Netgate Discussion Forum
Enable STARTTLS Option Missing

2.4 Development Snapshots
7 Posts 2 Posters 3.7k Views
NOYB
last edited by Sep 12, 2016, 8:07 PM

Is the "Enable STARTTLS" option removal from the email notifications config intentional? If so, why?
jimp Rebel Alliance Developer Netgate
last edited by Sep 20, 2016, 7:00 PM

The mail backend was changed out:

https://github.com/pfsense/pfsense/commit/c8c46e5a8e9551db0172b79aae1fee4553b3bf7d

• Added timeout parameter for SMTP configuration
• Removed STARTTLS option, it's enabled automatically by pear-Mail when server supports it

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
NOYB
last edited by Sep 20, 2016, 9:34 PM

That leaves it vulnerable to a STRIPTLS attack, because the pear-mail client does not require that TLS be used and will fall back to plain text if the server does not support STARTTLS. ISPs have been known to be fond of using STRIPTLS.

https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations

Would like to see the option still available, and used for the client to force/require TLS when STARTTLS is enabled.
jimp Rebel Alliance Developer Netgate
last edited by Sep 20, 2016, 10:07 PM

Have you tried it, though?

Looking at it briefly it seems like it's always forcing SSL and fails if it doesn't exist. Which may be good, but not if someone has a server out there that doesn't support SSL or STARTTLS… but in this day and age that's probably not a bad thing to reject.
NOYB
Sep 20, 2016, 10:56 PM (last edited Sep 21, 2016, 12:01 AM)

Yes. I've tried it. Have also patched my 2.4 installation to require STARTTLS.

The Pear mail client will use STARTTLS if the server supports it. Otherwise it will go ahead and send in the clear. Hence "Opportunistic TLS".

Have a look at the if statement in the pear-mail auth function. It will only attempt STARTTLS if the server response indicates support.

PEAR Mail STRIPTLS Mitigation Request Example:
An option to require STARTTLS should be added to mitigate the STRIPTLS attack vector.
http://pear.php.net/bugs/bug.php?id=21117

pfSense Notification Example Attached:

I make no guarantees or warranties as to the suitability or reliability of any of these examples. They are intended only as examples and are not adequately tested. Any and all usage is strictly and completely at the user's own risk.

pfSense_EMail_Notice_STARTTLS_Require_TLS.patch.txt
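The two client behaviours argued over in this thread, an opportunistic STARTTLS client that falls back to plain text and one that requires TLS, as an added example that is not part of the original posts and not pfSense, PEAR Mail or Net_SMTP code. It is written in Python rather than the PHP pfSense uses because the point is the client's decision logic, not the library. The SMTP EHLO reply, the two STRIPTLS manipulations an in-path attacker can apply (dropping the STARTTLS capability line, or letting it through and refusing the STARTTLS command) and both client policies are constructed here, and the exchange is simulated in-process so nothing touches the network.

```python
"""Opportunistic STARTTLS versus required STARTTLS under a STRIPTLS attack.

Added example for this thread; it is not pfSense, PEAR Mail or Net_SMTP code.
The SMTP server replies, the in-path attacker and both client policies are
constructed here and the EHLO/STARTTLS exchange is simulated in-process.
"""
from typing import Callable, List, Optional


class TlsNotAvailable(Exception):
    """Raised by the require-TLS client when it cannot get an encrypted channel."""


def server_ehlo_reply() -> List[str]:
    """Constructed RFC 5321 multi-line 250 reply: '250-' continues, '250 ' ends."""
    caps = ["mail.example.test", "SIZE 35882577", "STARTTLS", "AUTH PLAIN LOGIN", "8BITMIME"]
    return [f"250-{c}" for c in caps[:-1]] + [f"250 {caps[-1]}"]


def server_starttls_reply() -> str:
    """What the honest server answers to the STARTTLS command."""
    return "220 2.0.0 Ready to start TLS"


def strip_capability(reply: List[str]) -> List[str]:
    """STRIPTLS variant 1: remove the STARTTLS line so the client never sees the offer.
    The last surviving line is rewritten with '250 ' so the reply stays well-formed."""
    kept = [line for line in reply if line[4:].split()[0].upper() != "STARTTLS"]
    kept[-1] = "250 " + kept[-1][4:]
    return kept


def refuse_starttls(_server_reply: str) -> str:
    """STRIPTLS variant 2: let the offer through but answer the STARTTLS command
    with a temporary failure instead of forwarding the server's 220."""
    return "454 4.7.0 TLS not available due to temporary reason"


def parse_capabilities(reply: List[str]) -> set:
    """Keyword of every line after the greeting line, e.g. {'SIZE', 'STARTTLS', ...}."""
    return {line[4:].split()[0].upper() for line in reply[1:]}


def client_session(ehlo_reply: List[str],
                   starttls_reply_fn: Callable[[str], str],
                   require_tls: bool) -> str:
    """Run the client's decision logic and return what ends up on the wire:
    'tls'       - TLS is negotiated before AUTH / MAIL FROM
    'plaintext' - AUTH and the message would go out unencrypted
    Raises TlsNotAvailable when require_tls is set and TLS cannot be established."""
    caps = parse_capabilities(ehlo_reply)
    if "STARTTLS" not in caps:
        if not require_tls:
            # Opportunistic policy: "server doesn't support it", carry on in the clear.
            return "plaintext"
        raise TlsNotAvailable("STARTTLS not advertised; refusing to send in the clear")
    reply = starttls_reply_fn(server_starttls_reply())
    if reply.startswith("220"):
        return "tls"
    if not require_tls:
        # Constructed fallback for the opportunistic policy; a strict client must not do this.
        return "plaintext"
    raise TlsNotAvailable(f"STARTTLS refused: {reply}")


def run(require_tls: bool, attack: Optional[str] = None) -> str:
    """attack is None, 'strip_capability' or 'refuse_starttls'.
    Returns 'tls', 'plaintext' or 'aborted'."""
    def forward(server_reply: str) -> str:   # no attacker: pass the 220 through unchanged
        return server_reply

    ehlo = server_ehlo_reply()
    starttls_fn: Callable[[str], str] = forward
    if attack == "strip_capability":
        ehlo = strip_capability(ehlo)
    elif attack == "refuse_starttls":
        starttls_fn = refuse_starttls
    try:
        return client_session(ehlo, starttls_fn, require_tls)
    except TlsNotAvailable:
        return "aborted"


if __name__ == "__main__":
    for require in (False, True):
        for attack in (None, "strip_capability", "refuse_starttls"):
            print(f"require_tls={require!s:5} attack={attack!s:17} -> {run(require, attack)}")
```

Only the `require_tls=True` rows end in `aborted` under either manipulation; the opportunistic rows end in `plaintext`, which is the failure mode described above. Against a real server the same thing can be eyeballed with `openssl s_client -starttls smtp -connect host:587`, which shows whether STARTTLS is advertised and whether the handshake completes; a require-TLS option makes the notification client treat either answer being "no" as fatal instead of as permission to send in the clear.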
jimp Rebel Alliance Developer Netgate
last edited by Sep 21, 2016, 1:00 PM

Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.
NOYB
last edited by Sep 21, 2016, 9:33 PM

@jimp:

Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.

Yup. That's all I changed.

As for submitting a PR for it:

1. Don't know where the pfSense pear source is.
2. Don't want the liability of this on my shoulders.
  2a) Don't know enough about pear mail to know what ramifications may lurk, how reliable it is at ensuring a TLS connection, or the possibility of it preventing one, etc.
  2b) Like I said in the previous post: not adequately tested.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.