Disabling starttls or certificate verification does not work any more

RGJ · May 26, 2022, 6:54am

There are a lot of posts about this in support so now we seem to have found the cause I thought it might be good to create a bug topic about this containing only the actual issue described here Email Hostname Certificate Mismatch Causing sidekiq Queue Overload, Severe Site Instability - #47 by RGJ

Long story short:

Since 2.9.0 beta 4 the settings
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE and DISCOURSE_SMTP_ENABLE_START_TLS do not work correctly any longer.

This seems to be related to the move to Rails 7, which updated net-smtp from 0.1.0 to 0.3.1, which changed the defaults for these two connection parameters.

The way the smtp gem calls net-smtp does not disable enable_starttls_auto and openssl_verify_mode, it only enables it when enabled.

Related report for the smtp gem: SMTP: allow disabling starttls_auto since it's now true by default in Ruby 3 by jeremy · Pull Request #1435 · mikel/mail · GitHub

Technically this bug is outside the Discourse code since this is happening in the smtp gem, but since that is currently forked for Discourse I think this does warrant a bug topic. If it cannot be fixed easily then these parameters could be removed from the docs and maybe a deprecation warning could be shown so at least all the confusion is gone.

RBoy · May 26, 2022, 12:56pm

Cross linking bug reports:

flink91 · June 8, 2022, 9:48am

This PR should bring back the proper behavior (it’s not merged yet):

github.com/discourse/discourse

FIX: Make disabling TLS in mail possible again

discourse:main ← discourse:loic-net-smtp-starttls

opened 03:04PM - 07 Jun 22 UTC

Flink

+46 -2

Following the Rails 7 upgrade, the `DISCOURSE_SMTP_ENABLE_START_TLS` setting doe…sn’t work anymore. This is because Rails upgraded the `net-smtp` gem to the 0.3.1 version which enables `starttls` by default. The `mail` gem doesn’t support this new behavior yet and doesn’t know how to disable TLS. This should be fixed in an upcoming release. Meanwhile applying this patch allows us to get back the previous behavior which is expected by many.

flink91 · June 8, 2022, 3:28pm

PR has been merged earlier today so by using the tests-passed branch you should be able to disable TLS as before

JammyDodger · June 14, 2022, 3:15pm

11 posts were split to a new topic: Email not working (Port 465)

JammyDodger · July 9, 2022, 2:39pm

This topic was automatically closed after 7 hours. New replies are no longer allowed.

Topic		Replies	Views
E-mail sending stopped working after upgrade Installation	3	746	August 16, 2022
Email Hostname Certificate Mismatch Causing sidekiq Queue Overload, Severe Site Instability Installation	64	4615	September 30, 2023
Email jobs failing after latest update, certificate verify failed (unable to get local issuer certificate) Installation	12	2800	July 2, 2022
E-mail sending not working after upgrade Support	10	2576	October 31, 2019
Email not working (SSL_connect returned=1) Installation	16	2251	July 15, 2022

Disabling starttls or certificate verification does not work any more

Related Topics