Add STARTTLS initiation to SMTP mail relay in atr/mail.py #683

@andrewmusselman

ASVS Requirement: V12.2.1
CWE: CWE-319 (Cleartext Transmission of Sensitive Information)
Severity: HIGH
File: atr/mail.py (lines ~113–122)

Description

The mail relay connection creates a properly configured TLS context (TLS 1.2 minimum), but connects to port 587 without initiating STARTTLS. Port 587 uses "explicit TLS", meaning the connection starts unencrypted and must be upgraded via STARTTLS. Without start_tls=True or an explicit await smtp.starttls() call, email contents — including vote notifications and release information — may be transmitted in cleartext.

Current code

async def _send_via_relay(from_addr: str, to_addr: str, msg_bytes: bytes) -> None:
    _validate_recipient(to_addr)
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2

    smtp = aiosmtplib.SMTP(hostname=_MAIL_RELAY, port=_SMTP_PORT, timeout=_SMTP_TIMEOUT, tls_context=context)
    await smtp.connect()
    await smtp.ehlo()
    await smtp.sendmail(from_addr, [to_addr], msg_bytes)
    await smtp.quit()

Recommended fix

Add start_tls=True to the SMTP constructor:

smtp = aiosmtplib.SMTP(
    hostname=_MAIL_RELAY,
    port=_SMTP_PORT,
    timeout=_SMTP_TIMEOUT,
    tls_context=context,
    start_tls=True,
)
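
An added example, not part of the issue or the project's code: a CI-style check built on Python's `ast` module that flags `aiosmtplib.SMTP(...)` constructors which neither pass `start_tls=True` (or `use_tls=True`) nor receive the explicit `.starttls()` call the issue mentions. The function names and the sample strings are assumptions made for illustration.

```python
import ast

def _kw_true(call, name):
    """True when the call passes name=True as a literal keyword."""
    return any(k.arg == name and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in call.keywords)

def _is_relay_ctor(node):
    """Match aiosmtplib.SMTP(...) written as an attribute call."""
    f = node.func
    return (isinstance(f, ast.Attribute) and f.attr == "SMTP"
            and isinstance(f.value, ast.Name) and f.value.id == "aiosmtplib")

def find_unupgraded_smtp(source):
    """Return line numbers of aiosmtplib.SMTP(...) calls that neither force
    TLS in the constructor nor get an explicit .starttls() call by name."""
    tree = ast.parse(source)
    # Variable names that receive an explicit upgrade: `await smtp.starttls()`.
    upgraded = {n.func.value.id for n in ast.walk(tree)
                if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                and n.func.attr == "starttls"
                and isinstance(n.func.value, ast.Name)}
    # Map each constructor call to the variable it is assigned to, if any.
    bound = {id(n.value): n.targets[0].id for n in ast.walk(tree)
             if isinstance(n, ast.Assign) and isinstance(n.value, ast.Call)
             and isinstance(n.targets[0], ast.Name)}
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_relay_ctor(node)):
            continue
        if _kw_true(node, "start_tls") or _kw_true(node, "use_tls"):
            continue  # TLS is required by the constructor itself
        if bound.get(id(node)) in upgraded:
            continue  # upgraded later through an explicit call
        findings.append(node.lineno)
    return sorted(findings)

# Constructed inputs modelled on the constructor calls quoted in the issue.
CURRENT = ("smtp = aiosmtplib.SMTP(hostname=_MAIL_RELAY, port=_SMTP_PORT, "
           "timeout=_SMTP_TIMEOUT, tls_context=context)\n")
FIXED = CURRENT.replace("context)", "context, start_tls=True)")
EXPLICIT = CURRENT + "async def send():\n    await smtp.starttls()\n"

if __name__ == "__main__":
    for label, src in (("current", CURRENT), ("fixed", FIXED),
                       ("explicit", EXPLICIT)):
        print(label, find_unupgraded_smtp(src))
```

The check matches only the `aiosmtplib.SMTP` attribute form and tracks the explicit upgrade by variable name, so aliased imports and context-manager usage would need extra handling.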

Labels

ASVS (Anything related to ASVS requirements), L1 (ASVS L1 requirement), priority (Not critical, but should be addressed soon), security (Issues related to security posture)
