Is there any way to configure force use security connection with smtp? #3555

Closed
opened 2025-11-02 05:16:59 -06:00 by GiteaMirror · 6 comments

Originally created by @zhanhb on GitHub (Jul 9, 2019).

`smtp.office365.com` (e.g. for `my-account@outlook.com`) supports only starttls on port 587.
From the source I can see there's no protection against man-in-the-middle and downgrade attacks.
https://github.com/go-gitea/gitea/blob/5a438ee3c0303efcb9d1935ff521917fe8a109e8/services/mailer/mailer.go#L156-L162

GiteaMirror added the type/proposal label 2025-11-02 05:16:59 -06:00
@zhanhb commented on GitHub (Jul 9, 2019):

Some mail providers may support both tls/starttls on port 587, such as `smtp.gmail.com`.

@zhanhb commented on GitHub (Jul 10, 2019):

If I were to design an SMTP client now, the connection configuration value, without considering historical compatibility, would look like this. And the default value would be set to tls, as most public mail service providers support this configuration.

```ini
connection=tls-only|starttls|tls|starttls-optional|plain|try-all
```

```txt
tls-only: support only tls connection, usually on port 465
starttls: support only starttls connection, usually on port 587
tls: support tls/starttls, can be configured on both 465/587
starttls-optional: support starttls/plain, can be configured on port 587/25
plain: support only plain, usually on port 25.
try-all: support tls/starttls/plain, can be configured on port 465/587/25
```

Maybe here gitea should add a key like `forcetls` to configure the third behaviour.

@andreymal commented on GitHub (Aug 21, 2019):

I agree, `connection=plain` is needed for my specific case.

@wxiaoguang commented on GitHub (Apr 25, 2023):

The mailer system has been refactored.

https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini

I think it should work for your case. Feel free to reopen if there is any problem.

@zhanhb commented on GitHub (May 11, 2023):

I read the source code carefully, and the corresponding relationship with the configuration I specified above is like this:

```
PROTOCOL=smtps  => connection=tls-only
PROTOCOL=smtp+starttls  => connection=starttls-optional  // Downgrade attacks cannot be prevented
PROTOCOL=smtp  => connection=plain
```

There's no way to configure a value that supports only `starttls` or both `starttls` and `tls`.

@zhanhb commented on GitHub (May 12, 2023):

The warnings I'd like to see in the log should look like the following:

```yml
startup:
    starttls-optional:
        WARNING("starttls-optional is vulnerable to downgrade attacks") if is not loopback address
    plain:
        WARNING() if is not loopback address
    try-all:
        WARNING("try-all should only be used for debugging the configuration file, use tls/tls-only/starttls/plain instead")
exchange:
    tls-only:
        ERROR("tls connection failed")
    starttls:
        ERROR("The server does not support starttls")
        ERROR("The server reports starttls supported, but failed to connect")
    tls:
         // INFO("tls connection failed")
         ERROR("The server does not support starttls")
         ERROR("The server reports starttls supported, but failed to connect")
    starttls-optional:
         // INFO("The server does not support starttls, use plain instead") // WARN?
         WARN("The server reports starttls supported, but failed to connect, use plain instead")
    try-all:
         might be any message combination above.
```
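The difference between a strict `starttls` mode and the downgradeable `starttls-optional` mode described in the last two comments, as an added example in Go's `net/smtp` (not Gitea's code): `Upgrade` enforces the mode after EHLO, and `fakeServer` is a constructed in-memory stand-in over `net.Pipe` that exercises both error paths from the proposed log messages. The mode names, `Upgrade`, `fakeServer` and the host name are this example's own assumptions.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"net"
	"net/smtp"
	"strings"
)

const ModeStartTLS, ModeStartTLSOptional = "starttls", "starttls-optional" // this example's own names

// Upgrade sends EHLO on an open SMTP connection and enforces mode: strict starttls errors out instead of downgrading.
func Upgrade(conn net.Conn, host, mode string) (encrypted bool, err error) {
	c, err := smtp.NewClient(conn, host)
	if err != nil {
		return false, err
	}
	advertised, _ := c.Extension("STARTTLS") // Extension issues EHLO itself
	if !advertised {
		if mode == ModeStartTLS {
			return false, fmt.Errorf("the server does not support starttls")
		}
		return false, nil // starttls-optional keeps going in plaintext: the downgradeable case
	}
	// A failed handshake leaves the socket unusable, so even starttls-optional must error out here.
	if err := c.StartTLS(&tls.Config{ServerName: host}); err != nil {
		return false, fmt.Errorf("the server reports starttls supported, but failed to connect: %w", err)
	}
	return true, nil
}

// fakeServer is a constructed stand-in: with advertise it lists STARTTLS but drops the connection when asked to start it.
func fakeServer(conn net.Conn, advertise bool) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	fmt.Fprint(conn, "220 fake ESMTP\r\n")
	for {
		line, err := r.ReadString('\n')
		if err != nil || strings.HasPrefix(line, "STARTTLS") {
			return
		}
		if strings.HasPrefix(line, "EHLO") && advertise {
			fmt.Fprint(conn, "250-fake\r\n250 STARTTLS\r\n")
		} else {
			fmt.Fprint(conn, "250 fake\r\n")
		}
	}
}
```

Against a real server, pass the `net.Conn` from `net.Dial("tcp", host+":587")` instead of a pipe; the strict mode is the one that makes a stripped STARTTLS advertisement fail loudly rather than silently sending credentials in the clear.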

Reference: github-starred/gitea#3555