[Bug]: Can't send mail in plain text to 127.0.0.1 after update to 26.0.4, or can't use STARTTLS with TLS v1. The mail system requires min TLS v1.2! #39538
Comments
Hi @sonic42 - Thanks for the report. I'm having difficulty interpreting your report. Are you saying you do not want STARTTLS to be used? That's easy: just configure your SMTP server to not offer it: https://www.postfix.org/postconf.5.html#smtpd_tls_security_level We only use it if it's offered. And we already do TLS v1.2. If that doesn't fix it, please provide the output of
Hi @joshtrichards Thanks for your answer. The Postfix instance is reachable from the internet. It isn't a good idea to disable STARTTLS. Nextcloud offers only TLS v1. Clearly, again, "plain text" is plain text and does not secure the connection with a STARTTLS command. This can't be the same control. With Nextcloud 25, those were two separate controls on the configuration page. The primary problem for me is this possibly hard-coded TLS v1 and not making a TLS handshake for supported TLS versions / ciphers. And Roundcube, installed on the same Linux system for testing (separate Apache vhost), works well sending mail:
I think this is not an Apache / PHP or Postfix configuration issue. The only reason for using plain text is this TLS v1 problem. Without it, I can disable plain text in the Postfix configuration. The Postfix log from the starting post says the connection from Nextcloud (new Symfony mailer) is not offering / using higher TLS versions / ciphers than v1. The log from nmap --script ssl-enum-ciphers -p 25 127.0.0.1:
How can I test it? System:
Add the snippet above to your config.php. If sending an email then works, it's an issue with your certificate (either the server does not trust the CA or the certificate is not valid for the hostname). Symfony Mailer does not provide an option to not use STARTTLS.
Hi @kesselb The problem is not "tlsv1 alert unknown ca"; it is a TLS library problem: error:0A00010B:SSL routines::wrong version. After diving more into this, the encryption control on the configuration page has no effect. All connection attempts from Nextcloud/symfony require negotiation of TLS/SSL at connection setup, including with STARTTLS configured. After configuring a postfix port 465 (smtps in master.cf) with option Thanks for your help...
Did it work?
As I wrote before, the symfony/mailer does not provide an option to not use STARTTLS. SSL/TLS and STARTTLS are not the same. For STARTTLS the connection is established unencrypted, and the applications switch to encrypted when both parties are compatible. The usual configuration in Nextcloud 26 is port = 25 or port 587 and mail_smtpsecure = ''. SSL/TLS port = 465 and mail_smtpsecure = 'ssl'. The SMTP connection is wrapped inside a TLS connection (similar to HTTP and HTTPS). For both cases: If you connect to 127.0.0.1 then your certificate needs to be valid for 127.0.0.1.
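The behaviour described in the comment above, modelled as an added example (not code from Nextcloud, Symfony Mailer or any participant in this thread): it decides which transport a client that uses STARTTLS whenever it is offered would pick, and whether the certificate covers the host it connected to. The function names, the EHLO reply, the host name mail.example.test and both certificate dicts are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the thread): an EHLO reply and two
# certificates in the dict layout returned by ssl.SSLSocket.getpeercert().
EHLO_REPLY = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
CERT_DNS_ONLY = {"subjectAltName": (("DNS", "mail.example.test"),)}
CERT_WITH_IP = {"subjectAltName": (("DNS", "mail.example.test"),
                                   ("IP Address", "127.0.0.1"))}

def starttls_offered(ehlo_reply):
    """True if the EHLO reply advertises the STARTTLS extension (RFC 3207)."""
    lines = ehlo_reply.splitlines()[1:]   # first line is the server greeting
    for line in lines:
        words = line[4:].split()          # strip the "250-" / "250 " prefix
        if line.startswith("250") and words and words[0].upper() == "STARTTLS":
            return True
    return False

def transport_mode(smtpsecure, ehlo_reply):
    """Assumed model of the client behaviour described in the thread."""
    if smtpsecure == "ssl":
        return "implicit-tls"             # TLS handshake before any SMTP command
    # smtpsecure == '': STARTTLS is used whenever the server offers it.
    return "starttls" if starttls_offered(ehlo_reply) else "plaintext"

def cert_covers_host(cert, host):
    """Match host against subjectAltName (exact names only, no wildcards)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                         # host is a DNS name, not an IP
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and value.lower() == host.lower():
            return True
    return False

def diagnose(host, smtpsecure, ehlo_reply, cert):
    """Return (mode, verified); verified is None when no TLS is negotiated."""
    mode = transport_mode(smtpsecure, ehlo_reply)
    if mode == "plaintext":
        return mode, None
    return mode, cert_covers_host(cert, host)

if __name__ == "__main__":
    for cert in (CERT_DNS_ONLY, CERT_WITH_IP):
        print(diagnose("127.0.0.1", "", EHLO_REPLY, cert))
```

A certificate issued only for a DNS name fails verification when the client connects to 127.0.0.1, in both the STARTTLS and the implicit-TLS case.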
You are welcome! Glad we could help.
Follow-up: I have the same situation, postfix on just tcp/25 and nextcloud throws
Adding this to config.php fixed it:
Bug description
After updating Nextcloud server from 25.0.0.x to 26.0.0.4, sending mail is impossible.
The mail system requires TLS 1.2 or higher.
Postfix log:
Using Plaintext is impossible. Cannot disable STARTTLS in configuration.
Steps to reproduce
Expected behavior
Please repair the plaintext option or enable TLS 1.2 or higher by default for mail sending.
"Plain text" is not sending a STARTTLS command.
Installation method
None
Nextcloud Server version
26
Operating system
Other
PHP engine version
PHP 8.1
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
No response
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response