[FR] Add config option to skip cert validation/verification for SMTP #3709

Closed
rahilarious opened this issue Feb 6, 2024 · 5 comments · Fixed by #3732

@rahilarious

What did you do?
I have an SMTP server with an invalid cert (accessing via a different IP than where the domain points to).

What did you expect to see?
A configuration option like insecure_skip_verify in tls_config, but for SMTP, which allows me to use a self-signed/invalid certificate for SMTP.

Environment

  • System information:

    Linux 6.6.14-200.fc39.x86_64 x86_64

  • Alertmanager version:

    alertmanager, version 0.26.0 (branch: HEAD, revision: d7b4f0c)
    build user: root@df8d7debeef4
    build date: 20230824-11:11:58
    go version: go1.20.7
    platform: linux/amd64
    tags: netgo

  • Prometheus version:

    prometheus, version 2.49.1 (branch: HEAD, revision: 43e14844a33b65e2a396e3944272af8b3a494071)
    build user: root@6d5f4c649d25
    build date: 20240115-16:58:43
    go version: go1.21.6
    platform: linux/amd64
    tags: netgo,builtinassets,stringlabels

  • Alertmanager configuration file:

---
global:
  smtp_from: '[email protected]'
  # smtp_smarthost: 'mail.blabla.com:465'
  smtp_smarthost: '10.0.0.1:465'
  smtp_auth_username: '[email protected]'
  smtp_auth_password: 'randompasss'
  smtp_require_tls: false
  # http_config:
  #   tls_config:
  #     insecure_skip_verify: true
  
receivers:
  - name: myreceiver
    email_configs:
      - to: '[email protected]'
route:
  group_by: ['...']
  receiver: myreceiver
...

  • Logs:

Feb 06 12:47:16 myhost alertmanager[2900]: ts=2024-02-06T07:17:16.900Z caller=notify.go:745 level=warn component=dispatcher receiver=myreceiver integration=email[0] aggrGroup="{}:{alertname=\"loadavg5\", instance=\"10.0.0.1:9100\", job=\"node\"}" msg="Notify attempt failed, will retry later" attempts=1 err="establish TLS connection to server: tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.1 because it doesn't contain any IP SANs"

@rahilarious
Author

I have an SMTP server with an invalid cert (accessing via a different IP than where the domain points to).

For example, the certificate is for mail.blabla.com, which resolves to 122.34.56.78, and one wants to access it via the local IP 192.168.1.5. But accessing it locally will say the certificate is invalid. There needs to be an option to skip that verification.

As a workaround, I added a DNS record to the hosts file in my container (docker/podman) with the switch --add-host mail.blabla.com:192.168.1.5. You can also do it in Kubernetes/podman pods with hostAliases. This solves it.

@sathieu
Contributor

sathieu commented Feb 22, 2024

You can already use:

receivers:
  - name: myreceiver
    email_configs:
      - to: '[email protected]'
        tls_config:
          insecure_skip_verify: true

... but this is per-receiver. An option is needed for global SMTP tls_config.

sathieu added a commit to sathieu/alertmanager that referenced this issue Feb 22, 2024
@sathieu
Contributor

sathieu commented Feb 22, 2024

I created #3732, with:

global:
  smtp_from: '[email protected]'
  # smtp_smarthost: 'mail.blabla.com:465'
  smtp_smarthost: '10.0.0.1:465'
  smtp_auth_username: '[email protected]'
  smtp_auth_password: 'randompasss'
  smtp_require_tls: false
  smtp_tls_config:
    insecure_skip_verify: true
  
receivers:
  - name: myreceiver
    email_configs:
      - to: '[email protected]'

@TheMeier
Contributor

Independent of the pending improvement for global smtp tls config, I think there is nothing to do here.
So please consider closing @rahilarious

@TheMeier
Contributor

TheMeier commented Mar 10, 2024

Also instead of disabling tls_verify I would encourage you to use ca_file

TheMeier pushed a commit to TheMeier/alertmanager that referenced this issue Sep 29, 2024