haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License

Old clients: SSL issue and no_tls_hosts #3368

Closed thenitai closed 5 months ago

thenitai commented 5 months ago

Hi,

I have some very old Java v8 apps that used to be able to send over Haraka without an issue. However, since upgrading to v3 I see errors of:

SSL routines:tls_early_post_process_client_hello:unsupported protocol

As in the past, I added the IP to the no_tls_hosts section within the smtp.ini. The client can connect, but the issue is that the client doesn't authenticate, i.e., it shows that it cannot send emails from unauthenticated (which kinda defeats no_tls_hosts, no?)

Is there anything I can do to get this resolved? Thank you.

Update: Forgot to mention I'm on node v20.13.1 and haraka v3.0.3

msimerson commented 5 months ago

Authentication is not allowed unless the connection is secured. This is a design choice for security. Ways to handle this (from worse to better):

  1. disable the secure connection check in the authentication plug-in. This is a very bad idea, but it would work.
  2. upgrade your Java apps to use modern (and secure) TLS.
  3. Enable relaying for just those Java 8 apps by their IP address with the relay plugin. Then they don't need to AUTH.
thenitai commented 5 months ago

> Authentication is not allowed unless the connection is secured. This is a design choice for security. Ways to handle this (from worse to better):
>
>   1. disable the secure connection check in the authentication plug-in. This is a very bad idea, but it would work.
>   2. upgrade your Java apps to use modern (and secure) TLS.
>   3. Enable relaying for just those Java 8 apps by their IP address with the relay plugin. Then they don't need to AUTH.

Hi,

I've done step 3 in the past and it's still active (but maybe something changed with v3?) and it doesn't work. Could it be that relay.ini has acl=true set? Otherwise I got the IP in relay_acl_allow set.

Thank you for the swift response :)

msimerson commented 5 months ago

You definitely need acl=true to enable the ACL processing, and you need the relay plug-in enabled in config/plugins. You should be getting relay messages in your log entries that provide clues.

thenitai commented 5 months ago

Yes, I've figured :)

It always fails at SSL with "...SSL routines:tls_early_post_process...".

I will install sendmail on those Java machines and relay them to Haraka. It's easier to do than to figure out what is going on and fiddle with those "damn" Java settings :)

msimerson commented 5 months ago

Oh, you need to add the IPs of the clients to the no_tls_hosts (double check in tls docs) so Haraka doesn't offer them STARTTLS.
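The pieces of option 3 pulled together, as an added configuration example assembled from this thread rather than taken from the Haraka repository: the file names and keys (`config/plugins`, `config/relay.ini` with `acl=true`, `config/relay_acl_allow`, and a `[no_tls_hosts]` section in `config/tls.ini`) follow the Haraka relay and tls plugin docs as I read them, and 192.0.2.10 is a placeholder for the Java 8 host; confirm each key against the docs for your Haraka version before relying on it.

```ini
; config/plugins  (one plugin name per line; both must be listed or
; the settings below are silently ignored)
tls
relay

; config/relay.ini
[relay]
; acl=true is what makes Haraka read config/relay_acl_allow; with it
; unset the allow list has no effect and the client is still told to AUTH
acl=true

; config/relay_acl_allow  (one IP or CIDR per line; these hosts may relay
; without AUTH, so keep the list to exactly the legacy senders)
192.0.2.10/32

; config/tls.ini
[no_tls_hosts]
; STARTTLS is not advertised to these hosts, so the Java 8 client never
; starts the handshake that fails with "unsupported protocol".  AUTH is
; still withheld on the plaintext session (by design), which is why the
; ACL entry above, not a credential, is what authorises the relay.
192.0.2.10
```

The same host address has to appear in both lists: `no_tls_hosts` alone gets the client past the handshake but leaves it unauthenticated, and the ACL alone leaves it failing at STARTTLS. Because mail from an ACL host travels in the clear and is relayed on IP trust only, scope the entry to a single address (or the smallest network you control) and watch for the relay plugin's log lines, which say whether a connection was matched by the ACL, when verifying the change.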