Re: [Django] #35653: Support EMAIL_SSL_CERTFILE for private certificate authority

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: New feature | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Comment (by Mike Edmunds):

(Also, since the docs for EMAIL_SSL_CERTIFICATE already say "certificate
chain file," it seems reasonable to expect that could be a private CA
bundle. Which would make this a bug.)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+------------------------------------

Reporter: dkaylor | Owner: (none)
Type: New feature | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:

Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+------------------------------------

Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:8>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority

-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned

Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

-----------------------------+-----------------------------------------
Changes (by Igor Scheller):

* has_patch: 0 => 1
* owner: (none) => Igor Scheller
* status: new => assigned

Comment:

I added a [https://github.com/django/django/pull/18456 PR] to implement it
as an additional feature (altho changing the current behaviour might be an
option too)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:9>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:10>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Comment (by Igor Scheller):

As noted in the PR discussion, adding another option should be avoided in
favour of the upcoming EMAIL_PROVIDERS setting, discussed in #35514.
The PR now reflects that change by allowing the setting to be set in the
con structor and later from above providers config.
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:11>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Comment (by Mike Edmunds):

This seems like a useful addition, given that:
- Internal private CAs are not all that exotic.
- Django's current documentation seems to suggest that
EMAIL_SSL_CERTIFICATE can be set to a private CA bundle, but this doesn't
actually work.
- Although the problem can be solved by subclassing smtp.EmailBackend to
override ssl_context, that seems to be error prone. A lot of high-ranking
solutions disable certificate checking entirely or introduce other
security issues. (Another common recommendation is downgrading to Django
4.1.)

Question: am I understanding correctly that the proposed `ssl_cafile`
option would also work to securely verify self-signed certs? (That seems
like another semi-common Django email question that generates a lot of
less-secure answers.)
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:12>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Comment (by Igor Scheller):

Yes, it allows you to add a
[https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
root-CA certificate] / bundle of certificates which is used as the trust
anchor, it can either be your own self-signed one or the one your
organisation set up as a private CA.
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:13>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Changes (by Jacob Walls):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:14>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:15>

[Django]

#35653: Support EMAIL_SSL_CERTFILE for private certificate authority
-----------------------------+-----------------------------------------
Reporter: dkaylor | Owner: Igor Scheller
Type: New feature | Status: assigned
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-----------------------------+-----------------------------------------

Comment (by Mike Edmunds):

Since the last activity on this ticket:

* We've documented how to use self-signed certs and private CAs with
Django's SMTP EmailBackend by updating the system CA bundle. (Added in
[https://docs.djangoproject.com/en/5.1/ref/settings/#email-ssl-
certfile:~:text=EMAIL_SSL_CERTFILE%20should%20not,SSLContext.load_verify_locations().
Django 5.1 settings docs], expanded into its own
[https://docs.djangoproject.com/en/6.1/topics/email/#private-and-self-
signed-smtp-server-certificates section in 6.1].)
* We've implemented dictionary-based `MAILERS` configuration, which allows
adding new EmailBackend options without needing new top-level settings.
* There's been some helpful discussion in the PR about why modifying the
system CA bundle is not always possible or desirable and an SMTP
EmailBackend option makes sense.
(https://github.com/django/django/pull/18456#issuecomment-2604487356 et
seq.).

I think a reasonable next step would be updating the open PR for the
Django 6.2dev codebase (taking advantage of `MAILERS` OPTIONS). Or if
there's still controversy over this, bouncing it to the new-features
process and consolidating all of the pros and cons there.
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:16>