL_MAILER="sendmail"
# MAIL_HOST="localhost"
# MAIL_PORT=25
# MAIL_ENCRYPTION="tls"

However, sendmail is not the default, according to config/mail.php:

    /*
    |--------------------------------------------------------------------------
    | Default Mailer
    |--------------------------------------------------------------------------
    |
    | This option controls the default mailer that is used to send any email
    | messages sent by your application. Alternative mailers may be setup
    | and used as needed; however, this mailer will be used by default.
    |
    */

    'default' => env('MAIL_MAILER', 'smtp'),

Further down it has this:

        'sendmail' => [
            'transport' => 'sendmail',
            'path' => '/usr/sbin/sendmail -bs',
        ],

This implies that none of the other settings are actually going to be used if you uncomment the suggested conf MAIL_MAILER="sendmail" in the .env example file.

For debugging, I also added a new setting into config/mail.php so that I can change the path:

        'sendmail' => [
            'transport' => 'sendmail',
            'path' => env('MAIL_SENDMAIL_PATH', '/usr/sbin/sendmail -bs'),
        ],

msmtp seems unhappy with the default options hardcoded into config/mail.php:

root@53MUU8K:/var# /usr/sbin/sendmail -bs
sendmail: unsupported operation mode bs

There is also an issue with tls which we need to fix.

So now to override this I can put in .env:

MAIL_MAILER="sendmail"
MAIL_SENDMAIL_PATH="/usr/bin/msmtp -t --tls=off --from=ixp-auto@your.domain --auto-from=off"

Ubuntu 20.04.3 LTS has an older version of msmtp than latest debian at the moment. The options for --from have changed and don't work on the old version of msmtp. When sending mail for local users that don't exist, msmtpd just doesn't get the envelope sender right so we have to force the issue. (If you change the msmtp default behaviour for auto_from to fix it for IXP Manager, it breaks for other local mail for example messages from cron, and the new --from options are not supported in the version of msmtp that ships with Ubuntu 20.04.) msmtpd munges the envelope sender to "msmtpd@domain" but we need for this to be an actual routable email address in case something bounces, and so we can more easily tell where messages are originating from.

Tested configs:

# Send directly to mail server
MAIL_MAILER="smtp"
MAIL_HOST="mail.server.here"

# Send directly to mail server, no TLS:
MAIL_MAILER="smtp"
MAIL_HOST="mail.server.here"
# MAIL_PORT=25
MAIL_ENCRYPTION=""

# Send using SMTP via local msmtpd
# (Ubuntu default port for msmtpd is 10025, if there's no other MTA then it's easier to change msmtpd to use port 25)
MAIL_MAILER="smtp"
MAIL_HOST="localhost"
MAIL_PORT=10025
MAIL_ENCRYPTION=""

# Send using local sendmail emulation. Defaults break envelope-sender, so override:
MAIL_MAILER="sendmail"
MAIL_SENDMAIL_PATH="/usr/bin/msmtp -t --tls=off --from=ixp-auto@your.domain --auto-from=off"
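An added diagnostic (not IXP Manager or Laravel code) covering the STARTTLS exception quoted at the top of the thread and the .env combinations listed above: it parses the Swiftmailer CN-mismatch message, reads the relevant .env keys, and reports which setting is at fault. The function names and the `cause` labels are assumptions; the sample messages and configs are the ones from this thread.

```python
import re
from ipaddress import ip_address

DOCS_URL = "https://docs.ixpmanager.org/usage/email/"
# Message PHP raises when STARTTLS certificate verification fails (as quoted in this thread);
# the opening backtick before each CN is often lost when pasted, so it is optional here.
CN_MISMATCH = re.compile(
    r"stream_socket_enable_crypto\(\): Peer certificate CN=`?(?P<peer>[^'`]+)'"
    r" did not match expected CN=`?(?P<expected>[^'`]+)'"
)

def parse_env(text):
    """Minimal .env reader: KEY=VALUE per line, comments skipped, surrounding quotes removed."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def host_unverifiable(host):
    """A certificate names a DNS host; 'localhost' or a bare IP address can never match it."""
    if host == "localhost":
        return True
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(env, error_message=""):
    """Classify a failed send: returns {'cause': str, 'hints': [str]} from .env keys and exception text."""
    hints = []
    if env.get("MAIL_MAILER", "smtp") == "sendmail":   # config/mail.php default is smtp
        hints.append("MAIL_MAILER=sendmail: MAIL_HOST/MAIL_PORT/MAIL_ENCRYPTION are ignored; "
                     "only the sendmail 'path' in config/mail.php is used.")
        return {"cause": "sendmail_path", "hints": hints}
    host, enc = env.get("MAIL_HOST", "localhost"), env.get("MAIL_ENCRYPTION", "")
    m = CN_MISMATCH.search(error_message)
    if m:
        cause = "cn_mismatch"
        hints.append(f"STARTTLS failed: the certificate is for {m['peer']} but MAIL_HOST is {m['expected']}.")
    elif enc in ("tls", "ssl") and host_unverifiable(host):
        cause = "cn_mismatch_likely"
        hints.append(f"MAIL_ENCRYPTION={enc} with MAIL_HOST={host}: certificate verification will fail.")
    else:
        return {"cause": "unknown", "hints": hints}
    hints.append("Set MAIL_HOST to the DNS name on the server certificate, or for an internal "
                 f'relay set MAIL_ENCRYPTION="" (plaintext on the management network). See {DOCS_URL}')
    return {"cause": cause, "hints": hints}
```

The second branch flags a bad combination before any mail is sent, so the same check can run against a fresh .env rather than only on an exception.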

@barryo
Member

barryo commented Nov 28, 2021

> Not sure how relevant this is, but seems Swift Mailer will stop being maintained at the end of November 2021:
>
> https://swiftmailer.symfony.com/docs/introduction.html
>
> But I guess Laravel will switch in due course.

Already sorted in the next version: laravel/framework#38481

@barryo
Member

barryo commented Nov 28, 2021

Thanks for the note re .env.example and config/mail.php being out of sync @listerr. Now fixed in ed8ee84.

I have also updated the docs: https://docs.ixpmanager.org/usage/email/ (note there is some information there on testing)

If you read the docs, you'll note that I'm very much trying to push people down the route of using a local (or internal) SMTP daemon:

> We would generally expect an IXP to have an internal SMTP relay server within the management network to handle the sending of email from monitoring systems, cron processes, IXP Manager, etc.

also:

> MAIL_MAILER="smtp" - this is the mail transport to use. The other available options are outside the scope of this documentation.

As well as trying to reduce the support burden, I actually think this is the better production set-up (and allows for, e.g., a pair of highly resilient mail servers using keepalived).

Hopefully the changed defaults (i.e. localhost smtp without tls) solve most issues.

@barryo
Member

barryo commented Nov 28, 2021

Closing now as:

  • Docs include email testing tool - https://docs.ixpmanager.org/usage/email/#testing-smtp
  • Verified testing tool provides correct exception: Error: stream_socket_enable_crypto(): Peer certificate CN=mail.ibn.ie' did not match expected CN=46.182.8.12'
  • The ability to disable strict TLS checking is not part of IXP Manager / Laravel (and shouldn't be imho - may as well send plaintext)
  • Per @nickhilliard - .env.example updated to ref docs and defaults to localhost and no tls
  • .env.example updated per @listerr's findings also
  • Note added to draft release notes for next release on changes

barryo closed this as completed Nov 28, 2021