Add email.tlsname config option #17849
Merged (+69 −38)

Commits (4):
685f746 Add email.tlsname config option (cynhr)
8568436 Support email.tlsname with old Twisted versions (cynhr)
beeddf2 Merge remote-tracking branch 'origin/develop' into cynhr-email-tlsname (cynhr)
a219911 Add test for email.tlsname configuration option (cynhr)

Diff below: changes from 1 commit.
@@ -0,0 +1 @@ | ||
Added the `email.tlsname` config option. This allows specifying the domain name used to validate the SMTP server's TLS certificate separately from the `email.smtp_host` to connect to. |
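Review bot: the changelog line doesn't say what happens to existing deployments; since the docs hunk gives `tlsname` a default of `smtp_host`, add a clause such as "defaults to `smtp_host`, so existing configurations keep validating the certificate against the host they connect to" so operators can see at a glance that nothing changes unless they opt in.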
@@ -673,8 +673,9 @@ This setting has the following sub-options: | |
TLS via STARTTLS *if the SMTP server supports it*. If this option is set, | ||
Synapse will refuse to connect unless the server supports STARTTLS. | ||
* `enable_tls`: By default, if the server supports TLS, it will be used, and the server | ||
must present a certificate that is valid for 'smtp_host'. If this option | ||
must present a certificate that is valid for `tlsname`. If this option | ||
is set to false, TLS will not be used. | ||
* `tlsname`: The domain name the SMTP server's TLS certificate must be valid for, defaulting to `smtp_host`. | ||
* `notif_from`: defines the "From" address to use when sending emails. | ||
It must be set if email sending is enabled. The placeholder '%(app)s' will be replaced by the application name, | ||
which is normally set in `app_name`, but may be overridden by the | ||
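Review bot: the new `tlsname` description should spell out the trust consequence of the change on the `enable_tls` line: the certificate is now checked against `tlsname` instead of `smtp_host`, so an operator who sets it to a name they do not control ends up accepting a certificate for a host other than the one they meant to reach. Suggest appending something like "Set this only when the SMTP server is reached via an alias or IP address but presents a certificate for its canonical name; it does not disable certificate validation." It would also help to say whether `tlsname` is only the name validated against or is also what Synapse sends as the TLS server name, since the text leaves that open and an operator would otherwise have to test it.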
@@ -741,6 +742,7 @@ email: | |
force_tls: true | ||
require_transport_security: true | ||
enable_tls: false | ||
tlsname: mail.server.example.com | ||
notif_from: "Your Friendly %(app)s homeserver <[email protected]>" | ||
app_name: my_branded_matrix_server | ||
enable_notifs: true | ||
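Review bot: the sample now shows `tlsname: mail.server.example.com` directly under `enable_tls: false`, which is contradictory as a worked example: with TLS disabled no certificate is validated, so `tlsname` has no effect, and the same block already has `force_tls: true` alongside `enable_tls: false`. If the block is meant as a list of every option rather than a coherent configuration, a one-line comment above it saying so would stop people copying it verbatim; otherwise flip `enable_tls` to `true` here so the new option is shown in a configuration where it actually does something.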
Thanks for bringing this up!

If we're not going to support this option for Twisted < v21, it would be ideal to fail early and not start up at all (error when parsing the config), along with updating the documentation to state the version requirement. But I'm not sure of another spot where we make a similar constraint. Perhaps it's important that we support Twisted < v21 but I don't have that context.

I also don't have a sense for how big or complex the `hostname` backport would be, but it seems like it's do-able to you. It looks like the `trial-olddeps` CI job uses the minimum versions from our `pyproject.toml`, which will be Twisted 18.9.0. So as long as we have some tests for this new functionality in `tests/handlers/test_send_email.py`, we should be covered. I can run the CI when you want, but it should also be possible to emulate the same thing that the CI job is doing to test it locally as well.
It should now also work with Twisted < v21. I also added a check to the tests that we pass the `tlsname` to Twisted, and successfully ran that with both old and new Twisted. I did not verify that old Twisted actually does with this parameter what we want it to do, but it is at least documented as such. (With new Twisted, as I mentioned before, I tested it with an actual SMTP server. I did repeat that test for the happy path: a cert with commonname = `tlsname` ≠ `smtp_host` is still being accepted.)

I also was not able to reproduce the sytest failure for commit 685f746 locally (`$ podman run --rm -it -v "$PWD":/src:ro -v "$PWD"/logs\:/logs -e POSTGRES=1 -e MULTI_POSTGRES=1 -e WORKERS=1 -e REDIS=1 docker.io/matrixdotorg/sytest-synapse:focal` completes with `run-tests PASSED`). The failures also appear to affect parts I didn't really touch. If you nonetheless think it's related to my changes, I can try looking into it.
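The happy-path test described in the comment above (a certificate whose name equals `tlsname` but not `smtp_host` being accepted) is the whole point of the option, so here is an added, self-contained model of it. This is example code written for this page, not Synapse's or Twisted's code: Synapse hands the real certificate check to Twisted's TLS stack, whereas the matcher below is a simplified RFC 6125-style comparison of subjectAltName dNSName entries (the comment speaks of the commonName; modern validators look at the SANs). `EmailConfig`, `FakeCertificate`, `hostname_matches`, `check_smtp_certificate` and the relay certificate are all constructed names and data for the example; `force_tls` and `require_transport_security` are deliberately left out of the model.

```python
"""Constructed example (not Synapse's or Twisted's code) of how the
`email.tlsname` option changes which name an SMTP server's certificate is
validated against.  Synapse delegates the real check to Twisted's TLS stack;
the matcher below is a simplified RFC 6125-style dNSName comparison so the
effect of the option can be seen offline, with constructed certificates."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EmailConfig:
    """The subset of Synapse's `email:` settings this example models (constructed)."""
    smtp_host: str
    enable_tls: bool = True
    tlsname: Optional[str] = None  # None means "defaults to smtp_host"

    @property
    def expected_name(self) -> str:
        # The documented default: validate against smtp_host unless tlsname is set.
        return self.tlsname or self.smtp_host


@dataclass
class FakeCertificate:
    """Only the identity part of a certificate: its subjectAltName dNSName entries."""
    dns_names: List[str] = field(default_factory=list)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match.  A '*' is accepted only as the entire
    leftmost label, matches exactly one label, and (this example's conservative
    choice) must be followed by at least two more labels, so '*.com' never matches."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    leftmost, rest = p_labels[0], p_labels[1:]
    if leftmost != "*" or any("*" in label for label in rest):
        return False  # partial wildcards ("m*.example.com") and deeper ones are rejected
    if len(rest) < 2 or len(h_labels) != len(p_labels):
        return False  # the wildcard must cover exactly one label
    return h_labels[1:] == rest


def certificate_valid_for(cert: FakeCertificate, name: str) -> bool:
    return any(hostname_matches(san, name) for san in cert.dns_names)


def check_smtp_certificate(config: EmailConfig, cert: FakeCertificate) -> Tuple[bool, str]:
    """Return (validated, reason) for the certificate under this configuration.

    With `enable_tls: false` nothing is validated at all, which is why setting
    `tlsname` alongside it (as the sample config in the docs does) has no effect."""
    if not config.enable_tls:
        return False, "TLS disabled: no certificate is checked, tlsname is ignored"
    name = config.expected_name
    if certificate_valid_for(cert, name):
        return True, f"certificate is valid for {name!r}"
    return False, f"certificate is not valid for {name!r}; SANs={cert.dns_names}"


# Constructed relay certificate: issued for the relay's canonical name plus a wildcard.
RELAY_CERT = FakeCertificate(dns_names=["mail.server.example.com", "*.server.example.com"])

if __name__ == "__main__":
    scenarios = {
        # Reaching the relay via an internal alias: default validation fails.
        "alias, no tlsname": EmailConfig(smtp_host="smtp-relay.internal"),
        # Same alias, tlsname set to the name on the certificate: validated.
        "alias, tlsname set": EmailConfig(smtp_host="smtp-relay.internal",
                                          tlsname="mail.server.example.com"),
        # Connecting by IP literal; the wildcard SAN covers a single extra label.
        "ip, wildcard match": EmailConfig(smtp_host="10.0.0.25",
                                          tlsname="mx2.server.example.com"),
        # tlsname set but TLS disabled: the option changes nothing.
        "tls disabled": EmailConfig(smtp_host="smtp-relay.internal", enable_tls=False,
                                    tlsname="mail.server.example.com"),
    }
    for label, cfg in scenarios.items():
        validated, why = check_smtp_certificate(cfg, RELAY_CERT)
        print(f"{label:20} -> {'VALIDATED' if validated else 'NOT VALIDATED'}: {why}")
```

Run as a script it prints the four scenarios; the first is rejected because the default name to validate is the alias in `smtp_host`, the second is accepted once `tlsname` names what the certificate actually carries, and the last shows that with `enable_tls: false` the option is simply never consulted.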
Thanks for the diligence @cynhr!
The CI is all green ✅ and the previous failure was probably just a flakey test (unfortunately).