domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

Non SSL IMAP connection fails with SSL "dh key too small" error? #534

Closed Orteko closed 4 days ago

Orteko commented 4 days ago

Edit: it looks like STARTTLS is automatically attempted via the upstream IMAP code if it is advertised by the mail server, with no apparent way of disabling it, so there will be no workaround possible in my scenario with this setup. Closing now.

mailsuite.imap:

...
        try:
            if not ssl and b"STARTTLS" in self.capabilities():
                logger.info("IMAP server supports STARTTLS ... activating now")
                self.starttls(ssl_context=ssl_context)
...

We have an older internal mail server that, whilst it supports SSL, appears not to have modern enough routines to work with the IMAP connection library.

Given it was internal, we were able to enable plaintext; however, even with ssl = False, parsedmarc still appears to be using, or attempting to automatically upgrade to, SSL/STARTTLS, as we get an identical error.

I'm not seeing any obvious mention of automatic STARTTLS negotiation or any other SSL-related options that could affect this?

The mailsuite IMAP code looks like it should be logging "Connecting to IMAP over plain text" when SSL is disabled; however, I'm not seeing this logged anywhere, which is odd.

See the following for example log output & configuration:

Config excerpt:

[imap]
host = imap.example.host
port = 143
user = dmarcreport@example.host
password = examplepassword
ssl = False
skip_certificate_verification = True

[mailbox]
watch = True
delete = False
reports_folder = INBOX
archive_folder = Processed
test = False

Logs:

INFO:cli.py:1023:Starting parsedmarc
DEBUG:cli.py:1236:Skipping IMAP certificate verification
ERROR:cli.py:1253:IMAP Error
Traceback (most recent call last):
  File "/opt/pypy/lib/pypy3.10/site-packages/mailsuite/imap.py", line 161, in __init__
    self.starttls(ssl_context=ssl_context)
  File "/opt/pypy/lib/pypy3.10/site-packages/imapclient/imapclient.py", line 179, in wrapper
    return func(client, *args, **kwargs)
  File "/opt/pypy/lib/pypy3.10/site-packages/imapclient/imapclient.py", line 386, in starttls
    self._imap.sock = tls.wrap_socket(self._imap.sock, ssl_context, self.host)
  File "/opt/pypy/lib/pypy3.10/site-packages/imapclient/tls.py", line 26, in wrap_socket
    return ssl_context.wrap_socket(sock, server_hostname=host)
  File "/opt/pypy/lib/pypy3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/opt/pypy/lib/pypy3.10/ssl.py", line 1104, in _create
    self.do_handshake()
  File "/opt/pypy/lib/pypy3.10/ssl.py", line 1397, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/pypy/lib/pypy3.10/_cffi_ssl/_stdssl/__init__.py", line 547, in do_handshake
    raise pyssl_error(self, ret)
_cffi_ssl._stdssl.error.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/pypy/lib/pypy3.10/site-packages/parsedmarc/cli.py", line 1241, in _main
    mailbox_connection = IMAPConnection(
  File "/opt/pypy/lib/pypy3.10/site-packages/parsedmarc/mail/imap.py", line 24, in __init__
    self._client = IMAPClient(host, user, password, port=port,
  File "/opt/pypy/lib/pypy3.10/site-packages/mailsuite/imap.py", line 191, in __init__
    raise imapclient.exceptions.IMAPClientError(error)
imaplib.IMAP4.error: [SSL: DH_KEY_TOO_SMALL] dh key too small

Orteko commented 4 days ago

After investigation, STARTTLS is automatically attempted via the upstream IMAP code if it is advertised by the mail server, with no apparent way of disabling it, so there will be no workaround possible in my scenario with this setup. Closing now.

mailsuite.imap:

...
        try:
            if not ssl and b"STARTTLS" in self.capabilities():
                logger.info("IMAP server supports STARTTLS ... activating now")
                self.starttls(ssl_context=ssl_context)
...
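The two comments above describe the same mechanism: with ssl = False, mailsuite still calls starttls() as soon as the server advertises STARTTLS, and the handshake then fails because the server's ephemeral DH group is smaller than the minimum OpenSSL enforces at its default security level (DH_KEY_TOO_SMALL). Opportunistic STARTTLS is the right default (it resists a downgrade-to-plaintext by a man in the middle), so rather than forcing plaintext, a practitioner would usually keep the upgrade and relax only the DH size check. The following added example is not part of parsedmarc or mailsuite; it reproduces mailsuite's decision logic in a small helper (`should_starttls`, with a hypothetical `allow_starttls` knob that mailsuite does not expose), builds an SSLContext that tolerates a 1024-bit DH group by lowering the OpenSSL security level, and shows how to drive imapclient directly, which, unlike the mailsuite wrapper, does not upgrade automatically. The host, user and password in `connect_legacy_imap` are assumed placeholders; the function is not run here because it needs a live server.

```python
import ssl


def should_starttls(capabilities, ssl_enabled, allow_starttls=True):
    """Mirror the mailsuite check from the traceback: upgrade to STARTTLS whenever
    the connection is not already TLS and the server advertises the capability.

    `allow_starttls` is a hypothetical opt-out that mailsuite itself does not offer;
    leaving it True keeps the opportunistic-TLS behaviour shown on the page.
    `capabilities` is a tuple of bytes, as returned by imapclient's capabilities().
    """
    if ssl_enabled or not allow_starttls:
        return False
    return b"STARTTLS" in capabilities


def legacy_dh_context(verify=True):
    """Build a TLS context that accepts a server DH group of 1024 bits.

    OpenSSL's default security level (2) rejects DH parameters below 2048 bits with
    DH_KEY_TOO_SMALL; SECLEVEL=1 lowers the floor to 1024 bits while keeping everything
    else in the DEFAULT cipher list. A 512-bit group would still be refused; that needs
    SECLEVEL=0 and should be treated as a reason to fix the server instead.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:@SECLEVEL=1")  # only the DH/RSA size floor is relaxed
    if not verify:
        # Equivalent of skip_certificate_verification = True in the page's config:
        # the connection is still encrypted, but the peer is no longer authenticated,
        # so this only makes sense for an internal server reached over a trusted path.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_legacy_imap(host, user, password, port=143, verify=True):
    """Plain IMAP connection with an explicit STARTTLS upgrade using the relaxed context.

    imapclient leaves the upgrade decision to the caller, so this is where the
    mailsuite behaviour from the traceback is reproduced under our own control.
    Assumed placeholder credentials; requires a reachable server and imapclient.
    """
    from imapclient import IMAPClient  # third-party; imported lazily so the helpers above stay stdlib-only

    client = IMAPClient(host, port=port, ssl=False)
    if should_starttls(client.capabilities(), ssl_enabled=False):
        client.starttls(ssl_context=legacy_dh_context(verify))
    client.login(user, password)
    return client


if __name__ == "__main__":
    # Constructed capability tuples in the shape imapclient returns.
    print(should_starttls((b"IMAP4REV1", b"STARTTLS"), ssl_enabled=False))   # True
    print(should_starttls((b"IMAP4REV1", b"STARTTLS"), ssl_enabled=True))    # False
    print(should_starttls((b"IMAP4REV1",), ssl_enabled=False))               # False
    print(legacy_dh_context(verify=False).verify_mode == ssl.CERT_NONE)      # True
```

The relaxed context is a stop-gap: it keeps the channel encrypted and authenticated (when `verify=True`) while the old server is still in use, but the lasting fix is to regenerate the server's DH parameters at 2048 bits or enable ECDHE, after which the default context works and nothing here is needed.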