Can only get Lucee to use TLS when sending mail if I provide a username and password

Hi. I can only get Lucee to use TLS when sending emails if I provide a username and password. Does this sound correct? I did not see anything in the docs about this.

For example this delivers mail without using TLS encryption:

<cfmail from="#from#" to="#to#" subject="Test message" async="false"
spoolenable="false" server="#mailserver#" port="#mailport#" usetls="true">...

If I add a username and password, then the email is sent using TLS:

<cfmail from="#from#" to="#to#" subject="Test message" async="false"
spoolenable="false" server="#mailserver#" port="#mailport#" usetls="true"
	username="foo" password="bar">...

The values of the username and password do not matter, because my server does not require authentication.

I can tell when TLS is being used or not because I am proxying the connection through ncat so I can watch the full SMTP session. The server responds with 250 STARTTLS but Lucee never sends STARTTLS unless I provide a username and password in the cfmail tag.

We are running Lucee 5.3.8.201 on Windows.

well, best practice assumes you should always use authentication, and it works with a dummy username and password, so is it really a problem?

I don’t agree that it’s best practice to always use authentication. Lots of internal networks use IP allow-lists rather than authentication.

And it took me a long time to figure out why I could not get TLS to work, then on a whim I just decided to try adding a username and password. So in my opinion, yes it’s a problem. Or at least the documentation should explain that in order to use TLS you must provide dummy credentials. Should I enter a ticket for that? I think I’ve done a PR for a documentation change before, I can figure that out again.

feel free to do both :)

if you bump up the lucee log level for mail.log or remoteclient.log to debug, is there a stacktrace or log entry when it fails?

update, i think this is the problem

Yes, that line should probably be the same as 453

props.put("mail.smtp.starttls.enable", tls ? "true" : "false");

LDEV-3715 created.
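The check the original poster made by eye on the proxied SMTP session can be automated. The following is an added example, not part of the thread and not Lucee code: it classifies a session transcript by whether the client upgraded to TLS before sending the envelope. The `S: ` / `C: ` line prefixes, the host names, and the two sample sessions are constructed assumptions.

```python
import re

# Constructed sample sessions, not captures from a real server.
# Assumed format: "S: " marks a server line, "C: " a client line.
NO_CREDENTIALS = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250-SIZE 10240000
S: 250 STARTTLS
C: MAIL FROM:<from@example.test>
S: 250 OK
C: RCPT TO:<to@example.test>
S: 250 OK
C: DATA
"""

DUMMY_CREDENTIALS = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
"""

def classify_session(transcript):
    """Return how the message envelope was protected in one SMTP session."""
    offered = requested = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S":
            if requested:
                # The reply to STARTTLS decides; after a 220 the proxy sees only TLS records.
                return "tls" if text.startswith("220") else "starttls-rejected"
            # Capability appears as "250-STARTTLS" or, on the last EHLO line, "250 STARTTLS".
            if re.fullmatch(r"250[- ]STARTTLS", text, re.IGNORECASE):
                offered = True
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                requested = True
            elif verb == "MAIL":
                # Envelope sent without an upgrade: the behaviour reported in this thread.
                return "cleartext-despite-offer" if offered else "cleartext-not-offered"
    return "incomplete"

if __name__ == "__main__":
    for name in ("NO_CREDENTIALS", "DUMMY_CREDENTIALS"):
        print(name, "->", classify_session(globals()[name]))
```

A `cleartext-despite-offer` result for a sender configured with `usetls="true"` is the condition worth alerting on, since the message body follows in the clear.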