On Sat, 18 Mar 2023 17:06:08 +0100 Dominique Dumont <d...@debian.org> wrote:
On Tue, 14 Feb 2023 22:21:26 +0100 Lee Garrett <deb...@rocketjump.eu> wrote:
> Bumped severity as this makes bts currently unusable, and probably
> breaks for quite a few DDs their workflow.

This does not break on my system where bts is connected to local sendmail 
(which is the default setup).

Which hints at a workaround: have bts connect to local sendmail and have 
sendmail forward the mail to the SMTPS server.

While this setup might work for some people, this has IMHO quite a few hefty drawbacks and requires me to maintain an MTA on my local machine. I could elaborate, but I don't think it's on-topic for this bug report.


The change mentioned by Daniel affects only a setup where the host is 
configured via its IP address, not via a host name:
See the change in SSL.pm in commit https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0

While Daniel did mention this commit (which might or might not be related to the issue), bts fails on a configured SMTPS hostname which otherwise correctly validates with other MUAs.


Which is not the case here:

$ perl -S -MDevel::SimpleTrace bts --smtp-host smtps://mail.wgdd.de usertag 1029588 + dod-test-with-tls
bts: failed to open SMTPS connection to smtps://mail.wgdd.de
(hostname verification failed)
        at main::send_mail(mail.wgdd.de)
        at main::mailbtsall(/usr/bin/bts:2839)
        at main::(/usr/bin/bts:825)

Unfortunately, I can no longer investigate this issue as it looks like my 
IP address is now blacklisted on Daniel's server:

$ perl -MDevel::SimpleTrace scripts/bts.pl --smtp-host smtps://mail.wgdd.de usertag 1029588 + dod-test-with-tls
bts.pl: failed to open SMTPS connection to smtps://mail.wgdd.de
(Connection refused)
        at main::send_mail(mail.wgdd.de)
        at main::mailbtsall(scripts/bts.pl:2849)
        at main::(scripts/bts.pl:834)

On a hunch, I would guess that Daniel's server is configured to handle STARTTLS, which is not supported by bts. But I cannot verify this. In any case this does not explain why Daniel sees bts working with libio-socket-ssl-perl 2.077 but not with 2.078.

I'm sure that bts supports STARTTLS. I am using bts with my MTA on 587/tcp, which enforces STARTTLS and requires credentials (I just double-checked via swaks). With the old libio-socket-ssl-perl 2.069-1 this works, so it's clearly a regression.


All the best

Greetings,
Lee
