Documentation for TLS #84
Comments
Hi @MikeParkin - it isn't currently, but it can be added 😄 |
Hi @ian-kent, I would happily update the documentation for this, if you could give some pointers as to how to configure TLS! I had a look at the source and tried googling for a solution - but nothing was obvious. Mike |
Thanks @MikeParkin Sorry if my last message wasn't clear, TLS isn't currently supported in MailHog (or, I don't think it is, and I couldn't find anything in the code which suggested it was). Outbound SMTP will use TLS if the remote server supports it (i.e. by advertising Adding TLS support for the UI, API and SMTP server should be relatively straightforward - I'll add it asap! |
Hi @ian-kent, Ahh ok - I cannot remember why I thought MailHog supported HTTPS/TLS for the Web UI - I was sure I had read that somewhere. Having just been back through the documentation I cannot find any reference to it - maybe it was the STARTTLS on SMTP like you suggest! That would be great, thank you! Cheers |
Hello @ian-kent Pinging this topic as it has been a while and this would make it possible for me to use mailhog. |
Ping @ian-kent any update on this, with most of the web moving to TLS it would be great to get this included too. There is normally quite a bit of sensitive data kept within MailHog, so amazing to get it running under a secure protocol. The UI is the main part we would like securing :-) If you require any help with this please point us in the right direction / give guidance about how you see this being implemented (it's about time I learnt some Go!) |
Hi all, do you know if MailHog supports START TLS for incoming connections? |
Can I ask how do you use MailHog? I thought it was for testing & development only, not production? Anyway TLS and STARTTLS support for incoming email would be great :- ) |
I would love to have this too. I'm working on a system that has to be able to be configured for secure email and it would be great to have mailhog for testing that. |
@kajmagnus we use it on staging/development servers, but often those have copies of sensitive customer information, for example email order confirmations of a customer's address. We only run HTTPS for our websites, so having to read the email via http://$DOMAIN:PORT is frustrating. (Mainly because I always forget to remove the 's' when I've triggered the email on https://$DOMAIN!) but also obviously for better security :) |
@MikeParkin Ok :- ) Thanks for explaining. |
@MikeParkin You can set up nginx with https and set upstream to MailHog. The bigger problem is that MailHog doesn't support STARTTLS for smtp. |
It's worth noting that Go's own net/smtp disallows sending emails unless TLS is enabled or the recipient is localhost: Snippet from

```go
func (a *plainAuth) Start(server *ServerInfo) (string, []byte, error) {
	// Must have TLS, or else localhost server.
	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
	// In particular, it doesn't matter if the server advertises PLAIN auth.
	// That might just be the attacker saying
	// "it's ok, you can trust me with your password."
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, errors.New("unencrypted connection")
	}
	if server.Name != a.host {
		return "", nil, errors.New("wrong host name")
	}
	resp := []byte(a.identity + "\x00" + a.username + "\x00" + a.password)
	return "PLAIN", resp, nil
}
```

Despite the fact that MailHog is written in Go, it cannot generally receive messages from Go 🙃 |
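The check quoted in the comment above, exercised end to end as an added example (not code from MailHog or from the commenter): a net/smtp client talks to a toy plaintext server that advertises AUTH PLAIN but no STARTTLS, first under a non-localhost name and then as localhost. `toyServer`, `tryAuth`, the host name `mailhog.staging.example` and the credentials are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/smtp"
	"net/textproto"
	"strings"
)

// toyServer (constructed) speaks plaintext SMTP, offers AUTH PLAIN but no
// STARTTLS, and reports on seen whether an AUTH command ever arrived.
func toyServer(conn net.Conn, seen chan<- bool) {
	tp, got := textproto.NewConn(conn), false
	defer tp.Close()
	tp.PrintfLine("220 toy ESMTP")
	for {
		line, _ := tp.ReadLine() // a read error yields "" and ends the session
		switch {
		case strings.HasPrefix(line, "EHLO"):
			tp.PrintfLine("250-toy\r\n250 AUTH PLAIN")
		case strings.HasPrefix(line, "AUTH"):
			got = true // credentials crossed the wire in cleartext
			tp.PrintfLine("235 OK")
		default: // QUIT or anything else
			tp.PrintfLine("221 Bye")
			seen <- got
			return
		}
	}
}

// tryAuth runs net/smtp PLAIN auth as hypothetical host serverName over an in-memory pipe.
func tryAuth(serverName string) (bool, error) {
	client, server := net.Pipe()
	seen := make(chan bool, 1)
	go toyServer(server, seen)
	c, err := smtp.NewClient(client, serverName)
	if err != nil {
		return false, err
	}
	err = c.Auth(smtp.PlainAuth("", "tester", "constructed-secret", serverName))
	c.Quit() // fails harmlessly if Auth already quit after refusing
	return <-seen, err
}

func main() {
	fmt.Println(tryAuth("mailhog.staging.example")) // false unencrypted connection
	fmt.Println(tryAuth("localhost"))               // true <nil>
}
```

For the non-localhost name the client aborts before any AUTH line is written, so the password never reaches the server; only the localhost exception lets PLAIN proceed without TLS.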
To improve the quality of my tests, I would also appreciate to have TLS support for SMTP in mailhog. It would be great to have this optional by configuration. |
As a workaround you could use Stunnel as a reverse STARTTLS proxy in front of MailHog. |
I thought I might chime in on this, after hitting the same road block (see go remark above on non localhost connections). The things I was able to figure out so far: The mailhog/smtp repo looks like it already got basic support for TLS. At least, state machine wise. However, as the code of mailhog overall stands right now, that TLS logic is not triggered, since the appropriate handler is not set. So, that would need to be done in mailhog/MailHog-Server. So, that would take care of protocol stuff. Now, the tricky part then would be to deliver actually TLS encrypted output back to the caller. This is where I got stuck. My best guess would be to upgrade the connection, but at the appropriate code part in mailhog/MailHog-Server, we don't have any tcp connection, but a bare Taking some inspiration from this repo, it seems we would need to "replace" the connection, with a new TLS wrapped one (or to be more precise, the The rest would then be simple config extension of mailhog/MailHog-Server/config, to parse and store certificates. Well maybe throw in some automatic certificate generation for good measure ;-) So, anyone up to the task? :D |
Actually, I POC'd the necessary changes myself, and got a kinda working TLS implementation (well, good enough for testing purposes, in the spirit of this project). It basically boils down to this commit. I needed to fix up quite a bit of other stuff - the repos are IMO not in a very good shape. If you want to check out my work, clone my forked repo, get yourself a self-signed server cert and key, and start via I will test this a bit, and decide where to go from here. Either trying to get this in this repo, or maintain my own fork. NOTE: As the certificate is self-signed, ensure that you either disable host verification in your client, or tell it to trust the server certificate otherwise. EDIT: Now Docker flavored: https://hub.docker.com/r/kernle32dll/mailhog |
@kernle32dll Awesome work, will you try to get it merged upstream? |
@wilmardo I dunno. I would be all for getting it upstreamed. On the other hand, there seems to be no recent movement in this repo. So, even if I would create some PRs, I don't see them getting merged anytime soon. I would love to maintain a fork, but looking at the sheer number of open issues, I don't think I can handle this anytime soon either. |
Hello everyone, I have the same issue: our SMTP server authenticates using TLS/STARTTLS and mailhog does not support it. |
Does your implementation support both Implicit TLS, and STARTTLS? |
@kernle32dll Looks like this repo is active again, with #296 created to track the progress of this issue. You can probably submit your pull request against that one. |
@kernle32dll Thanks for your work! I used your Docker Image and SwithMail is able to send Mails to MailHog when the Checkbox "TLS / SSL" is checked. In general it is a pity Mailhog does not support incoming SMTP traffic with TLS by default. How can we test our mail implementations when the requirement is to have a secure hint in the user's mailclient? |
@vanDonselaar thanks for your tip, I got it working. To save the rest some time, with this docker-compose example you'll have STARTTLS out of the box ;)
|
Hello everyone, I have a quick question please and I have read through all the issues but I couldn't find the best answer for what I want so we run Mailhog presently on our test env with Kubernetes and an NGINX ingress, I am able to see the UI but the smtp server is not reachable. I have tried configuring the ingress controller to allow TCP connections but it still does not solve my problem. Does anyone also run it securely on K8s, what methods did you use? |
Hello,
Looking at the source it appears that you can run Mailhog with an SSL certificate.
Is this possible? If so, are there any docs to explain how to configure this?
Thanks
Mike