SMTP_SSL Environment option in Backend required.

[LectomT]

I plan to use abc-user-feedback based on private subnet. I easily ran it based on the Dockerhub image, but blocked by a 500 error while request code to verify an email.

Initially, with SMTP_USE=false setting, logs were generated showing failed connection attempts to 127.0.0.1:25.

After setting up SMTP and Google email server, a 530 Authorization required (#5.7.1) error occurred, and we confirmed this is a STARTTLS-related error.

Therefore, we tried to set it up using variables like SMTP_SSL, but we couldn't find the relevant variables.
We're curious if there's a way to create an account without email verification, or to connect by fixing SMTP_SSL to TLS or STARTTLS.

Thank you.

[jihun]

@LectomT

Hello, thank you for your interest in our open source project.

As you mentioned, there seem to be two potential solutions for the issue you've asked.

1. Allowing account creation without email verification: This method is not currently supported and would require policy review and development. Therefore, if it is to be implemented, it may take some time.

2. Providing an SMTP_SSL option: This seems to involve offering an SMTP_SSL option when our server is booting up, allowing the SMTP server to send emails securely. This is related to the following code.

Reference code: https://github.com/line/abc-user-feedback/blob/main/apps/api/src/configs/modules/mailer-config/mailer-config.module.ts#L39

Please confirm if the above information is correct.

Also, Please let me know if you need further request.

Thank you.

[LectomT]

@jihun

Hello, Thank you for your reply.

I see the account creation policy, but I wonder why SMTP_USE option is there?

For the sending email security, the reference (https://github.com/line/abc-user-feedback/blob/main/apps/api/src/configs/modules/mailer-config/mailer-config.module.ts#L34) shows

the current security protocol is set to SSLv3.

But Google does not support SSLv3 (ref: https://support.google.com/a/answer/9795993)

So, Could you consider updating the connection security to support higher-level security ciphers?

I think SMTP_SSL option can set the connection security level is the best.

Thank you for your attention to this matter.

My best.

[jihun]

@LectomT

Hello,

As you mentioned, SMTP_USE is configurable but it is an option that is not used internally. There is a history in the product development process, and it can be considered a kind of legacy. It seems that a cleanup of related environment variables is needed, and this is also related to the policy issue mentioned earlier, so it will likely be addressed later.

As you mentioned, since Google's SMTP service does not support SSLv3, we intend to raise the default security level to a higher security level (TLSv1.2). Additionally, we plan to add the following two options, which might be necessary:

1. SMTP_CIPHER_SPEC: Indicates the security level and is injected into the ciphers setting.
2. SMTP_OPPORTUNISTIC_TLS: Injected into the opportunisticTLS setting to use STARTTLS.

Please let us know if you have any additional comments.

Thank you.