Add plain TLS support to forwarded backends (465 port) #3021

Closed
kayrus opened this issue Feb 11, 2022 · 6 comments
@kayrus

kayrus commented Feb 11, 2022

Is your feature request related to a problem? Please describe.

When a mail server is reachable only via port 465 (TLS), Haraka must support it.

Describe the solution you'd like

There should be a way to configure a backend to connect using the 465 TLS port.

@msimerson
Member

Yes, we should support that.

@manwegit

manwegit commented Mar 16, 2022

Is anyone working on this?
If not, what is a possible time frame for getting a PR merged if I tackle this?

I'm building a cluster SMTP relay container where some of the routing targets are 465 implicit TLS services.

@msimerson
Member

> Is anyone working on this?

Nobody that has spoken up.

> If not, what is a possible time frame for getting a PR merged if I tackle this?

Clean PRs that are easy to review, and that include tests that make a reviewer confident the code does what it says on the tin, normally get merged within days.

@manwegit

Ok,
I'll have a look and see what can be done.
No promises at this stage.

Just as a proof of concept I modified this file:
node_modules/Haraka/tls_socket.js
With this code:

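// around line 718
    let cryptoSocket;
    // Proof of concept only: this disables certificate verification for the TLS connection.
    conn_options.rejectUnauthorized = false;
    // Open the plain TCP connection first.
    const tmpCryptoSocket = net.connect(conn_options);
    if (conn_options.port === 465) {
        // Port 465 is implicit TLS: wrap the TCP socket and start the handshake immediately.
        conn_options.socket = tmpCryptoSocket;
        cryptoSocket = tls.connect(conn_options);
    } else {
        // Any other port: keep the plain socket.
        cryptoSocket = tmpCryptoSocket;
    }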

Which means that opening the socket connection is not the problem. Getting the information about the need for tls.socket is the tricky part.

@manwegit

We've had a focus shift which means that we are no longer using Haraka for the project.
This means that I cannot dedicate the time for this feature.

What I've found so far is that as per my previous example it's technically quite easy. The hard part is how that information is relayed to socket connection time.

One option would be to extend the "exchange/MX" object to support this. This could also be bound like the auth is bound.
I did not yet review what is the least problematic approach.
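
As an added example (not code from this thread or from Haraka), here is one way to carry the "needs implicit TLS" decision on the MX-style object instead of a hard-coded port check at connect time, with certificate verification left on. The `implicit_tls` field and both function names are hypothetical, and the hosts used with them are constructed.

```javascript
'use strict';
const net = require('net');
const tls = require('tls');

// Hypothetical MX-style record: { exchange, port, implicit_tls }.
// `implicit_tls` is an assumed field name, not an existing Haraka option.
function resolveTransport(mx) {
    if (!mx || typeof mx.exchange !== 'string' || mx.exchange === '') {
        throw new TypeError('mx.exchange is required');
    }
    const port = Number(mx.port ?? 25);
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
        throw new RangeError(`invalid port: ${mx.port}`);
    }
    // An explicit flag wins; port 465 is only the default hint, so a
    // backend on a non-standard port can still ask for implicit TLS.
    const implicit = typeof mx.implicit_tls === 'boolean'
        ? mx.implicit_tls
        : port === 465;
    const opts = { host: mx.exchange, port };
    if (implicit) {
        opts.rejectUnauthorized = true;   // verify the backend certificate
        opts.minVersion = 'TLSv1.2';
        // SNI must be a hostname, never an IP literal.
        if (net.isIP(mx.exchange) === 0) opts.servername = mx.exchange;
    }
    return { implicit, opts };
}

// Opens the socket; onReady(err, socket) is called when the connection is
// usable or when connecting fails (certificate failures included).
function connectBackend(mx, onReady) {
    const { implicit, opts } = resolveTransport(mx);
    // Implicit TLS: the handshake starts at connect time, before any SMTP
    // greeting. Otherwise a plain socket is returned and STARTTLS is left
    // to the caller.
    const socket = implicit ? tls.connect(opts) : net.connect(opts);
    const onError = (err) => onReady(err);
    socket.once('error', onError);
    socket.once(implicit ? 'secureConnect' : 'connect', () => {
        // From here on the caller attaches its own error handler.
        socket.removeListener('error', onError);
        onReady(null, socket);
    });
    return socket;
}
```
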

@msimerson
Member

moved to wiki/TODO
