Enhance TLS Security: Enforce Minimum TLS Version for starttls() #13037

Open
5 tasks done
jackzhuo opened this issue Jan 25, 2025 · 0 comments
Labels
💪 enhancement New feature or request

Comments

@jackzhuo

Self Checks

  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
  • [FOR CHINESE USERS] Please submit the issue in English, otherwise it will be closed. Thank you! :)
  • Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

  • Description

The current implementation for SMTP communication using TLS (smtplib.SMTP with starttls()) does not enforce a minimum TLS version. This can potentially expose the application to vulnerabilities if older, insecure TLS versions are negotiated.

  • Code Location

The relevant code snippet is located in /api/libs/smtp.py, lines 22 to 29 of v0.15.2:

    if self.use_tls:
        if self.opportunistic_tls:
            smtp = smtplib.SMTP(self.server, self.port, timeout=10)
            smtp.starttls()  # no context passed: the TLS floor is whatever the interpreter's default allows
        else:
            smtp = smtplib.SMTP_SSL(self.server, self.port, timeout=10)
    else:
        smtp = smtplib.SMTP(self.server, self.port, timeout=10)

  • Proposed Change

To enhance security and follow best practices, we should explicitly set a minimum TLS version when using starttls(). Specifically, we should enforce TLS v1.2 or higher to avoid insecure protocols.

The code should be changed to:

    if self.use_tls:
        if self.opportunistic_tls:
            context = ssl.create_default_context()  # needs `import ssl` at the top of the module
            context.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything below TLS 1.2

            smtp = smtplib.SMTP(self.server, self.port, timeout=10)
            smtp.starttls(context=context)  # upgrade the session under the hardened context
        else:
            smtp = smtplib.SMTP_SSL(self.server, self.port, timeout=10)
    else:
        smtp = smtplib.SMTP(self.server, self.port, timeout=10)

  • Impact

This change will improve security by ensuring that only secure TLS versions are used.

It should not impact functionality, as most modern servers support TLS v1.2 or higher. However, you may need to review your mail server configuration if you experience issues.

  • Additional Context

The proposed change uses ssl.create_default_context() to get a default secure context.

It then sets minimum_version to ssl.TLSVersion.TLSv1_2, forcing the connection to use TLS v1.2 or higher.

  • Benefits

Mitigates potential security risks associated with older TLS versions.

Aligns with modern security standards.

I am happy to submit a pull request that implements this change.

2. Additional context or comments

In Node.js, the code looks like the following:

const transporter = nodemailer.createTransport({
  host: process.env.EMAIL_HOST,
  port: Number(process.env.EMAIL_PORT),
  secure: false, // plaintext connection first, then a STARTTLS upgrade
  auth: {
    user: process.env.EMAIL_USER,
    pass: process.env.EMAIL_PASS,
  },
  tls: {
    minVersion: 'TLSv1.2', // same floor as the Python proposal above
  },
})

My email server uses Google Workspace's email service. Without making the necessary changes, it will be impossible to connect to Google's email service.

3. Can you help us with this feature?

  • I am interested in contributing to this feature.
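As an added example (not code from this issue or from the Dify code base), a hypothetical helper module that builds the context the issue proposes, checks any context against the TLS 1.2 floor before it reaches smtplib, and reproduces the issue's branching with the context passed on both the starttls() path and the SMTP_SSL path (the latter goes beyond the issue, since SMTP_SSL also accepts a context). The names `build_smtp_tls_context`, `context_meets_policy`, `open_smtp` and the injectable `smtp_cls`/`smtp_ssl_cls` parameters are assumptions.

```python
import smtplib
import ssl

# Floor for every SMTP connection (hypothetical helper module, not Dify's own code).
MINIMUM_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def build_smtp_tls_context(minimum_version=MINIMUM_TLS_VERSION):
    """Client context with certificate verification on and an explicit TLS floor.

    create_default_context() already turns on hostname checking and CERT_REQUIRED.
    Python 3.10 raised its default minimum to TLS 1.2, but older interpreters use
    MINIMUM_SUPPORTED, so setting it explicitly keeps the policy the same everywhere.
    """
    context = ssl.create_default_context()
    context.minimum_version = minimum_version
    return context


def context_meets_policy(context, minimum_version=MINIMUM_TLS_VERSION):
    """True if a context enforces the floor and still verifies the server certificate."""
    return (
        context.minimum_version >= minimum_version
        and context.check_hostname
        and context.verify_mode == ssl.CERT_REQUIRED
    )


def open_smtp(server, port, use_tls, opportunistic_tls, timeout=10, context=None,
              smtp_cls=smtplib.SMTP, smtp_ssl_cls=smtplib.SMTP_SSL):
    """Same branching as the issue, but the hardened context reaches every TLS path.

    Assumption beyond the issue: the implicit-TLS branch gets the context too, since
    SMTP_SSL accepts one. smtp_cls/smtp_ssl_cls exist only so tests can inject fakes.
    """
    if not use_tls:
        return smtp_cls(server, port, timeout=timeout)  # plaintext session; no floor applies
    if context is None:
        context = build_smtp_tls_context()
    if not context_meets_policy(context):
        raise ValueError("TLS context does not enforce TLS 1.2 or higher")
    if opportunistic_tls:
        smtp = smtp_cls(server, port, timeout=timeout)
        smtp.starttls(context=context)  # upgrade the plaintext session under the policy
        return smtp
    return smtp_ssl_cls(server, port, timeout=timeout, context=context)
```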