Skip to content

Bug: MAILER_ENABLE_STARTTLS=false does not actually disable STARTTLS #536

Description

@castellinosviluppo

Bug: MAILER_ENABLE_STARTTLS=false does not actually disable STARTTLS

Problem

When MAILER_ENABLE_STARTTLS is set to false, STARTTLS is not actually disabled. The underlying gen_smtp library will attempt STARTTLS anyway if the SMTP server advertises it in the EHLO response.

This happens because in config/runtime.exs, the else branch of the starttls? check simply returns the config unchanged, without explicitly setting :tls to :never:

|> then(fn config ->
  if starttls? do
    config
    |> Keyword.put(:tls, :always)
    ...
  else
    config  # tls option is not set, gen_smtp defaults to attempting STARTTLS if offered
  end
end)

When gen_smtp does not find a :tls option in the config, it falls back to its default behavior, which is to attempt STARTTLS if the server offers it. This causes connection failures when TLS negotiation fails, even though the user explicitly set MAILER_ENABLE_STARTTLS=false.

Fix

Explicitly set :tls to :never in the else branch:

|> then(fn config ->
  if starttls? do
    config
    |> Keyword.put(:tls, :always)
    |> Keyword.put(
      :tls_options,
      :tls_certificate_check.options(host) ++ [versions: [:"tlsv1.2"]]
    )
  else
    config
    |> Keyword.put(:tls, :never)
  end
end)

How to reproduce

  1. Set MAILER_ENABLE_STARTTLS=false and MAILER_ENABLE_SSL=false in your environment
  2. Use an SMTP server (e.g. Postfix) that advertises STARTTLS in its EHLO response
  3. Observe that Keila attempts STARTTLS anyway, resulting in a connection error

Notes

This issue is particularly relevant for self-hosted setups where Keila connects to a local SMTP server for system emails (e.g. Postfix with inet_interfaces = localhost) and TLS is not needed or desired for local connections.


If you think my change is okay, I can start a PR.
But I have a question regarding the CLA.
My GitHub account belongs to an organization account, my company.
In the CLA signature, can I use my username as legal name, or would you prefer the businessname of the company I work for?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions