Open richvdh opened 3 years ago
I suppose try fixing the cert and see if the issue persists?
Edit: Ah, this is for local testing. That is a bit trickier.
my complaint is not the fact that there's an error, so much as the fact that the error is unnecessarily verbose and yet tells me nothing about what the problem is.
We could `except` on that Exception. I'm not sure whether it would only be TLS issues that would raise it though. But we could put a generic failure message in that would at least remove the large, useless traceback.
right. Isn't there a way to tell if TLS was the problem? If not, that might be a thing we should fix in Twisted.
I have a very similar, if not the same problem:

```text
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/synapse/handlers/identity.py", line 382, in send_threepid_validation
    await send_email_func(email_address, token, client_secret, session_id)
  File "/usr/local/lib/python3.8/site-packages/synapse/push/mailer.py", line 207, in send_add_threepid_mail
    await self.send_email(
  File "/usr/local/lib/python3.8/site-packages/synapse/push/mailer.py", line 349, in send_email
    await make_deferred_yieldable(
twisted.internet.error.ConnectionAborted: Connection was aborted locally using ITCPTransport.abortConnection.
```
I would suggest adding an option

```yaml
mail:
  skip_verify: true
```

to accept self-signed certificates.
As a workaround I tried adding the certificate of my mailserver to the Docker image using

```dockerfile
FROM matrixdotorg/synapse:v1.29.0
RUN mkdir -p /usr/local/share/ca-certificates \
 && echo quit | \
    openssl s_client -connect mail.example.com:587 -starttls smtp | \
    openssl x509 -outform PEM -out /usr/local/share/ca-certificates/mail.example.com.crt \
 && update-ca-certificates
```

which makes OpenSSL accept the certificate, but Twisted doesn't seem to use OpenSSL's trust store.
I'd really like to keep this issue focussing on the incomprehensible exception, rather than feature-creeping it into disabling TLS or whatever.
I have a data point to add to this issue, and depending on whether this fixes the original issue or not might be a separate one… Anyway.

We debugged a problem leading to similar issues as presented above in our setup, and have found out that twisted insists on the certificate presented by the mail-server on STARTTLS being issued to the hostname twisted/synapse uses to connect to said mail server. This change stems from https://github.com/twisted/twisted/pull/1225; the new `context` comes from https://twistedmatrix.com/documents/18.4.0/api/twisted.internet.ssl.optionsForClientTLS.html which stipulates:

> first, and most importantly, it verifies that the certificate received from the server correctly identifies the specified hostname

This might also be interesting for the configuration documentation, as the default `localhost` will probably not work in most cases where the mail server also does STARTTLS.
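A small diagnostic, added here and not part of this thread, of Synapse or of Twisted, that makes the hostname check described above explicit: a pure RFC 6125-style matcher you can run against the dNSName entries on your mail server's certificate, plus an optional live STARTTLS probe that uses the standard library's `ssl`/`smtplib` (so it consults the system trust store, which Twisted does not) and reports the verification failure in plain words. Host and port values are placeholders.

```python
"""Explain why a STARTTLS handshake to the configured smtp_host fails verification."""
import smtplib
import ssl
from typing import Iterable, Optional


def hostname_matches(configured_host: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if some dNSName SAN on the certificate covers configured_host.

    Mirrors the hostname check optionsForClientTLS performs: exact match, or a
    wildcard in the left-most label only (*.example.com covers mail.example.com
    but not deep.mail.example.com and not example.com).
    """
    host = configured_host.lower().rstrip(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == pattern.count("."):
                return True
    return False


def explain_mismatch(configured_host: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """None when the names line up; otherwise a message that names the actual problem."""
    names = sorted(san_dns_names)
    if hostname_matches(configured_host, names):
        return None
    return (
        f"certificate is issued to {names} but the SMTP connection is made to "
        f"{configured_host!r}; point smtp_host at a name on the certificate, "
        "or disable TLS for the SMTP connection if the server is on loopback"
    )


def probe_smtp_starttls(host: str, port: int = 587, timeout: float = 10.0) -> Optional[str]:
    """Connect, issue STARTTLS with verification on, and return a readable failure or None.

    Uses the OS trust store via create_default_context (unlike Twisted), so a
    CA certificate installed with update-ca-certificates is honoured here.
    """
    context = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        try:
            smtp.starttls(context=context)
        except ssl.SSLCertVerificationError as exc:
            return f"TLS verification failed for {host}:{port}: {exc.verify_message}"
    return None
```

Running `probe_smtp_starttls("localhost")` against a server that presents a certificate for `mail.example.com` yields a hostname-mismatch message instead of the bare `ConnectionAborted` above.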
Can confirm that this breaks the default configuration. The only way to stop this from happening right now seems to either be to put in the effort of generating a valid TLS certificate for localhost using your own CA, or changing the mail server config to disallow STARTTLS on the loopback interface completely. For postfix, you can do it by editing `/etc/postfix/master.cf` like so:

```text
<your external interface>:smtp inet n - y - - smtpd
127.0.0.1:smtp inet n - y - - smtpd
  -o smtpd_tls_security_level=none
```
I've raised https://twistedmatrix.com/trac/ticket/10210 to track this on the Twisted side.
for the record: as of #10546, you can disable TLS for the SMTP connection.
I think this is happening because my SMTP server is presenting a self-signed cert (and I can't stop synapse trying to STARTTLS, per https://github.com/matrix-org/synapse/issues/8046)