Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add email.tlsname config option #17849

Merged
merged 4 commits into from
Dec 18, 2024

Conversation

cynhr
Copy link
Contributor

@cynhr cynhr commented Oct 18, 2024

The existing email.smtp_host config option is used for two distinct purposes: it is resolved into the IP address to connect to, and used to (request via SNI and) validate the server's certificate if TLS is enabled. This new option allows specifying a different name for the second purpose.

This is especially helpful, if email.smtp_host isn't a global FQDN, but something that resolves only locally (e.g. "localhost" to connect through the loopback interface, or some other internally routed name), that one cannot get a valid certificate for.
Alternatives would of course be to specify a global FQDN as email.smtp_host, or to disable TLS entirely, both of which might be undesirable, depending on the SMTP server configuration.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

The existing `email.smtp_host` config option is used for two distinct
purposes: it is resolved into the IP address to connect to, and used to
(request via SNI and) validate the server's certificate if TLS is
enabled.  This new option allows specifying a different name for the
second purpose.

This is especially helpful, if `email.smtp_host` isn't a global FQDN,
but something that resolves only locally (e.g. "localhost" to connect
through the loopback interface, or some other internally routed name),
that one cannot get a valid certificate for.
@cynhr cynhr force-pushed the cynhr-email-tlsname branch from 9cc3545 to 685f746 Compare October 18, 2024 13:17
@cynhr cynhr marked this pull request as ready for review October 18, 2024 13:24
@cynhr cynhr requested a review from a team as a code owner October 18, 2024 13:24
Copy link
Contributor

@MadLittleMods MadLittleMods left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable on face value.

Have you tested to make sure this works?

@cynhr
Copy link
Contributor Author

cynhr commented Nov 1, 2024

Have you tested to make sure this works?

I did test it in one configuration (force_tls: true and Twisted v24.7.0, by applying the patch to the .deb-installed venv) and it did work as expected.

The build_sender_factory(hostname) argument is ultimately also passed to optionsForClientTLS, so it seems reasonable to believe that this has a similar effect with force_tls: false, though I did not test that.

I did not touch the branch for Twisted < v21. Should I try to implement this for old Twisted versions as well? That would basically entail backporting the hostname parameter introduced in Twisted v21 into our _NoTLSESMTPSender class, where that class would also need to close over the tlsname parameter, as it's value isn't provided through the v21 ESTMPSenderFactory. I don't have a system with old Twisted readily available to test that such an implementation.
Or maybe just log an error and refuse to send mail if Twisted < v21 and tlsname != smtphost?

@github-actions github-actions bot deployed to PR Documentation Preview November 4, 2024 17:15 Active
@@ -117,10 +122,10 @@ def build_sender_factory(**kwargs: Any) -> ESMTPSenderFactory:
else:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not touch the branch for Twisted < v21. Should I try to implement this for old Twisted versions as well? That would basically entail backporting the hostname parameter introduced in Twisted v21 into our _NoTLSESMTPSender class, where that class would also need to close over the tlsname parameter, as it's value isn't provided through the v21 ESTMPSenderFactory. I don't have a system with old Twisted readily available to test that such an implementation.
Or maybe just log an error and refuse to send mail if Twisted < v21 and tlsname != smtphost?

Thanks for bringing this up!

If we're not going to support this option for Twisted < v21, it would be ideal fail early and not start up at all (error when parsing the config). Along with updating the documentation to state the version requirement. But I'm not sure of another spot where we make a similar constraint. Perhaps it's important that we support Twisted < v21 but I don't have that context.

I also don't have a sense for how big or complex the hostname backport would be but seems like it's do-able to you.

I don't have a system with old Twisted readily available to test that such an implementation.

It looks like the trial-olddeps CI job uses the minimum versions from our pyproject.toml which will be Twisted 18.9.0. So as long as we have some tests for this new functionality in tests/handlers/test_send_email.py, we should be covered.

I can run the CI when you want but should be also possible emulate the same thing that the CI job is doing to test it locally as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should now also work with Twisted < v21. I also added a check to the tests that we pass the tlsname to Twisted, and successfully ran that with both old and new Twisted. I did not verify that old Twisted actually does with this parameter what we want it to do, but it is at least documented as such. (With new Twisted I mentioned before I tested it with an actual SMTP server. I did repeat that test for the happy path, a cert with commonname = tlsnamesmtp_host is still being accepted.)

I also was not able to reproduce the sytest failure for commit 685f746 locally ($ podman run --rm -it -v "$PWD":/src:ro -v "$PWD"/logs\:/logs -e POSTGRES=1 -e MULTI_POSTGRES=1 -e WORKERS=1 -e REDIS=1 docker.io/matrixdotorg/sytest-synapse:focal completes with run-tests PASSED). The failures also appear to affect parts I didn't really touch. If you nonetheless think it's related to my changes, I can try looking into it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the diligence @cynhr!

The CI is all green ✅ and the previous failure was probably just a flakey test (unfortunately).

Old twisted versions' ESMTPSenderFactory doesn't support the `hostname`
parameter used to implement the email.tlsname configuration option (and
also the email.enable_tls option).  This backports that parameter by
extending ESMTPSenderFactory when twisted is old.

Were shadowing the attribute `ESMTPSenderFactory.protocol` with the
method `_BackportESMTPSenderFactory.protocol` here, that is on purpose.
That attribute usually contains the `ESMTPSender` class.  It is used by
`ESMTPSenderFactory.buildProtocol` as a Callable to instantiate an
`ESMTPSender`.  By providing this Callable as a method, the previously
set `_BackportESMTPSenderFactory.__hostname` can be provided to the
newly instantiated `_BackportESMTPSender`.

Note the `# type: ignore` annotation required to pass the mypy type
checker.  Mypy assigns the type `Type[ESMTPSender]` to
`ESMTPSenderFactory.protocol`, which is valid (twisted does assign a
`Type[ESMTPSender]`), but AFAICT it is only ever used to instantiate
values of that type, i.e. as a `Callable[[...], ESMTPSender]`, so
overriding it with a method with that signature should be fine.  It is a
public attribute though, so technically it could be accessed somewhere
else, actually requiring a `Type[ESMTPSender]`.  But we do need to get
the `hostname` parameter to our `_BackportESMTPSender` somehow, and this
seems neater compared to the two alternatives I considered:
* Override `ESMTPSenderFactory.buildProtocol` instead of
  `ESMTPSenderFactory.protocol`.  That would require copying the entire
  body of `ESMTPSenderFactory.buildProtocol` into
  `_BackportESMTPSenderFactory.buildProtocol`, most of which isn't
  related to the change we're trying to implement.  That just seems
  unnecessarily brittle (e.g. maybe different old twisted versions could
  have different versions `buildProtocol` (I didn't check), picking one
  of them could lead to an inconsistent object).
* Set `self.protocol` in `_BackportESMTPSenderFactory.__init__` to a
  class defined within `_BackportESMTPSenderFactory.__init__`, such that
  it can close over the `hostname` parameter---i.e. each instantiation
  of the `_BackportESMTPSenderFactory` would define a new class
  extending `ESMTPSender` specific to that instantiation's `hostname`
  parameter.  That's a nice (functional-style) solution, but I think the
  solution implemented here might feel more natural to the average
  python programmer.

This effectively retrofits modern twisted's [1] `hostname` parameter to
old twisted's [2] classes.

[1]: https://github.com/twisted/twisted/blob/twisted-24.11.0/src/twisted/mail/smtp.py#L1992
[2]: https://github.com/twisted/twisted/blob/twisted-21.2.0/src/twisted/mail/smtp.py#L2005
@cynhr cynhr force-pushed the cynhr-email-tlsname branch from b8c3ad7 to beeddf2 Compare December 17, 2024 13:09
Ensure the email.tlsname parameter ends up in the
`ClientTLSOptions._hostname` attribute, which is documented as "The
hostname to verify".
@github-actions github-actions bot deployed to PR Documentation Preview December 17, 2024 20:32 Active
@MadLittleMods MadLittleMods merged commit f1ecf46 into element-hq:develop Dec 18, 2024
41 checks passed
yingziwu added a commit to yingziwu/synapse that referenced this pull request Jan 16, 2025
Please note that this version of Synapse drops support for PostgreSQL 11 and 12. The minimum version of PostgreSQL supported is now version 13.

No significant changes since 1.122.0rc1.

- Remove support for PostgreSQL 11 and 12. Contributed by @clokep. ([\#18034](element-hq/synapse#18034))

- Added the `email.tlsname` config option.  This allows specifying the domain name used to validate the SMTP server's TLS certificate separately from the `email.smtp_host` to connect to. ([\#17849](element-hq/synapse#17849))
- Module developers will have access to the user ID of the requester when adding `check_username_for_spam` callbacks to `spam_checker_module_callbacks`. Contributed by [email protected]. ([\#17916](element-hq/synapse#17916))
- Add endpoints to the Admin API to fetch the number of invites the provided user has sent after a given timestamp,
  fetch the number of rooms the provided user has joined after a given timestamp, and get report IDs of event
  reports against a provided user (i.e. where the user was the sender of the reported event). ([\#17948](element-hq/synapse#17948))
- Support stable account suspension from [MSC3823](matrix-org/matrix-spec-proposals#3823). ([\#17964](element-hq/synapse#17964))
- Add `macaroon_secret_key_path` config option. ([\#17983](element-hq/synapse#17983))

- Fix bug when rejecting withdrew invite with a `third_party_rules` module, where the invite would be stuck for the client. ([\#17930](element-hq/synapse#17930))
- Properly purge state groups tables when purging a room with the Admin API. ([\#18024](element-hq/synapse#18024))
- Fix a bug preventing the admin redaction endpoint from working on messages from remote users. ([\#18029](element-hq/synapse#18029), [\#18043](element-hq/synapse#18043))

- Update `synapse.app.generic_worker` documentation to only recommend `GET` requests for stream writer routes by default, unless the worker is also configured as a stream writer. Contributed by @evoL. ([\#17954](element-hq/synapse#17954))
- Add documentation for the previously-undocumented `last_seen_ts` query parameter to the query user Admin API. ([\#17976](element-hq/synapse#17976))
- Improve documentation for the `TaskScheduler` class. ([\#17992](element-hq/synapse#17992))
- Fix example in reverse proxy docs to include server port. ([\#17994](element-hq/synapse#17994))
- Update Alpine Linux Synapse Package Maintainer within the installation instructions. ([\#17846](element-hq/synapse#17846))

- Add `RoomID` & `EventID` rust types. ([\#17996](element-hq/synapse#17996))
- Fix various type errors across the codebase. ([\#17998](element-hq/synapse#17998))
- Disable DB statement timeout when doing a room purge since it can be quite long. ([\#18017](element-hq/synapse#18017))
- Remove some remaining uses of `twisted.internet.defer.returnValue`. Contributed by Colin Watson. ([\#18020](element-hq/synapse#18020))
- Refactor `get_profile` to no longer include fields with a value of `None`. ([\#18063](element-hq/synapse#18063))

* Bump anyhow from 1.0.93 to 1.0.95. ([\#18012](element-hq/synapse#18012), [\#18045](element-hq/synapse#18045))
* Bump authlib from 1.3.2 to 1.4.0. ([\#18048](element-hq/synapse#18048))
* Bump dawidd6/action-download-artifact from 6 to 7. ([\#17981](element-hq/synapse#17981))
* Bump http from 1.1.0 to 1.2.0. ([\#18013](element-hq/synapse#18013))
- Bump mypy from 1.11.2 to 1.12.1. ([\#17999](element-hq/synapse#17999))
* Bump mypy-zope from 1.0.8 to 1.0.9. ([\#18047](element-hq/synapse#18047))
* Bump pillow from 10.4.0 to 11.0.0. ([\#18015](element-hq/synapse#18015))
* Bump pydantic from 2.9.2 to 2.10.3. ([\#18014](element-hq/synapse#18014))
* Bump pyicu from 2.13.1 to 2.14. ([\#18060](element-hq/synapse#18060))
* Bump pyo3 from 0.23.2 to 0.23.3. ([\#18001](element-hq/synapse#18001))
* Bump python-multipart from 0.0.16 to 0.0.18. ([\#17985](element-hq/synapse#17985))
* Bump sentry-sdk from 2.17.0 to 2.19.2. ([\#18061](element-hq/synapse#18061))
* Bump serde from 1.0.215 to 1.0.217. ([\#18031](element-hq/synapse#18031), [\#18059](element-hq/synapse#18059))
* Bump serde_json from 1.0.133 to 1.0.134. ([\#18044](element-hq/synapse#18044))
* Bump twine from 5.1.1 to 6.0.1. ([\#18049](element-hq/synapse#18049))

**Changelogs for older versions can be found [here](docs/changelogs/).**
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants