
[FR] Add config option to skip cert validation/verification for SMTP

Open rahilarious opened this issue 2 years ago • 3 comments

What did you do? I have an SMTP server with an invalid cert (accessing via a different IP than where the domain points to).

What did you expect to see? A configuration option like insecure_skip_verify in tls_config, but for SMTP, which allows me to use a self-signed/invalid certificate for SMTP.

Environment

  • System information:

    Linux 6.6.14-200.fc39.x86_64 x86_64

  • Alertmanager version:

    alertmanager, version 0.26.0 (branch: HEAD, revision: d7b4f0c7322e7151d6e3b1e31cbc15361e295d8d) build user: root@df8d7debeef4 build date: 20230824-11:11:58 go version: go1.20.7 platform: linux/amd64 tags: netgo

  • Prometheus version:

    prometheus, version 2.49.1 (branch: HEAD, revision: 43e14844a33b65e2a396e3944272af8b3a494071) build user: root@6d5f4c649d25 build date: 20240115-16:58:43 go version: go1.21.6 platform: linux/amd64 tags: netgo,builtinassets,stringlabels

  • Alertmanager configuration file:

---
global:
  smtp_from: '[email protected]'
  # smtp_smarthost: 'mail.blabla.com:465'
  smtp_smarthost: '10.0.0.1:465'
  smtp_auth_username: '[email protected]'
  smtp_auth_password: 'randompasss'
  smtp_require_tls: false
  # http_config:
  #   tls_config:
  #     insecure_skip_verify: true
  
receivers:
  - name: myreceiver
    email_configs:
      - to: '[email protected]'
route:
  group_by: ['...']
  receiver: myreceiver
...

  • Logs:

Feb 06 12:47:16 myhost alertmanager[2900]: ts=2024-02-06T07:17:16.900Z caller=notify.go:745 level=warn component=dispatcher receiver=myreceiver integration=email[0] aggrGroup="{}:{alertname=\"loadavg5\", instance=\"10.0.0.1:9100\", job=\"node\"}" msg="Notify attempt failed, will retry later" attempts=1 err="establish TLS connection to server: tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.1 because it doesn't contain any IP SANs"

rahilarious Feb 06 '24 07:02

I have an SMTP server with an invalid cert (accessing via a different IP than where the domain points to).

For example, the certificate is for mail.blabla.com, which resolves to 122.34.56.78, and one wants to access it via the local IP 192.168.1.5. But accessing it locally will say the certificate is invalid. There needs to be an option to skip that verification.

As a workaround, I added a DNS record to the hosts file in my container (docker/podman) with the switch --add-host mail.blabla.com:192.168.1.5. You can also do it in Kubernetes/podman pods with hostAliases. This solves it.

rahilarious Feb 06 '24 13:02

You can already use:

receivers:
  - name: myreceiver
    email_configs:
      - to: '[email protected]'
        tls_config:
          insecure_skip_verify: true

... but this is per-receiver. An option is needed for global SMTP tls_config.

sathieu Feb 22 '24 13:02

I created #3732, with:

global:
  smtp_from: '[email protected]'
  # smtp_smarthost: 'mail.blabla.com:465'
  smtp_smarthost: '10.0.0.1:465'
  smtp_auth_username: '[email protected]'
  smtp_auth_password: 'randompasss'
  smtp_require_tls: false
  smtp_tls_config:
    insecure_skip_verify: true
  
receivers:
  - name: myreceiver
    email_configs:
      - to: '[email protected]'

sathieu Feb 22 '24 14:02

Independent of the pending improvement for global SMTP TLS config, I think there is nothing to do here. So please consider closing, @rahilarious.

TheMeier Mar 10 '24 11:03

Also, instead of disabling tls_verify, I would encourage you to use ca_file.

TheMeier Mar 10 '24 11:03