Opened 4 years ago

Closed 23 months ago

#31885 closed Bug (fixed)

Update SMTP Email Backend to use an SSLContext.

Reported by: Luis Saavedra Owned by: Luis Saavedra
Component: Core (Mail) Version: dev
Severity: Normal Keywords: SSL
Cc: Carlton Gibson Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Carlton Gibson)

Setting SSL cert and key in `SMTP.starttls()` is deprecated (since Python 3.6) in favour of passing an SSLContext. Update the SMTP backend to use the newer API.

https://github.com/django/django/pull/13305

Change History (7)

comment:1 by Carlton Gibson, 4 years ago

Description: modified (diff)
Has patch: set
Needs documentation: set
Needs tests: set
Owner: changed from nobody to Luis Saavedra
Patch needs improvement: set
Status: newassigned
Summary: add EmalBackend CA parameters #13305Update SMTP Email Backend to use an SSLContext.
Triage Stage: UnreviewedAccepted

Thanks for the report. Yes, an update here sounds good.

We'll need docs and tests for the changes. You've added new settings, those will need documenting too.
Then, do we need to deprecate the old settings, as no longer appropriate?

comment:2 by Luis Saavedra, 4 years ago

The old settings are good because set the authenticity credentials of a client, this pull request add the CA parameters to check the authenticity of the server. A man in the midle attack can pass any certificate to the client and the client can't check the authenticity because dont have CA parameters.

comment:3 by Carlton Gibson, 4 years ago

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

Updating flags to put back in the review queue

comment:4 by Carlton Gibson, 4 years ago

Patch needs improvement: set

PR looks good. Just needs to add deprecations for the old keyfile and certfile way of doing things.

comment:5 by Carlton Gibson, 4 years ago

So conclusion on the PR is that we should add the option to accept the parameters for an SSLContext on EmailBackend but not add them as settings. (The default is to use the system CA certs which is what most people want/need.)

We will then recommend subclassing in the docs for more control.

At the same time we should deprecate EMAIL_SSL_CERTFILE and EMAIL_SSL_KEYFILE for the same reasons.

comment:6 by Mariusz Felisiak, 23 months ago

Cc: Carlton Gibson added

EmailBackend uses SSLContext since 2848e5d0ce5cf3c31fe87525536093b21d570f69. Users can subclass EmailBackend and override the ssl_context property to use custom cart/key files. Maybe it's enough to consider this ticket as fixed 🤔

comment:7 by Carlton Gibson, 23 months ago

Resolution: fixed
Status: assignedclosed

...override the ssl_context property to use custom crt/key files.

The ssl_context still uses the settings, so not sure they need to subclass even.
(I still we expose too much of smtplib through the settings here, but progress there is likely Jacob's proposal from https://groups.google.com/g/django-developers/c/R8ebGynQjK0/m/kc-zggaxAgAJ)

I agree the narrow ticket here was resolved in 2848e5d0ce5cf3c31fe87525536093b21d570f69. 👍

Note: See TracTickets for help on using tickets.
Back to Top