- Affected version: 2.3.3
With XenForo < 2.3 it was possible to configure an SMTP server as
- Plaintext
- TLS (=STARTTLS, e.g. initial plaintext connection that is switched to TLS after STARTTLS command)
- SSL (=implicit TLS, e.g. the entire connection is TLS)
With XenForo 2.3 the configuration options have been changed to
Right now it is only possible to enable the checkbox Use SSL/TLS, which implicitly uses TLS, or leave it disabled, which will use STARTTLS if supported by the server or plaintext if not.
So if I am right this somewhat opens up a vector for a man-in-the-middle attack:
If the server supports STARTTLS, the checkbox is left unchecked (assuming that STARTTLS is used automatically as suggested by the explanation text) and an attacker can somehow redirect the communication to a different server that does not support STARTTLS, XenForo will use that server without errors.
This is a regression from 2.2 which would produce errors (and not send email data) in such a scenario.
Ideally it should be possible to force STARTTLS, though that doesn't seem to be supported by Symfony Mailer natively (yet).
[Mailer] Option to enforce STARTTLS · Issue #48297 · symfony/symfony
Description // https://github.com/symfony/mailer/blob/6.1/Transport/Smtp/EsmtpTransport.php#L136 if (!$stream->isTLS() && \defined('OPENSSL_VERSION_NUMBER') && \array_key_exists('STARTTLS', $this->...
At least the wording IMHO should be refined to avoid confusion and make it clear that implicit TLS is recommended:
SSL/TLS is distinct from STARTTLS. STARTTLS will be used automatically if this setting is disabled and the mail server supports it; it will not be used if this setting is enabled. Enabling this setting is recommended to ensure transport encryption. The openssl PHP extension is required to use STARTTLS or SSL/TLS.
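
Added example (not part of the original post, and not XenForo or Symfony Mailer code): a small Python model of the decision described above, showing how an EHLO reply without STARTTLS leads to plaintext under opportunistic handling and to a hard failure when STARTTLS is required. The function names, the `require_starttls` switch and the sample EHLO replies are assumptions constructed for illustration.

```python
class TlsRequiredError(Exception):
    """STARTTLS was required but the server did not advertise it."""


def parse_ehlo(reply):
    """Return the upper-cased extension keywords of a multi-line 250 EHLO reply."""
    keywords = set()
    for i, line in enumerate(reply.strip().splitlines()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        if i > 0 and rest.strip():  # line 0 is the server greeting, not an extension
            keywords.add(rest.split()[0].upper())
    return keywords


def choose_transport(ehlo_reply, implicit_tls, require_starttls=False):
    """Decide how the SMTP session continues.

    implicit_tls     models the "Use SSL/TLS" checkbox (TLS from the first byte).
    require_starttls is a hypothetical "force STARTTLS" switch, as requested in the post.
    """
    if implicit_tls:
        return "implicit-tls"  # STARTTLS is never consulted in this mode
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    if require_starttls:
        # Fail closed: no mail data is sent over an unencrypted channel.
        raise TlsRequiredError("server did not advertise STARTTLS; refusing to send")
    return "plaintext"  # silent downgrade when the checkbox is left unchecked


# Constructed sample replies: the intended server, and one that lacks STARTTLS.
GENUINE = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
REDIRECTED = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE), ("redirected", REDIRECTED)):
        print(name, "opportunistic ->", choose_transport(reply, implicit_tls=False))
        try:
            print(name, "required ->", choose_transport(reply, False, require_starttls=True))
        except TlsRequiredError as exc:
            print(name, "required -> error:", exc)
```
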