Feature #9001

Add checkbox to disable SSL peer verification for SMTP notifications

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: Notifications
Target version:
Start date: 10/03/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

Some mail servers do not use a certificate that can be validated by the current code (e.g. custom self-signed CA or cert), but they can still benefit from TLS if the user opts to not validate the cert.

The current Pear Mail and Net_SMTP code supports this now, but we need a GUI knob and some backend code to enable it.

Should be simple, one checkbox that sets the right socket option. A user has already confirmed the backend change works, but it needs to be made conditional.

See the attached patch for the part that needs to be added to disable TLS verification, and see https://forum.netgate.com/topic/136299/pfsense-2-4-4-smtp-question/5 for more discussion.

smtp-verify.diff (529 Bytes) Jim Pingle, 10/03/2018 10:20 AM
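The conditional socket option described above, as an added example (not the attached patch and not pfSense code). The `disable_ssl_verify`, `host` and `port` config keys and both function names are hypothetical; `socket_options` is the PEAR Mail smtp driver parameter that carries PHP stream-context options.

```php
<?php
// Added illustration only. Config keys and function names are hypothetical.

/**
 * Build the stream-context options for the SMTP socket.
 * Verification stays on unless the checkbox value is explicitly set.
 */
function smtp_socket_options(array $cfg): array
{
    $ssl = [
        'verify_peer'      => true, // validate the certificate chain
        'verify_peer_name' => true, // validate that the cert matches the host name
    ];
    if (!empty($cfg['disable_ssl_verify'])) {
        // Opt-out: the session is still encrypted, but the server's
        // identity is no longer checked.
        $ssl['verify_peer']      = false;
        $ssl['verify_peer_name'] = false;
    }
    return ['ssl' => $ssl];
}

/** Parameters for PEAR Mail's smtp driver, including the socket options. */
function smtp_params(array $cfg): array
{
    return [
        'host'           => $cfg['host'],
        'port'           => $cfg['port'],
        'socket_options' => smtp_socket_options($cfg),
    ];
}

// Constructed sample settings: checkbox unset (default) and checkbox set.
$samples = [
    'default'  => ['host' => 'mail.example.com', 'port' => 587],
    'disabled' => ['host' => 'mail.example.com', 'port' => 587,
                   'disable_ssl_verify' => true],
];
foreach ($samples as $name => $cfg) {
    echo $name, ': ', json_encode(smtp_params($cfg)['socket_options']), "\n";
}

// To send with these settings (requires PEAR Mail):
//   require_once 'Mail.php';
//   $smtp = Mail::factory('smtp', smtp_params($cfg));
```

With the default settings, `verify_peer_name` is the check that rejects a server whose certificate is valid but does not match the name used to reach it.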

Associated revisions

Revision 7da466e1 (diff)
Added by Jim Pingle over 2 years ago

Add checkbox to disable SMTP SSL cert verification. Implements #9001

The default action is to validate the certificate. If the user knows the
server does not have a valid certificate (e.g. self-signed), this option
will allow encryption to be used without validating the identity of the
server.

Revision 0b76ff3b (diff)
Added by Jim Pingle over 2 years ago

Add checkbox to disable SMTP SSL cert verification. Implements #9001

The default action is to validate the certificate. If the user knows the
server does not have a valid certificate (e.g. self-signed), this option
will allow encryption to be used without validating the identity of the
server.

(cherry picked from commit 7da466e1c4b6873b9fb80e862faf8f799a6d4531)

History

#1 Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Luiz Souza over 2 years ago

  • Target version changed from 2.4.4-GS to 2.4.4-p1

#3 Updated by Anonymous over 2 years ago

On 2.4.5.a.20181120.0754, feature is present. However, without a misconfigured email server, I can't tell if the feature works as expected.

#4 Updated by Chris Linstruth over 2 years ago

Using a host override to cause a hostname mismatch on a server with a valid certificate, I was able to confirm mail could be sent if the verification was disabled and failed if it was enabled. Looks good.

#5 Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved
