Bug 1557574

Summary: Add SSL support to Net::SMTP Perl module
Product: Red Hat Enterprise Linux 7 Reporter: Rajesh Dulhani <rdulhani>
Component: perl Assignee: perl-maint-list
Status: CLOSED ERRATA QA Contact: Martin Kyral <mkyral>
Severity: medium Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified    
Version: 7.4 CC: bgollahe, bnater, djez, jorton, mkyral, ppisar
Target Milestone: rc Keywords: FutureFeature, Patch
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: perl-5.16.3-293.el7 Doc Type: Release Note
Doc Text:
The *Net::SMTP* Perl module now supports SSL

This update adds support for implicit and explicit TLS and SSL encryption to the *Net::SMTP* Perl module. As a result, it is now possible to communicate with SMTP servers through a secured channel.
Last Closed: 2018-10-30 10:54:53 UTC Type: Bug
Bug Depends On: 1571850, 1572546    
Bug Blocks: 1549616, 1551025    
Attachments:
Description: 1/4 Upstream patch ported to perl-5.16.3; Flags: none
Description: 2/4 Upstream patch ported to perl-5.16.3; Flags: none
Description: 3/4 Upstream patch ported to perl-5.16.3; Flags: none
Description: 4/4 Upstream patch ported to perl-5.16.3; Flags: none

Description Rajesh Dulhani 2018-03-16 22:45:13 UTC
Description of problem:

Rebase of the package Perl-5.16.3 to include the core module Net::SMTP version 2.35 (minimum). This is the version that includes native SSL support.

Comment 2 Petr Pisar 2018-03-19 10:16:34 UTC
Perl 5.16.3 delivers Net::SMTP 2.31.
Next stable Perl that delivers Net::SMTP ≥ 2.35 is Perl 5.22.0. I cannot rebase Perl because it has different ABI.

I will investigate whether I can port SSL support back to existing Net::SMTP module in perl package.

The SSL support was added in libnet-1.28 CPAN distribution <http://cpansearch.perl.org/src/SHAY/libnet-3.11/Changes> with commit <https://github.com/steve-m-hay/perl-libnet/commit/b4a7a274a7fe5344c154abc4b3fdd7c446d36370> (merge commit <https://github.com/steve-m-hay/perl-libnet/commit/c274b798e6881a941d941808c6d89966975cb8c8>).

In the meantime, please consider using Perl 5.24 from Red Hat Software Collections <https://access.redhat.com/documentation/en-us/red_hat_software_collections/2/html/2.3_release_notes/chap-rhscl#sect-RHSCL-Changes-perl>.

Comment 3 Petr Pisar 2018-03-21 14:46:49 UTC
Created attachment 1411231
1/4 Upstream patch ported to perl-5.16.3

Comment 4 Petr Pisar 2018-03-21 14:47:16 UTC
Created attachment 1411232
2/4 Upstream patch ported to perl-5.16.3

Comment 5 Petr Pisar 2018-03-21 14:47:46 UTC
Created attachment 1411233
3/4 Upstream patch ported to perl-5.16.3

Comment 6 Petr Pisar 2018-03-21 14:48:24 UTC
Created attachment 1411234
4/4 Upstream patch ported to perl-5.16.3

Comment 7 Petr Pisar 2018-03-21 14:52:16 UTC
The attached patchset adds SSL support to the Net::SMTP Perl module as delivered in the perl package. We recommend using it with updated perl-IO-Socket-SSL (bug #1402588) that used the system CA certificate store by default.

Comment 9 Petr Pisar 2018-03-21 15:32:09 UTC
How to test:

(1) Start an SMTP server with implicit and explicit SSL support. Or you can use the openssl tool to some extent:

$ openssl s_server -accept 465 -CAfile ca -cert ca -key key

(2) Use Net::SMTP with implicit SSL:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Can't call method "domain" on an undefined value at -e line 1.

This must fail because the client does not know the "ca" authority.

(3) Pass a file name with the "ca" authority:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'

and send this text from the SSL server:

200 foo

And then after the server sends EHLO message:

200 bar

The client should succeed and report "foo" as a server identifier:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception:
foo

(4) Perform tests with explicit SSL (STARTTLS). You would need a real SMTP server or something better than the openssl tool:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{smtp.corp.redhat.com}, Debug => 1); $s->starttls() or die qq{Exception: $@\n}; print $s->verify(q{ppisar}), qq{\n}'
Net::SMTP>>> Net::SMTP(2.31)
Net::SMTP>>>   Net::Cmd(2.29)
Net::SMTP>>>     Exporter(5.68)
Net::SMTP>>>   IO::Socket::INET(1.33)
Net::SMTP>>>     IO::Socket(1.34)
Net::SMTP>>>       IO::Handle(1.33)
Net::SMTP=GLOB(0x1e2c468)<<< 220 smtp.corp.redhat.com ESMTP Postfix
Net::SMTP=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP=GLOB(0x1e2c468)<<< 250-STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
Net::SMTP=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP=GLOB(0x1e2c468)>>> STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 220 2.0.0 Ready to start TLS
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> VRFY ppisar
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 252 2.0.0 ppisar
1

Here you can see the VRFY command is used after a successful TLS upgrade. That also means that Net::SMTP verified the server's certificate. Otherwise it would die before. Do not use the domain() method because it will reuse the answer from the first answer before STARTTLS.

Comment 11 Petr Pisar 2018-04-18 14:59:20 UTC
A notice for testing. The SSL support is optional, thus perl(IO::Socket::SSL) must be installed. Otherwise an error like "To use SSL please install IO::Socket::SSL at /usr/share/perl5/Net/SMTP.pm line 218." is emitted.
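
The checks from comments 9 and 11 combined into one fail-closed script, as an added example that is not part of the bug report or the attached patchset. It assumes the backported starttls() accepts SSL_* arguments the way upstream libnet does; the script name and the timeout value are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the patchset): fail-closed TLS check for Net::SMTP.
# Usage: smtp_tls_check.pl HOST implicit|starttls [CA_FILE]
use strict;
use warnings;
use Net::SMTP;

my ($host, $mode, $ca_file) = @ARGV;
die "usage: $0 HOST implicit|starttls [CA_FILE]\n"
    unless defined $host && defined $mode && $mode =~ /^(?:implicit|starttls)$/;

# SSL support is optional in Net::SMTP: check for IO::Socket::SSL up front.
eval { require IO::Socket::SSL; 1 }
    or die "IO::Socket::SSL is not installed; refusing to continue without TLS\n";

# Always verify the peer; add a private CA file only when one is given.
my %tls = (SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER());
$tls{SSL_ca_file} = $ca_file if defined $ca_file;

my $smtp;
if ($mode eq 'implicit') {
    # Implicit TLS: the handshake happens before the SMTP greeting (port 465).
    $smtp = Net::SMTP->new($host, Port => 465, SSL => 1, Timeout => 15, %tls)
        or die "implicit TLS to $host failed: $@\n";
} else {
    # Explicit TLS: cleartext greeting and EHLO first, then the upgrade.
    $smtp = Net::SMTP->new($host, Port => 25, Timeout => 15)
        or die "cleartext connect to $host failed: $@\n";
    # supports() returns an empty string for a parameterless extension,
    # so test definedness. Stop here rather than continue in cleartext.
    defined $smtp->supports('STARTTLS')
        or die "$host does not advertise STARTTLS; aborting\n";
    $smtp->starttls(%tls)
        or die "STARTTLS failed: "
             . (IO::Socket::SSL::errstr() || $smtp->message) . "\n";
}

# Confirm the handle really is a TLS socket before trusting it.
$smtp->isa('IO::Socket::SSL')
    or die "connection is not encrypted\n";
printf "TLS established with %s, cipher %s\n", $host, $smtp->get_cipher;

# domain() comes from the greeting, which only in implicit mode was
# received over the encrypted channel (see the note in comment 9).
printf "Server identifies as: %s\n", $smtp->domain if $mode eq 'implicit';
$smtp->quit;
```
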

Comment 22 errata-xmlrpc 2018-10-30 10:54:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:3183