ciso-assistant-community

Email server with self-signed certificate

Open PPCM opened this issue 10 months ago • 6 comments

CISO Assistant is working well with the Docker setup (latest), except for emails. So for applications not able to connect to M365, we use an email server with a self-signed certificate, and even if we set up CISO Assistant to not use TLS or SSL, it stops the email sending.

2025-01-23T22:10:53.898338Z [error ] primary mailer failure, trying rescue [iam.models] ciso_assistant_url=https://ciso.domain.com email_host=email.host.com [email protected] email_port=587 email_use_tls=False error=SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)') ip=127.0.0.1 [email protected] request_id=dbd98da0-4f5b-4c41-b7cc-f18a7456c608 subject='CISO Assistant: Password Reset' user_id=None

Is there a way to ignore a self-signed certificate?

Thanks for your help

PPCM avatar Jan 23 '25 22:01 PPCM

Hello @PPCM, what is the behavior you're getting when the flag EMAIL_USE_TLS is not set (neither True nor False)?

ab-smith avatar Jan 25 '25 14:01 ab-smith

@ab-smith thanks for the answer

I tried 2 things

  • Set an empty EMAIL_USE_TLS - The following error is raised
2025-01-25T14:58:08.482599Z [error    ] primary mailer failure, trying rescue [iam.models] ciso_assistant_url=https://ciso.domain.com email_host=email.host.com [email protected] email_port=587 email_use_tls=  error=SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)') ip=127.0.0.1
  • Remove the variable EMAIL_USE_TLS - The following error is raised
2025-01-25T14:59:54.538887Z [error    ] primary mailer failure, trying rescue [iam.models] ciso_assistant_url=https://ciso.domain.com email_host=email.host.com [email protected] email_port=587 email_use_tls=None error=SMTPNotSupportedError('SMTP AUTH extension not supported by server.') ip=127.0.0.1 [email protected] request_id=52687cdd-8544-4b7d-b150-8ada530e0b03 subject='CISO Assistant : réinitialisation de mot de passe' user_id=None
SMTP AUTH extension not supported by server.

In both, an error is raised

On my email server, SSL is needed for AUTH but with a self-signed certificate

An idea?

PPCM avatar Jan 25 '25 15:01 PPCM

OK, so on first research, it would require changing the behaviour of verify_mode:

https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode

Would probably require some extra code to manage this specific edge case.

I'll see what we can do and get back to you.

ab-smith avatar Jan 25 '25 15:01 ab-smith
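
The verify_mode behaviour linked in the comment above, as an added example that is not CISO Assistant's code and not part of the original thread: it contrasts trusting the server's self-signed certificate explicitly with turning verification off. The names build_smtp_context and send_mail and the PEM file argument are hypothetical.

```python
import smtplib
import ssl


def build_smtp_context(ca_file=None, verify=True):
    """Return an SSLContext to pass to SMTP.starttls().

    ca_file: PEM file with the mail server's self-signed certificate (or the
             private CA that issued it). It is added as a trust anchor, so
             chain and hostname checks stay enabled.
    verify:  False gives the "ignore the certificate" behaviour: the session
             is encrypted but the server's identity is not checked.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if not verify:
        # Order matters: check_hostname must be cleared first, otherwise
        # assigning CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_mail(host, port, user, password, msg, context):
    """STARTTLS first, then AUTH: the server in this thread only offers
    AUTH once the connection is encrypted."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=context)  # SSLCertVerificationError on failure
        smtp.login(user, password)
        smtp.send_message(msg)


def summarize(ctx):
    """Small helper to log how a context will treat the server certificate."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }
```

With ca_file set, the certificate's subjectAltName still has to match the host name passed to send_mail, because check_hostname remains on.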

Thank you very much! :-)

PPCM avatar Jan 25 '25 18:01 PPCM

Hello @PPCM , can you try with the latest version?

ab-smith avatar Apr 12 '25 04:04 ab-smith

Hello,

With the version (2.5.8) I'm still having the issue.

I have already tried everything I can do, and I can't find a solution for this problem.

We did the troubleshooting and the problem isn't about our internal SMTP server.

Thank you in advance, @ab-smith.

mastersecurityguin avatar Jun 04 '25 11:06 mastersecurityguin