SMTP Cert/Key Configuration

Hi,
we use the docker container getindico/indico:3.0 for Indico.
To send emails we would need to specify a matching cert and key file (our email server only allows certain fingerprints through).
Everything is actually available in the code for this - only the corresponding conf variables are not used.

        self.ssl_keyfile = (
            current_app.config.get('EMAIL_SSL_KEYFILE')
            if ssl_keyfile is None
            else ssl_keyfile
        )
        self.ssl_certfile = (
            current_app.config.get('EMAIL_SSL_CERTFILE')
            if ssl_certfile is None
            else ssl_certfile
        )

        if not self.use_ssl and self.use_tls:
            self.connection.starttls(
                keyfile=self.ssl_keyfile, certfile=self.ssl_certfile
            )

But the keys EMAIL_SSL_KEYFILE and EMAIL_SSL_CERTFILE are not passed.

def configure_emails(app, config):
    # TODO: use more straightforward mapping between EMAIL_* app settings and indico.conf settings
    app.config['EMAIL_BACKEND'] = 'indico.vendor.django_mail.backends.smtp.EmailBackend'
    app.config['EMAIL_HOST'] = config.SMTP_SERVER[0]
    app.config['EMAIL_PORT'] = config.SMTP_SERVER[1]
    app.config['EMAIL_HOST_USER'] = config.SMTP_LOGIN
    app.config['EMAIL_HOST_PASSWORD'] = config.SMTP_PASSWORD
    app.config['EMAIL_USE_TLS'] = config.SMTP_USE_TLS
    app.config['EMAIL_USE_SSL'] = False
    app.config['EMAIL_TIMEOUT'] = config.SMTP_TIMEOUT

So currently we patch two files -
indico/web/flask/app.py

app.config['EMAIL_SSL_CERTFILE'] = config.SMTP_CERTFILE
app.config['EMAIL_SSL_KEYFILE'] = config.SMTP_KEYFILE

and indico/core/config.py (to set defaults → None).
With these patches we build an additional docker image.

This is unfortunately quite inconvenient (especially when Indico is updated, you always have to check whether the patches still fit) - so I wanted to ask whether I just overlooked a way to pass a cert/key file?

So far nobody asked for this - and honestly, I’m surprised that people actually do TLS client cert auth for SMTP. Seems so much more straightforward to just have a randomly generated token/password.

Anyway, if you send a PR (3.0.x branch) we can add this. Please also make sure to add it in config.py and settings.rst.
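
Added example (not part of the thread and not Indico's code): one way to turn an optional cert/key pair such as the SMTP_CERTFILE / SMTP_KEYFILE values discussed above into a STARTTLS client context. It uses `starttls(context=...)` because the `keyfile`/`certfile` arguments of `smtplib.SMTP.starttls` were deprecated in Python 3.6 and removed in 3.12. The function names `build_client_context` and `open_smtp` and the key-file permission check are assumptions made for this illustration.

```python
import os
import smtplib
import ssl
import stat


def build_client_context(certfile=None, keyfile=None):
    """Build the TLS context for STARTTLS, optionally with a client cert."""
    # create_default_context() keeps server-certificate and hostname checks on.
    context = ssl.create_default_context()
    if certfile is None and keyfile is None:
        return context  # plain STARTTLS, no client certificate
    if certfile is None:
        raise ValueError('a key file was configured without a certificate file')
    # A combined PEM (cert + key in one file) is valid, so keyfile may be None.
    key_path = keyfile or certfile
    for path in (certfile, key_path):
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    # Refuse a private key that group/other can access (POSIX mode bits).
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f'{key_path} has mode {mode:o}; expected 600 or stricter')
    context.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return context


def open_smtp(host, port, context, timeout=30):
    """Connect, upgrade with STARTTLS using the prepared context, re-EHLO."""
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    conn.starttls(context=context)  # presents the client cert if one is loaded
    conn.ehlo()
    return conn


if __name__ == '__main__':
    ctx = build_client_context()  # no cert/key configured
    print(ctx.verify_mode, ctx.check_hostname)
```

When the key is bind-mounted into a container, the mode check applies to the file as seen inside the container, so the mount has to preserve a restrictive mode.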