Enable STARTTLS Option Missing



  • Is the removal of the "Enable STARTTLS" option from the email notifications config intentional? If so, why?


  • Rebel Alliance Developer Netgate

    The mail backend was changed out

    https://github.com/pfsense/pfsense/commit/c8c46e5a8e9551db0172b79aae1fee4553b3bf7d

    • Added timeout parameter for SMTP configuration
    • Removed STARTTLS option, it's enabled automatically by pear-Mail when
        server supports it


  • That leaves it vulnerable to a STRIPTLS attack, because the pear-mail client does not require TLS to be used and will fall back to plain text if the server does not support STARTTLS.  ISPs have been known to be fond of using STRIPTLS.

    https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations

    Would like to see the option still available and used for the client to force/require TLS when STARTTLS is enabled.


  • Rebel Alliance Developer Netgate

    Have you tried it, though?

    Looking at it briefly it seems like it's always forcing SSL and fails if it doesn't exist. Which may be good, but not if someone has a server out there that doesn't support SSL or STARTTLS… but in this day and age that's probably not a bad thing to reject.



  • Yes.  I've tried it.  Have also patched my 2.4 installation to require STARTTLS.

    Pear mail client will use STARTTLS if the server supports it.  Otherwise it will go ahead and send in the clear.  Hence "Opportunistic TLS".

    Have a look at the if statement in the pear-mail auth function.  It will only attempt STARTTLS if the server response indicates support.

    PEAR Mail STRIPTLS Mitigation Request Example:
    An option to require STARTTLS should be added to mitigate STRIPTLS attack vector.
    http://pear.php.net/bugs/bug.php?id=21117

    pfSense Notification Example Attached:

    I make no guarantees or warranties as to the suitability or reliability of any of these examples.  They are intended only as examples and are not adequately tested.  Any and all usage is strictly and completely at the user's own risk.

    pfSense_EMail_Notice_STARTTLS_Require_TLS.patch.txt
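To make the failure mode discussed above concrete, the following is an added Python example (not code from the thread, from pfSense, or from PEAR Mail) that models the opening SMTP exchange with both sides' messages as byte strings and no network I/O. It contrasts the opportunistic behaviour described in the post (use STARTTLS only if the server advertises it, otherwise continue in the clear) with the "require STARTTLS" behaviour requested as a mitigation, and includes a `striptls()` function that plays the on-path attacker deleting the STARTTLS capability from the EHLO reply. The EHLO response, host names and addresses are constructed sample data, and the function names are this example's own.

```python
"""Simulated SMTP STARTTLS negotiation: opportunistic vs. required TLS.

Constructed example with no network access. Both sides' messages are
modelled as byte strings so the STRIPTLS effect is visible in the transcript.
"""

# Constructed EHLO reply from a server that supports STARTTLS
# (not captured from any real server).
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 AUTH PLAIN LOGIN\r\n"
)


def striptls(ehlo_response: bytes) -> bytes:
    """Model an on-path attacker removing the STARTTLS line from an EHLO reply.

    In a multi-line reply every line but the last uses '250-' and the last
    uses '250 ', so the separators are rewritten after the line is dropped.
    """
    lines = [l for l in ehlo_response.split(b"\r\n") if l]
    kept = [l for l in lines if l[4:].upper() != b"STARTTLS"]
    kept = [b"250-" + l[4:] for l in kept]      # normalise every line ...
    kept[-1] = b"250 " + kept[-1][4:]           # ... and re-mark the last one
    return b"\r\n".join(kept) + b"\r\n"


def parse_capabilities(ehlo_response: bytes) -> set:
    """Return the ESMTP keywords advertised after the greeting line."""
    lines = [l for l in ehlo_response.split(b"\r\n") if l]
    caps = set()
    for line in lines[1:]:                      # lines[0] is the greeting
        if line.startswith(b"250"):
            caps.add(line[4:].split(b" ")[0].upper())
    return caps


def negotiate(ehlo_response: bytes, require_tls: bool):
    """Client side of the opening exchange.

    Returns (outcome, transcript) where outcome is one of:
      "tls"       - STARTTLS advertised, client upgrades the session
      "plaintext" - STARTTLS absent and not required, client keeps going in the clear
      "refused"   - STARTTLS absent and required, client aborts instead
    """
    transcript = [("C", b"EHLO client.example.test\r\n"), ("S", ehlo_response)]
    if b"STARTTLS" in parse_capabilities(ehlo_response):
        transcript += [("C", b"STARTTLS\r\n"),
                       ("S", b"220 2.0.0 Ready to start TLS\r\n"),
                       ("*", b"<TLS handshake; session now encrypted>")]
        return "tls", transcript
    if require_tls:
        transcript.append(("C", b"QUIT\r\n"))   # refuse to deliver in the clear
        return "refused", transcript
    # Opportunistic behaviour: nothing was advertised, so carry on unencrypted.
    transcript.append(("C", b"MAIL FROM:<alerts@example.test>\r\n"))
    return "plaintext", transcript


def show(label: str, outcome: str, transcript) -> None:
    print(f"== {label}: outcome={outcome}")
    for side, msg in transcript:
        print(f"  {side}: {msg.decode(errors='replace').rstrip()}")


if __name__ == "__main__":
    stripped = striptls(EHLO_WITH_STARTTLS)
    show("honest server, opportunistic", *negotiate(EHLO_WITH_STARTTLS, False))
    show("STRIPTLS in path, opportunistic", *negotiate(stripped, False))
    show("STRIPTLS in path, TLS required", *negotiate(stripped, True))
```

Run it directly to see the three transcripts side by side: the opportunistic client never notices that the attacker touched the EHLO reply, because from its point of view the server simply "does not support STARTTLS", which is exactly why a client-side require-TLS switch is the only thing that turns a silent downgrade into a visible failure.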


  • Rebel Alliance Developer Netgate

    Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.



  • @jimp:

    Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.

    Yup.  That's all I changed.

    As for submitting a PR for it:

    1. Don't know where the pfSense pear source is.
    2. Don't want the liability of this on my shoulders.
      2a) Don't know enough about pear mail to know what ramifications may lurk, how reliable it may be at ensuring a TLS connection, or the possibility of it preventing one, etc.
      2b) Like I said in the previous post, it is not adequately tested.
