Closed thestick613 closed 8 years ago
I agree.
If we want to do opportunistic TLS on the relay, we don't really need proper certificates I think.
We used to be able to pass `tls = {'keyfile': None, 'certfile': None}` to the relay to make it work.
Perhaps `tls=True` would be enough for a relay?
Happy to prepare a PR for that, just let us know what you think.
@icgood, just pinging you about this issue in order to prepare a PR.
Any update on this? https://support.google.com/mail/answer/6330403?hl=en
@socketubs @thestick613 Check out #101 and let me know if you think that would address your concerns. I think using TLS by default unless being told not to is a great idea.
I think the new Python 3.5+ have done a way better job handling SSL/TLS in general, and I wish I could just lock in slimta to use their new features 😄
This doesn't cover my initial request. I've sent an email to my Gmail account and I still get a red padlock. The slimta client library doesn't STARTTLS. You can try this yourself:
```python
from slimta.relay.smtp.mx import MxSmtpRelay
from slimta.envelope import Envelope

# Relay with default settings: no tls option is passed.
relay = MxSmtpRelay(connect_timeout=10, command_timeout=10,
                    data_timeout=10, idle_timeout=10, ehlo_as='trololololo.com')

e = Envelope()
e.sender = "hello@trolololo.com"
e.recipients = ["thestick613@gmail.com"]
# Raw message: headers, a blank separator line, then the body.
e.parse("""Subject: Hello there
From: "hello" <hello@trolololololo.com>

Hello there""")

# First delivery attempt (attempt counter 0).
relay.attempt(e, 0)
```
In https://github.com/slimta/python-slimta/blob/master/slimta/relay/smtp/client.py#L132, changing

```python
if self.tls and not self.tls_immediately:
```

to

```python
if self.tls or not self.tls_immediately:
```

seems to do the trick (you must also pass an empty `tls` dictionary to `MxSmtpRelay` or whatever):
Yahoo (SMTPS):

```
Received: from 127.0.0.1 (EHLO trololololo.com) (8X.XX.XXX.XX)
  by mtaXXXX.mail.gq1.yahoo.com with SMTPS; Tue, 17 May XXXXXXXXX
```

Gmail (TLS):

```
Received: from trololololo.com ([8X.XX.XXX.XX])
        by mx.google.com with ESMTPS id XXXXXXX.1XXXXXXX
        for <XXXXXXXXXX@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 17 May 2016 03:XXXXXXXX
```
Closing this. In my testing (with the script above), Gmail reports `Standard (TLS)` for encryption type with default settings, no `tls` option passed. I have tagged 3.2.1 with this behavior.
Great, thank you!
I can confirm that it works fine, but AOL's SMTP inbound webservers don't like this; just try replacing the Yahoo or Gmail address with an AOL one. I've also enabled logging:
```
python testaol.py
2016-06-09 17:58:51,642.642 DEBUG __init__ - logline: fd:3:connect peer=('mailin-04.mx.aol.com', 25)
2016-06-09 17:58:51,842.842 DEBUG __init__ - logline: fd:3:recv data='220-mtaig-aae02.mx.aol.com ESMTP Internet Inbou...not have reverse-DNS (PTR records) assigned.\r\n'
2016-06-09 17:58:51,842.842 DEBUG __init__ - logline: fd:3:send data='EHLO trololololo.com\r\n'
2016-06-09 17:58:51,978.978 DEBUG __init__ - logline: fd:3:recv data='250-mtaig-aae02.mx.aol.com\r\n250-STARTTLS\r\n250 DSN\r\n'
2016-06-09 17:58:51,978.978 DEBUG __init__ - logline: fd:3:send data='STARTTLS\r\n'
2016-06-09 17:58:52,520.520 DEBUG __init__ - logline: fd:3:recv data='220 2.0.0 Ready to start TLS\r\n'
2016-06-09 17:58:52,520.520 DEBUG __init__ - logline: fd:3:encrypt certfile=None keyfile=None server_side=False
2016-06-09 18:00:31,991.991 DEBUG __init__ - logline: fd:3:send data='QUIT\r\n'
Traceback (most recent call last):
  File "plma.py", line 32, in <module>
    relay.attempt(e, 0)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/slimta/relay/smtp/mx.py", line 239, in attempt
    return relayer.attempt(envelope, attempts)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/slimta/relay/pool.py", line 93, in attempt
    return result.get()
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/event.py", line 385, in get
    return self.get(block=False)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/event.py", line 375, in get
    return self._raise_exception()
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/event.py", line 355, in _raise_exception
    reraise(*self.exc_info)
  File "/root/venv_smtpout_2/local/lib/python2.7/site-packages/gevent/_util_py2.py", line 8, in reraise
    raise type, value, tb
slimta.relay.smtp.SmtpTransientRelayError: Transient failure on STARTTLS: 421 4.4.2 Connection timed out
```
Can you reproduce this?
This doesn't seem related to AOL, since I can reproduce it with openssl:

```
openssl s_client -starttls smtp -crlf -connect mailin-03.mx.aol.com:25
CONNECTED(00000003)
```

and it hangs there.
slimta's code makes it mandatory to have a tls dictionary if you want to starttls as a client. https://github.com/slimta/python-slimta/blob/master/slimta/relay/smtp/client.py#L132
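An added example, not slimta's code and not from any participant in this thread, of the opportunistic STARTTLS exchange discussed above driven under a hard per-read timeout, so that a peer which advertises STARTTLS and then goes quiet (the AOL log above) is reported as a transient error instead of hanging the relay. The `ScriptedPeer` socket stand-in, the host names and the transcripts are constructed for this example; a real `socket.socket` can be passed in their place.

```python
import socket
class StarttlsError(Exception):
    """Peer closed, answered unexpectedly, or went silent past the timeout."""
def read_reply(rfile):
    # One SMTP reply, possibly multi-line: "250-X" continues, "250 X" ends it.
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit():
            raise StarttlsError("malformed or truncated reply: %r" % line)
        lines.append(line[4:])
        if line[3] != "-":
            return int(line[:3]), lines
def negotiate_starttls(sock, ehlo_as, timeout=10.0):
    # Returns ("ready", exts), ("unsupported", exts) or ("error", reason).
    sock.settimeout(timeout)  # bounds every recv, so a silent peer cannot hang us
    rfile = sock.makefile("rb")
    try:
        if read_reply(rfile)[0] != 220:
            raise StarttlsError("unexpected banner")
        sock.sendall(("EHLO %s\r\n" % ehlo_as).encode("ascii"))
        code, lines = read_reply(rfile)
        if code != 250:
            raise StarttlsError("EHLO rejected with %d" % code)
        exts = {l.split()[0].upper() for l in lines[1:] if l.strip()}
        if "STARTTLS" not in exts:
            return "unsupported", exts  # caller decides: clear text or defer
        sock.sendall(b"STARTTLS\r\n")
        if read_reply(rfile)[0] != 220:
            raise StarttlsError("STARTTLS refused")
        return "ready", exts  # next: ssl wrap_socket() under the same timeout
    except socket.timeout:
        return "error", "timed out after %.0fs waiting for the peer" % timeout
    except StarttlsError as exc:
        return "error", str(exc)

class ScriptedPeer:
    # Constructed socket stand-in (no real host): canned replies, then silence.
    def __init__(self, transcript):
        self.lines, self.sent = transcript.splitlines(True), []
    def settimeout(self, t): pass
    def makefile(self, mode): return self
    def sendall(self, data): self.sent.append(data)
    def readline(self):
        if self.lines:
            return self.lines.pop(0)
        raise socket.timeout()  # what a real socket raises when the peer goes quiet
# Constructed transcripts modelled on the AOL log in this thread.
ADVERTISES_TLS = b"220 mx.example.test ESMTP\r\n250-mx.example.test\r\n250-STARTTLS\r\n250 DSN\r\n220 2.0.0 Ready to start TLS\r\n"
GOES_SILENT = b"220 mx.example.test ESMTP\r\n250-mx.example.test\r\n250 STARTTLS\r\n"
```

With a real socket the `ready` result is the point at which `ssl.SSLContext.wrap_socket()` would run, and because the timeout was set on the socket the handshake itself is bounded too.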