domodwyer / mailyak

An elegant MIME/SMTP email library with support for attachments

Self signed certs

samstride opened this issue · comments

commented

Hi,

Thank you for maintaining this repo.

We have an SMTP server that uses a self signed cert.

The previous engineer used a fork of this repo: https://github.com/L11R/mailyak to work around the certificate error.

However that repo isn't actively maintained.

Issue 8 already requested this feature.

Any chance we can get a flag to set InsecureSkipVerify?

I am thinking something along the lines of:

mail := mailyak.New(
    "smtp.company.com:25",
    smtp.PlainAuth("", "username", "password", "smtp.company.com", true),
)

Thanks.

commented

Hey @samstride!

Good news, it's already fully supported!

If you import the "v3" module (github.com/domodwyer/mailyak/v3), there's a NewWithTLS() constructor that allows you to pass in the *tls.Config you wish to use - you can set InsecureSkipVerify here :)

I will leave a note on #8 to point people to this response and hopefully help out others.

Dom

commented

@domodwyer,

I tried this:

mail, err := mailyak.NewWithTLS(
    "smtp.company.com:25",
    smtp.PlainAuth("", "username", "password", "smtp.company.com"),
    &tls.Config{ServerName: "smtp.company.com:25", InsecureSkipVerify: true},
)

We have no TLS relays so we end up with this error:

tls: first record does not look like a TLS handshake

commented

Hey @samstride

That looks like you're not talking to a TLS endpoint - port 25 is usually (though not always) plaintext.

Worth double checking your hostname/port combination, that error comes from the standard library's TLS implementation 👍

Dom

commented

@domodwyer, thanks for replying. I have tried 143 and 587 and they don't work either. The problem is we have no TLS relays since all traffic is internal.

I cloned the repo locally and for testing purposes I added InsecureSkipVerify: true, to func smtpExchange in sender.go.

if tryTLSUpgrade {
	if ok, _ := c.Extension("STARTTLS"); ok {
		//nolint:gosec
		config := &tls.Config{
			ServerName:         serverName,
			InsecureSkipVerify: true, // ------> Added this line
		}
		if err = c.StartTLS(config); err != nil {
			return err
		}
	}
}

Then this works:

mail := mailyak.New(
    "smtp.company.com:25",
    smtp.PlainAuth("", "username", "password", "smtp.company.com"),
)

I believe this is what the fork was allowing to be set: https://github.com/L11R/mailyak/blob/master/mailyak.go#L80