HPCC-32678 Add support for TLS communication to Std.System.Email.SendEmail()

[dcamper]

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

Testing performed by using a local SMTP dev tool (https://github.com/rnwood/smtp4dev) and monitoring the ESMTP conversation with various configurations.

[github-actions]

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-32678

Jirabot Action Result:
Workflow Transition To: Merge Pending
Updated PR

[mckellyln]

Is this used ?

[dcamper]

Good catch. That was part of the test change and If forgot to remove it.

[mckellyln]

Could the "250" occur not at the beginning of buffPtr ?
And if in this block, could buffPtr go past inbuff + inlen ?

[dcamper]

My understanding is that there will always be at least one 250 response that serves as an acknowledgement of the EHLO. In my tests, that line was "250-Nice to meet you." but the exact wording is not dictated.

Response codes will always be at the beginning of the buffer, and 250 responses should be first if there is no error.

[dcamper]

I modified the size of the outer while() to abort earlier to avoid some scans outside of the buffer.

[mckellyln]

Looks good, approved.

[dcamper]

Thanks, Mark! @ghalliday Squashed and ready for merging.

[ghalliday]

@dcamper one issue that probably should be fixed, and a couple of questions.

[ghalliday]

Not for this PR, but does this need the ability to provide a client certificate for mtls? If so this will need enhanced configuration support (from a secret).

[ghalliday]

if (inlen > 12), otherwise a very short response could access invalid memory

[dcamper]

The while condition a couple of lines down guards against an invalid access. Aborting the loop earlier is slightly more efficient, though.

[ghalliday]

Worth commenting that 250 responses must come first. Given the comment my expectation was that this would keep skipping to the next line through the buffer.

[dcamper]

250 codes should be the only non-error responses at this point, but the options that are returned can be in any order. So really, this is a line-by-line scan, aborting as soon as we can process '250 STARTTLS' or '250-STARTTLS'.

[ghalliday]

Does this need to fall back to HELO if EHLO not supported? Can we ignore for any modern mail server?

[dcamper]

ESMTP came out in 1995 (RFC 1869). All mail servers should support ESMTP by now. That said, a misconfiguration on the server side could prompt a fallback to the original protocol. I will add that.

[dcamper]

@ghalliday I incorporated your feedback in this latest commit. It included a slight refactoring to make the flow more sensible. Please give it another look.

[dcamper]

Note additional change: After reviewiing the RFC I discovered that the option name (STARTTLS) should be tested case-insensitive. I made that change to the code as well.

[ghalliday]

@dcamper looks good. One trivial change. Please squash.

[ghalliday]

MCoperatorWarning?

[dcamper]

I copied that from a catch() a little further down in the code. Do you have a better way of doing this?

[dcamper]

@ghalliday Squashed. Thanks!

[ghalliday]

@dcamper one final thought. What is the best version to target? Could this possibly break existing code?

[dcamper]

Any change introduces a possibility for things to go wrong. The most likely failure here lies with an errant external mail server. The possibilities include:

• Server does not support ESMTP. The various RFCs state that the server should return a 502 code after we send EHLO. This would be detected as an error and an exception thrown. In this PR's modifications, the initial EHLO is wrapped in a try/catch for this eventuality, and the code reverts to sending HELO instead (the old behavior). This is an unlikely scenario, as ESMPT was introduced 29 years ago; every mail server that is currently running should support ESMTP.
• ESMTP is supported but TLS is not. In this case the server will not reply with STARTTLS. This PR's modifications make enabling TLS optional, and will upgrade the connection only if the mail server indicates support.
• Misconfigured server. Server detects that client is enabling ESMTP and in the course of activating ESMTP extensions, something goes wrong. This may cause the mail server to not complete the protocol. This would occur within our try/catch and then cause a fallback to SMTP, which should work because we presumably have been communicating with this server in the past, using plain SMTP.

The possibility of a introducing an outright "failure to communicate" is very small, I think. All of that said, we can certainly retarget to 9.8 or even master (9.10) in an abundance of caution.

[dcamper]

Final thought: If this PR is not safe for 9.6.x then I doubt it would be safe for 9.8.x, either. So the choices will be either 9.6.x or master.

[ghalliday]

Merged to 9.8.x for the moment because most production systems are not yet upgraded to that version. So I agree with your assesment of risk, a problem will not have the same potential impact.