shenxn / protonmail-bridge-docker

ProtonMail IMAP/SMTP Bridge Docker container
GNU General Public License v3.0

error enabling StartTLS: x509: certificate is valid for 127.0.0.1, not <ip/hostname> #43

Open camps7ee opened 2 years ago

camps7ee commented 2 years ago

Whenever I'm trying to connect an external service through protonmail-bridge smtp, this seems to be what's generated.

If I change the starttls value of whatever service I'm connecting the error message changes to "error authenticating: unencrypted connection".

I've tried setting the connection to ExplicitTLS; the same error message remains, and if I change it to ImplicitTLS I get

error getting SMTP client: error connecting to server: tls: first record does not look like a TLS handshake

I also tried confirming the smtp connectivity in combination with Plain Auth and this is what I got:

454 4.7.0 Invalid response

I'm suspecting that STARTTLS and Plain Auth don't play nicely together? If this is the case, is there any workaround?

lbrunkho commented 2 years ago

Also been running into this issue and I am going to see if I can figure out how to pass a docker env variable through to the container so we can generate a cert with the correct common name / ip address. I am trying to use this as a LAN only email notification service and I am finding that a lot of services do not support disabling certificate verification.

RafaelSchridi commented 1 year ago

Has anyone been able to figure this out?

caseyWebb commented 1 year ago

I was able to workaround this part of my issue by generating a certificate, and then using import-tls-cert.

```sh
# On the host: self-signed cert whose CN is the name clients will use for the bridge
openssl req -x509 -newkey rsa:4096 -keyout /tmp/protoncerts/key.pem -out /tmp/protoncerts/cert.pem -sha256 -days 3650 -nodes -subj "/CN=protonmail-bridge"

# Start the bridge's interactive init with the cert directory mounted at /root
docker run --rm -it -v /tmp/protoncerts:/root shenxn/protonmail-bridge init

# At the bridge CLI prompt:
import-tls-cert
# enter /root/cert.pem and /root/key.pem when asked for the certificate and key paths
```

Note the "/CN=protonmail-bridge" when generating the cert. You want that to be the hostname you're using.

Addendum: I got this working with linuxserver/swag generated certs (using ZeroSSL, but presumably works with LetsEncrypt).

Use -v ./my_swag_volume/etc/letsencrypt:/certs, then use /certs/live/<my_domain>/fullchain.pem and /certs/live/<my_domain>/key.pem. Note: use fullchain.pem, not cert.pem, or you will get the same untrusted cert authority error.
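The name check behind the error in this issue, as an added Go example that is not the bridge's or this repo's code: a cert whose SAN lists only 127.0.0.1 is rejected for a LAN address, while one that names the hostname and address clients actually use is accepted. The 192.168.1.50 address is a constructed placeholder, and the names go into the Subject Alternative Name, which Go-based clients (the source of these x509 messages) check instead of the CN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed server cert whose Subject Alternative
// Names are dnsNames and ips; cn only fills the Subject CN, which Go clients ignore.
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// hostnameCheck is the name check a Go SMTP client runs after trusting cert as a root and dialing host.
func hostnameCheck(cert *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error() // the text the client reports, e.g. in "error enabling StartTLS: ..."
	}
	return "" // a SAN matched
}
func main() {
	lan := net.ParseIP("192.168.1.50") // constructed LAN address of the bridge container
	builtin, _ := selfSigned("127.0.0.1", nil, []net.IP{net.ParseIP("127.0.0.1")}) // loopback-only, like the default
	fmt.Println(hostnameCheck(builtin, lan.String())) // x509: certificate is valid for 127.0.0.1, not 192.168.1.50
	fixed, _ := selfSigned("protonmail-bridge", []string{"protonmail-bridge"}, []net.IP{lan})
	fmt.Println(hostnameCheck(fixed, "protonmail-bridge") == "", hostnameCheck(fixed, lan.String()) == "") // true true
}
```

The same check can be run against a real cert with `openssl x509 -in cert.pem -noout -checkhost protonmail-bridge` (or -checkip) before importing it.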