Incoming mail feature use the trusted certificates
Description
After many attempts to configure IMAP, I finally discovered my problem (thanks to @markglenfletcher for the Ruby code).
Our email server has a self-signed certificate, and I put it in /etc/gitlab/ssl/trusted-certs/receive_mail.pem.
But the server does not validate the certificate:
```ruby
config_path = Rails.root.join('config', 'mail_room.yml')
config_file = YAML.load(ERB.new(File.read(config_path)).result)
config = config_file[:mailboxes].first
imap = Net::IMAP.new(config[:host], port: config[:port], ssl: config[:ssl])
# Triggered error
# OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
# from /opt/gitlab/embedded/lib/ruby/2.3.0/net/imap.rb:1492:in `connect'
# from /opt/gitlab/embedded/lib/ruby/2.3.0/net/imap.rb:1492:in `start_tls_session'
# from /opt/gitlab/embedded/lib/ruby/2.3.0/net/imap.rb:1085:in `initialize'
# from (irb):10:in `new'
# from (irb):10
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/console.rb:110:in `start'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/console.rb:9:in `start'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/commands_tasks.rb:68:in `console'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/commands_tasks.rb:39:in `run_command!'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands.rb:17:in `<top (required)>'
# from bin/rails:9:in `require'
# from bin/rails:9:in `<main>'
```
But when I skip the certificate check, everything works fine:
```ruby
config_path = Rails.root.join('config', 'mail_room.yml')
config_file = YAML.load(ERB.new(File.read(config_path)).result)
config = config_file[:mailboxes].first
# VERIFY_NONE turns off certificate verification for this connection
imap = Net::IMAP.new(config[:host], port: config[:port], :ssl => { :verify_mode => OpenSSL::SSL::VERIFY_NONE })
imap.starttls if config[:start_tls]
imap.login(config[:email], config[:password])
```
Environment
- CentOS Linux release 7.2.1511 (Core)
- Gitlab 8.15.4
Proposal
Implement Net::IMAP so that it receives the certificates allowed in the trusted certificates folder.
Links / references
gitlab-ce#23560
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/tasks/gitlab/check.rake#L724
http://www.redmine.org/boards/1/topics/33669
http://ruby-doc.org/stdlib-1.9.3/libdoc/net/imap/rdoc/Net/IMAP.html
https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/ch02s07s02.html
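An added example, not part of the original issue or of GitLab's code: one way to hand Net::IMAP the certificates from the trusted folder while keeping verification on, by building an `OpenSSL::X509::Store` and passing it in the `ssl:` hash. The helper names, the one-certificate-per-`*.pem`/`*.crt` layout of the directory and the throwaway sample certificate are assumptions.

```ruby
require 'openssl'
require 'tmpdir'

# Build a verification store from the system CAs plus every PEM file in
# trusted_dir (assumed layout: one certificate per *.pem / *.crt file).
def build_trusted_store(trusted_dir, include_system: true)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if include_system
  Dir.glob(File.join(trusted_dir, '*.{pem,crt}')).sort.each do |path|
    begin
      store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
    rescue OpenSSL::X509::CertificateError, OpenSSL::X509::StoreError => e
      warn "skipping #{path}: #{e.message}" # unparsable or duplicate entry
    end
  end
  store
end

# Hash for the ssl: argument of Net::IMAP.new; verification stays enabled.
# e.g. Net::IMAP.new(config[:host], port: config[:port],
#                    ssl: imap_ssl_options('/etc/gitlab/ssl/trusted-certs'))
def imap_ssl_options(trusted_dir)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER,
    cert_store: build_trusted_store(trusted_dir) }
end

# Constructed sample: a throwaway self-signed certificate standing in for
# the mail server's certificate.
def sample_self_signed_cert(cn = 'mail.example.test')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    cert = sample_self_signed_cert
    File.write(File.join(dir, 'receive_mail.pem'), cert.to_pem)
    puts build_trusted_store(dir, include_system: false).verify(cert) # trusted
    puts OpenSSL::X509::Store.new.verify(cert) # empty store: rejected
  end
end
```

With verification on, Net::IMAP also checks that the certificate matches the host name it connects to, so the self-signed certificate must carry the server's name.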