passbolt / passbolt_docker

Get started with Passbolt CE using docker!
https://passbolt.com
GNU Affero General Public License v3.0

Unable to use self-signed certificate to send email #49

Closed Kamaradeivanov closed 7 years ago

Kamaradeivanov commented 7 years ago

After passing my env values I got the following conf file /var/www/passbolt/app/Config/email.php

public $default = array(
    'transport' => 'Smtp',
    'from' => array('passbolt@XXXXXXXXX.com' => 'Passbolt'),
    'host' => 'mail',
    'port' => 587,
    'timeout' => 30,
    'username' => 'passbolt@XXXXXXXXX.com',
    'password' => 'XXXXXXXXX',
    'tls' => 'true',
);

But I still had an issue when Passbolt tried to send e-mail.

10/08/2017 16:21:02 Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
10/08/2017 16:21:02 error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in [/var/www/passbolt/lib/Cake/Network/CakeSocket.php, line 451]
10/08/2017 16:21:02
10/08/2017 16:21:02 SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

So I tried to send e-mail with another tool (mailx) using the same configuration (ssl-verify=ignore => accept self-signed certificate):

echo "This is the message body and contains the message" | mailx -v \
 -r "passbolt@XXXXXXXXX.com" \
 -s "This is the subject" \
 -S smtp="mail:587" \
 -S smtp-use-starttls \
 -S smtp-auth=login \
 -S smtp-auth-user="passbolt@XXXXXXXXX.com" \
 -S smtp-auth-password="XXXXXXXXX" \
 -S ssl-verify=ignore \
 testme@yopmail.com

And I can send e-mail with that config. I know that my SMTP server has a self-signed certificate, so I suppose that the problem comes from there.

dlen commented 7 years ago

Hi @Kamaradeivanov thanks for your interest in passbolt.

You could try to mount your email.php adding this value to your setup: 'ssl_allow_self_signed' => false

Kamaradeivanov commented 7 years ago

Hi, I got an SMTP timeout instead ....

10/08/2017 17:58:00 crond[67]: USER root pid 111 cmd run-parts /etc/periodic/1min
10/08/2017 17:58:31 SMTP timeout.
10/08/2017 17:58:31 SMTP timeout.
10/08/2017 17:58:31 SMTP timeout.
10/08/2017 17:58:31 SMTP timeout.
10/08/2017 17:59:00 crond[67]: USER root pid 152 cmd run-parts /etc/periodic/1min

But still no e-mails in my inbox.

dlen commented 7 years ago

Sorry, my bad, it was meant to be 'ssl_allow_self_signed' => true

Kamaradeivanov commented 7 years ago

And I copied your answer without thinking .... :D Unfortunately I got the same issue ...

10/08/2017 18:07:00 crond[66]: USER root pid 225 cmd run-parts /etc/periodic/1min
10/08/2017 18:07:31 SMTP timeout.
10/08/2017 18:08:00 crond[66]: USER root pid 267 cmd run-parts /etc/periodic/1min

There are no quotes around the true, unlike for the 'tls' value?

dlen commented 7 years ago

Yeah, you are right, it should be unquoted, but I guess that is not the problem. This might be a dumb question, but it seems to me that you are using SSL instead of TLS on your mail server, is that correct? In such a case your host line should look like: 'host' => 'ssl://mail', and if your certificate is self-signed then keep the previous 'ssl_allow_self_signed' => true. And, of course, remove the tls line.

Kamaradeivanov commented 7 years ago

I am using https://poste.io/ to start a mail server, but they say they use TLS everywhere in their documentation, so normally there is no SSL certificate, only TLS.

Kamaradeivanov commented 7 years ago

When I try to put 'host' => 'ssl://mail', I get the following errors:

stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
stream_socket_client(): Failed to enable crypto
stream_socket_client(): unable to connect to ssl://mail:587 (Unknown error)

I retried without SSL, with this config file:

public $default = array(
    'transport' => 'Smtp',
    'from' => array('passbolt@XXXXXXXXX.com' => 'Passbolt'),
    'host' => 'mail',
    'port' => 587,
    'timeout' => 30,
    'username' => 'passbolt@XXXXXXXXXX.com',
    'password' => 'XXXXXXX',
    'tls' => 'true',
    'ssl_allow_self_signed' => true,
);

And I got the following error, as if 'ssl_allow_self_signed' => true is not read. Do I need to restart something?

2017-08-11 10:31:52 Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in [/var/www/passbolt/lib/Cake/Network/CakeSocket.php, line 451]
SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

dlen commented 7 years ago

Hi @Kamaradeivanov, sorry about the delay. Is there any news on this issue?

Kamaradeivanov commented 7 years ago

Hi, unfortunately no, I still have the same issue. I'm currently on another project. I will try another SMTP solution, probably next week; maybe my setup of poste.io isn't good.

dlen commented 7 years ago

Hi! I'm closing this issue due to inactivity, feel free to reopen again if needed.

mackcoding commented 5 years ago

I'm having this issue, but adding 'ssl_allow_self_signed' => true does not fix it. I know the cert is self-signed, but because I'm on a controlled network I can't fix it. @Kamaradeivanov did you ever figure out a solution?

secresearch-rg commented 1 year ago

Hi!

Just figured out how to give CakePHP / Passbolt an exact path to the self-signed CA it should use to verify encrypted SMTP connections. On the web I could only find suggestions that involved disabling TLS verification for self-signed certs, which is undesirable.

Inside your Passbolt app config file where SMTP settings are located (hostname, creds, ports), you have to use this option to specify the file path to the CA file (I used a PEM certificate format):

'EmailTransport' => [
    'default' => [
        ...
        'ssl_cafile' => '/usr/local/share/ca-certificates/CustomCA.crt',
        ...
    ],
],

Found that while reading the relevant source code of CakePHP, namely this file.

I used that successfully with SMTP over port 465 (smtps). Maybe that will help someone!

HajasDS commented 1 year ago

Edit this file /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php and add these two lines to the end:

$this->_config['context']['ssl']['verify_peer'] = false;
$this->_config['context']['ssl']['allow_self_signed'] = true;

Here it is already added:

protected function _setSslContext(string $host): void
{
    // Move every 'ssl_*' config key into the stream context's 'ssl' options
    // (e.g. 'ssl_cafile' becomes context['ssl']['cafile']).
    foreach ($this->_config as $key => $value) {
        if (substr($key, 0, 4) !== 'ssl_') {
            continue;
        }
        $contextKey = substr($key, 4);
        if (empty($this->_config['context']['ssl'][$contextKey])) {
            $this->_config['context']['ssl'][$contextKey] = $value;
        }
        unset($this->_config[$key]);
    }
    if (!isset($this->_config['context']['ssl']['SNI_enabled'])) {
        $this->_config['context']['ssl']['SNI_enabled'] = true;
    }
    if (empty($this->_config['context']['ssl']['peer_name'])) {
        $this->_config['context']['ssl']['peer_name'] = $host;
    }
    if (empty($this->_config['context']['ssl']['cafile'])) {
        $this->_config['context']['ssl']['cafile'] = CaBundle::getBundledCaBundlePath();
    }
    if (!empty($this->_config['context']['ssl']['verify_host'])) {
        $this->_config['context']['ssl']['CN_match'] = $host;
    }
    unset($this->_config['context']['ssl']['verify_host']);
    // The two lines added by this comment: they run after the loop above, so they
    // override any 'ssl_verify_peer' setting and disable certificate verification
    // for every TLS socket this class opens, not only the SMTP one.
    $this->_config['context']['ssl']['verify_peer'] = false;
    $this->_config['context']['ssl']['allow_self_signed'] = true;
}
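As an added example (not code from Passbolt, CakePHP, or any commenter in this thread), the PHP script below checks that a custom CA file really validates the SMTP server's STARTTLS certificate before it is written into Passbolt's config as ssl_cafile (the approach in the secresearch-rg comment), so that patching Socket.php to set verify_peer = false (the approach in the HajasDS comment) is not needed. It builds the stream context the same way _setSslContext maps 'ssl_*' keys; the host, port and CA path are assumptions taken from the thread.

```php
<?php
// Added example, not part of Passbolt or CakePHP. Assumed values: SMTP host 'mail',
// STARTTLS on port 587, and the CA file path used in the comment above.
$config = [
    'host'       => 'mail',
    'port'       => 587,
    'timeout'    => 30,
    'ssl_cafile' => '/usr/local/share/ca-certificates/CustomCA.crt',
];

// Same translation CakePHP's _setSslContext performs: 'ssl_cafile' -> context['ssl']['cafile'].
// Verification stays enabled and the peer name is pinned to the configured host.
function buildSslContext(array $config): array
{
    $ssl = [];
    foreach ($config as $key => $value) {
        if (substr($key, 0, 4) === 'ssl_') {
            $ssl[substr($key, 4)] = $value;
        }
    }
    $ssl += ['verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $config['host']];
    return ['ssl' => $ssl];
}

// Read one SMTP reply (including "250-..." continuation lines) and require the given code.
function expectReply($socket, string $code): string
{
    do {
        $line = fgets($socket);
        if ($line === false) {
            throw new RuntimeException('connection closed by server');
        }
    } while (isset($line[3]) && $line[3] === '-');
    if (substr($line, 0, 3) !== $code) {
        throw new RuntimeException("unexpected SMTP reply: $line");
    }
    return $line;
}

$context = stream_context_create(buildSslContext($config));
$socket = stream_socket_client("tcp://{$config['host']}:{$config['port']}", $errno, $errstr,
    $config['timeout'], STREAM_CLIENT_CONNECT, $context);
if ($socket === false) {
    fwrite(STDERR, "connect failed: $errstr ($errno)\n");
    exit(1);
}
expectReply($socket, '220');
fwrite($socket, "EHLO passbolt-ca-check\r\n");
expectReply($socket, '250');
fwrite($socket, "STARTTLS\r\n");
expectReply($socket, '220');
// This is the call that failed in the logs above; with a matching cafile it returns true.
$ok = stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
fwrite($socket, "QUIT\r\n");
fclose($socket);
echo $ok === true ? "certificate verified against the CA file\n"
                  : "verification failed: check ssl_cafile and that the cert name matches 'mail'\n";
```

If the script reports a failure, the CA file or the certificate's subject name is wrong for this host, which is the same condition Passbolt's log reports as "certificate verify failed".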