
sogo: Add support for SMTP-STARTTLS/SMTP-SSL #89390

Closed
wants to merge 2 commits into from

Conversation

herrwiese
Contributor

@herrwiese herrwiese commented Jun 3, 2020

Motivation for this change

SOGo (resp. SOPE) only supports plain-text SMTP to connect to the upstream SMTP server, which is okay as long as both SOGo and SMTPd run on the same machine, but unfortunate if not.

This pulls in the respective merges from upstream.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Mic92
Member

Mic92 commented Jun 3, 2020

@ajs124 @dasJ please test.

@ajs124
Member

ajs124 commented Jun 3, 2020

I don't think we should merge this, because this seems like snake oil TLS without Alinto/sope#52.
Actually, it seems like every IMAP+TLS connection sogo opens can be trivially man-in-the-middled, which is just great.

In our setup we're running stunnel in client mode for SMTP over TLS.

@Mic92
Member

Mic92 commented Jun 3, 2020

Agreed. This creates a false sense of security. Stunnel or VPNs might be a better work-around until this is fixed properly.

@herrwiese
Contributor Author

Ah dang, I read about that and totally forgot (I also totally forgot about stunnel...). You're of course right here. Thanks all for reviewing, and especially @ajs124 for getting stunnel back to my mind.

@herrwiese herrwiese closed this Jun 4, 2020
@herrwiese herrwiese deleted the for-master/sogo-smtps branch June 4, 2020 21:41
@dasJ
Member

dasJ commented Jun 5, 2020

@herrwiese This is our STARTTLS SMTP stunnel config:

{
  services.stunnel = {
    enable = true;

    # Client mode: SOGo talks plain SMTP to the local listener,
    # stunnel carries it to the upstream server over TLS.
    clients.smtp = {
      accept = "127.0.0.1:587";
      connect = "smtp.example.com:587";
    };
  };

  # protocol = smtp makes stunnel negotiate STARTTLS with the upstream;
  # CAfile gives it the trust store used to verify the server certificate.
  environment.etc."stunnel.cfg".text = ''
    protocol = smtp
    CAfile = /etc/ssl/certs/ca-certificates.crt
  '';
}
4 participants