Recommend mandatory STARTTLS for Google #43594
user_name: '<username>', | ||
password: '<password>', | ||
authentication: 'plain', | ||
enable_starttls: true, |
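Review bot: The `enable_starttls: true` line gives no hint of the mail version it depends on. The discussion below states that the option was added in mail 2.7.0, while Action Mailer currently requires 2.5.4. Suggest a sentence next to the example naming that minimum version, so readers on an older mail do not assume STARTTLS is being enforced.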
This option isn't documented here
rails/actionmailer/lib/action_mailer/base.rb
Line 405 in 603631b
# * <tt>:enable_starttls_auto</tt> - Detects if STARTTLS is enabled in your SMTP server and starts
Should it be?
I just realised that `enable_starttls` was added in mail version 2.7.0. Surprisingly, the auto-feature was added first.
Action Mailer currently requires version 2.5.4.
I don't think there is any reason to bump the requirement just because of the guide, but the new option definitely deserves to be mentioned. I'll fix.
Arg, I made this fix a long time ago but I somehow failed to push my branch. In the meantime this option has been documented in #44096.
So if you are using an older version of mail and set this option, will that be fine?
I have added a note about this.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
@ghiculescu Is this one still good to be merged?
I think so, but it needs to be reviewed by someone from the core or committer teams. They will get to it, it can just take a little while. Thank you for keeping it open.
Summary
The Action Mailer guide recommends using opportunistic TLS (`enable_starttls_auto: true`) for connecting to smtp.google.com. This setting is vulnerable to man-in-the-middle attacks. Google definitely supports STARTTLS, so this should be required using `enable_starttls: true`.
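The difference between the two settings discussed in this pull request, as an added example that is not part of the pull request, Rails or the mail gem: a simplified model of the client's choice given the server's EHLO reply, plus a lint for the mail version mentioned in the thread. The method names, the constant names and the sample replies are assumptions made for illustration.

```ruby
require "rubygems" # for Gem::Version

# Version in which the thread says enable_starttls was added to mail.
MANDATORY_STARTTLS_SINCE = Gem::Version.new("2.7.0")

# Constructed EHLO replies (sample data, not captured traffic).
HONEST_REPLY = "250-smtp.example.test at your service\r\n" \
               "250-SIZE 35882577\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n"
# The same reply with the STARTTLS line missing, as a client would see it
# behind an on-path device that removes the capability.
STRIPPED_REPLY = HONEST_REPLY.sub("250-STARTTLS\r\n", "")

# Extension keywords from a multi-line EHLO reply (first line is the greeting).
def ehlo_capabilities(reply)
  reply.lines.map { |l| l[/\A250[- ](\S+)/, 1] }.compact.drop(1).map(&:upcase)
end

# Simplified model of the client's choice: :tls, :plaintext or :abort.
def transport_decision(settings, reply)
  offered = ehlo_capabilities(reply).include?("STARTTLS")
  wants_tls = settings[:enable_starttls] || settings[:enable_starttls_auto]
  return :tls if offered && wants_tls
  return :abort if settings[:enable_starttls] # mandatory: never fall back
  :plaintext # opportunistic or unset: credentials go out unencrypted
end

# Lint a settings hash against the mail version in use.
def audit(settings, mail_version)
  unless settings[:enable_starttls]
    return ["STARTTLS is not mandatory"]
  end
  return [] if Gem::Version.new(mail_version) >= MANDATORY_STARTTLS_SINCE
  ["enable_starttls needs mail >= #{MANDATORY_STARTTLS_SINCE}"]
end

if __FILE__ == $PROGRAM_NAME
  p transport_decision({ enable_starttls_auto: true }, STRIPPED_REPLY)
  p transport_decision({ enable_starttls: true }, STRIPPED_REPLY)
end
```

Running `audit` over the SMTP settings in a deployment check catches configurations that still rely on the opportunistic option.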