View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005078 | SOGo | Backend Mail | public | 2020-07-09 16:40 | 2021-02-26 05:36 |
Reporter | zhb | Assigned To | francis | ||
Priority | high | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 4.3.2 | ||||
Fixed in Version | 5.0.0 | ||||
Summary | 0005078: Does the latest nightly build support STARTTLS and SSL for SMTP service? | ||||
Description | Dear developers, According to issue 31[1], STARTTLS and SSL support for smtp service had been merged to SOPE and SOGO projects. i tried to enable STARTTLS support with latest nightly build (4.3.2.20200709): SOGoMailingMechanism = smtp; but SOGo raises error message on web UI: "cannot send message: (smtp) authentication failure". ################## Software versions: sope49-gdl1-contentstore-4.3.2.20200709-1.el7.x86_64 | ||||
Tags | No tags attached. | ||||
Yes, these changes are implemented. However, you probably won't get a valid certificate for 127.0.0.1, please specify the fqdn instead (or disable tls) |
|
Is it possible to disable cert validation? |
|
I understand it's the best to validate cert, but in testing server, we still need to test TLS/SSL support. |
|
Currently, this is not possible. You may, however set up your own CA, add it to your root store and then sign a certificate for your endpoint with your CA. |
|
There's no point in enabling TLS/SSL if you don't want the certificate to be verified. Read comments in related tickets. |
|
@francis I don't agree that.
If ssl cert verification is enforced, sogo can not send email with SOGoSMTPServer set to "smtp://127.0.0.1/?tls=YES" or "127.0.0.1", or "smtp://127.0.0.1". |
|
This commit mentions "specify fqdn requirement for SSL/TLS", but it doesn't solve the issue with IP address + TLS/SSL: https://github.com/inverse-inc/sogo/commit/a91a00e33cea3e365d8c43b4a9b15a9d55479afb |
|
@zhb But the certificate is signed with some domain in the subject, right? For now, you could just set that particular domain in your 127.0.0.1 some.mail.domain And then set |
|
ok, let me ask in another way: Any plan to support disabling cert validation? |
|
I started looking into this quickly on https://github.com/the-nic/sope/tree/optional-tls-validation, but havent really continued. Note that I am not associated with inverse in any way, I'm doing this in my free time, so dont expect any particular support. I have also shown multiple ways how you may fix your setup. You can still help with the implementation, though ;-) |
|
Dear @the_nic, Thanks for your contribution. :) I understand you already offered few suggestions, but disabling cert validation is quite common, not just in a quick testing environment, but also on production (connect to 127.0.0.1 instead of FQDN, of course we can argue this, but why disallow sysadmin to use 127.0.0.1?). |
|
Dear @the_nic, Are you still working on the optional ssl validation feature? :) |
|
@zhb, I havent looked into it again, yet. Why dont the other solutions work for you, by the way? |
|
My free + open source project "iRedMail" installs and configure SOGo for users, at initial installation stage, the installer doesn't know whether the server has a valid ssl cert, so usually we use "127.0.0.1" as IMAP/SMTP/Sieve server address, it's localhost and it's considered as secure, so we prefer to stick to "127.0.0.1" in the installer. With default iRedMail configuration, port 25 is used to accept incoming emails, and 587 (TLS) is used for submission, in this case if SOGo supports TLS without verification ssl cert (again, cert for host "127.0.0.1" in our case) that would be the best for us, no additional (insecure) smtp port for SOGo without TLS/SSL. If sysadmin gets a valid ssl cert, it's ok to replace 127.0.0.1 by the server hostname as server address. But this is not handled by iRedMail installer, so it's not an option for us. |
|
So maybe an option like |
|
I think a parameter in the URI might be better. For example: smtp://127.0.0.1:587/?tls=YES&verify_cert=NO
|
|
SOPE: https://github.com/inverse-inc/sope/pull/58 This will allow you to disable TLS validation if the remote is a localhost (localhost, 127.0.0.1/8, ...) : |
|
The value "allowInsecureLocalhost" is too weird.
|
|
Forgot to say "THANK YOU" for the contribution. :) |
|
Exactly that. It follows the same features like
This is really not intended for that. For that, you should really run a PKI. Please do not decrease security by default for your clients by disabling TLS validation. That is really bad behavior. Also, according your description you'd need your clients to install a valid certificate for the smtp/imap servers anyways before your setup is going to work. Make them fill up the real host name in the SOGo config, too. |
|
I understand the security concerns, but it's better giving sysadmins such option. For example, connecting to an IMAP server in DMZ or a fully trusted LAN network. |
|
As a system administrator with root access you already have plenty of options to dilute the security of the system as needed. |
|
OK, i don't want to go further and currently this option is enough for a standalone mail server when IMAP is running on same host. Thank you very much for the help, and hope SOGo team will merge it soon. :) |
|
Yes, it is even there (you'll find it in the code), I just want to leave it undocumented, as people tend to enable these options without understanding the consequences or fixing the issue properly. |
|
Pull requests were merged. Thanks @the_nic! |
|
Dear @the_nic,
|
|
Hey @zhb, thanks for the feedback. Interestingly, I added a test for localhost ips: https://github.com/inverse-inc/sogo/blob/master/Tests/Unit/TestNGInternetSocketAddress.m#L35 IPv6 does not work, at all. SOPE does not support ipv6 addresses, unfortunately. |
|
The problem is, "127.0.0.1" doesn't work. :( |
|
@zhb i have just tried with imap, and it works. Can you tell me which one (SMTP/IMAP/sieve) does not work with |
|
Dear @the_nic, Yes IMAP works, failed one is SMTP service. I didn't test managesieve yet, it was rush last time i test it. sorry. |
|
@zhb As said before, please share your config. It really sounds like an error on your end, like not setting the SMTP port 587 explicitly. |
|
Interesting, this time it works with either |
|
Hi @the_nic It's very weird that sometimes it works but sometimes not. sogo.conf:
Postfix
It says "Access denied", although it looks like an ACL issue, but we have Tried using |
|
Forgot to mention OS and SOGo versions:
|
|
Here's the debug log with |
|
why is |
|
That's the cause. I thought when It's ok to close this now. |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2020-07-09 16:40 | zhb | New Issue | |
2020-07-09 16:53 | the_nic | Note Added: 0014487 | |
2020-07-09 16:57 | zhb | Note Added: 0014489 | |
2020-07-09 16:58 | zhb | Note Added: 0014490 | |
2020-07-10 08:13 | the_nic | Note Added: 0014509 | |
2020-07-10 14:10 | francis | Relationship added | related to 0005079 |
2020-07-10 14:24 | francis | Assigned To | => francis |
2020-07-10 14:24 | francis | Status | new => closed |
2020-07-10 14:24 | francis | Resolution | open => won't fix |
2020-07-10 14:24 | francis | Note Added: 0014514 | |
2020-07-10 15:40 | zhb | Status | closed => feedback |
2020-07-10 15:40 | zhb | Resolution | won't fix => reopened |
2020-07-10 15:40 | zhb | Note Added: 0014517 | |
2020-07-10 15:54 | zhb | Note Added: 0014518 | |
2020-07-10 15:54 | zhb | Status | feedback => assigned |
2020-07-13 12:32 | the_nic | Note Added: 0014521 | |
2020-07-13 15:37 | zhb | Note Added: 0014522 | |
2020-07-13 15:53 | the_nic | Note Added: 0014523 | |
2020-07-13 16:04 | zhb | Note Added: 0014525 | |
2020-07-25 05:56 | zhb | Note Added: 0014583 | |
2020-07-25 10:27 | the_nic | Note Added: 0014584 | |
2020-07-25 10:52 | zhb | Note Added: 0014585 | |
2020-07-25 11:32 | the_nic | Note Added: 0014586 | |
2020-07-25 14:35 | zhb | Note Added: 0014587 | |
2020-08-02 13:05 | the_nic | Note Added: 0014606 | |
2020-08-02 14:04 | zhb | Note Added: 0014607 | |
2020-08-02 14:06 | zhb | Note Added: 0014608 | |
2020-08-02 17:07 | the_nic | Note Added: 0014609 | |
2020-08-03 14:34 | zhb | Note Added: 0014611 | |
2020-08-03 15:24 | the_nic | Note Added: 0014612 | |
2020-08-03 15:41 | zhb | Note Added: 0014613 | |
2020-08-03 15:43 | the_nic | Note Added: 0014614 | |
2020-08-05 19:22 | francis | Status | assigned => resolved |
2020-08-05 19:22 | francis | Resolution | reopened => fixed |
2020-08-05 19:22 | francis | Fixed in Version | => 5.0.0 |
2020-08-05 19:22 | francis | Note Added: 0014640 | |
2020-08-11 08:43 | zhb | Status | resolved => feedback |
2020-08-11 08:43 | zhb | Resolution | fixed => reopened |
2020-08-11 08:43 | zhb | Note Added: 0014663 | |
2020-08-11 08:52 | the_nic | Note Added: 0014664 | |
2020-08-11 11:28 | zhb | Note Added: 0014666 | |
2020-08-11 11:28 | zhb | Status | feedback => assigned |
2020-08-11 17:49 | the_nic | Note Added: 0014668 | |
2020-08-12 01:01 | zhb | Note Added: 0014681 | |
2020-08-12 06:44 | the_nic | Note Added: 0014682 | |
2020-08-12 08:37 | zhb | Note Added: 0014690 | |
2020-08-12 13:11 | francis | Status | assigned => resolved |
2020-08-19 06:19 | zhb | Status | resolved => feedback |
2020-08-19 06:19 | zhb | Note Added: 0014704 | |
2020-08-19 06:21 | zhb | Note Added: 0014705 | |
2020-08-19 06:21 | zhb | Status | feedback => assigned |
2020-08-19 07:05 | zhb | Note Added: 0014708 | |
2020-08-19 07:08 | the_nic | Note Added: 0014709 | |
2020-08-19 07:20 | zhb | Note Added: 0014711 | |
2020-08-19 10:24 | ludovic | Status | assigned => closed |
2020-08-19 11:58 | francis | Status | closed => resolved |
2020-08-19 11:58 | francis | Resolution | reopened => fixed |