Support for SMTP Auth and TLS

[markusschaber]

Hi,

As far as I can see, Papercut supports neither SMTP auth, nor TLS via STARTTLS.

(At least we wanted to test our client with Papercut, and didn't find any docs nor config options in the UI to configure this.)

Thus, I file this ticket as a suggestion to either implement it, or document it if it's already there :-)

Thanks a lot for your great work!

[jijiechen]

Very good idea. Thanks. Any thoughts? @Jaben

[Jaben]

I never felt that Papercut should be a reference/test SMTP server due to effort required to fully support more advanced features of an SMTP protocol -- that begin said, I would consider removing the existing SMTP server implementation all together and switching to a better open source/nuget implementation instead which would give Papercut more advanced SMTP options.

Not the highest priority, though.

[markusschaber]

Papercut is advertised as a test SMTP receiver (See "What it does" on https://github.com/ChangemakerStudios/Papercut). And as far as I can see, most software nowadays needs to use STARTTLS and/or SMTP auth in production, open relays are getting extinct due to spammers. So if we want to use Papercut as test endpoint, we need to special case the code path to not use those options when we run against Papercut. :-( That said, I fully understand if this use case is not in your focus, or too much effort.

[jijiechen]

It seems at least the web UI need to support secure connection ASAP, otherwise the notification functionalities will not be available... :-(

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

[markusschaber]

@jjchen-tw I'm not completely sure about that - the site explicitly states: "http://localhost is treated as a secure origin"

[jijiechen]

@markusschaber You are right, and I am able to verify that. I'm thinking of the scenario of using Papercut at a central service, and several QAs use a same instance. In fact, that's the original reason why I contributed to the web UI feature.

On a local machine, even the HTML5 notification works great.

[markusschaber]

Ah, I never thought about using Papercut in a non-localhost scenario. :-( It seems Papercut needs a good security feature enhancement Upgrade then. :-)

[markusschaber]

I just found those while doing some research for our projects:

https://github.com/cosullivan/SmtpServer seems to be a SMTP server in C# with MIT license.

https://github.com/pmengal/MailSystem.NET also contains SMTP, but it's LGPL, which is technically compatible with the Papercut Apache License, but not in spirit. :-)

[jijiechen]

We are working on switching to the SMTPServer to support SMTP, So we get a chance to review this. I'll follow up soon.

[markusschaber]

That's good news, thanks!

[stale[bot]]

Aloha! I'm ScissorBot :scissors: -- the bot in charge of keeping the issues tidy. It looks like this issue is stale due to lack of activity. Unfortunately, I'll be closing it if there is no further activity. 😞 Please contribute to the issue to keep it open. Thanks!

[markusschaber]

@jijiechen As the ScissorBot woke up, are there any news?

[jijiechen]

Well, I do have a plan to support, but I don’t have enough time in the future 3 months.

Sent from my iPhone

On Feb 7, 2019, at 15:09, Markus Schaber notifications@github.com<mailto:notifications@github.com> wrote:

@jijiechenhttps://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fjijiechen&data=02%7C01%7C%7Cc2cc5f093c31440743d308d68ccb446d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636851201984660164&sdata=giSHQAMEWw3uj7QqU1JK9vjWbM2GaCIdu3pimG583Ks%3D&reserved=0 As the ScissorBot woke up, are there any news?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FChangemakerStudios%2FPapercut%2Fissues%2F102%23issuecomment-461310568&data=02%7C01%7C%7Cc2cc5f093c31440743d308d68ccb446d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636851201984670126&sdata=1jZv0YS%2Fg7wZfvWsW%2FBXJ%2BacsfpwraPyEoYEf94c%2B5c%3D&reserved=0, or mute the threadhttps://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABIBvD-JcI8K65yB3xOBXeYe6EetAQtvks5vK9FEgaJpZM4S8s5F&data=02%7C01%7C%7Cc2cc5f093c31440743d308d68ccb446d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636851201984690190&sdata=3fOZqvY8zUFYCsXkh93frf8QNUOI4XEv5pAQAT%2B%2B7ok%3D&reserved=0.

[markusschaber]

Hmm. I guess our comments are enough to keep the scissor bot satisifed for the next three months. :-)

[Jaben]

The switch to SmtpServer is done -- but I haven't released it yet. You can check it out in the dev branch.

[markusschaber]

To be honest, we don't use PaperCut in our process any more, right now. But we have some use cases in our backlog which might us make use of PaperCut again, I'll come back then.

[molnarm]

Hi, What's the status of this? I see that the transition to SmtpServer has been completed a couple releases ago, but I still don't see any security-related options in the configuration (e.g. credentials for smtp auth).

[kekkers23]

Hi, What's the status of this? I see that the transition to SmtpServer has been completed a couple releases ago, but I still don't see any security-related options in the configuration (e.g. credentials for smtp auth).

++

[adamtoakley]

Excited about the 6.0 Release! Any Idea when that will come out!?

Thanks for a really cool app! This helps our workflow tremendously!

[Identekit]

Excited about the 6.0 Release too!

I've been using this tool for years now and love it. I'm working on a project now that will add auth to our app when sending emails. Unfortunately this means I can't use Papercut SMTP to test anymore. Support for security would be such a great addition to this software.

[elliotclements-mendix]

+1 additional security options would be a great addition

[0xCaponte]

Regarding this feature, I see it was removed from the To do. Do you have future plans for it or it is on ice until futrher notice?

And of course, thank you for developing and maintaining such a great tool.

[replaysMike]

+1 I'd love to see this (if I have time maybe I'll submit a PR), considering it probably wouldn't be that difficult to add in. I'm 50/50 on agreeing that TLS really isn't the main use case for PaperCut, however it'd be great for testing TLS implementations.

[kokloler]

What? Was this send to the wrong person

On Thu, 15 Jun 2023, 00:35 Michael Brown, @.***> wrote:

+1 I'd love to see this (if I have time maybe I'll submit a PR), considering it probably wouldn't be that difficult to add in. I'm 50/50 on agreeing that TLS really isn't the main use case for PaperCut, however it'd be great for testing TLS implementations.

— Reply to this email directly, view it on GitHub https://github.com/ChangemakerStudios/Papercut-SMTP/issues/102#issuecomment-1592081712, or unsubscribe https://github.com/notifications/unsubscribe-auth/A3HRFFILGWORWY374UIP23DXLI4C3ANCNFSM4EXSZZCQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[microalps]

Regarding TLS encryption - I worked on some POC code some time ago. See https://github.com/microalps/Papercut-SMTP/commit/e3f5e4f8a4ed633ea19d83815594101188df4026 - would there be any interest in a PR?

[edbenson]

Regarding TLS encryption - I worked on some POC code some time ago. See microalps@e3f5e4f - would there be any interest in a PR?

@microalps Thank for your work on this -- I checked out & built your fork as I needed to test a client with TLS encryption.

Your fork worked for me! The hard part for me was to create the certificate.

[microalps]

@edbenson If you don't mind sharing more details about your difficulty (or was it simply just learning curve) and any articles you used to generate the final certificate. I'm sure it would be a good reference for others, and eventually the PR once the maintainers release v7 and are ready to look at the commit.

[edbenson]

@microalps The hard part was learning how TLS certificates work and then how to create & register a self-signed TLS/SSL certificate... For me this webpage was the best at explaining it.