mailexporter is too strict on checking x509 certs

[burnsjake]

The x509 cert check cannot be bypassed. Would like to check email delivery in test environments that don't use certificates.

[cherti]

Can you give a more specific error? If there is a failure during sending a probe mail, the mailexporter should print the message.

[burnsjake]

The error looks like this... mailexporter -v 2 DEBUG: adding path to watcher: /home/myusert/Maildir/cur 2019/12/11 17:17:49 Starting HTTP-endpoint 2019/12/11 17:17:49 Started mail-detection. 2019/12/11 17:18:01 Started monitoring for config myserver.mydomain.co DEBUG: composed payload: myserver.mydomain.co-X0wRVWy5X0cFkaFd8MP0jBKZG9try9Gg8vbQRnlv-1576084681698822695 DEBUG: sending mail WARNING: error sending probe-mail via myserver.mydomain.co: x509: certificate is valid for otherdomain.com, not myserver.mydomain.co; skipping attempt

My config looks like this: servers:

• name: myserver.mydomain.co # name for internal prometheus-metric server: 34.xxx.xxx.188 # SMTP-server to use port: 25 # port to use on Server for SMTP login: # login name on server (leave empty together with passphrase to disable authentication) passphrase: # SMTP-login-password (leave empty together with login to disable authentication) from: mymonitoringuser@loop.somedomain.com # From-Header of monitoring-Mail (e.g. for filtering) to: user@mydomain.co # address to deliver to detectiondir: /home/user/Maildir/cur # Maildir in which to look for monitoring-mail

[cherti]

I've looked into the issue. The problem is indeed solvable, however, in the current state the mailexporter uses smtp.SendMail, which is implemented here. To skip the verification check, this line would have to be changed to

config := &tls.Config{ServerName: c.serverName, InsecureSkipVerify: true}

to achieve the behavior that would not trigger the error. However, given that the function as implemented in the standard library does not offer any option to add this flag, it would require to vendor it and duplicate its entire logic inside the mailexporter codebase.

Given that mailexporter is too strict on checking certificates is not entirely accurate, as there is of course a reason why providing an incorrect certificate leads to an error and an abortion of the connection, introducing a vendored version of said function does not make too much sense from a maintenance point of view.

If you cannot test without encryption, but cannot obtain a certificate for the correct domain, patching mailexporter for this purpose should be fairly straigtforward. However, for the upstream version I'd like to keep smtp.SendMail from the standard library, to not overly extend the maitenance footprint.

[cherti]

The x509 cert check cannot be bypassed. Would like to check email delivery in test environments that don't use certificates.

If you actually want to check email-delivery in test environements that do not use certificates, it is also possible to just disable TLS on the side of the mailserver. If the mailserver does not offer STARTTLS, smtp.SendMail should not complain and send the mail over an unencrypted connection.