greenbone / gvmd

Greenbone Vulnerability Manager - The database backend for the Greenbone Community Edition
GNU Affero General Public License v3.0

No certificate validation possible when sending mail via gvmd in docker #2316

Open perlfisch opened 1 month ago

perlfisch commented 1 month ago

Expected behavior

The official gvmd Docker container should be able to send mail and validate the submission server's certificate.

Actual behavior

No CAs are available in the container gvmd. ca-certificates is not installed and validation of all certificates fails. The only way to get mail working persistently is by modifying the container's compose to mount the host's ca-certificates.crt or disabling certificate validation entirely.

Disabling certificate validation, which is dangerous and should not be done, is the only solution that comes up when googling the error and will likely be implemented by many people trying to get mail working in the container.

I've confirmed that manually installing ca-certificates into a running gvmd container fixes the problem.

Steps to reproduce

  1. Set up gvmd via docker based on https://greenbone.github.io/docs/latest/22.4/container/index.html
  2. Configure mail as described in https://greenbone.github.io/docs/latest/22.4/container/workflows.html#setting-up-a-mail-transport-agent-inside-docker-container to any public provider like mailgun, google, m365 etc.
  3. Try sending any mail, either through gvm or manually via sendmail.

GVM versions

Stable official docker containers as of 2024-10-30

Environment

Operating system: Debian 12 stable

Installation method / source: Official docker compose

Logfiles


email: system failed with ret 17664, 69, read FROM TO < /tmp/gvmd-args-Ln7YTZ; /usr/sbin/sendmail -f "$FROM" "$TO" < /tmp/gvmd-content-8HCXWY > /dev/null 2>&1

cfi-gb commented 1 month ago

Should be a duplicate of / related to greenbone/docs#483 and IIRC the MTA / mail server setup is community based and needs community contributions in form of a PR.

But let's see what the maintainers of this repo are saying / if they will maintain / accept something in the container directly.

perlfisch commented 1 month ago

Installing anything into a Docker container is not persistent and will be gone once it's restarted. Instead of documenting manual changes that have to be reapplied after restarting the container, ca-certificates should be installed via apt as part of the Dockerfile to persistently fix this issue.
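
As an added check (not code from the issue author or the gvmd project): a small POSIX shell script that tells the two failure modes above apart, a missing or empty CA bundle versus a relay whose chain does not verify, by inspecting the bundle and probing the mail relay with openssl STARTTLS against it. The Debian bundle path, the openssl invocation and the function names are assumptions.

```shell
# Added example: diagnose why sendmail inside the gvmd container cannot
# validate the submission server's certificate, without disabling validation.
# Assumes Debian's default bundle path and an openssl binary where it runs.
# Usage: . ./gvmd_ca_check.sh && main smtp.example.com 587
# Inside the container, run the same via: docker compose exec gvmd sh -c '...'

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Return 0 if the bundle exists, is non-empty and holds at least one PEM cert.
ca_bundle_ok() {
  bundle="$1"
  [ -s "$bundle" ] || return 1
  grep -q 'BEGIN CERTIFICATE' "$bundle"
}

# Print the number of certificates in a bundle (0 when the file is missing),
# so an empty stub bundle is distinguishable from an absent one.
ca_bundle_count() {
  if [ -f "$1" ]; then
    grep -c 'BEGIN CERTIFICATE' "$1" || true
  else
    echo 0
  fi
}

# Probe a submission server with STARTTLS and verify its chain against the
# bundle; return 0 only when openssl reports a clean verification. This is the
# same validation sendmail has to perform, so a failure here with the host's
# bundle points at the relay, while success on the host and failure in the
# container points at the missing ca-certificates package.
smtp_tls_verify() {
  host="$1"; port="${2:-587}"; bundle="${3:-$CA_BUNDLE}"
  out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp \
        -connect "$host:$port" -servername "$host" \
        -CAfile "$bundle" -verify_return_error 2>&1)
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

main() {
  if ca_bundle_ok "$CA_BUNDLE"; then
    echo "CA bundle $CA_BUNDLE: $(ca_bundle_count "$CA_BUNDLE") certificates"
  else
    echo "no usable CA bundle at $CA_BUNDLE (install ca-certificates or mount the host bundle)" >&2
    return 1
  fi
  if [ -n "${1:-}" ]; then
    smtp_tls_verify "$1" "${2:-587}" && echo "TLS verification OK for $1" \
      || { echo "TLS verification FAILED for $1" >&2; return 1; }
  fi
}
```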

cfi-gb commented 1 month ago

You could try to create a PR to the relevant file and see if the repo maintainers are accepting such a change (see previous notes about usually requiring community contributions for such topics).