Certificate verification error when connecting from Go

[muety]

When attempting to send mail from a Go application via an smtp4dev instance that runs with a self-signed certificate, I'm getting the following error:

tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead

There used to be a flag that you could set to instruct Go to ignore this error (see here), but apparently it has been removed after Go 1.17.

Minimal code example:

package main

import (
	"fmt"
	"net/smtp"
	"os"
)

func main() {
	auth := smtp.PlainAuth("", "admin", "admin", "localhost.localdomain")
	err := smtp.SendMail("localhost.localdomain:2525", auth, "[email protected]", []string{ "[email protected]" }, []byte("Just a test"))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
}

[muety]

Would love to get this fixed! It's pretty much a deal breaker for me right now.

@rnwood Is the project still being maintained? I see only very few commits recently and a lot of open PRs 🤔

[rnwood]

Yes this project still has some maintenance, but only as my interest comes and goes. There is some automation to reduce the effort that is used on the important job of keeping dependencies up to date, and that's mostly what you've seen in the pending PRs. PRs and other community involvement is welcome. For this issue, I will investigate it shortly as looks like the common practice with certs has moved on. Go is ahead of the curve on enforcing it, but likely other will or do.

…

________________________________ From: Ferdinand Mütsch ***@***.***> Sent: Monday, January 20, 2025 10:39:54 AM To: rnwood/smtp4dev ***@***.***> Cc: Rob Wood ***@***.***>; Mention ***@***.***> Subject: Re: [rnwood/smtp4dev] Certificate verification error when connecting from Go (Issue #1610) Would love to get this fixed! It's pretty much a deal breaker for me right now. @rnwood<https://github.com/rnwood> Is the project still being maintained? I see only very few commits recently and a lot of open PRs 🤔 — Reply to this email directly, view it on GitHub<#1610 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAKEGF7OBEWSM3JUGKQHPLT2LTG7VAVCNFSM6AAAAABTUX66H6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBSGA2TKOBWHA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[rnwood]

This issue should be resolved in the latest pre release builds. Please let me know if this is not the case with your use case.

Thanks
Rob

[muety]

Wow, thanks a lot for fixing this! Seems to first at first glance. I'm still getting a certificate validation error due to using a self-signed cert:

tls: failed to verify certificate: x509: certificate signed by unknown authority

But I presume that can be worked around by configuring the client to trust it anyway (specifically for Go, see here).