Enable STARTTLS Option Missing

NOYB · Sep 12, 2016, 8:07 PM

Is the "Enable STARTTLS" option removal from email notifications config intentional. If so why?

jimp · Sep 20, 2016, 7:00 PM

The mail backend was changed out

https://github.com/pfsense/pfsense/commit/c8c46e5a8e9551db0172b79aae1fee4553b3bf7d

Added timeout parameter for SMTP configuration

Removed STARTTLS option, it's enabled automatically by pear-Mail when
server supports it

NOYB · Sep 20, 2016, 9:34 PM

That leaves it vulnerable to STRIPTLS attack because the pear-mail client does not require TLS be used and will fall back to plain text if server does not support STARTTLS. ISP's have been known to be fond of using STRIPTLS.

https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations

Would like to see the option still available and used for the client to force/require TLS when STARTTLS is enabled.

jimp · Sep 20, 2016, 10:07 PM

Have you tried it, though?

Looking at it briefly it seems like it's always forcing SSL and fails if it doesn't exist. Which may be good, but not if someone has a server out there that doesn't support SSL or STARTTLS… but in this day and age that's probably not a bad thing to reject.

NOYB · Sep 21, 2016, 12:01 AM

Yes. I've tried it. Have also patched my 2.4 installation to require STARTTLS.

Pear mail client will use STARTTLS if the server supports it. Otherwise it will go ahead and send in the clear. Hence "Opportunistic TLS".

Have a look at pear-mail auth function if statement. It will only attempt STARTTLS if server response indicates support.

PEAR Mail STRIPTLS Mitigation Request Example:
An option to require STARTTLS should be added to mitigate STRIPTLS attack vector.
http://pear.php.net/bugs/bug.php?id=21117

pfSense Notification Example Attached:

I make to guarantees or warrantees as to the suitability or reliability for any of these examples. They are intended only as examples and not adequately tested. Any and all usage is strictly and completely at the users own risk.

pfSense_EMail_Notice_STARTTLS_Require_TLS.patch.txt

jimp · Sep 21, 2016, 1:00 PM

Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.

NOYB · Sep 21, 2016, 9:33 PM

@jimp:

Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.

Yup. That's all I changed.

As for submitting a PR for it.

Don't know where the pfSense pear source is.
Don't want the liability of this on my shoulders.
2a) Don't know enough about pear mail to know what ramification may lurk or how reliable at insuring a TLS connection may be, or the possibility of it preventing one. etc.
2b) Like I said in previous post. Not adequately tested.