Project

General

Profile

Actions

Bug #8313

open

STARTTLS auto detection not working

Added by David Martin almost 4 years ago. Updated almost 4 years ago.

Status:
New
Priority:
Normal
Category:
Notifications
Target version:
-
Start date:
02/05/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.2_1
Affected Architecture:
amd64

Description

When attempting to setup SMTP notifications to a mailserver which supports STARTTLS the following error occurrs:
Could not send the message to [] -- Error: Failed to set sender: [] [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)].

In researching the issue it seems that on August 11th 2016 the web UI element for selecting STARTTLS was removed with the developer who made the change stating that pear-Mail will automatically use STARTTLS when the server supports it (see https://github.com/pfsense/pfsense/commit/c8c46e5a8e9551db0172b79aae1fee4553b3bf7d). Packet captures between the pfSense appliance and mail server reveal that the pfSense mail client fails to issue a STARTTLS command even when it has been advertised by the server (see https://pastebin.com/3CTW0wPC).

On a side note, while it is not necessarily a bug it is poor practice to rely on client-side autodetection of STARTTLS. In this situation an attacker positioned between the SMTP client and server can block STARTTLS advertisements thereby preventing the establishment of an encrypted connection, or they could establish an unencrypted connection to the client and an encrypted connection to the server in a replay attack. The user should have the ability to specify that STARTTLS is to always be used in the connection. It should also be noted that this change alone would not prevent a MITM from creating their own TLS connection to the client in a replay attack. Further measures would need to prevent the client from accepting a fraudulent certificate.


Files

packetcapture.cap (2.09 KB) packetcapture.cap Packet Capture of TCP Session David Martin, 02/05/2018 03:23 PM
Actions #1

Updated by Steve Beaver almost 4 years ago

  • Assignee changed from David Martin to Renato Botelho
Actions #2

Updated by Jim Pingle almost 4 years ago

That code is not ours but that of the Net_SMTP Pear package: https://pear.php.net/package/Net_SMTP -- That package does not have a means by which STARTTLS can be forced. It's possible that package is not successfully reading the feature list in the server response.

Consider reporting the same issue to them upstream. We typically hesitate to modify included package code unless there is no alternative.

Actions

Also available in: Atom PDF