-
-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed to send a testing email to '[email]': gomail: could not send email 1: Auth: unencrypted connection #7966
Comments
If you can find your way around to do this task, I suggest you set up an intermediate server. For instance, if you're running Gitea in a Linux box you can use postfix locally with an ad-hoc certificate to serve Gitea. You then make postfix use your real mail server as a relay. This however is something that requires some patience to set up, and at least some skills on the platform you're using. On Windows there are some free smtp servers too that you can use for this (though none comes to mind at the moment). |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
@stale nope |
Cannot reproduce this when |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
@lunny successfully reproduced with |
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions. |
@stale nope |
@andreymal we're gonna need some more information. Are you really still getting the same message because I can't completely trace a route for Gitea to end up displaying that. I take it this is still failing on 1.11/1.12/master? |
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions. |
@stale maybe I'll retest it in a clean environment someday |
I met the problem,too. Our email server stmp port is 25, and I failed to send a testing email to '[email]': gomail: could not send email 1: Auth: unencrypted connection, and my gitea version is 1.11.5 @andreymal |
@wu9961 that error ultimately comes from here: https://golang.org/src/net/smtp/auth.go#L68 The surrounding function is: func (a *plainAuth) Start(server *ServerInfo) (string, []byte, error) {
// Must have TLS, or else localhost server.
// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
// In particular, it doesn't matter if the server advertises PLAIN auth.
// That might just be the attacker saying
// "it's ok, you can trust me with your password."
if !server.TLS && !isLocalhost(server.Name) {
return "", nil, errors.New("unencrypted connection")
}
if server.Name != a.host {
return "", nil, errors.New("wrong host name")
}
resp := []byte(a.identity + "\x00" + a.username + "\x00" + a.password)
return "PLAIN", resp, nil
} Therefore the reason is that Go does not permit authentication unless TLS is enabled or the server is localhost. |
References go-gitea#7966 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add warning to mailer documentation about authentication References #7966 Signed-off-by: Andrew Thornton <art27@cantab.net> * As per @guillep2k and @mrsdizzie * as per @mrsdizzie Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
OK I've made changes to the docs to better explain what is going on. Therefore I'll close this. |
It's deliberate by Golang to prevent STRIPTLS attacks: https://www.digicert.com/blog/striptls-attacks-and-email-security/ http://www.emaildiscussions.com/showthread.php?t=71133&highlight=smtp+encryption https://securityonline.info/striptls-stripping-attacks/ We cannot allow Authentication with non-encrypted SMTP servers because of MITM attacks. |
By specifying When a program tries to be smarter than a user, it results in stupidity. |
could you enable CRAM-MD5 authentication on that server? |
Like TLS, this is not needed on local IP. I just want to ignore any security considerations and use PLAIN without TLS because I know what I'm doing ¯\_(ツ)_/¯ (Unfortunately, I can't disable authentication at all because my server may be used by other users. They can't MITM, but they can use the server) |
OK First Copy and adjust appropriately: type plainAuth struct {
identity, username, password string
host string
}
// PlainAuth returns an Auth that implements the PLAIN authentication
// mechanism as defined in RFC 4616. The returned Auth uses the given
// username and password to authenticate to host and act as identity.
// Usually identity should be the empty string, to act as username.
//
// PlainAuth will only send the credentials if the connection is using TLS
// or is connected to localhost. Otherwise authentication will fail with an
// error, without sending the credentials.
func PlainAuth(identity, username, password, host string) Auth {
return &plainAuth{identity, username, password, host}
}
func isLocalhost(name string) bool {
return name == "localhost" || name == "127.0.0.1" || name == "::1"
}
func (a *plainAuth) Start(server *ServerInfo) (string, []byte, error) {
// Must have TLS, or else localhost server.
// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
// In particular, it doesn't matter if the server advertises PLAIN auth.
// That might just be the attacker saying
// "it's ok, you can trust me with your password."
if !server.TLS && !isLocalhost(server.Name) {
return "", nil, errors.New("unencrypted connection")
}
if server.Name != a.host {
return "", nil, errors.New("wrong host name")
}
resp := []byte(a.identity + "\x00" + a.username + "\x00" + a.password)
return "PLAIN", resp, nil
}
func (a *plainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
if more {
// We've already sent everything.
return nil, errors.New("unexpected server challenge")
}
return nil, nil
} in to services/mailer/mailer.go We would need explicit settings to exclude these safety parameters - likely some sort of rationalisation of IS_TLS_ENABLED - perhaps as it currently standards one should become USE_SMTPS with it being true, false, default. |
This comment has been minimized.
This comment has been minimized.
Or just implement the PR I've suggested above which means we avoid the golang issue entirely and do it within Gitea. |
I have a mail server that requires username and password, but does not use TLS (yup, this is unsafe SASL PLAIN). And email in Gitea does not work with this server. Thunderbird works fine.
IS_TLS_ENABLED is false of course.
Probably related to #5967 (reopen?)
The text was updated successfully, but these errors were encountered: