Reply by email SSL self signed certificate error

Not sure this is a good idea. As I’ve been saying.

We already have the option for SMTP:

DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: 'none'

We also have the option to turn off SSL with POP:

Use SSL while connecting to the POP3 server. (Recommended)

So this has to be better than that right?

Why not just let admins decide? Discourse wins as it brings the barrier down - not having to get paid (or free) SSL certs, getting additional IPs (not free with most hosts), setting everything up, etc.

It’s your :skull: baby!

Stop scaring me :scream_cat:

Is the only risk the server getting hacked and the key stolen? Wouldn’t you just generate another certificate?

Or am I missing something? (Admittedly I do not know much about it, apart from that I have used self-signed certs for years without any problems).

(Also I think the situations are different - Sam is posting in a thread about CAS - what is that? An external auth of some sort? I think this is different as it is your own server which you have hopefully secured).

Edit 1: If you’d rather it not be in the Admin Control Panel, why not just add it as an option in app.yml like the current SMTP one? That way the only people who use it will be those who really want to.

Edit 2. This is an interesting read which suggests they are not all that bad after all…

Edit 3: To make things easier, it’d probably be true that if the user has set SMTP verify to none the same will most likely apply to POP, so the code could be changed to:

      if SiteSetting.pop3_polling_ssl
        # Reuse the existing SMTP setting: if the admin already turned verification
        # off for SMTP, skip certificate verification for POP3 as well
        # (any certificate is accepted, self-signed included)
        if GlobalSetting.smtp_openssl_verify_mode == 'none'
          connection.enable_ssl(OpenSSL::SSL::VERIFY_NONE)
        else
          # default: verify the server certificate against the system CA store
          connection.enable_ssl
        end
      end
1 Like

As long as you don’t implement some kind of verification (only allowing specific certificates), disabling verification makes the certificate almost worthless. You know that your traffic is encrypted, but not with whom you’re communicating.

With the settings you recommend, any active network attacker can easily man-in-the-middle the connection by presenting another self-signed certificate he created himself.

2 Likes

Hi Felix, thanks for the reply.

Could you elaborate on this please? If the mail server is on the same domain and physical server as the client (the Discourse install) how could a network attacker exploit this and present another self-signed cert themselves?

Also I know this is not ideal, so can you think of any way where Discourse can behave like Apple Mail (and most other email clients), where they ask you to trust (and always remember) the certificate when they first come across it? I think that’s what @riking was trying to do in post 13 and me in post 15.

Trusting a specific, hand-verified certificate is fine.

If you’re 100% certain that no network request is involved in all this: You’re safe from a network attacker, but an unencrypted connection would be safe, too.
But are you 100% certain? How is the domain name resolved? By external DNS? What if the attacker forges a DNS response? What IP address is being returned? Could an attacker convince your server that that IP is external, e.g. by ARP spoofing?


Either way, if you want to open up your forum for public use, HTTPS is a must if you want to be on the safe side. Using a self-signed cert for this means a world of pain, so you need a trusted certificate anyway. Why not use it for POP3, too?

2 Likes
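As an added illustration of what Felix means by trusting one specific, hand-verified certificate (this is example code written for this thread, not Discourse's own code and not the snippet from the posts above): instead of `VERIFY_NONE`, keep `VERIFY_PEER` and make the admin's self-signed certificate file the only trust anchor. `Net::POP3#enable_ssl` accepts a hash of `OpenSSL::SSL::SSLContext` params, so the hash returned by `pinned_ssl_params` can be passed where the snippet above passes `OpenSSL::SSL::VERIFY_NONE`. The hostname `forum.example`, the two generated certificates and the temp pin file are constructed so the script runs offline; the helper names are mine.

```ruby
# Added example (not Discourse's own code): pin the one hand-verified self-signed
# POP3 certificate instead of turning verification off. Hostname, certificates and
# the pin file are constructed here so the script runs offline.
require 'openssl'
require 'tempfile'

# Constructed self-signed certificate for HOSTNAME, standing in for the cert an
# admin generated on the mail server (or for one anybody else generated, see below).
def make_self_signed(hostname, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject          # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The hash to pass to Net::POP3#enable_ssl in place of OpenSSL::SSL::VERIFY_NONE:
# verification stays on, but the pinned file is the only trust anchor.
def pinned_ssl_params(pinned_cert_path)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: pinned_cert_path }
end

# What Net::POP3 does internally with that hash: build an SSLContext from it.
def pinned_ssl_context(pinned_cert_path)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(pinned_ssl_params(pinned_cert_path))
  ctx
end

# The two checks the TLS handshake would perform, run offline on a parsed cert:
# does PRESENTED chain to the pinned anchor, and does its name match HOST?
def accepted_by_pin?(presented, pinned, host)
  store = OpenSSL::X509::Store.new
  store.add_cert(pinned)
  store.verify(presented) && OpenSSL::SSL.verify_certificate_identity(presented, host)
end

HOST        = 'forum.example'           # constructed pop3 polling host (no 'www')
SERVER_CERT = make_self_signed(HOST, 1) # the admin's genuine self-signed cert
ROGUE_CERT  = make_self_signed(HOST, 2) # a different self-signed cert for the same name

def demo
  pin_file = Tempfile.new(['pinned', '.crt'])
  pin_file.write(SERVER_CERT.to_pem)
  pin_file.flush
  ctx = pinned_ssl_context(pin_file.path)
  {
    verify_peer:    ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER,
    genuine_ok:     accepted_by_pin?(SERVER_CERT, SERVER_CERT, HOST),
    rogue_rejected: !accepted_by_pin?(ROGUE_CERT, SERVER_CERT, HOST),
    www_rejected:   !accepted_by_pin?(SERVER_CERT, SERVER_CERT, "www.#{HOST}")
  }
ensure
  pin_file&.close!
end

puts demo if $PROGRAM_NAME == __FILE__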

Thanks, I agree, I think this is the ideal scenario for me - do you have any ideas why the code in post 13 and 15 is not working?

I am pretty sure that Virtualmin handles it locally if both domains are on the same server - I’ve had the same domain accounts on two servers in the past and have tried to send email from one only to find that if the recipient’s domain still has an account on that server it will just deliver locally (so pretty sure it does not touch external DNS).

For me there are several pain points:

  • The first is that it’s extra hassle setting it all up…

  • …and then extra hassle when you come to move servers (which I do every couple of years or so).

  • The other is that running HTTPS means you need a dedicated IP for each site, and my host is really stingy with IPs! They only give you one per server and all others have to be purchased; the first two are cheap enough, but after that you have to purchase a block which is (from memory) about a third of the cost of the server itself.

  • Then of course it is moving servers - I’ve never done that with multiple IPs (or dedicated per domain) though I guess this wouldn’t be too much of a problem but it is just extra hassle.

  • On top of that it is the cost of a certificate (I am not sure I would trust a ‘free’ one)

When you have several forums/sites, it all adds up I guess (I have 8 forums atm, and plan to add another 2 Discourse and hopefully port some others over), so if I could just trust a self-signed cert it would make life a lot easier for so many of us :-)

1 Like

I’m sorry – I don’t know how the internals of this work.

Is “pretty sure” enough for you? If so, I’d simply go for unencrypted traffic.

No – why would you need that?

Whether to trust a free certificate isn’t your choice – it’s your users’ choice, and in 99% of cases they delegate the answer to their browser or operating system vendor, of which all relevant ones answer “Yes!”.
Keep in mind that while a rogue CA could issue certificates to unauthorized parties, it cannot read traffic encrypted with your certificate. Not using a free certificate doesn’t prevent a rogue CA from issuing a certificate claiming to be you to a bad guy.

2 Likes

Yeah, I am almost 100% on that.

Unfortunately I can’t go for unencrypted as it is setting in Dovecot and Postfix (and I don’t want to allow it for all my other domains/email in case they are not set up correctly and send/receive email via unencrypted connection).

I thought you needed a dedicated IP per domain for HTTPS? So are you saying I could get a cert, and then use HTTPS on many domains? If so that is much more appealing :slight_smile:

Good point :slight_smile:

Wait, I think you’re mixing up two points.

  • Can you use one certificate for multiple domains? No, except in special circumstances, e.g. if you’re talking about subdomains and have a wildcard certificate.
  • Can you serve multiple HTTPS-secured domains from one IP? Yes, if your users have non-ancient browsers. The client will use SNI to tell your server the domain it wants, and the server can then choose the right certificate to present.
1 Like

Right I think I got it but just to clarify…

  1. I can use one IP for many domains - some can be HTTPS and some HTTP?
  2. I have to have a separate cert for every domain (unless it’s a subdomain)?

  1. Correct. You can even serve one domain in both HTTP and HTTPS.
  2. Correct (for the domains where you want HTTPS).
1 Like

Awesome thanks! I’m gonna look into them :slight_smile:

WHOOO HOOOOO! It’s working!! (Self signed)

Some things to note:

  • In the code in the post above (15) the certificate has to be named .crt (and not .cert!)
  • The hostname when creating the self signed cert should not have ‘www’ in it.
  • The pop3 polling host in the Discourse control panel should just have the hostname (so not mail.domain.com, just domain.com).

I do have other problems tho :mask: RateLimiter::LimitExceeded but at least we’ve moved on a bit!

Hope this thread proves useful for others too :slight_smile:

1 Like