fix: smtp running tls 1.0 with STARTTLS on 2555 and with SSL on 2455

Author: titanism

ansible/playbooks/smtp.yml

@@ -79,10 +79,17 @@
         rule: allow
         port: 2465
         proto: tcp
-    - name: Allow port 2355
+    # tls 1.0 with SSL
+    - name: Allow port 2455
       ufw:
         rule: allow
-        port: 2355
+        port: 2455
+        proto: tcp
+    # tls 1.0 with STARTTLS
+    - name: Allow port 2555
+      ufw:
+        rule: allow
+        port: 2555
         proto: tcp
     - name: Allow http
       ufw:

ecosystem-smtp.json

@@ -85,7 +85,23 @@
       }
     },
     {
-      "name": "smtp-tls-2355",
+      "name": "smtp-tls-2455",
+      "script": "smtp.js",
+      "max_restarts": 999,
+      "max_memory_restart": "8G",
+      "exec_mode": "fork",
+      "wait_ready": true,
+      "instances": "1",
+      "pmx": false,
+      "node_args": "--tls-min-v1.0",
+      "env_production": {
+        "NODE_ENV": "production",
+        "SMTP_PORT": 2555,
+        "SMTP_TLS_MIN_VERSION": "TLSv1"
+      }
+    },
+    {
+      "name": "smtp-ssl-2555",
       "script": "smtp.js",
       "max_restarts": 999,
       "max_memory_restart": "8G",

smtp-server.js

@@ -39,7 +39,7 @@ class SMTP {
     options = {},
     secure = env.SMTP_PORT === 465 ||
       env.SMTP_PORT === 2465 ||
-      env.SMTP_PORT === 2355
+      env.SMTP_PORT === 2455
   ) {
     this.client = options.client;
 
@@ -97,34 +97,35 @@ class SMTP {
       needsUpgrade: secure,
       authMethods: ['PLAIN', 'LOGIN'], // XOAUTH2, CRAM-MD5
 
-      // TLS version control
-      ...(env.SMTP_TLS_MIN_VERSION
-        ? {
-            minVersion: env.SMTP_TLS_MIN_VERSION
-          }
-        : {}),
-      ...(env.SMTP_TLS_MAX_VERSION
-        ? {
-            maxVersion: env.SMTP_TLS_MAX_VERSION
-          }
-        : {}),
-
-      // just in case smtp-server changes default and patch semver bump (unlikely but safeguard)
+      // just in case smtp-server changes default and patch semver bump (unlikely but safeguard )
       allowInsecureAuth:
         config.env === 'production' ? false : env.SMTP_ALLOW_INSECURE_AUTH,
       authOptional: false,
 
       // <https://github.com/nodemailer/wildduck/issues/563>
       // hide8BITMIME: true,
 
-      // keys
+      // keys and TLS options together
       ...(config.env === 'production'
         ? {
             key: fs.readFileSync(env.WEB_SSL_KEY_PATH),
             cert: fs.readFileSync(env.WEB_SSL_CERT_PATH),
-            ca: fs.readFileSync(env.WEB_SSL_CA_PATH)
+            ca: fs.readFileSync(env.WEB_SSL_CA_PATH),
+            ...(env.SMTP_TLS_MIN_VERSION
+              ? { minVersion: env.SMTP_TLS_MIN_VERSION }
+              : {}),
+            ...(env.SMTP_TLS_MAX_VERSION
+              ? { maxVersion: env.SMTP_TLS_MAX_VERSION }
+              : {})
           }
-        : {})
+        : {
+            ...(env.SMTP_TLS_MIN_VERSION
+              ? { minVersion: env.SMTP_TLS_MIN_VERSION }
+              : {}),
+            ...(env.SMTP_TLS_MAX_VERSION
+              ? { maxVersion: env.SMTP_TLS_MAX_VERSION }
+              : {})
+          })
     });
 
     // override logger