Bug 1557574 - Add SSL support to Net::SMTP Perl module
Summary: Add SSL support to Net::SMTP Perl module
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: perl
Version: 7.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: perl-maint-list
QA Contact: Martin Kyral
Lenka Špačková
Depends On: 1571850 1572546
Blocks: 1551025 1549616
TreeView+ depends on / blocked
Reported: 2018-03-16 22:45 UTC by Rajesh Dulhani
Modified: 2018-10-30 10:55 UTC (History)
6 users (show)

Fixed In Version: perl-5.16.3-293.el7
Doc Type: Release Note
Doc Text:
The *Net::SMTP* Perl module now supports SSL This update adds support for implicit and explicit TLS and SSL encryption to the *Net::SMTP* Perl module. As a result, it is now possible to communicate with SMTP servers through a secured channel.
Clone Of:
Last Closed: 2018-10-30 10:54:53 UTC
Target Upstream Version:

Attachments (Terms of Use)
1/4 Upstream patch ported to perl-5.16.3 (4.95 KB, patch)
2018-03-21 14:46 UTC, Petr Pisar
no flags Details | Diff
2/4 Upstream patch ported to perl-5.16.3 (5.45 KB, patch)
2018-03-21 14:47 UTC, Petr Pisar
no flags Details | Diff
3/4 Upstream patch ported to perl-5.16.3 (2.06 KB, patch)
2018-03-21 14:47 UTC, Petr Pisar
no flags Details | Diff
4/4 Upstream patch ported to perl-5.16.3 (2.29 KB, patch)
2018-03-21 14:48 UTC, Petr Pisar
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
CPAN 93823 0 None None None 2018-03-19 10:16:34 UTC
Red Hat Product Errata RHEA-2018:3183 0 None None None 2018-10-30 10:55:06 UTC

Description Rajesh Dulhani 2018-03-16 22:45:13 UTC
Description of problem:

rebase of the package Perl-5.16.3 to include the core module Net:: SMTP version 2.35 (minimum). This is the version that includes native SSL support.

Comment 2 Petr Pisar 2018-03-19 10:16:34 UTC
Perl 5.16.3 delivers Net::SMTP 2.31.
Next stable Perl that delivers Net::SMTP ≥ 2.35 is Perl 5.22.0. I cannot rebase Perl because it has different ABI.

I will investigate whether I can port SSL support back to existing Net::SMTP module in perl package.

The SSL support was added in libnet-1.28 CPAN distribution <http://cpansearch.perl.org/src/SHAY/libnet-3.11/Changes> with commit <https://github.com/steve-m-hay/perl-libnet/commit/b4a7a274a7fe5344c154abc4b3fdd7c446d36370> (merge commit <https://github.com/steve-m-hay/perl-libnet/commit/c274b798e6881a941d941808c6d89966975cb8c8>).

In the mean time, please consider using Perl 5.24 from Red Hat Software Collections <https://access.redhat.com/documentation/en-us/red_hat_software_collections/2/html/2.3_release_notes/chap-rhscl#sect-RHSCL-Changes-perl>.

Comment 3 Petr Pisar 2018-03-21 14:46:49 UTC
Created attachment 1411231 [details]
1/4 Upstream patch ported to perl-5.16.3

Comment 4 Petr Pisar 2018-03-21 14:47:16 UTC
Created attachment 1411232 [details]
2/4 Upstream patch ported to perl-5.16.3

Comment 5 Petr Pisar 2018-03-21 14:47:46 UTC
Created attachment 1411233 [details]
3/4 Upstream patch ported to perl-5.16.3

Comment 6 Petr Pisar 2018-03-21 14:48:24 UTC
Created attachment 1411234 [details]
4/4 Upstream patch ported to perl-5.16.3

Comment 7 Petr Pisar 2018-03-21 14:52:16 UTC
The attached patchset adds SSL support to Net::SMTP Perl module as delivered in perl package. We recommend using it with updated perl-IO-Socket-SSL (bug #1402588) that used system CA certificate store by default.

Comment 9 Petr Pisar 2018-03-21 15:32:09 UTC
How to test:

(1) Start an SMTP server with implicit and explict SSL support. Or you can use openssl tool to some extent:

$ openssl s_server -accept 465 -CAfile ca -cert ca -key key

(2) Use Net::SMTP with implicit SSL:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Can't call method "domain" on an undefined value at -e line 1.

This must fail because the client does not know the "ca" authority.

(3) Pass a file name with the "ca" authority:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'

and send this text from the SSL server:

200 foo

And then after the server sends EHLO message:

200 bar

The client should succeed and report the "foo" as an server identifier:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'

(4) Perform tests with explicit SSL (STARTLS). You would need a real SMTP server or something better than openssl tool:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{smtp.corp.redhat.com}, Debug => 1); $s->starttls() or die qq{Exception: $@\n}; print $s->verify(q{ppisar@redhat.com}), qq{\n}'
Net::SMTP>>> Net::SMTP(2.31)
Net::SMTP>>>   Net::Cmd(2.29)
Net::SMTP>>>     Exporter(5.68)
Net::SMTP>>>   IO::Socket::INET(1.33)
Net::SMTP>>>     IO::Socket(1.34)
Net::SMTP>>>       IO::Handle(1.33)
Net::SMTP=GLOB(0x1e2c468)<<< 220 smtp.corp.redhat.com ESMTP Postfix
Net::SMTP=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP=GLOB(0x1e2c468)<<< 250-STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP=GLOB(0x1e2c468)>>> STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 220 2.0.0 Ready to start TLS
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> VRFY ppisar@redhat.com
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 252 2.0.0 ppisar@redhat.com

Here you can see VRFY command is used after successful TLS upgrade. That also means the Net::SMTP verified server's certificate. Otherwise it would die before. Do no use domain() method because it will reuse answer from the first answer before STARTTLS.

Comment 11 Petr Pisar 2018-04-18 14:59:20 UTC
A notice for testing. The SSL support is optional, thus perl(IO::Socket::SSL) must be installed. Otherwise an error like "To use SSL please install IO::Socket::SSL at /usr/share/perl5/Net/SMTP.pm line 218." is emitted.

Comment 22 errata-xmlrpc 2018-10-30 10:54:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.