I wanted to set up a simple SMTP server for a very small application. Everything worked fine when I tested it on my Linux machine. However, it does not work properly when I package my application and deploy it as a pod in a K8S cluster.
My machine details: python version - 3.8, OS - Ubuntu 20.04
My Pod details: python version - 3.10, OS - rocky linux 8
Output of postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
cyrus_sasl_config_path = /etc/postfix/sasl
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost.$mydomain
mydomain = abc.com
myhostname = 192-168-168-100
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.168.100
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/abc/certificates/new/my-ca-cert.pem
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
SMTP Context is
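# CA bundle (PEM) handed to load_verify_locations(); a falsy value means no
# TLS context is built at all.
ca_cert = "/etc/abc/certificates/new/my-ca-cert.pem"


class SMTPSSLContext:
    """Process-wide singleton that owns the client-side TLS context for SMTP.

    The first successful ``SMTPSSLContext()`` call builds the context and
    caches the instance on the class; later calls return that same instance.
    When ``ca_cert`` is falsy no context is built and
    ``get_smtp_ssl_context()`` returns ``None``.

    Raises:
        Exception: whatever ``create_default_context()`` or
            ``load_verify_locations()`` raises, e.g. when the CA file is
            missing or unreadable. Nothing is cached in that case, so the
            next call retries instead of handing back an instance whose
            context is ``None``.
    """

    _instance = None
    # Class-level default so the attribute exists even when construction failed.
    _smtp_ssl_context = None

    def __new__(cls):
        if cls._instance is None:
            instance = super().__new__(cls)
            context = None
            if ca_cert:
                # create_default_context() enforces chain validation
                # (CERT_REQUIRED) and loads the system trust store; the CA in
                # ca_cert is added on top of those roots, it does not replace
                # them.
                context = create_default_context()
                context.load_verify_locations(cafile=ca_cert)
                # NOTE(security): with hostname checking off, any certificate
                # that chains to a trusted root is accepted regardless of the
                # name it was issued for. Prefer issuing the server a
                # certificate whose subjectAltName matches the name clients
                # connect to and leaving check_hostname at its default (True).
                context.check_hostname = False
                print("Successfully created SMTP SSL context")
            # Publish only after every step succeeded. Caching the instance
            # before the context is built would let a failed first call leave
            # behind a singleton with context None, which a caller may read as
            # "TLS not configured" and fall back to cleartext.
            cls._smtp_ssl_context = context
            cls._instance = instance
        return cls._instance

    def get_smtp_ssl_context(self):
        """Return the cached ``ssl.SSLContext``, or ``None`` if none was built."""
        return self._smtp_ssl_context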
Send Email is
def send_email(self, from_id: str, to_id: str, message: MIMEMultipart):
    """Send ``message`` from ``from_id`` to ``to_id`` through the configured SMTP server.

    Connects to ``smtp_server``:``port``, upgrades the session with STARTTLS
    when ``self.smtp_ssl_context`` is truthy, logs in when both ``username``
    and ``password`` are set, then submits the message. Those four names are
    not defined in this method; presumably module-level settings (confirm).

    Any exception from ``smtplib`` or the TLS handshake propagates unchanged.

    NOTE(review): when ``self.smtp_ssl_context`` is falsy the STARTTLS step is
    skipped but ``login()`` still runs, so the credentials and the message
    travel over the unencrypted connection. Consider refusing to authenticate
    unless the session has been upgraded.
    """
    with smtplib.SMTP(smtp_server, port) as client:
        tls_context = self.smtp_ssl_context
        if tls_context:
            print('-------- SSL Context is Available --------------')
            # Certificate verification happens here, using the rules of the
            # supplied context.
            client.starttls(context=tls_context)
        if username and password:
            client.login(user=username, password=password)
        payload = message.as_string()
        client.sendmail(from_addr=from_id, to_addrs=to_id, msg=payload)
When this code is executed from the pod, I get the following error:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)
Note: This error goes away if I change the values of smtpd_tls_cert_file and smtpd_tls_key_file to my own certificates in the Postfix main.cf.
My questions are:
- Why is the behaviour of the SSL handshake different between a local VM and the pod?
- When I do not want TLS only authentication, why should I specify smtpd_tls_cert_file and smtpd_tls_key_file?