[Mailer] Option to enforce STARTTLS
Description
// https://github.com/symfony/mailer/blob/6.1/Transport/Smtp/EsmtpTransport.php#L136
if (!$stream->isTLS() && \defined('OPENSSL_VERSION_NUMBER') && \array_key_exists('STARTTLS', $this->capabilities)) {
That line will be true only if the server reports that it has STARTTLS support, but during a man-in-the-middle attack one could remove this capability and communication would happen in cleartext.
It would be great if there was an option to enforce STARTTLS :pray:
Example
No response
This sounds a lot like MTA-STS.
The RFC says "This document defines a mechanism for recipient domains to publish policies, via a combination of DNS and HTTPS", but that's not exactly what I'm suggesting, since I have no control over recipient servers.
I'm working on a hotel management software, where each hotel can specify an SMTP recipient server for mailing their hotel emails, and I'd like to make it more secure for cases when port 587 is used or when hotel staff knows that the recipient server port supports STARTTLS.
e.g. a checkbox in our UI "Enforce STARTTLS". When enabled, it would forcefully attempt STARTTLS and if it cannot be established then mail sending would throw an error, instead of continuing in cleartext.
The alternative is to use port 465 (implicit SSL/TLS), but not all recipient servers support TLS on that port (some only SSL, which is outdated).
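The downgrade described in the issue body (a MITM strips STARTTLS from the EHLO reply and the client silently stays in cleartext) and the "Enforce STARTTLS" behaviour proposed above, shown as an added example. This is illustrative code written for this page, not Symfony Mailer's code, and it is in Python rather than PHP so it runs stand-alone: the EHLO reply, the hostnames and the function names are all constructed for the demonstration.

```python
"""Illustrative ESMTP client logic: parse the EHLO capability list, then
decide between STARTTLS, refusing to continue, or falling back to cleartext.
Constructed for this example; not Symfony Mailer's implementation."""
import re


class StartTlsRequiredError(Exception):
    """Raised when STARTTLS is required but the server did not offer it."""


# Constructed EHLO reply from a hypothetical server that supports STARTTLS.
SERVER_EHLO = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_response(response: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first line carries the server's domain and greeting, not a
    capability, so it is skipped. Lines use '250-' for all but the last,
    which uses '250 ' (a space)."""
    caps = {}
    lines = response.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:
        m = re.match(r"^250[ -]([A-Za-z0-9][A-Za-z0-9-]*)\s*(.*)$", line)
        if not m:
            continue
        caps[m.group(1).upper()] = m.group(2).split()
    return caps


def choose_transport(caps: dict, require_starttls: bool, already_tls: bool = False) -> str:
    """Mirror the decision the issue complains about, plus the enforce option.

    Without enforcement a stripped capability list silently yields
    'cleartext'; with enforcement it is an error instead."""
    if already_tls:
        return "tls"          # implicit TLS (port 465): nothing to upgrade
    if "STARTTLS" in caps:
        return "starttls"
    if require_starttls:
        raise StartTlsRequiredError("server did not advertise STARTTLS; refusing cleartext")
    return "cleartext"


def strip_starttls(response: str) -> str:
    """Simulate an active MITM that deletes the STARTTLS capability line.

    Keeps the reply well-formed: the final line must use '250 '."""
    lines = [
        line for line in response.replace("\r\n", "\n").strip().split("\n")
        if not re.match(r"^250[ -]STARTTLS\b", line, re.IGNORECASE)
    ]
    lines[-1] = "250 " + lines[-1][4:]
    return "\r\n".join(lines) + "\r\n"


def client_session(server_ehlo_reply: str, require_starttls: bool):
    """Return (commands the client would send, outcome) for the opening of
    an SMTP session, up to the point where AUTH / MAIL FROM would follow."""
    sent = ["EHLO client.example.test"]
    caps = parse_ehlo_response(server_ehlo_reply)
    try:
        mode = choose_transport(caps, require_starttls)
    except StartTlsRequiredError:
        sent.append("QUIT")   # abort rather than send credentials or mail in the clear
        return sent, "aborted"
    if mode == "starttls":
        sent.append("STARTTLS")
        # After the server's 220 the client wraps the socket in TLS and must
        # verify the certificate; enforcing STARTTLS alone only stops the
        # downgrade to cleartext, it does not stop a MITM presenting its own
        # certificate. RFC 3207 also requires a fresh EHLO, because the
        # pre-TLS capability list came over an unauthenticated channel.
        sent.append("EHLO client.example.test")
    return sent, mode


if __name__ == "__main__":
    for label, reply in (("honest server", SERVER_EHLO), ("MITM-stripped", strip_starttls(SERVER_EHLO))):
        for enforce in (False, True):
            print(label, "enforce=%s" % enforce, client_session(reply, enforce))
```

The same stripped reply produces `cleartext` with the flag off and `aborted` with it on, which is exactly the difference the checkbox in the comment above would make.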
Thank you for this suggestion. There has not been a lot of activity here for a while. Would you still like to see this feature?
I would like to see this feature.
In my use-case, I have an open source application with configurable SMTP details, so it's used with many different mail services. I want to be able to provide assurance that emails are being sent over TLS or STARTTLS. Initially I incorrectly assumed that TLS and STARTTLS would be equally supported by email services, so I forced full TLS usage in these scenarios, but this caused problems where only STARTTLS is supported, and not full TLS.
I tried to extend the existing Esmtp transport but I could not find a clean way of doing this. For now I'm keeping a fork which patches in the ability to require TLS or STARTTLS. Note: this is not PR ready since it's targeting an old branch and lacks added tests.
I'd be happy to work on and provide a PR for this. Would Symfony be willing to review a PR if I put one forward?
@Swanty Would it work for you if the option enforces either STARTTLS or TLS? Or do you need specific indication of STARTTLS usage (so fail if TLS is used instead)?
Yes, your patch works great for my use case - thank you 🙏 As long as there's no chance for mails to be sent in cleartext I'm happy :>
fixed in #53621
@xabbuh #53621 was about disabling STARTTLS while this issue is about enforcing it. Those are two different things.
#53621 paved the way to show how this should be done. Could be by renaming auto_tls to just tls and support bool|auto as a value. PR welcome.
Thank you for this suggestion. There has not been a lot of activity here for a while. Would you still like to see this feature?
Could I get an answer? If I do not hear anything I will assume this issue is resolved or abandoned. Please get back to me <3
Hey,
I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!
It's somewhat sad to see that this was closed automatically.
Being able to make sure an SMTP session uses TLS would be very useful, especially regarding Art. 25 GDPR https://gdpr-info.eu/art-25-gdpr/
The thing is, if nobody builds a certain feature, we just won't have it. The auto-close of the ticket does not mean that it's a won't fix. We would still accept a PR that delivers the feature.
If you believe that this feature is useful, or even better, you actually need it, you would be in the best position to build it.
I've started a PR for this at #59479