Processed: Bug#662960: ssmtp doesn't validate server TLS certificates

2019-03-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 662960 wishlist
Bug #662960 [ssmtp] ssmtp doesn't validate server TLS certificates
Severity set to 'wishlist' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
662960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#662960: ssmtp doesn't validate server TLS certificates

2019-03-05 Thread Matija Nalis
severity 662960 wishlist
thanks

The bug has had the tag "security" added, which is in sync with its TLS
deficiencies. However (as you noticed) "Severity" values (while they
might look innocently like plain English) have quite specific meanings
in BTS, which sometimes might be at odds with their common language
usages.

Because of that, "Severity" is not just a number from 0-5 indicating
how much one would like for the bug to be fixed, but something else.

"Severity: important" would indicate that the package is just one small
step away from "rendering it completely unusable to everyone", which
looks too harsh to me in this case (as in many cases ssmtp is used
only for non-TLS plaintext SMTP delivery on LAN from satellite
machines to main MTA, which would then speak TLS to outside world
etc.)

"Severity: wishlist" however (as opposed to "normal") subtly
indicates that there is some functionality that is *missing*, and
that someone needs to think it over and write it, and that it might
be a more complicated task and probably not a one-line fix (and thus
it would probably be left to upstream to fix it, as the Debian maintainer in
most cases won't be fixing it h[im/er]self unless upstream is dead
and someone else provides a verified good patch). It also indicates
it might be due to design decisions, like here.

I do agree completely with you that the package should strongly indicate
in its docs and description about its TLS deficiencies. If someone
would write such a documentation patch, perhaps it might have a
chance to be included. 

[ As a side note, even with certificate checking in place there are a
lot of problems in today's "zillion untrusted CAs which we trust
anyway" security model, and even more so if you move from web
world (where clients try to be secure, and even people might
sometimes check basic credentials) to unattended MTA world where
almost nobody does, and vast majority of MTAs will simply by 
default silently downgrade to plaintext if they think anything 
might be problematic with TLS support etc. ]


-- 
Opinions above are GNU-copylefted.



Bug#662960: ssmtp doesn't validate server TLS certificates

2019-03-05 Thread Celejar
On Tue, 5 Mar 2019 23:26:58 +0100
Matija Nalis wrote:

> Hi Celejar,
> 
> you have raised severity to "serious" on ssmtp Debian package 
> in bug #662960, which is reserved for "Serious policy violations" as
> described at https://www.debian.org/Bugs/Developer#severities
> 
> It is customary to indicate exactly which section of Debian policy
> Manual (at https://www.debian.org/doc/debian-policy/) the bug
> breaks when setting "serious" severity.

I concede that I was probably mistaken in raising the severity to
"serious". I was probably just so aggravated at the package promising
TLS support but silently failing to perform certificate validation
that I conflated the normal English meaning of "serious" with its
technical meaning in this context ;)

> While I do agree that limitations of TLS implementation should be
> prominently noted in package documentation and even description, I do
> not think that even completely non-existent TLS support qualifies for
> more than "important" severity (and more likely "normal" or
> "wishlist").

I do stand by my position that this is at least an "important" bug. I
agree that non-existent TLS support would be merely "wishlist" priority
- but not if the package assured the user that it was providing TLS but
silently failed to do so!

Another email in this report argues:

> Given its purpose - "extremely simple MTA [...]" - should this issue
> really be considered "serious" (and Release Critical) ?

Again, while I concede that this may not technically be RC, pointing
to the software's self-description as an "extremely simple MTA [...]"
misses the point: I have no problem with insecure software (I'm not
filing any bugs against telnet ;)), only with software that assures the
user of a certain level of security but does not provide it.

> Unless someone objects with specific Debian policy section that this
> package runs afoul, I'm going to revert its severity back to wishlist. 

Thank you for your work on Debian, and I apologize for my initial error.

Celejar



Bug#662960: ssmtp doesn't validate server TLS certificates

2019-03-05 Thread Matija Nalis


Hi Celejar,

you have raised severity to "serious" on ssmtp Debian package 
in bug #662960, which is reserved for "Serious policy violations" as
described at https://www.debian.org/Bugs/Developer#severities

It is customary to indicate exactly which section of Debian policy
Manual (at https://www.debian.org/doc/debian-policy/) the bug
breaks when setting "serious" severity.

While I do agree that limitations of TLS implementation should be
prominently noted in package documentation and even description, I do
not think that even completely non-existent TLS support qualifies for
more than "important" severity (and more likely "normal" or
"wishlist").

Unless someone objects with specific Debian policy section that this
package runs afoul, I'm going to revert its severity back to wishlist. 


-- 
Opinions above are GNU-copylefted.



Bug#662960: ssmtp doesn't validate server TLS certificates

2019-01-10 Thread Cédric Dufour - Idiap Research Institute
On 09/01/2019 16:44, Simon Deziel wrote:
> On 2019-01-09 10:23 a.m., Cédric Dufour - Idiap Research Institute wrote:
> ssmtp seems like abandonware. Have you tried msmtp(-mta)? It works in a
> similar way, is well supported and does the right thing when you want TLS.

Indeed. msmtp-mta works like a charm (just tested in Buster). Thanks for the 
tip.
(I liked the extreme lightweight of ssmtp but so be it)

PS: one might also look at esmtp(-run)



Bug#662960: ssmtp doesn't validate server TLS certificates

2019-01-09 Thread Simon Deziel
On 2019-01-09 10:23 a.m., Cédric Dufour - Idiap Research Institute wrote:
> PS: ssmtp is extremely handy to forward machine-generated messages in large 
> deployments, internally, iow. where TLS is not required

ssmtp seems like abandonware. Have you tried msmtp(-mta)? It works in a
similar way, is well supported and does the right thing when you want TLS.

Regards,
Simon



Bug#662960: ssmtp doesn't validate server TLS certificates

2019-01-09 Thread Cédric Dufour - Idiap Research Institute
Any chance of seeing this issue addressed or its severity lowered, so we can have 
the package in Buster ?

Given its purpose - "extremely simple MTA [...]" - should this issue really be 
considered "serious" (and Release Critical) ?

PS: ssmtp is extremely handy to forward machine-generated messages in large 
deployments, internally, iow. where TLS is not required