
Bug: SMTP to port 465 should use TLS from the start #3429

Closed
tangix opened this issue Jul 31, 2020 · 2 comments · Fixed by #3430
Labels
bug Verified issues on the current code behavior or pull requests that will fix them

Comments

@tangix
Contributor

tangix commented Jul 31, 2020

Describe the bug
As per this thread on the forum: https://forum.codeigniter.com/thread-77192.html I'd say that the logic when connecting to the SMTP server is flawed. The SMTPCrypto setting complicates matters further since it controls the channel or the upgrade of the channel.
Connection to port 465 should use implicit TLS as per RFC 8314 (i.e. the SMTPCrypto should be "ssl", but this is confusing as the server should require TLS). A STARTTLS command may be issued. However, some servers (Amazon SES for example) do not allow STARTTLS on port 465, but require it on port 587.
Setting $SMTPCrypto = 'ssl' allows connecting to servers on port 587 but doesn't run the STARTTLS command, so email submission will fail.

Furthermore, the PHP constant STREAM_CRYPTO_METHOD_TLS_CLIENT only enables TLS version 1.0 so STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT should be used in the call to stream_socket_enable_crypto if $SMTPCrypto = 'tls' is used. (Possibly STREAM_CRYPTO_METHOD_ANY_CLIENT may be used, but this would also enable SSL ciphers and I cannot say I understand the security implications of this).

I believe

CodeIgniter 4 version
4.0.4

Affected module(s)
Email Library

Expected behavior, and steps to reproduce if appropriate
When connecting to 465, the Email Library should always use TLS when connecting. SMTPCrypto should be set to blank.
When connecting to 587 SMTPCrypto should be set to tls to enable SMTP command STARTTLS to run.
The setting "ssl" doesn't make any sense but is required to get a connection to 465 working.

Context

  • PHP version 7.3.20
tangix added the bug label Jul 31, 2020
@crustamet
Contributor

crustamet commented Jul 31, 2020

The thing is there is one more crypto and that is STARTTLS, which uses port 587.
And this works, but I don't see code for it; I guess it works automatically...

I hope this commit gets merged; I was using STARTTLS anyway.

@tangix
Contributor Author

tangix commented Aug 1, 2020

> The thing is there is one more crypto and that is STARTTLS, which uses port 587.

I am not sure I understand correctly, this would still work with the configuration $SMTPPort = 587 and $SMTPCrypto = 'tls'.
The confusion in the old code is with servers on port 465 where you had to specify $SMTPCrypto = 'ssl' to connect to the server encrypted. That setting would not (and should not) issue STARTTLS.
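
The connection logic described in the opening report and restated in the reply above, as an added example that is neither the Email Library's code nor the fix commit: port 465 gets implicit TLS from the first byte, port 587 (or any port with SMTPCrypto set to 'tls') does a plaintext EHLO, checks that STARTTLS is advertised, upgrades the socket, and EHLOs again as RFC 3207 requires. The crypto method is built from explicit per-version constants rather than STREAM_CRYPTO_METHOD_TLS_CLIENT, as the report suggests. The function names and the host smtp.example.com are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's code: choose implicit TLS (port 465,
// RFC 8314) or STARTTLS (port 587, RFC 3207) and upgrade the socket with
// explicit TLS version flags. All function names below are the example's own.

// Read one (possibly multi-line) SMTP reply; returns [code, lines].
function smtpReadReply($fp): array
{
    $code  = 0;
    $lines = [];
    while (($line = fgets($fp, 1024)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (!preg_match('/^(\d{3})([ -])/', $line, $m)) {
            throw new RuntimeException("Malformed SMTP reply: $line");
        }
        $code = (int) $m[1];
        if ($m[2] === ' ') {          // "250 " ends the reply, "250-" continues it
            break;
        }
    }
    return [$code, $lines];
}

// Send one command and require a specific reply code.
function smtpCommand($fp, string $cmd, int $expected): array
{
    fwrite($fp, $cmd . "\r\n");
    [$code, $lines] = smtpReadReply($fp);
    if ($code !== $expected) {
        throw new RuntimeException("$cmd failed: " . implode("\n", $lines));
    }
    return $lines;
}

// Explicit TLS versions instead of STREAM_CRYPTO_METHOD_TLS_CLIENT: TLS 1.2,
// plus 1.3 where this PHP build defines the constant. The report's suggested set
// also ORs in STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
// add those only for legacy servers that cannot do 1.2.
function tlsClientMethods(): int
{
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    return $methods;
}

// Returns [stream, EHLO capability lines] with EHLO completed over an encrypted
// channel. $crypto mirrors SMTPCrypto: 'tls' => STARTTLS; 'ssl' => implicit TLS;
// '' is accepted only on 465, which is always implicit TLS whatever $crypto says.
function smtpConnectSecure(string $host, int $port, string $crypto, int $timeout = 10): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
        'crypto_method'    => tlsClientMethods(),
    ]]);

    $implicit = ($port === 465) || ($crypto === 'ssl');
    if (!$implicit && $crypto !== 'tls') {
        throw new InvalidArgumentException("Refusing plaintext SMTP to $host:$port; set SMTPCrypto to 'tls' for STARTTLS");
    }

    // tls:// encrypts before any SMTP byte is exchanged; tcp:// starts in the clear.
    $scheme = $implicit ? 'tls' : 'tcp';
    $fp = @stream_socket_client("$scheme://$host:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("Connect failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, $timeout);

    [$code, $lines] = smtpReadReply($fp);          // 220 server greeting
    if ($code !== 220) {
        throw new RuntimeException('Bad greeting: ' . implode("\n", $lines));
    }
    $ehlo = smtpCommand($fp, 'EHLO localhost', 250);

    if (!$implicit) {
        // RFC 3207: issue STARTTLS only if advertised, then discard the
        // plaintext EHLO state and EHLO again over the encrypted channel.
        if (!preg_grep('/^250[ -]STARTTLS$/i', $ehlo)) {
            throw new RuntimeException("$host:$port does not offer STARTTLS");
        }
        smtpCommand($fp, 'STARTTLS', 220);
        if (stream_socket_enable_crypto($fp, true, tlsClientMethods()) !== true) {
            throw new RuntimeException('TLS handshake failed');
        }
        $ehlo = smtpCommand($fp, 'EHLO localhost', 250);
    }
    return [$fp, $ehlo];
}

// Usage (needs network access; host is a placeholder):
// [$fp, $caps] = smtpConnectSecure('smtp.example.com', 465, '');     // implicit TLS
// [$fp, $caps] = smtpConnectSecure('smtp.example.com', 587, 'tls');  // STARTTLS
```

Two points worth checking when adapting this: a server that accepts the plaintext EHLO but does not list STARTTLS must be treated as a failure rather than silently continuing in the clear, and the second EHLO after the upgrade is mandatory because capabilities advertised before STARTTLS (including AUTH mechanisms) are not to be trusted.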

michalsn added a commit that referenced this issue Aug 1, 2020
Clearing up confusion with TLS and SSL in Email Library, fixes #3429