This repository has been archived by the owner on Dec 23, 2023. It is now read-only.

Option to trust self-signed certificates #30

Closed
loqster opened this issue May 25, 2022 · 10 comments

@loqster

loqster commented May 25, 2022

Hi,

Would there be a way to prevent TLS/SSL certificate verification?

Seems that changes to the config.yml are not working.

Have set the following:

```yaml
security:
  pepper: '123456'
  allow_signup: true
  verify_users: false
  verify_senders: false
```

But the system still attempts to send the verification email, which subsequently fails due to the SMTP relay using a self-signed certificate.

```text
± |master ✓| → docker logs mailwhale
2022-05-25T10:09:57.380930606Z [INFO ] ---
2022-05-25T10:09:57.380955667Z [INFO ] This instance is assumed to be publicly accessible at: http://localhost:3000
2022-05-25T10:09:57.380958788Z [INFO ] User registration enabled: true
2022-05-25T10:09:57.380960534Z [INFO ] Account activation required: true
2022-05-25T10:09:57.380962025Z [INFO ] Sender address verification required: true
2022-05-25T10:09:57.380963458Z [INFO ] ---
2022-05-25T10:09:57.382765931Z [INFO ] web server started, listening on 0.0.0.0:3000
.
.
.
2022-05-25T10:10:45.912522437Z [INFO ] created user 'xxxx@xxxxxxxxxx.com'
2022-05-25T10:10:45.912593829Z [INFO ] [request] status=201, method=POST, uri=/api/user, duration=92.273016ms, bytes=119, addr=172.17.0.1:51922
2022-05-25T10:10:45.934366226Z [INFO ] [request] status=200, method=GET, uri=/login, duration=106.7µs, bytes=533, addr=172.17.0.1:51922
2022-05-25T10:10:46.124002533Z [INFO ] [request] status=304, method=GET, uri=/build/bundle.css, duration=58.916µs, bytes=0, addr=172.17.0.1:51922
2022-05-25T10:10:46.124411257Z [INFO ] [request] status=304, method=GET, uri=/build/bundle.js, duration=59.983µs, bytes=0, addr=172.17.0.1:51924
2022-05-25T10:11:07.18150931Z [ERROR] failed to send user verification to 'xxxx@xxxxxxxxxx.com': x509: certificate signed by unknown authority
```

Please advise if a way exists to disable that check or to trust that certificate or a method to disable the activation / verification requirements.

@muety
Owner

muety commented May 25, 2022

Is your SMTP server using TLS, but with a self-signed certificate?

@loqster
Author

loqster commented May 25, 2022

Yes.

It's a local postfix instance used as a relay.

It does have an 'openssl' generated cert that is self-signed.

Initially the error was as follows:

```text
2022-05-25T09:32:46.025029473Z [ERROR] failed to send user verification to 'xxxx@xxxxxx.com': x509: certificate relies on legacy Common Name field, use SANs instead
```

After the certificate was regenerated with the missing bits the error changed, and now 'unknown authority' is the issue.

```text
2022-05-25T10:11:07.18150931Z [ERROR] failed to send user verification to 'xxxx@xxxxxx.com': x509: certificate signed by unknown authority
```

This error is not a big issue, but it would indicate that even if I manage to disable verification / activation it would be encountered while sending actual emails.

@muety
Owner

muety commented May 25, 2022

Agreed! Will add this soon.

@muety muety changed the title Local SMTP TLS ERROR Option to trust self-signed certificates May 25, 2022
@muety muety self-assigned this May 25, 2022
@loqster
Author

loqster commented May 25, 2022

Thank you.

In the meantime, is there a way to disable activation / verification?

```text
Account activation required: true
Sender address verification required: true
```

In my config.yml I have these set to 'false', but the app seems to ignore these settings.

@muety
Owner

muety commented May 25, 2022

Environment variables override config variables and the Docker image has some set by default (

mailwhale/Dockerfile

Lines 29 to 41 in 065f29f

```dockerfile
ENV MW_ENV=prod
ENV MW_SMTP_HOST=''
ENV MW_SMTP_PORT=''
ENV MW_SMTP_USER=''
ENV MW_SMTP_PASS=''
ENV MW_SMTP_TLS=false
ENV MW_WEB_LISTEN_V4=0.0.0.0:3000
ENV MW_WEB_PUBLIC_URL=http://localhost:3000
ENV MW_SECURITY_PEPPER=''
ENV MW_SECURITY_ALLOW_SIGNUP=true
ENV MW_SECURITY_VERIFY_USERS=true
ENV MW_SECURITY_VERIFY_SENDERS=true
ENV MW_STORE_PATH=/data/data.json.db
```

) (which we might rethink anyway). If you set these variables on your Docker container (using `-e` with `docker run`) things should work as expected.

@loqster
Author

loqster commented May 25, 2022

Thank you for the advice.

That worked perfectly.

@muety muety closed this as completed in 1b437f4 May 25, 2022
@muety
Owner

muety commented May 25, 2022

Please check if my recent changes fit your needs.

@loqster
Author

loqster commented May 26, 2022

Yes.

Have rebuilt the container image.
It picks up changes in the config.
And the newly introduced flag works.

Still receiving an error, but it is unrelated. Simply the local relay is locked down via IP whitelists and provides no authentication.

```text
[ERROR] failed to send user verification to 'xxxx@xxxxxx.com': smtp: server doesn't support AUTH
```

So if I enable AUTH that should work now, as there is no issue with the self-signed certificate.

Unless there is an option to disable authentication attempts from the app itself.

@muety
Owner

muety commented May 27, 2022

Good point, I created a new issue and will hopefully get to it soon.

@loqster
Author

loqster commented May 27, 2022

> Good point, I created a new issue and will hopefully get to it soon.

Awesome, thank you. Did not expect any work, but I appreciate it as it would be useful.

Got the notification of the ticket created, so I can test whenever the feature gets included.

I'm using this app for InfluxDB v2, as somehow it only works with HTTP APIs and does not have direct configuration for SMTP.
