
lack of having the option to not verifying mail server (tls_skip_verify) #498

Closed
erfantkerfan opened this issue Oct 11, 2023 · 5 comments

@erfantkerfan

The lack of this feature is causing a lot of problems for us.
Would it be possible to add the option to skip TLS verification of the (SMTP) mail server?
Thanks a lot.

https://community.passbolt.com/t/feature-tls-skip-verify-for-self-signed-smtp-email/8640/1

@ishanvyas22 (Member)

Hey @erfantkerfan, we are already tracking this task in our internal system (PB-26156). We'll let you know once we have any update.

@ishanvyas22 ishanvyas22 self-assigned this Feb 27, 2024
@oyxnaut commented Apr 10, 2024

I think we have the same issue. Our mail relay allows STARTTLS and plain mail to be sent, and sending a test mail from Passbolt works like a charm. All other mails get a TLS error. Setting EMAIL_TRANSPORT_DEFAULT_TLS=false in the docker-compose.yml doesn't help. This has forced me to manually construct the registration URL from the output of SELECT subject,template_vars FROM email_queue WHERE subject LIKE "Welcome to passbolt%".
(In case it helps speeding up the resolution of this issue: We are a paying customer for Passbolt Pro.)

This is the backtrace I can see when sending a mail fails:

Stack trace:
#0 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/ConsoleOutput.php(287): fwrite()
#1 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/ConsoleOutput.php(214): Cake\Console\ConsoleOutput->_write()
#2 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Log/Engine/ConsoleLog.php(101): Cake\Console\ConsoleOutput->write()
#3 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Log/Log.php(392): Cake\Log\Engine\ConsoleLog->log()
#4 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/ErrorLogger.php(78): Cake\Log\Log::write()
#5 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/ErrorTrap.php(171): Cake\Error\ErrorLogger->logError()
#6 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/ErrorTrap.php(142): Cake\Error\ErrorTrap->logError()
#7 [internal function]: Cake\Error\ErrorTrap->handleError()
#8 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php(371): fwrite()
#9 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php(600): Cake\Network\Socket->write()
#10 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php(571): Cake\Mailer\Transport\SmtpTransport->_smtpSend()
#11 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php(155): Cake\Mailer\Transport\SmtpTransport->_disconnect()
#12 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php(97): Cake\Mailer\Transport\SmtpTransport->disconnect()
#13 [internal function]: Cake\Mailer\Transport\SmtpTransport->__destruct()
#14 {main}
  thrown in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/ConsoleOutput.php on line 287
  2024-04-10 13:28:01 warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
Trace:
/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 490
Cake\Network\Socket->enableCrypto() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php, line 317
Cake\Mailer\Transport\SmtpTransport->_connect() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php, line 200
Cake\Mailer\Transport\SmtpTransport->send() /usr/share/php/passbolt/src/Mailer/Transport/SmtpTransport.php, line 52
App\Mailer\Transport\SmtpTransport->send() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Mailer.php, line 407
Cake\Mailer\Mailer->deliver() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Mailer.php, line 346
Cake\Mailer\Mailer->send() /usr/share/php/passbolt/plugins/PassboltCe/EmailDigest/src/Service/SendEmailBatchService.php, line 79
Passbolt\EmailDigest\Service\SendEmailBatchService->sendDigest() /usr/share/php/passbolt/plugins/PassboltCe/EmailDigest/src/Service/SendEmailBatchService.php, line 64
Passbolt\EmailDigest\Service\SendEmailBatchService->sendNextEmailsBatch() /usr/share/php/passbolt/plugins/PassboltCe/EmailDigest/src/Command/SenderCommand.php, line 55
Passbolt\EmailDigest\Command\SenderCommand->execute() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/BaseCommand.php, line 190
Cake\Console\BaseCommand->run() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/CommandRunner.php, line 334
Cake\Console\CommandRunner->runCommand() /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/CommandRunner.php, line 172
Cake\Console\CommandRunner->run() /usr/share/php/passbolt/bin/cake.php, line 13

Edit: We use our own CA, and the CA Certificate is present in /etc/ssl/certs.

@ishanvyas22 (Member)

Hey @oyxnaut, we will be releasing support for self-signed certificates for the SMTP server with the upcoming release (v4.7.0). Also, as a Passbolt Pro user you can reach out to [email protected] for further support.

dlen pushed a commit that referenced this issue Apr 24, 2024
…to-use-TLS-with-a-self-signed-cert-on-my-mail-server-GITHUB-498' into 'common'

PB-26156 As administrator, I can configure SMTP to use TLS with a self-signed cert on my mail server (GITHUB #498)

See merge request passbolt/passbolt-pro-api!1535
@ishanvyas22 (Member)

We have released support for this with the v4.7 release.

The documentation is in progress, but here's what you can do to tell passbolt to use your custom root CA file:

// config/passbolt.php

return [
    'passbolt' => [
        ...

        'plugins' => [
            ...

            'smtpSettings' => [
                ...
                'security' => [
                    'sslVerifyPeer' => true,
                    'sslVerifyPeerName' => true,
                    'sslAllowSelfSigned' => true,
                    'sslCafile' => '/etc/ssl/certs/ca.crt'
                ],
            ],

            ...

        ],

        ...
    ],
];

Or, you can also use environment variables:

export PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER=true
export PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER_NAME=true
export PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED=true
export PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_CAFILE="/etc/ssl/certs/ca.crt"

If you want to skip verification (not recommended), you can set sslVerifyPeer and sslVerifyPeerName to false and sslAllowSelfSigned to true (as described above) in the passbolt.php file.
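Before wiring a CA file into passbolt.php, an administrator may want to confirm that it actually validates the relay's certificate. The script below is an added diagnostic, not Passbolt's or CakePHP's code: it runs the same EHLO/STARTTLS handshake the SMTP transport performs and reports the outcome of certificate verification. It assumes the smtpSettings.security keys correspond to PHP stream context `ssl` options of the same meaning, and the host, port and CA path in the usage line are hypothetical.

```php
<?php
// Added diagnostic, not Passbolt or CakePHP code: perform the EHLO/STARTTLS
// handshake with the TLS settings from this issue and report whether the
// relay's certificate verifies against the given CA file.
// Usage (hypothetical values): php smtp_tls_check.php mail.internal 587 /etc/ssl/certs/ca.crt
[$host, $port, $cafile] = [$argv[1] ?? 'localhost', (int) ($argv[2] ?? 587), $argv[3] ?? null];
// Passbolt's smtpSettings.security keys, assumed to map onto PHP's stream
// context 'ssl' options of the same meaning. Verification stays on: a private
// CA is handled by sslCafile; sslAllowSelfSigned is only for a truly self-signed relay cert.
$ssl = [
    'verify_peer'       => true,   // sslVerifyPeer
    'verify_peer_name'  => true,   // sslVerifyPeerName
    'allow_self_signed' => false,  // sslAllowSelfSigned
    'peer_name'         => $host,
    'capture_peer_cert' => true,   // so we can report who answered
];
if ($cafile !== null) {
    $ssl['cafile'] = $cafile;      // sslCafile
}
$ctx  = stream_context_create(['ssl' => $ssl]);
$sock = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($sock === false) {
    fwrite(STDERR, "connect failed: $errstr ($errno)\n");
    exit(2);
}
// Read one SMTP reply: continuation lines are "250-...", the final line "250 ...".
$reply = function () use ($sock): string {
    $out = '';
    while (($line = fgets($sock)) !== false) {
        $out .= $line;
        if (!isset($line[3]) || $line[3] !== '-') break;
    }
    return $out;
};
$reply();                                   // 220 banner
fwrite($sock, "EHLO passbolt-tls-check\r\n");
if (stripos($reply(), 'STARTTLS') === false) {
    fwrite(STDERR, "relay did not advertise STARTTLS\n");
    exit(3);
}
fwrite($sock, "STARTTLS\r\n");
$reply();                                   // 220 ready to start TLS
// The same call that failed in the issue's log with "certificate verify failed".
if (@stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
    fwrite(STDERR, 'TLS handshake failed: ' . (error_get_last()['message'] ?? 'unknown') . "\n");
    exit(4);
}
$cert = openssl_x509_parse(stream_context_get_params($sock)['options']['ssl']['peer_certificate']);
printf("verified OK: subject=%s issuer=%s\n", $cert['name'], $cert['issuer']['CN'] ?? '?');
fwrite($sock, "QUIT\r\n");
```

A non-zero exit code with the OpenSSL message on stderr points at the CA file or the relay's certificate chain, while a successful run prints the subject and issuer that the configured CA actually trusts.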

@erfantkerfan (Author)

I saw the release, but this is great support for your FOSS project, replying to me in person.
Kudos to all of your team.
