SSL for e-mail #13

Closed
PandemiK911 opened this issue Apr 21, 2021 · 7 comments
Labels
enhancement New feature or request

Comments

@PandemiK911

Hello,
Still on my deep testing ;-)

May we add an option to use SSL in addition to STARTTLS for e-mail? Yes, we had better use full TLS rather than STARTTLS to get an encrypted dialog from the start.

In internal/common/email.go:
Use the TLS variable with:

This will retain compatibility with already-configured instances. In documentation, switch to "none/starttls/ssl" pragma to be able to disable the true/false option later as it's an incompatible change.

Thanks !

@h44z h44z added the enhancement New feature or request label Apr 22, 2021
@PandemiK911
Author

Thanks for this. I can't confirm it's working: I'm getting the error "wrong host name".

This is probably not related to your code. The only reference to this error I can find is jordan-wright/email#103.

It's relevant as our SMTP server only accepts the AUTH LOGIN method, which is not supported by the email library.

I'll try to find another SMTP server to test the feature.

@PandemiK911
Author

PandemiK911 commented Apr 22, 2021

Just tried with a StartTLS and TLS-capable server. I only changed EMAIL_PORT (587/465) and EMAIL_ENCRYPTION (starttls/tls).
E-mail was sent successfully with starttls and failed with tls (same error "wrong host name").

I've not been able to find where the error is (go-email, net/smtp ?).

All I can say is that go-email uses smtp.Dial(addr) in the SendWithStartTLS function and tls.Dial("tcp", addr, t) in SendWithTLS. No idea if this could have an impact ...

@h44z
Owner

h44z commented Apr 22, 2021

I tried it with the following settings and it worked:

  • EMAIL_HOST=10.10.1.10
  • EMAIL_PORT=465
  • EMAIL_CERT_VALIDATION=false
  • EMAIL_ENCRYPTION=tls

Can you test out if it works if you connect via IP address?

@PandemiK911
Author

Hello,
I must be missing something. I tried a lot of different settings on 2 different servers. I even created a TLS-enabled server and tried it with openssl s_client (with AUTH LOGIN), always the same message, whether using the IP or the FQDN.

My settings are :
- MAIL_FROM=WireGuard VPN noreply@company.com
- EMAIL_HOST=smtp.domain.com
- EMAIL_PORT=466
- EMAIL_ENCRYPTION=tls
- EMAIL_USERNAME=sendmail@domain.com
- EMAIL_PASSWORD=mypassword
- EMAIL_CERT_VALIDATION=true

Port 466 is due to my last test with a nginx reverse proxy for SMTP.

As a last resort, I ran a test container (praqma/network-multitool) with host networking to see if I could also connect with openssl s_client, and it worked.

Really dunno what else I can try.

@h44z
Owner

h44z commented Apr 26, 2021

Hi @Azylog,

What I found out now is that this error is triggered by the mail server if the hostname that is specified in the PlainAuth differs from the mail server hostname.

See https://groups.google.com/g/golang-nuts/c/5j1r43_Q4B8 or prometheus/alertmanager#1174.

I just don't know why the encryption method makes a difference here... Is your mail server configured to respond with the same hostname on all ports/protocols?

@PandemiK911
Author

You sent me in the right direction.
I can find the error here: https://golang.org/src/net/smtp/auth.go at line 72.

I don't really understand where the compared strings come from (server.Name != a.host).
Just to be sure: all certificates of my test servers are valid (not self-signed) Let's Encrypt certs, aligned with the FQDN. This should not be an issue. I also tried with and without the fullchain (aka intermediate certs with the server cert), nothing more.

Could it be due to the fact you're creating the Auth structure only with 'hostname' and establishing connection to 'hostname:port' ?
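The comparison the two comments above are circling (server.Name != a.host in net/smtp's auth.go, and the difference between smtp.Dial and tls.Dial) can be reproduced offline with the standard library alone. The following is an added example written for this page; it is not code from wg-portal, jordan-wright/email or the Go project. PlainAuthHostCheck builds the smtp.ServerInfo a client would carry and calls the PLAIN authenticator's Start method directly, so no mail server is contacted; smtp.example.com, the credentials and the DialSMTP helper are assumptions chosen for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/smtp"
)

// PlainAuthHostCheck runs the two checks net/smtp's PLAIN authenticator makes
// before it releases a password: the session must already be TLS-protected
// (otherwise the error is "unencrypted connection"), and the server name the
// smtp.Client was created with must equal the host given to smtp.PlainAuth
// (otherwise "wrong host name"). smtp.ServerInfo is constructed directly with
// the name the client would have recorded, so nothing touches the network.
// Username and password are placeholders.
func PlainAuthHostCheck(authHost, clientServerName string, tlsOn bool) error {
	auth := smtp.PlainAuth("", "user@example.com", "placeholder-password", authHost)
	info := &smtp.ServerInfo{Name: clientServerName, TLS: tlsOn, Auth: []string{"PLAIN"}}
	_, _, err := auth.Start(info)
	return err
}

// HostForAuth extracts the bare host from "host:port". smtp.Dial does this
// internally; with tls.Dial the caller must do it before smtp.NewClient.
func HostForAuth(addr string) (string, error) {
	host, _, err := net.SplitHostPort(addr)
	return host, err
}

// DialSMTP (hypothetical helper) opens a session in either of the two modes
// compared in the thread and returns a client whose recorded server name is
// the bare host, so smtp.PlainAuth(..., host) with that same host passes the
// check above. Certificate verification is always against the bare host.
func DialSMTP(addr, mode string, cfg *tls.Config) (*smtp.Client, error) {
	host, err := HostForAuth(addr)
	if err != nil {
		return nil, err
	}
	if cfg == nil {
		cfg = &tls.Config{}
	}
	if cfg.ServerName == "" {
		cfg.ServerName = host // the certificate is verified against this name
	}
	switch mode {
	case "tls": // implicit TLS (typically 465): encrypted from the first byte
		conn, err := tls.Dial("tcp", addr, cfg)
		if err != nil {
			return nil, err
		}
		// Pass the bare host, not addr: NewClient stores it as ServerInfo.Name.
		return smtp.NewClient(conn, host)
	case "starttls": // plaintext greeting (typically 587), then upgrade
		c, err := smtp.Dial(addr) // records the host part of addr as server name
		if err != nil {
			return nil, err
		}
		if ok, _ := c.Extension("STARTTLS"); !ok {
			c.Close()
			return nil, fmt.Errorf("%s does not offer STARTTLS; not sending credentials in clear", host)
		}
		if err := c.StartTLS(cfg); err != nil {
			c.Close()
			return nil, err
		}
		return c, nil
	default:
		return nil, fmt.Errorf("unknown encryption mode %q", mode)
	}
}

func main() {
	// Constructed cases mirroring the thread: matching name, host:port, empty name, no TLS.
	cases := []struct {
		authHost, serverName string
		tlsOn                bool
	}{
		{"smtp.example.com", "smtp.example.com", true},
		{"smtp.example.com", "smtp.example.com:465", true},
		{"smtp.example.com", "", true},
		{"smtp.example.com", "smtp.example.com", false},
	}
	for _, tc := range cases {
		fmt.Printf("auth host %q, client name %q, tls=%v -> %v\n",
			tc.authHost, tc.serverName, tc.tlsOn, PlainAuthHostCheck(tc.authHost, tc.serverName, tc.tlsOn))
	}
}
```

The second and third cases are the ones that matter for this issue: if whatever is passed to smtp.NewClient after tls.Dial is "host:port" or an empty string (for example an unset tls.Config.ServerName), the name check fails before any credentials are sent, which is why the failure shows up only on the implicit-TLS path while smtp.Dial on the STARTTLS path derives the bare host itself. Note that the "unencrypted connection" check comes first and is the real protection here: PLAIN credentials never leave the client on a plaintext session.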

h44z added a commit that referenced this issue Apr 29, 2021
@h44z
Owner

h44z commented May 4, 2021

Should be fixed with the new email library.

@h44z h44z closed this as completed May 4, 2021