MC9000
  •  MC9000
  • 60.2% (Friendly)
  • YAF Camper Topic Starter
2013-11-21T06:41:59Z
SSL SMTP email does not appear to be working.
The SMTP server (located at a colocation center) only uses port 465 (it does not use port 25 for security reasons - so I can't verify).
Here is my mail.config (domain and passwords replaced by x's)

<smtp deliveryMethod="Network" from="forum@xxxxxx.com">
  <network host="mail.xxxxxx.net" port="465" password="xxxxxxxx" userName="forum1@xxxxxx.com" />
</smtp>

The app.config key:
<add key="YAF.UseSMTPSSL" value="true" />

Is YAF.Net not compatible with SSL Port 465?
It works fine from Outlook.
squirrel
2013-11-21T06:55:53Z
When applying configuration changes to db.config, app.config or mail.config, the YAF application must be restarted before the changes will take effect. Once restarted, you can use the PM feature - sending yourself a PM will test if notifications work (if PM notifications are on), or you can use the install script to test email settings as well.
If you can't find it using the forum search, try my signature link -- searches this site using Google: Google is my Friend 
MC9000
2013-11-21T09:19:37Z
Is there a way to test this? I tried to test using the Install folder after re-booting the server. Test still fails. I tried the PM (Private Message?) from the admin inbox, but it was instantaneous (so I don't think it's actually going to the mail server).
I tried creating a new user to do a real email test, but I get an error (I'll post that error to another question later).
squirrel
2013-11-21T10:15:49Z
Originally Posted by: MC9000 

Is there a way to test this? I tried to test using the Install folder after re-booting the server. Test still fails. I tried the PM (Private Message?) from the admin inbox, but it was instantaneous (so I don't think it's actually going to the mail server).
I tried creating a new user to do a real email test, but I get an error (I'll post that error to another question later).



What error do you get when test fails?

squirrel
2013-11-21T10:19:36Z
What YAF version?

MC9000
2013-11-21T19:36:21Z
Failed to connect:

Failure sending mail.


YAF.NET Version: 2.0.0
SQL Server Version: Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) Jun 17 2011 00:54:03 Copyright (c) Microsoft Corporation Developer Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
Operating System: Microsoft Windows NT 6.2.9200.0
.NET Runtime Version: .NET 4.0.30319.18051
Processor Cores: 6
Application memory: 210 MB of 329 MB
MC9000
2013-11-21T19:38:20Z
I think I figured it out, just need to rewrite the code to accept self signed SSL Certs.
squirrel
2013-11-21T23:23:31Z
Originally Posted by: MC9000 

I think I figured it out, just need to rewrite the code to accept self signed SSL Certs.



Yeah, that's going to be an issue. YAF by design won't operate in an unsecured fashion if items like SSL are enabled. Self-signed certificates are dangerous because they cannot be verified, and as such are disabled at the Microsoft level, not YAF.

Alternatively, rather than modify code, you could look at installing the server's certificate in your store on the webserver as a trusted cert. Then, the cert would be trusted at the server level and should be invisible at the YAF level other than being SSL enabled. This would also protect you during future upgrades from having to make further modifications. (But this still doesn't fix the lack of security being introduced with a self-signed cert vs. one from a trusted authority, especially when certs can be had for 20 dollars.)
squirrel
2013-11-21T23:25:57Z
In addition to the above, enabling YAF to accept self-signed certificates opens you right up for a MITM attack with spoofed/corrupted DNS responses regarding the self-signed server's addressing and how the webserver talks to it. If your site accepts self-signed, and your mail server communications are compromised, then every mail that YAF sends will populate someone else's systems with your members' email addresses at a bare minimum - whatever is obtained from the message text/notification text would be just as valuable depending on what's in the notification...

MC9000
2013-11-22T19:57:09Z
Self-signed certs beat "in-the-clear" for email server access any day.
Using non-SSL (port 25) for email is extremely dangerous and way too easy to hack.

Because we're talking traffic that only goes from web server to email server - a simple hash/IP check can prevent a MITM attack from anyone except the most sophisticated hackers (they would have to create a phony cert with the exact same hash and spoof the IP - extremely difficult to do).

For websites, I always use a 3rd party certificate to keep customers from running away from the site when their browser barks at them.

As far as the uber paranoid are concerned - how much can you trust your 3rd party certificate provider? (GoDaddy and many others already have and will continue to cave in to "authorities" - which, we know we can't trust - and send their keys to them, opening yet another Pandora's box of security).

I'll post code to do such checks here soon.
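
The hash check discussed in this thread, sketched as an added example; it is not code from any poster or from YAF.NET. It pins the mail server's certificate by SHA-256 fingerprint instead of accepting every self-signed certificate. The class name, the placeholder fingerprint and the call site are assumptions, and it checks the hash only, not the IP address.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of YAF.NET): call SmtpCertPin.Install() once at application start.
public static class SmtpCertPin
{
    // Placeholder: SHA-256 of the mail server certificate's DER bytes as hex,
    // recorded out of band (for example, read on the mail server itself).
    private const string PinnedSha256 = "<SHA256-FINGERPRINT-OF-YOUR-MAIL-SERVER-CERT>";

    public static string Fingerprint(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }

    // Matches the RemoteCertificateValidationCallback delegate signature.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal validation are accepted as usual.
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;

        // A pin bypasses chain checks, so enforce the validity period ourselves.
        var c2 = new X509Certificate2(cert);
        if (DateTime.Now < c2.NotBefore || DateTime.Now > c2.NotAfter) return false;

        // Accept a failed chain only for the exact pinned certificate;
        // any other self-signed or untrusted certificate is still rejected.
        return string.Equals(Fingerprint(cert), PinnedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Install()
    {
        // Process-wide: applies to every TLS connection made through ServicePointManager.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

The callback is only consulted during a TLS handshake; the .NET Framework SmtpClient performs that handshake via STARTTLS and its documentation lists implicit SSL on port 465 as unsupported, so confirm which mode the mail server offers. When the server certificate is reissued, the pinned fingerprint has to be updated at the same time.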
