Project

General

Profile

Bug #7222

Encryption No Longer Enforced for Email Notifications

Added by NOYB NOYB 8 months ago. Updated 8 months ago.

Status:
Needs Patch
Priority:
Normal
Assignee:
-
Category:
Notifications
Target version:
Start date:
02/07/2017
Due date:
% Done:

0%

Affected version:
2.4
Affected Architecture:

Description

The "Enable SMTP over SSL/TLS" option does not enforce the use of encryption.

Previous versions also had "Enable STARTTLS" option which made the pfSense email client require the SMTP server to support STARTTLS and use SSL/TLS encryption.

Details of the issue and potential fix are available here:
https://forum.pfsense.org/index.php?topic=118183

Please return option to have pfSense client require encryption.

History

#1 Updated by NOYB NOYB 8 months ago

That wasn't worded very well. Strike that first sentence. This has nothing to do with the "Enable SMTP over SSL/TLS" option.

Lets try it again...

Previous versions had an "Enable STARTTLS" option implemented such that when enabled the pfSense email client would require the SMTP server to support STARTTLS and use TLS encryption. Without this option there is no way to ensure/force the use of STARTTLS and TLS encryption.

That leaves it vulnerable to STRIPTLS attack because the pear-mail client does not require TLS be used and will fall back to plain text if server does not support STARTTLS. ISP's have been known to be fond of using STRIPTLS.

Opportunistic TLS - Weaknesses and mitigations (STRIPTLS)
https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations

Would like to see this option restored and used for the client to force/require TLS when STARTTLS is enabled.

A discussion of the issue and a potential fix are available here:
https://forum.pfsense.org/index.php?topic=118183

#2 Updated by Jim Pingle 8 months ago

  • Target version changed from 2.4.0 to Future

We switched over to the Pear Mail package and at the moment I'm not seeing any equivalent option in their code. It would need to be added upstream before we could pick it up.

#3 Updated by NOYB NOYB 8 months ago

Why can't pfSense customization be made to the pear Mail package, like is done for some others packages, to add the require_tls param like shown in the pear Mail patch referenced in the thread?

#4 Updated by Kill Bill 8 months ago

Well, I'd hazard to say because it's just another thing to maintain with pretty much no gain? Want to be sure TLS is used? Use explicit and not STARTTLS.

#5 Updated by NOYB NOYB 8 months ago

Kill Bill wrote:

Well, I'd hazard to say because it's just another thing to maintain with pretty much no gain? Want to be sure TLS is used? Use explicit and not STARTTLS.

I want to continue using STARTTLS like current system and config is doing. Probably others will also. See no reason for the require STARTTLS capability to be removed. The param can be added to pear mail reasonably easily.

#6 Updated by Jim Pingle 8 months ago

  • Status changed from New to Needs Patch

Lobby to the PEAR crew to import the patch and we'll add support once it's in there. We have maintained a lot of custom code/patches in the past but it's a lot of technical debt to take on, and we are trying to keep that to a minimum.

As you mentioned on the thread "Don't want the liability of this on my shoulders." -- this is the responsibility of PEAR, not any of us. Same with your other points there. These are all things the PEAR maintainers need to take on and test, not us.

#7 Updated by NOYB NOYB 8 months ago

Jim Pingle wrote:

Lobby to the PEAR crew to import the patch and we'll add support once it's in there. We have maintained a lot of custom code/patches in the past but it's a lot of technical debt to take on, and we are trying to keep that to a minimum.

As you mentioned on the thread "Don't want the liability of this on my shoulders." -- this is the responsibility of PEAR, not any of us. Same with your other points there. These are all things the PEAR maintainers need to take on and test, not us.

That's a reasoned explanation I can accept. Don't like it but can accept it. Thank you.

Hope there will be a release note to give people a heads up that STARTTLS is no longer enforced. To let them know if they are upgrading systems that currently uses STARTTLS option, the "Enable SMTP over SSL/TLS" option is now the only way to ensure encryption is used.

I will be implementing the STARTTLS option anyway. Shame it won't be available too others. My guess is pear Mail will never be patched to fix this STRIPTLS security hole. As usually, once again security takes a backseat.

#8 Updated by Kill Bill 8 months ago

NOYB NOYB wrote:

My guess is pear Mail will never be patched to fix this STRIPTLS security hole.

Well, certainly not if noone requests it. https://pear.php.net/bugs/search.php?cmd=display&package_name[]=Net_SMTP&status=All

#9 Updated by NOYB NOYB 8 months ago

Kill Bill wrote:

NOYB NOYB wrote:

My guess is pear Mail will never be patched to fix this STRIPTLS security hole.

Well, certainly not if noone requests it. https://pear.php.net/bugs/search.php?cmd=display&package_name[]=Net_SMTP&status=All

PEAR Mail STRIPTLS Mitigation Request Example:
An option to require STARTTLS should be added to mitigate STRIPTLS attack vector.
http://pear.php.net/bugs/bug.php?id=21117

Request #21117 Mitigate STRIPTLS Attack Vector

Submitted: 2016-09-15 00:42 UTC 
From: noyb 
Assigned: 
Status: Open
Package: Mail (version 1.3.0)
PHP Version: 5.6.25
OS: FreeBSD 11.0-RC2
Roadmaps: Not assigned)

Also available in: Atom PDF