Enable STARTTLS Option Missing
-
Is the "Enable STARTTLS" option removal from email notifications config intentional? If so, why?
-
The mail backend was changed out
https://github.com/pfsense/pfsense/commit/c8c46e5a8e9551db0172b79aae1fee4553b3bf7d
- Added timeout parameter for SMTP configuration
- Removed STARTTLS option, it's enabled automatically by pear-Mail when server supports it
-
That leaves it vulnerable to a STRIPTLS attack because the pear-mail client does not require that TLS be used and will fall back to plain text if the server does not support STARTTLS. ISPs have been known to be fond of using STRIPTLS.
https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations
Would like to see the option still available and used for the client to force/require TLS when STARTTLS is enabled.
-
Have you tried it, though?
Looking at it briefly it seems like it's always forcing SSL and fails if it doesn't exist. Which may be good, but not if someone has a server out there that doesn't support SSL or STARTTLS… but in this day and age that's probably not a bad thing to reject.
-
Yes. I've tried it. Have also patched my 2.4 installation to require STARTTLS.
Pear mail client will use STARTTLS if the server supports it. Otherwise it will go ahead and send in the clear. Hence "Opportunistic TLS".
Have a look at the if statement in the pear-mail auth function. It will only attempt STARTTLS if the server response indicates support.
PEAR Mail STRIPTLS Mitigation Request Example:
An option to require STARTTLS should be added to mitigate STRIPTLS attack vector.
http://pear.php.net/bugs/bug.php?id=21117
pfSense Notification Example Attached:
I make no guarantees or warranties as to the suitability or reliability of any of these examples. They are intended only as examples and are not adequately tested. Any and all usage is strictly and completely at the user's own risk.
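To make the opportunistic-versus-required distinction from the posts above concrete, here is an added example (it is not pfSense code, not PEAR Mail code, and not the patch mentioned above). It scripts the SMTP EHLO phase in memory with both sides' messages: one server advertises STARTTLS, the other represents what a client sees after a STRIPTLS middlebox has deleted the `250-STARTTLS` capability line. The client then applies either policy. The hostnames, the `ScriptedServer` class and the `negotiate` function are all constructed for this example.

```python
# Added example, not pfSense or PEAR Mail code: a scripted SMTP client/server
# exchange contrasting opportunistic STARTTLS (falls back to cleartext when the
# EHLO reply lacks STARTTLS) with a "require STARTTLS" policy (aborts instead).
# A STRIPTLS middlebox works by removing the "250-STARTTLS" line from the EHLO
# reply; ScriptedServer(advertise_starttls=False) reproduces exactly that view.


class StripTlsDetected(Exception):
    """Raised when TLS is required but the server did not offer STARTTLS."""


class ScriptedServer:
    """Minimal in-memory SMTP server: canned replies, records what the client sent."""

    def __init__(self, advertise_starttls):
        self.advertise_starttls = advertise_starttls
        self.received = []

    def greet(self):
        return "220 mail.example.test ESMTP"  # constructed hostname

    def handle(self, line):
        self.received.append(line)
        verb = line.split()[0].upper()
        if verb == "EHLO":
            caps = ["250-mail.example.test", "250-SIZE 10240000"]
            if self.advertise_starttls:
                caps.append("250-STARTTLS")
            caps.append("250 AUTH PLAIN LOGIN")
            return "\r\n".join(caps)
        if verb == "STARTTLS":
            return "220 Ready to start TLS"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"


def parse_ehlo(reply):
    """Return the set of capability keywords from a multi-line 250 EHLO reply."""
    caps = set()
    for line in reply.split("\r\n")[1:]:  # first line carries only the hostname
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: " + line)
        caps.add(line[4:].split()[0].upper())
    return caps


def negotiate(server, require_tls):
    """Run the EHLO/STARTTLS phase against a server.

    Returns ("tls", transcript) when STARTTLS was issued, ("plain", transcript)
    when the client fell back to cleartext, and raises StripTlsDetected when
    require_tls is set and the server did not offer STARTTLS.
    """
    transcript = ["S: " + server.greet()]
    transcript.append("C: EHLO client.example.test")  # constructed hostname
    reply = server.handle("EHLO client.example.test")
    transcript.extend("S: " + ln for ln in reply.split("\r\n"))
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        transcript.append("C: STARTTLS")
        transcript.append("S: " + server.handle("STARTTLS"))
        return "tls", transcript
    if require_tls:
        # Required-TLS policy: say goodbye instead of sending anything in the clear.
        transcript.append("C: QUIT")
        transcript.append("S: " + server.handle("QUIT"))
        raise StripTlsDetected(
            "server did not advertise STARTTLS; refusing cleartext\n"
            + "\n".join(transcript)
        )
    # Opportunistic policy: continue in cleartext, which is what STRIPTLS relies on.
    return "plain", transcript


def outcome(advertise_starttls, require_tls):
    """Convenience wrapper returning 'tls', 'plain' or 'aborted'."""
    try:
        mode, _ = negotiate(ScriptedServer(advertise_starttls), require_tls)
        return mode
    except StripTlsDetected:
        return "aborted"


if __name__ == "__main__":
    for label, adv in (("honest server", True), ("stripped server", False)):
        for policy in (False, True):
            print(f"{label:16s} require_tls={policy}: {outcome(adv, policy)}")
```

Only the stripped-server, require_tls=True case aborts; the other three proceed, and the stripped-server, opportunistic case is the cleartext fallback the thread is concerned about. A real client built on the standard library makes the same decision by calling `smtplib.SMTP.ehlo()` and then checking `has_extn("starttls")` before `starttls()`, treating a False result as a hard failure rather than a reason to continue.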
-
Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.
-
Was that the only change required? Nothing changed in the Pear mail library? If so that looks easy enough to include if you create a PR with it.
Yup. That's all I changed.
As for submitting a PR for it.
1) Don't know where the pfSense pear source is.
2) Don't want the liability of this on my shoulders.
2a) Don't know enough about pear mail to know what ramifications may lurk, or how reliable at ensuring a TLS connection it may be, or the possibility of it preventing one, etc.
2b) Like I said in previous post. Not adequately tested.