
Comments (9)

bt90 avatar bt90 commented on May 30, 2024 1

Works 👍

> Thanks again for all your help testing these TLS use-cases.

No, I thank you for developing this nice piece of tech 😉

from mailrise.

YoRyan avatar YoRyan commented on May 30, 2024

Right, so I just pushed 89305ba, which logs the arguments being passed to aiosmtpd. Here is what I get with your config:

[2022-12-21 18:32:34] DEBUG:mailrise.skeleton:Arguments for aiosmtpd: authenticator=Basic(1), auth_required=True, auth_require_tls=True, tls_context=<ssl.SSLContext object at 0x7f3b82511370>, ssl_context=None, require_starttls=False

The kicker here is auth_require_tls=True. I assumed that if you're running with TLS, you'll want your credentials encrypted. But this argument also tells aiosmtpd not to send the 250-AUTH message until the client has initiated an encrypted starttls session.

So you need to tell your client to initiate starttls before attempting authentication, or, alternatively, I can add a configuration option to set auth_require_tls to False. Not sure if that makes sense, though? Because then msmtp will probably send the credentials through cleartext...


bt90 avatar bt90 commented on May 30, 2024

I tried it again using curl:

curl -k --ssl -v smtp://localhost:25 --mail-rcpt [email protected] --user 'pushover:xxxxxxxxxxxxx'  -T - <<<"Test"
*   Trying 127.0.0.1:25...
* Connected to localhost (127.0.0.1) port 25 (#0)
< 220 nxdomain.info Mailrise 0.0.post1.dev1+g8928d73
> EHLO proliant
< 250-nxdomain.info
< 250-SIZE 33554432
< 250-8BITMIME
< 250-SMTPUTF8
< 250-STARTTLS
< 250 HELP
> STARTTLS
< 220 Ready to start TLS
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.0 (OUT), TLS header, Unknown (21):
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, decode error (562):
} [2 bytes data]
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0

Note that curl is properly trying to upgrade the connection but fails due to a TLS error.

[2022-12-21 18:59:30] ERROR:asyncio:Fatal error: protocol.data_received() call failed.
protocol: <asyncio.sslproto.SSLProtocol object at 0x7f3cdd7e7c50>
transport: <_SelectorSocketTransport fd=10 read=polling write=<idle, bufsize=0>>
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/asyncio/selector_events.py", line 1009, in _read_ready__data_received
    self._protocol.data_received(data)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'SSLProtocol' object has no attribute 'data_received'
[2022-12-21 18:59:30] ERROR:mail.log:('172.18.0.1', 46532) SMTP session exception
Traceback (most recent call last):
  File "/home/mailrise/.local/lib/python3.11/site-packages/aiosmtpd/smtp.py", line 895, in smtp_STARTTLS
    await waiter
  File "/usr/local/lib/python3.11/asyncio/selector_events.py", line 1009, in _read_ready__data_received
    self._protocol.data_received(data)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'SSLProtocol' object has no attribute 'data_received'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/mailrise/.local/lib/python3.11/site-packages/aiosmtpd/smtp.py", line 728, in _handle_client
    await method(arg)
  File "/home/mailrise/.local/lib/python3.11/site-packages/aiosmtpd/smtp.py", line 899, in smtp_STARTTLS
    raise TLSSetupException() from error
aiosmtpd.smtp.TLSSetupException


bt90 avatar bt90 commented on May 30, 2024

Hmm https://gitlab.com/mailman/mailman/-/issues/936


bt90 avatar bt90 commented on May 30, 2024

Coincidentally, the fixed version was released 4 hours ago.

https://github.com/aio-libs/aiosmtpd/releases/tag/1.4.3


YoRyan avatar YoRyan commented on May 30, 2024

Right, starttls was broken in the last stable aiosmtpd. #37 reported it just the other day. I'll upgrade versions ASAP.

(Glad to see that it's finally out; I've been waiting on the new unthreaded controller API.)


YoRyan avatar YoRyan commented on May 30, 2024

Upgrade complete. Please let me know if all is well with starttls. Cheers!


bt90 avatar bt90 commented on May 30, 2024

STARTTLS works properly now 🎉

I also tried onconnect but that doesn't seem to work. A TLS connection is established by curl but the server doesn't announce that it requires authentication:

curl -k -s -v smtps://localhost:587 --mail-rcpt [email protected] --user 'pushover:xxxxxxxxxxx'  -T - <<<"Test"
< 220 nxdomain.info Mailrise 0.0.post1.dev1+g5d58a83
> EHLO proliant
< 250-nxdomain.info
< 250-SIZE 33554432
< 250-8BITMIME
< 250-SMTPUTF8
< 250 HELP
> MAIL FROM:<>
< 530 5.7.0 Authentication required
> QUIT
< 221 Bye
Full log:
*   Trying 127.0.0.1:587...
* Connected to localhost (127.0.0.1) port 587 (#0)
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1314 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=nxdomain.info
*  start date: Dec 20 16:15:22 2022 GMT
*  expire date: Dec 17 16:15:22 2032 GMT
*  issuer: CN=nxdomain.info
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [233 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [233 bytes data]
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 220 nxdomain.info Mailrise 0.0.post1.dev1+g5d58a83
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> EHLO proliant
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 250-nxdomain.info
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 250-SIZE 33554432
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 250-8BITMIME
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 250-SMTPUTF8
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 250 HELP
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> MAIL FROM:<>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 530 5.7.0 Authentication required
* MAIL failed: 530
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> QUIT
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< 221 Bye
* Closing connection 0
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, close notify (256):
{ [2 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]

Config:

configs:
  pushover:
    urls:
      - pover://xxxxxxxxxxxxxxxx@yyyyyyyyyyyyyyyyyyy
tls:
  mode: onconnect
  certfile: /etc/ssl/cert.pem
  keyfile: /etc/ssl/key.pem
smtp:
  hostname: nxdomain.info
  auth:
    basic:
      pushover: xxxxxxxxxxxxxxxx

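The two transcripts above (plaintext EHLO before STARTTLS, and the smtps session that never sees a 250-AUTH line) are the inputs a careful client has to interpret before it decides whether to send credentials. The following is an added example, not code from mailrise, aiosmtpd or either commenter: it parses a multi-line EHLO reply and applies the rule YoRyan describes, that AUTH is only attempted on an encrypted transport, upgrading via STARTTLS first when the server offers it and refusing outright otherwise. The sample replies are copied from the curl output in this thread; the `FIXED_EHLO` reply with `AUTH LOGIN PLAIN` is constructed to show what a correctly configured server would advertise, and the result strings are this example's own vocabulary.

```python
"""Decide whether an SMTP client may authenticate, from the EHLO reply alone."""

from dataclasses import dataclass, field


@dataclass
class EhloReply:
    domain: str
    # ESMTP keyword (upper-cased) -> its parameters, e.g. "SIZE" -> ["33554432"]
    extensions: dict = field(default_factory=dict)

    def offers(self, keyword: str) -> bool:
        return keyword.upper() in self.extensions


def parse_ehlo_reply(lines):
    """Parse the 250-.../250 ... lines of an EHLO reply (RFC 5321, 4.1.1.1).

    Accepts the lines as logged by curl (a leading '< ' is tolerated). The
    first line carries the server's domain; every later line names one
    extension; the line starting with '250 ' (space) ends the reply.
    """
    domain = None
    extensions = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("< "):            # curl's verbose-mode prefix
            line = line[2:]
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"not an EHLO success line: {line!r}")
        body = line[4:].strip()
        if domain is None:
            domain = body.split()[0] if body else ""
        else:
            parts = body.split()
            if parts:
                extensions[parts[0].upper()] = parts[1:]
        if line.startswith("250 "):          # final line of the reply
            break
    if domain is None:
        raise ValueError("empty EHLO reply")
    return EhloReply(domain, extensions)


def auth_decision(reply, transport_encrypted):
    """What the client should do next before sending credentials.

    Credentials never go over a plaintext transport. A server running with
    auth_require_tls=True withholds AUTH from the plaintext EHLO reply, so
    the right move there is STARTTLS followed by a second EHLO.
    """
    if transport_encrypted:
        return "send-auth" if reply.offers("AUTH") else "no-auth-advertised"
    if reply.offers("STARTTLS"):
        return "starttls-then-ehlo"
    return "refuse-cleartext-auth" if reply.offers("AUTH") else "no-auth-advertised"


# Constructed inputs, copied from the transcripts in this thread.
PLAINTEXT_EHLO = [  # port 25, before the STARTTLS upgrade: STARTTLS offered, no AUTH
    "250-nxdomain.info", "250-SIZE 33554432", "250-8BITMIME",
    "250-SMTPUTF8", "250-STARTTLS", "250 HELP",
]
ONCONNECT_EHLO = [  # smtps on 587: already encrypted, yet no AUTH line at all
    "250-nxdomain.info", "250-SIZE 33554432", "250-8BITMIME",
    "250-SMTPUTF8", "250 HELP",
]
FIXED_EHLO = [  # constructed: what a server that advertises AUTH would send
    "250-nxdomain.info", "250-SIZE 33554432", "250-8BITMIME",
    "250-SMTPUTF8", "250-AUTH LOGIN PLAIN", "250 HELP",
]

if __name__ == "__main__":
    for name, lines, encrypted in [("plaintext", PLAINTEXT_EHLO, False),
                                   ("onconnect", ONCONNECT_EHLO, True),
                                   ("fixed", FIXED_EHLO, True)]:
        print(name, "->", auth_decision(parse_ehlo_reply(lines), encrypted))
```

Run against the on-connect transcript the result is `no-auth-advertised`: the client has nothing to authenticate with, so the only outcome is the `530 5.7.0 Authentication required` seen above. Against the plaintext port-25 reply it is `starttls-then-ehlo`, which is the ordering msmtp or curl must follow when the server runs with `auth_require_tls=True`.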

YoRyan avatar YoRyan commented on May 30, 2024

Misinterpreted the use of auth_require_tls. In the on-connect mode, aiosmtpd isn't aware of the TLS wrapper, so that argument should be set to False.

Should be fixed with 8038473. Thanks again for all your help testing these TLS use-cases.

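To make the explanation in the last comment concrete, here is an added example (not mailrise's or aiosmtpd's code) that models the mapping from a mailrise `tls.mode` value to the aiosmtpd arguments logged earlier in this thread, together with the advertisement rule the thread describes: STARTTLS is offered while a `tls_context` is configured and the session is still plaintext, and AUTH is offered only when `auth_require_tls` is False or the session was upgraded by aiosmtpd's own STARTTLS. An external TLS wrapper, as in on-connect mode, does not count as an upgrade. The function names, the `off` mode values and the `AUTH LOGIN PLAIN` mechanism list are assumptions of this example; the `tls_context` value is a placeholder string standing in for the `ssl.SSLContext` object in the log.

```python
"""Model of tls.mode -> aiosmtpd arguments -> advertised EHLO keywords."""


def smtp_kwargs_for_mode(mode):
    """Return the aiosmtpd SMTP keyword arguments for a mailrise tls.mode value.

    Key names are the ones in the DEBUG line logged in this thread. The
    'starttls' and 'onconnect' values follow the thread; 'off' is assumed.
    """
    base = dict(authenticator="Basic(1)", auth_required=True,
                require_starttls=False, ssl_context=None)
    if mode == "off":
        return dict(base, auth_require_tls=False, tls_context=None)
    if mode == "starttls":
        # aiosmtpd performs the STARTTLS upgrade itself, so it can safely
        # defer AUTH until the session is encrypted.
        return dict(base, auth_require_tls=True, tls_context="<ssl.SSLContext>")
    if mode == "onconnect":
        # TLS is terminated by a wrapper around the listener; aiosmtpd never
        # sees the upgrade and treats the session as plaintext. Requiring
        # TLS for AUTH here would hide AUTH forever (the bug fixed in 8038473).
        return dict(base, auth_require_tls=False, tls_context=None)
    raise ValueError(f"unknown tls mode {mode!r}")


def ehlo_extensions(kwargs, session_upgraded=False):
    """Keywords aiosmtpd advertises in its EHLO reply, per the thread's
    description. `session_upgraded` is True only after aiosmtpd's own
    STARTTLS; an outer TLS wrapper leaves it False."""
    ext = ["SIZE 33554432", "8BITMIME", "SMTPUTF8"]
    if kwargs["tls_context"] is not None and not session_upgraded:
        ext.append("STARTTLS")
    if kwargs["authenticator"] is not None and (
            session_upgraded or not kwargs["auth_require_tls"]):
        ext.append("AUTH LOGIN PLAIN")   # mechanism list is assumed
    ext.append("HELP")
    return ext


def mode_allows_auth(mode, client_did_starttls=False):
    """True when a client in this mode will see AUTH advertised."""
    ext = ehlo_extensions(smtp_kwargs_for_mode(mode), client_did_starttls)
    return any(e.startswith("AUTH") for e in ext)


if __name__ == "__main__":
    # Reproduce the on-connect transcript from before the fix: the wrapper
    # encrypts, but auth_require_tls=True leaves AUTH out of the reply.
    buggy = dict(smtp_kwargs_for_mode("onconnect"), auth_require_tls=True)
    print("onconnect before fix:", ehlo_extensions(buggy))
    print("onconnect after fix: ", ehlo_extensions(smtp_kwargs_for_mode("onconnect")))
    print("starttls, plaintext: ", ehlo_extensions(smtp_kwargs_for_mode("starttls")))
    print("starttls, upgraded:  ", ehlo_extensions(smtp_kwargs_for_mode("starttls"), True))
```

The `buggy` dictionary reproduces the `250-SIZE ... 250 HELP` reply from the smtps transcript with no AUTH line, and the starttls case reproduces the port-25 reply that offers STARTTLS but not AUTH until the upgrade has happened. The general rule this makes visible is that `auth_require_tls` must only be True when the same component that checks it also performs the TLS upgrade.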
