slimta / python-slimta

Python libraries to send, receive, and queue email.
https://slimta.org/
MIT License
171 stars 43 forks

do i really need a tls dictionary as a client to starttls? #87

Closed thestick613 closed 8 years ago

thestick613 commented 8 years ago

slimta's code makes it mandatory to have a tls dictionary if you want to starttls as a client. https://github.com/slimta/python-slimta/blob/master/slimta/relay/smtp/client.py#L132

n11c commented 8 years ago

I agree. If we want to do opportunistic TLS on the relay, we don't really need proper certificates I think. We used to be able to pass tls = {'keyfile':None, 'certfile':None} to the relay to make it work.

Perhaps tls=True would be enough for a relay?

n11c commented 8 years ago

Happy to prepare a PR for that, just let us know what you think

toxinu commented 8 years ago

@icgood, just pinging you about this issue in order to prepare a PR.

thestick613 commented 8 years ago

Any update on this? https://support.google.com/mail/answer/6330403?hl=en

icgood commented 8 years ago

@socketubs @thestick613 Check out #101 and let me know if you think that would address your concerns. I think using TLS by default unless being told not to is a great idea.

I think the new Python 3.5+ have done a way better job handling SSL/TLS in general, and I wish I could just lock in slimta to use their new features 😄

thestick613 commented 8 years ago

This doesn't cover my initial request. I've sent an email to my gmail account and I still get a red padlock. The slimta client library doesn't STARTTLS. You can try this yourself.

# MxSmtpRelay resolves the recipient domain's MX records and delivers directly
from slimta.relay.smtp.mx import MxSmtpRelay
from slimta.envelope import Envelope

# No tls argument is passed: the question is whether STARTTLS is used anyway
relay = MxSmtpRelay(connect_timeout=10, command_timeout=10,
                    data_timeout=10, idle_timeout=10, ehlo_as='trololololo.com')

e = Envelope()
e.sender = "hello@trolololo.com"
e.recipients = ["thestick613@gmail.com"]
# Parse the raw headers and body into the envelope
e.parse("""Subject: Hello there
From: "hello" <hello@trolololololo.com>

Hello there""")
# One delivery attempt (attempt number 0)
relay.attempt(e, 0)
[Screenshot: screen shot 2016-05-16 at 23 07 31]

thestick613 commented 8 years ago

In https://github.com/slimta/python-slimta/blob/master/slimta/relay/smtp/client.py#L132, changing

if self.tls and not self.tls_immediately:

with

if self.tls or not self.tls_immediately:

You must also pass an empty tls dictionary to MxSmtpRelay or whatever. Seems to do the trick:

yahoo: (SMTPS)

Received: from 127.0.0.1  (EHLO trololololo.com) (8X.XX.XXX.XX)
  by mtaXXXX.mail.gq1.yahoo.com with SMTPS; Tue, 17 May XXXXXXXXX

gmail: (TLS)

Received: from trololololo.com ([8X.XX.XXX.XX])
        by mx.google.com with ESMTPS id XXXXXXX.1XXXXXXX
        for <XXXXXXXXXX@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 17 May 2016 03:XXXXXXXX

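
The Received headers above are how you confirm, after the fact, that a hop really ran over TLS. As an added example (my own Python 3 code, not slimta's and not from this thread), the following parses each Received line, unfolds it, and reads the "with" protocol keyword plus any version/cipher clause to decide whether that hop was encrypted. The sample headers are constructed copies of the ones posted above with hostnames, ids, addresses and dates replaced by placeholders; the third, plaintext hop is added for contrast.

```python
import re

# Constructed samples modelled on the headers posted in this thread; hosts,
# ids, addresses and dates are placeholders, not real delivery records.
RECEIVED_SAMPLES = {
    "yahoo": (
        "Received: from 127.0.0.1  (EHLO trololololo.com) (192.0.2.10)\n"
        "  by mta0000.mail.gq1.yahoo.com with SMTPS; Tue, 17 May 2016 03:00:00 +0000"
    ),
    "gmail": (
        "Received: from trololololo.com ([192.0.2.10])\n"
        "        by mx.google.com with ESMTPS id ab12cd34.1a2b3c4d\n"
        "        for <someone@example.com>\n"
        "        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n"
        "        Tue, 17 May 2016 03:00:00 +0000"
    ),
    "plain": (
        "Received: from trololololo.com ([192.0.2.10])\n"
        "        by mx.example.net with ESMTP id 99zz;\n"
        "        Tue, 17 May 2016 03:00:00 +0000"
    ),
}

# "with" keywords whose trailing S means the hop ran over TLS. ESMTPS/ESMTPSA
# are registered by RFC 3848; SMTPS is the spelling Yahoo used above.
TLS_KEYWORDS = {"SMTPS", "ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
VERSION_RE = re.compile(r"\bversion=([A-Za-z0-9_.]+)")
CIPHER_RE = re.compile(r"\bcipher=([A-Za-z0-9_-]+)")
BITS_RE = re.compile(r"\bbits=(\d+)/(\d+)")


def unfold(header):
    """Join folded continuation lines (newline followed by whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header):
    """Report whether a Received hop was encrypted and, when stated, how."""
    line = unfold(header)
    by = BY_RE.search(line)
    with_ = WITH_RE.search(line)
    version = VERSION_RE.search(line)
    cipher = CIPHER_RE.search(line)
    bits = BITS_RE.search(line)
    protocol = with_.group(1).upper() if with_ else None
    return {
        "by": by.group(1) if by else None,
        "protocol": protocol,
        # Either the protocol keyword says TLS, or the receiver spelled out a
        # cipher suite (Gmail does both).
        "encrypted": protocol in TLS_KEYWORDS or cipher is not None,
        "version": version.group(1) if version else None,
        "cipher": cipher.group(1) if cipher else None,
        "bits": (int(bits.group(1)), int(bits.group(2))) if bits else None,
    }


def audit(headers):
    """Run parse_received over a name->header mapping; returns name->report."""
    return {name: parse_received(h) for name, h in headers.items()}


if __name__ == "__main__":
    for name, rep in audit(RECEIVED_SAMPLES).items():
        state = "TLS" if rep["encrypted"] else "PLAINTEXT"
        print(f"{name:6} {rep['by']:28} {rep['protocol']:7} {state} "
              f"{rep['version'] or ''} {rep['cipher'] or ''}")
```

Only the receiving server's own Received line is trustworthy for this check; earlier hops' headers are whatever the sender wrote, so read the line added by the MX you delivered to.
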
icgood commented 8 years ago

Closing this. In my testing (with the script above), Gmail reports Standard (TLS) for encryption type with default settings, no tls option passed. I have tagged 3.2.1 with this behavior.

thestick613 commented 8 years ago

Great, thank you!

thestick613 commented 8 years ago

I can confirm that it works fine, but AOL's smtp inbound webservers don't like this; just try replacing the yahoo or gmail address with an AOL one - I've also enabled logging:

python testaol.py 
2016-06-09 17:58:51,642.642 DEBUG __init__ - logline: fd:3:connect peer=('mailin-04.mx.aol.com', 25)
2016-06-09 17:58:51,842.842 DEBUG __init__ - logline: fd:3:recv data='220-mtaig-aae02.mx.aol.com ESMTP Internet Inbou...not have reverse-DNS (PTR records) assigned.\r\n'
2016-06-09 17:58:51,842.842 DEBUG __init__ - logline: fd:3:send data='EHLO trololololo.com\r\n'
2016-06-09 17:58:51,978.978 DEBUG __init__ - logline: fd:3:recv data='250-mtaig-aae02.mx.aol.com\r\n250-STARTTLS\r\n250 DSN\r\n'
2016-06-09 17:58:51,978.978 DEBUG __init__ - logline: fd:3:send data='STARTTLS\r\n'
2016-06-09 17:58:52,520.520 DEBUG __init__ - logline: fd:3:recv data='220 2.0.0 Ready to start TLS\r\n'
2016-06-09 17:58:52,520.520 DEBUG __init__ - logline: fd:3:encrypt certfile=None keyfile=None server_side=False
2016-06-09 18:00:31,991.991 DEBUG __init__ - logline: fd:3:send data='QUIT\r\n'
Traceback (most recent call last):
  File "plma.py", line 32, in <module>
    relay.attempt(e, 0)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/slimta/relay/smtp/mx.py", line 239, in attempt
    return relayer.attempt(envelope, attempts)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/slimta/relay/pool.py", line 93, in attempt
    return result.get()
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/event.py", line 385, in get
    return self.get(block=False)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/event.py", line 375, in get
    return self._raise_exception()
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/event.py", line 355, in _raise_exception
    reraise(*self.exc_info)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/_util_py2.py", line 8, in reraise
    raise type, value, tb
slimta.relay.smtp.SmtpTransientRelayError: Transient failure on STARTTLS: 421 4.4.2 Connection timed out

Can you reproduce this?
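
The debug lines above already contain the whole story: STARTTLS was offered, requested and acknowledged, then nothing happened on the socket for about 100 seconds until the client gave up with QUIT. As an added example (my own Python 3 code, not slimta's and not from this thread), the following parses slimta's socket log format, reconstructs the STARTTLS exchange per file descriptor, and measures the gap between the encrypt step and the next socket event; a gap over a threshold, or a session that ends at encrypt, is flagged as a stalled handshake. The stalled session is a copy of the lines posted above; the healthy session and the 30 second threshold are constructed for contrast.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed copy of the slimta debug lines posted in this thread (AOL case).
STALLED_LOG = r"""
2016-06-09 17:58:51,642.642 DEBUG __init__ - logline: fd:3:connect peer=('mailin-04.mx.aol.com', 25)
2016-06-09 17:58:51,842.842 DEBUG __init__ - logline: fd:3:recv data='220-mtaig-aae02.mx.aol.com ESMTP Internet Inbou...not have reverse-DNS (PTR records) assigned.\r\n'
2016-06-09 17:58:51,842.842 DEBUG __init__ - logline: fd:3:send data='EHLO trololololo.com\r\n'
2016-06-09 17:58:51,978.978 DEBUG __init__ - logline: fd:3:recv data='250-mtaig-aae02.mx.aol.com\r\n250-STARTTLS\r\n250 DSN\r\n'
2016-06-09 17:58:51,978.978 DEBUG __init__ - logline: fd:3:send data='STARTTLS\r\n'
2016-06-09 17:58:52,520.520 DEBUG __init__ - logline: fd:3:recv data='220 2.0.0 Ready to start TLS\r\n'
2016-06-09 17:58:52,520.520 DEBUG __init__ - logline: fd:3:encrypt certfile=None keyfile=None server_side=False
2016-06-09 18:00:31,991.991 DEBUG __init__ - logline: fd:3:send data='QUIT\r\n'
"""

# Hypothetical healthy session: the handshake completes and the client re-EHLOs.
HEALTHY_LOG = r"""
2016-06-09 18:05:00,000.000 DEBUG __init__ - logline: fd:4:connect peer=('mx.example.net', 25)
2016-06-09 18:05:00,100.100 DEBUG __init__ - logline: fd:4:recv data='220 mx.example.net ESMTP\r\n'
2016-06-09 18:05:00,101.101 DEBUG __init__ - logline: fd:4:send data='EHLO trololololo.com\r\n'
2016-06-09 18:05:00,200.200 DEBUG __init__ - logline: fd:4:recv data='250-mx.example.net\r\n250 STARTTLS\r\n'
2016-06-09 18:05:00,201.201 DEBUG __init__ - logline: fd:4:send data='STARTTLS\r\n'
2016-06-09 18:05:00,300.300 DEBUG __init__ - logline: fd:4:recv data='220 2.0.0 Ready to start TLS\r\n'
2016-06-09 18:05:00,300.300 DEBUG __init__ - logline: fd:4:encrypt certfile=None keyfile=None server_side=False
2016-06-09 18:05:00,450.450 DEBUG __init__ - logline: fd:4:send data='EHLO trololololo.com\r\n'
"""

Event = namedtuple("Event", "ts fd kind payload")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3})\.\d{3} "
    r"DEBUG \S+ - logline: fd:(?P<fd>\d+):(?P<kind>\w+)(?: (?P<payload>.*))?$"
)


def parse_log(text):
    """Group slimta socket log lines into per-fd event lists, in file order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a socket log line (e.g. traceback text)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=int(m["ms"]))
        sessions[int(m["fd"])].append(Event(ts, int(m["fd"]), m["kind"], m["payload"] or ""))
    return sessions


def analyze_session(events, stall_threshold=30.0):
    """Reconstruct the STARTTLS exchange and flag a handshake that never completed."""
    report = {"peer": None, "starttls_offered": False, "starttls_sent": False,
              "server_ready": False, "handshake_stall_seconds": None,
              "next_event": None, "stalled": False}
    for i, ev in enumerate(events):
        if ev.kind == "connect":
            report["peer"] = ev.payload
        elif ev.kind == "recv" and ev.payload.startswith("data='250") and "STARTTLS" in ev.payload:
            report["starttls_offered"] = True   # EHLO reply advertised the extension
        elif ev.kind == "send" and ev.payload.startswith("data='STARTTLS"):
            report["starttls_sent"] = True
        elif ev.kind == "recv" and report["starttls_sent"] and ev.payload.startswith("data='220"):
            report["server_ready"] = True       # 220 Ready to start TLS
        elif ev.kind == "encrypt":
            # slimta logs 'encrypt' when it wraps the socket, so the TLS handshake
            # runs now; whatever the socket does next shows whether it completed.
            if i + 1 < len(events):
                nxt = events[i + 1]
                report["handshake_stall_seconds"] = (nxt.ts - ev.ts).total_seconds()
                report["next_event"] = nxt.kind + " " + nxt.payload
            gap = report["handshake_stall_seconds"]
            report["stalled"] = gap is None or gap > stall_threshold
    return report


if __name__ == "__main__":
    for label, text in (("aol", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        for fd, events in parse_log(text).items():
            print(label, fd, analyze_session(events))
```

The useful signal for triage is the pair starttls_sent/server_ready both true with a large gap afterwards: the SMTP side agreed to upgrade, so the stall sits inside the TLS handshake itself, which is exactly what the openssl s_client -starttls check in the next comment isolates.
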

thestick613 commented 8 years ago

This doesn't seem related to AOL, since I can reproduce it with openssl

openssl s_client -starttls smtp -crlf -connect mailin-03.mx.aol.com:25
CONNECTED(00000003)

and it hangs in there.