Correct way to specify openssl_verify_mode for support_ticket

Hello,
We’re trying to configure the support_ticket capability for our OOD 3.1.10 deployment. We have postfix running on our OOD portal node listening on localhost:25 only, then configured to relay to our main SMTP server and are just trying to configure OOD to do SMTP → localhost:25 but it’s getting hung up on the self-signed certificate generated by postfix.

Either I need to just disable it trying to use TLS or get it to accept OpenSSL::SSL::VERIFY_NONE, but I can’t quite get the YAML right for either case.


I saw the following in ./ondemand/root/usr/share/gems/3.1/ondemand/3.1.10-1/gems/mail-2.8.1/lib/mail/network/delivery_methods/smtp.rb

  # === Certificate verification
  #
  # When using TLS, some mail servers provide certificates that are self-signed
  # or whose names do not exactly match the hostname given in the address.
  # OpenSSL will reject these by default. The best remedy is to use the correct
  # hostname or update the certificate authorities trusted by your ruby. If
  # that isn't possible, you can control this behavior with
  # an :openssl_verify_mode setting. Its value may be either an OpenSSL
  # verify mode constant (OpenSSL::SSL::VERIFY_NONE, OpenSSL::SSL::VERIFY_PEER),
  # or a string containing the name of an OpenSSL verify mode (none, peer).

Here is what I’ve tried in my YAML for VERIFY_NONE, but with no luck:

support_ticket:
  attachments:
    max_items: 1
    max_size: 10485760
  email:
    to: "oodsupport@epa.gov"
    delivery_method: "smtp"
    deliver_settings:
      address: 'localhost'
      port: 25
      domain: 'epa.gov'
      enable_starttls_auto: auto
      openssl_verify_mode: 'none'
      enable_starttls: true

I’ve also tried to just disable TLS:

    delivery_settings:
      address: 'localhost'
      port: 25
      domain: 'epa.gov'
      tls: false
      enable_starttls: false
      enable_starttls_auto: false

which gives the same error, and I can’t seem to get the correct YAML option set for either no TLS or just accepting the self-signed certificate. However, if I manually edit the class SMTP code:

  class SMTP
    attr_accessor :settings

    DEFAULTS = {
      :address              => 'localhost',
      :port                 => 25,
      :domain               => 'localhost.localdomain',
      :user_name            => nil,
      :password             => nil,
      :authentication       => nil,
      :enable_starttls      => nil,
      :enable_starttls_auto => true,
      :openssl_verify_mode  => nil,
      :ssl                  => nil,
      :tls                  => nil,
      :open_timeout         => 5,
      :read_timeout         => 5
    }

and set :openssl_verify_mode => OpenSSL::SSL::VERIFY_NONE and restart the PUN, I was able to send a message no problem. So the issue is entirely how do I correctly set the Ruby equivalent of :openssl_verify_mode => OpenSSL::SSL::VERIFY_NONE from the YAML. I figure I am just missing something obvious, so any pointers are appreciated.

Thanks!

Would another option be to add that self-signed cert to the trusted store on the system?

Yea I don’t think you’ll be able to specify OpenSSL::SSL::VERIFY_NONE as it is because we don’t evaluate the YAML like that (it’s all strings, not a Ruby constant).

You could maybe do it in an initializer? Maybe, don’t specify anything here other than email.to and leave the rest default and do the rest of the configuration in an initializer where you can use Ruby constants. That may work, but yea I’d second @hansen-m’s comment about making the self-signed certificate more legit.

What about just turning off enable_starttls_auto and disabling TLS? There is code to just not use TLS in ./ondemand/root/usr/share/gems/3.1/ondemand/3.1.10-1/gems/mail-2.8.1/lib/mail/network/delivery_methods/smtp.rb, but it doesn’t seem to be working if I set those fields in the YAML, so how do I just tell OOD’s Ruby SMTP to not use TLS?

If I change this in the Ruby code:

  class SMTP
    attr_accessor :settings

    DEFAULTS = {
      :address              => 'localhost',
      :port                 => 25,
      :domain               => 'localhost.localdomain',
      :user_name            => nil,
      :password             => nil,
      :authentication       => nil,
      :enable_starttls      => false,
      :enable_starttls_auto => false,
      :openssl_verify_mode  => nil,
      :ssl                  => nil,
      :tls                  => nil,
      :open_timeout         => 5,
      :read_timeout         => 5
    }

Then it also works, but if I set the following in the YAML

    delivery_settings:
      address: 'localhost'
      port: 25
      domain: 'epa.gov'
      tls: false
      enable_starttls: false
      enable_starttls_auto: false

It doesn’t. You have code in smtp.rb to look at / honor enable_starttls and enable_starttls_auto, but it doesn’t seem to be working. Do I have my YAML wrong?

More specifically, I am wondering if I have my YAML level(s) off and the enable_starttls and enable_starttls_auto settings aren’t being correctly picked up. I say that because looking at this code:

      def build_smtp_session
        Net::SMTP.new(settings[:address], settings[:port]).tap do |smtp|
          tls = settings[:tls] || settings[:ssl]
          if !tls.nil?
            case tls
            when true
              smtp.enable_tls(ssl_context)
            when false
              smtp.disable_tls
            else
              raise ArgumentError, "Unrecognized :tls value #{settings[:tls].inspect}; expected true, false, or nil"
            end
          elsif settings.include?(:enable_starttls) && !settings[:enable_starttls].nil?
            case settings[:enable_starttls]
            when true
              smtp.enable_starttls(ssl_context)
            when false
              smtp.disable_starttls
            else
              raise ArgumentError, "Unrecognized :enable_starttls value #{settings[:enable_starttls].inspect}; expected true, false, or nil"
            end

If I set tls: 'something', in my YAML, so my full YAML is:

support_ticket:
  attachments:
    max_items: 1
    max_size: 10485760
  description: |
      Send support message.
  email:
    to: "oodsupport@epa.gov"
    delivery_method: "smtp"
    delivery_settings:
      address: 'localhost'
      port: 25
      domain: 'epa.gov'
      tls: 'something'

It doesn’t trigger the raise ArgumentError, "Unrecognized :tls value #{settings[:tls].inspect}; expected true, false, or nil", so that makes me think I’ve got a problem in my YAML.

Thanks!
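To see what a given delivery_settings block actually turns into, here is a small checker that mirrors the two pieces of smtp.rb discussed above: the tls / enable_starttls / enable_starttls_auto branching in build_smtp_session, and the gem’s conversion of a string openssl_verify_mode ("none", "peer") into the matching OpenSSL::SSL constant. This is an added example, not OOD’s or the mail gem’s own code; the two YAML documents are constructed samples, and the function names (resolve_verify_mode, transport_for, effective_delivery) are mine.

```ruby
require 'yaml'
require 'openssl'

# Constructed sample (not the thread's file verbatim): STARTTLS on, certificate verification off.
STARTTLS_YAML = <<~YAML
  support_ticket:
    email:
      delivery_settings:
        address: 'localhost'
        port: 25
        enable_starttls: true
        openssl_verify_mode: 'none'
YAML

# Constructed sample: plaintext to the local relay, like the thread's final working config.
PLAINTEXT_YAML = <<~YAML
  support_ticket:
    email:
      delivery_settings:
        address: 'localhost'
        port: 25
        tls: false
        enable_starttls: false
        enable_starttls_auto: false
YAML

# YAML string -> OpenSSL constant, as mail's ssl_context does ("none" -> VERIFY_NONE, "peer" -> VERIFY_PEER).
# Re-implemented for illustration; an Integer (a constant set from Ruby code) passes through unchanged.
def resolve_verify_mode(value)
  return value if value.nil? || value.is_a?(Integer)
  OpenSSL::SSL.const_get("VERIFY_#{value.to_s.upcase}")
end

# Which branch of the quoted build_smtp_session logic a settings hash takes.
def transport_for(s)
  tls = s['tls'] || s['ssl']   # as in the gem: `tls: false` alone is nil here and falls through
  return { true => :tls, false => :plaintext }.fetch(tls) { raise ArgumentError, "bad :tls #{tls.inspect}" } unless tls.nil?
  st = s['enable_starttls']
  return { true => :starttls, false => :plaintext }.fetch(st) { raise ArgumentError, "bad :enable_starttls #{st.inspect}" } unless st.nil?
  auto = s['enable_starttls_auto'].nil? ? true : s['enable_starttls_auto']   # gem default is true
  { true => :starttls_auto, false => :plaintext }.fetch(auto) { raise ArgumentError, "bad :enable_starttls_auto #{auto.inspect}" }
end

# Parse the YAML and report what the gem would do with it. A missing or misspelled
# delivery_settings key raises here instead of silently leaving the gem defaults in force.
def effective_delivery(yaml_text)
  ds = YAML.safe_load(yaml_text).dig('support_ticket', 'email', 'delivery_settings')
  raise KeyError, 'support_ticket.email.delivery_settings not found' if ds.nil?
  { transport: transport_for(ds), verify_mode: resolve_verify_mode(ds['openssl_verify_mode']) }
end
```

Running the checker over a config whose block is keyed deliver_settings (as in the first attempt above) raises immediately, which is the quickest way to tell a mis-nested or misspelled key apart from a setting the gem is ignoring.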

Ok,
After some time away, I went back through my settings and was able to set

  email:
      tls: false
      enable_starttls: false
      enable_starttls_auto: false

And that worked. I swear I tested that earlier, before I opened the ticket, but just disabling TLS in the YAML works fine for my case (since it’s connecting to localhost) anyway.

Thanks!
