-smtp-require-tls ignored when specifying authentication and password file

[AAAlvesJr]

I am not sure if it is a bug, or a feature, but as I have understood the documentation, it should be possible to activate SSL/TLS and also specify a password file to enable logins on smtp.

I am getting the situation below :

$  ./mailpit --smtp-tls-cert cert.pem --smtp-tls-key key.pem  --smtp-require-tls  --smtp-auth-file passwdfile  --smtp-require-tls
INFO[2025/02/17 21:44:49] [smtpd] enabling login authentication        
INFO[2025/02/17 21:44:49] [smtpd] starting on [::]:1025 (STARTTLS required) 
INFO[2025/02/17 21:44:49] [http] starting on [::]:8025                 
INFO[2025/02/17 21:44:49] [http] accessible via http://localhost:8025/ 

Mailpit runs with (STARTTLS required).

However, when I remove --smtp-auth-file passwdfile, I get the situation below:

$  ./mailpit --smtp-tls-cert cert.pem --smtp-tls-key key.pem --smtp-require-tls
INFO[2025/02/17 21:54:16] [smtpd] starting on [::]:1025 (SSL/TLS required) 
INFO[2025/02/17 21:54:16] [http] starting on [::]:8025                 
INFO[2025/02/17 21:54:16] [http] accessible via http://localhost:8025/ 

I am running the latest release v1.22.3 on linux 64bits.

Am I doing something wrong? How to get SSL/TLS and authentication ?

[axllent]

You may have discovered a bug, but I'll need to get back to you on this in the next day or two as I have been very busy with other commitments, sorry.

[axllent]

I actually believe this is just an error in the Mailpit server output, and not and error in the implementation itself. From what I can tell --smtp-require-tls enforces TLS correctly.

Can you please confirm for me whether you're actually having issues with TLS & authentication, ignoring what Mailpit it telling you while running?

[AAAlvesJr]

Hello, thanks for the prompt reaction.

Indeed, good point this one you raised. I have no issues in my application, which REQUIRES TLS to send emails.
Maybe it is just what you said, a minor issue with the logging.

Is there a more direct and specific way to assert this?
Please, let me know.
Cheers

[axllent]

Most email applications actually automatically go straight to TLS when set to STARTTLS. They are basically the exact same thing, except that STARTTLS is designed to respond to unencrypted SMTP commands until the authentication part (from which point everything must be over TLS). When a server is running with TLS it will just close the connection if your try send anything unencrypted.

Connecting with telnet to STARTTLS:

telnet localhost 1025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 grunty Mailpit ESMTP Service ready
ehlo example.com         
250-grunty greets example.com
250-SIZE 0
250-STARTTLS
250-AUTH LOGIN PLAIN
250 ENHANCEDSTATUSCODES
...

Connecting with telnet to TLS:

telnet localhost 1025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ehlo example.com
Connection closed by foreign host.

There's definitely the correct responses from Mailpit, and I found the issue that caused it to return the wrong information in the log.

I have pushed a fix for this into the develop branch, however given that it's not actually a functionality bug but rather a cosmetic error, I won't release a new version until I have more to add. This will definitely be included in the next release, and in the meantime please just ignore the output. Thanks for your input.