fix: tell tls what the smtps server name is #634
Merged
Related issue
As discussed with @aeneasr via email.
Previously there was no way to use smtps to send email without adding ?skip_ssl_verify=true to the end of the courier.smtp.connection_uri. In practice this means that anyone with the ability to poison DNS records (for any kratos installation that supports password reset emails) will be able to register an ssl certificate for any-old-domain and receive all password reset emails (since there is no way to configure kratos to verify the ssl server name for the email provider).
Proposed changes
Allow the tls module to correctly validate the hostname of the smtp server, by telling it what hostname you're expecting to connect to.
Checklist
vulnerability. If this pull request addresses a security vulnerability, I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
works.
Once this patch is applied, it is possible to send mail via smtps://...@smtp.sendgrid.net:465/ without any warnings or errors (using their free tier). I'm not sure what other tests or documentation changes would be valuable.
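Added example, not code from this pull request or from Kratos: a Go sketch of the certificate decision described above, where a certificate that chains to a trusted root but was issued for a different domain is rejected only when the client knows which server name to expect. The host names, the self-signed certificate and the helpers `issueCert` and `checkPeer` are constructed for illustration, and the check calls `x509.Certificate.Verify` directly instead of running a live handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issueCert returns a constructed self-signed test certificate valid only for dnsName.
func issueCert(dnsName string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		Subject: pkix.Name{CommonName: dnsName}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// checkPeer decides whether leaf is acceptable as the server certificate for connectionURI.
func checkPeer(connectionURI string, roots *x509.CertPool, leaf *x509.Certificate) error {
	u, err := url.Parse(connectionURI)
	if err != nil {
		return err
	}
	cfg := &tls.Config{RootCAs: roots, ServerName: u.Hostname(),
		InsecureSkipVerify: u.Query().Get("skip_ssl_verify") == "true"}
	if cfg.InsecureSkipVerify {
		return nil // verification disabled: any certificate is accepted
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

func main() {
	rogue := issueCert("any-old-domain.test") // trusted chain, wrong name
	roots := x509.NewCertPool()
	roots.AddCert(rogue)
	for _, q := range []string{"", "?skip_ssl_verify=true"} {
		fmt.Println(q, "->", checkPeer("smtps://user:pw@smtp.example.test:465/"+q, roots, rogue))
	}
}
```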