@peterhashair opened this Pull Request on November 24th 2022 Contributor

Description:

Fixes: #18563
add allow self singed in mail setting

Review

@sgiehl commented on November 28th 2022 Member

@peterhashair Weren't @mattab's requirements defined in https://github.com/matomo-org/matomo/issues/18563#issuecomment-1312830954 clear enough? Wondering why you implemented only one ini setting instead of the three settings he requested 🤔

@Findus23 commented on November 28th 2022 Member

I would also change the wording of the setting. allow_self_signed implies this allows an additional mode of operation and something that has a limited impact of security (it feels like "only one more thing to support").
But what the setting in fact does is completely remove all TLS verification, allowing anyone in-between Matomo and the mail server to intercept, read and modify e-mails without any issues. (and the fact this also makes self signed certs work is just a side-effect)
So the setting should make it clear that this has strong security implications and should only be set if the person exactly understands what it means and that it is fine in their environment (e.g. the mail server is on localhost)

@peterhashair commented on November 28th 2022 Contributor

@sgiehl ops update it.

Powered by GitHub Issue Mirror