docusealco / docuseal

Open source DocuSign alternative. Create, fill, and sign digital documents ✍️
https://www.docuseal.co
GNU Affero General Public License v3.0
6.28k stars, 448 forks

Port 465: conflicting configs: implicit TLS + auto StartTLS #372

Open · nolanholden opened 2 days ago

nolanholden commented 2 days ago

When using port 465 and the security setting TLS, my connection times out, whereas 587 & Auto work fine; the mail server is functioning, and port 465 implicit TLS is functioning, as confirmed via this script:

import smtplib

# placeholder connection details; fill in for your own mail host
host, port = 'mail.example.com', 465
username, password = 'user', 'secret'
from_addr, to_addr = 'sender@example.com', 'recipient@example.com'

# SMTP_SSL wraps the whole session in TLS from the first byte (implicit TLS / SMTPS)
with smtplib.SMTP_SSL(host, port) as conn:
    # if enabled, fails with smtplib.SMTPNotSupportedError `STARTTLS extension not supported by server`,
    # because the server had no `starttls` clause in the EHLO response:
    # conn.starttls()
    conn.login(username, password)
    conn.sendmail(from_addr, to_addr, 'test')

I believe StartTLS is generally not permitted for implicit TLS (SMTPS), and will fail sends for some servers.

  def build_smtp_configs_hash(email_configs)
    value = email_configs.value

    {
      user_name: value['username'],
      password: value['password'],
      address: value['host'],
      port: value['port'],
      domain: value['domain'],
      openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE,
      authentication: value.fetch('authentication', 'plain'),
      enable_starttls_auto: true,
      open_timeout: OPEN_TIMEOUT,
      read_timeout: READ_TIMEOUT,
      ssl: value['security'] == 'ssl',
      tls: value['security'] == 'tls' || (value['security'].blank? && value['port'].to_s == '465')
    }.compact_blank
  end
end

omohokcoj commented 1 day ago
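The mutually exclusive configuration the report is asking for, as an added example that is not DocuSeal's code: it builds a Mail-gem style settings hash in which an implicit-TLS connection (security `ssl`/`tls`, or a blank setting on port 465) never carries any STARTTLS flag, and a STARTTLS connection (assumed security value `starttls`, or blank on another port) never sets `ssl`/`tls`. The `smtp_mode` helper, the `starttls` security value and the `:always` value of `enable_starttls` (Mail gem 2.8 semantics) are assumptions. Unlike the quoted config it verifies the server certificate with `VERIFY_PEER`; `VERIFY_NONE` accepts any certificate and so gives up the authentication half of TLS.

```ruby
require 'openssl'

# Classify the requested transport security. Assumed values:
#   'ssl' / 'tls' -> implicit TLS (SMTPS, conventionally port 465)
#   'starttls'    -> plaintext greeting, then a mandatory STARTTLS upgrade (port 587)
#   ''            -> inferred from the port, as the quoted builder does for 465
def smtp_mode(security, port)
  case security.to_s
  when 'ssl', 'tls' then :implicit_tls
  when 'starttls'   then :starttls
  when ''           then port.to_i == 465 ? :implicit_tls : :starttls
  else raise ArgumentError, "unknown security setting: #{security.inspect}"
  end
end

# Build Mail gem SMTP settings from a plain config hash (string keys, like the
# issue's email_configs.value). The two TLS modes are set as a block each, so the
# hash can never contain ssl/tls together with a STARTTLS request.
def build_smtp_settings(config)
  mode = smtp_mode(config['security'], config['port'])

  settings = {
    address: config['host'],
    port: config['port'].to_i,
    domain: config['domain'],
    user_name: config['username'],
    password: config['password'],
    authentication: config.fetch('authentication', 'plain'),
    # verify the server certificate; VERIFY_NONE would accept any certificate
    openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
  }

  case mode
  when :implicit_tls
    # TLS from the first byte; the server's EHLO will not advertise STARTTLS,
    # so no STARTTLS attempt (automatic or forced) may be made.
    settings.merge!(ssl: true, enable_starttls: false, enable_starttls_auto: false)
  when :starttls
    # Require the upgrade instead of "auto", which would silently continue in
    # cleartext when the server does not advertise STARTTLS.
    settings.merge!(ssl: false, enable_starttls: :always, enable_starttls_auto: false)
  end

  # drop unset fields (nil / empty string) but keep explicit false values
  settings.reject { |_, v| v.nil? || v == '' }
end

if __FILE__ == $0
  # constructed sample config, mirroring the reporter's setup
  p build_smtp_settings('host' => 'mail.example.com', 'port' => '465',
                        'security' => 'tls', 'username' => 'u', 'password' => 'p')
end
```

Because `ssl`/`tls` and the two `enable_starttls*` keys are written as one block per mode, the hash is free of the conflicting combination regardless of which key the mail library checks first.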

@nolanholden thanks for reporting this. I've tried to disable starttls_auto, but it doesn't seem like starttls_auto conflicts with the explicit tls config - enable_starttls_auto: false doesn't change anything for me when testing SMTP on port 465. Timeout errors usually happen when the port is behind a firewall - maybe port 465 is locked on your docuseal app server (or your ISP)?

nolanholden commented 1 day ago

At least in my case, 465 is properly accepting traffic. As I mentioned in the OP, that script (with full TLS) works fine on 465 for my mail host.

omohokcoj commented 1 day ago

@nolanholden can you please try the latest app version - we've disabled starttls_auto if the 'tls' option is selected. Unfortunately I was not able to confirm it works differently than starttls_auto: true and tls: true.