Possibility to disable the TLS verify for sending mails.

LICENSE.md

@@ -199,3 +199,8 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+Watchtower contains code that is licensed under a BSD-license:
+ - Copyright (c) 2009 The Go Authors. All rights reserved.
+   
+   For details see https://golang.org/LICENSE

README.md

@@ -195,6 +195,7 @@ To receive notifications by email, the following command-line options, or their
 * `--notification-email-from` (env. `WATCHTOWER_NOTIFICATION_EMAIL_FROM`): The e-mail address from which notifications will be sent.
 * `--notification-email-to` (env. `WATCHTOWER_NOTIFICATION_EMAIL_TO`): The e-mail address to which notifications will be sent.
 * `--notification-email-server` (env. `WATCHTOWER_NOTIFICATION_EMAIL_SERVER`): The SMTP server to send e-mails through.
+* `--notification-email-server-tls-skip-verify` (env. `WATCHTOWER_NOTIFICATION_EMAIL_SERVER_TLS_SKIP_VERIFY`): Do not verify the TLS certificate of the mail server. This should be used only for testing.
 * `--notification-email-server-port` (env. `WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT`): The port used to connect to the SMTP server to send e-mails through. Defaults to `25`.
 * `--notification-email-server-user` (env. `WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER`): The username to authenticate with the SMTP server with.
 * `--notification-email-server-password` (env. `WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD`): The password to authenticate with the SMTP server with.

main.go

@@ -117,6 +117,15 @@ func main() {
 			Value:  25,
 			EnvVar: "WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT",
 		},
+		cli.BoolFlag{
+			Name: "notification-email-server-tls-skip-verify",
+			Usage: "Controls whether watchtower verifies the SMTP server's certificate chain and host name. " +
+				"If set, TLS accepts any certificate " +
+				"presented by the server and any host name in that certificate. " +
+				"In this mode, TLS is susceptible to man-in-the-middle attacks. " +
+				"This should be used only for testing.",
+			EnvVar: "WATCHTOWER_NOTIFICATION_EMAIL_SERVER_TLS_SKIP_VERIFY",
+		},
 		cli.StringFlag{
 			Name:   "notification-email-server-user",
 			Usage:  "SMTP server user for sending notifications",

notifications/email.go

@@ -26,6 +26,7 @@ type emailTypeNotifier struct {
 	From, To               string
 	Server, User, Password string
 	Port                   int
+	tlsSkipVerify          bool
 	entries                []*log.Entry
 }
 
@@ -37,6 +38,7 @@ func newEmailNotifier(c *cli.Context) typeNotifier {
 		User:          c.GlobalString("notification-email-server-user"),
 		Password:      c.GlobalString("notification-email-server-password"),
 		Port:          c.GlobalInt("notification-email-server-port"),
+		tlsSkipVerify: c.GlobalBool("notification-email-server-tls-skip-verify"),
 	}
 
 	log.AddHook(n)
@@ -80,7 +82,7 @@ func (e *emailTypeNotifier) sendEntries(entries []*log.Entry) {
 	msg := e.buildMessage(entries)
 	go func() {
 		auth := smtp.PlainAuth("", e.User, e.Password, e.Server)
-		err := smtp.SendMail(e.Server+":"+strconv.Itoa(e.Port), auth, e.From, []string{e.To}, msg)
+		err := SendMail(e.Server+":"+strconv.Itoa(e.Port), e.tlsSkipVerify, auth, e.From, []string{e.To}, msg)
 		if err != nil {
 			// Use fmt so it doesn't trigger another email.
 			fmt.Println("Failed to send notification email: ", err)

notifications/smtp.go

@@ -0,0 +1,76 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license.
+package notifications
+
+import (
+	"crypto/tls"
+	"net"
+	"net/smtp"
+)
+
+// SendMail connects to the server at addr, switches to TLS if
+// possible, authenticates with the optional mechanism a if possible,
+// and then sends an email from address from, to addresses to, with
+// message msg.
+// The addr must include a port, as in "mail.example.com:smtp".
+//
+// The addresses in the to parameter are the SMTP RCPT addresses.
+//
+// The msg parameter should be an RFC 822-style email with headers
+// first, a blank line, and then the message body. The lines of msg
+// should be CRLF terminated. The msg headers should usually include
+// fields such as "From", "To", "Subject", and "Cc".  Sending "Bcc"
+// messages is accomplished by including an email address in the to
+// parameter but not including it in the msg headers.
+//
+// The SendMail function and the net/smtp package are low-level
+// mechanisms and provide no support for DKIM signing, MIME
+// attachments (see the mime/multipart package), or other mail
+// functionality. Higher-level packages exist outside of the standard
+// library.
+func SendMail(addr string, insecureSkipVerify bool, a smtp.Auth, from string, to []string, msg []byte) error {
+	c, err := smtp.Dial(addr)
+	if err != nil {
+		return err
+	}
+	defer c.Close()
+	if err = c.Hello("localHost"); err != nil {
+		return err
+	}
+	if ok, _ := c.Extension("STARTTLS"); ok {
+		serverName, _, _ := net.SplitHostPort(addr)
+		config := &tls.Config{ServerName: serverName, InsecureSkipVerify: insecureSkipVerify}
+		if err = c.StartTLS(config); err != nil {
+			return err
+		}
+	}
+	if a != nil {
+		if ok, _ := c.Extension("AUTH"); ok {
+			if err = c.Auth(a); err != nil {
+				return err
+			}
+		}
+	}
+	if err = c.Mail(from); err != nil {
+		return err
+	}
+	for _, addr := range to {
+		if err = c.Rcpt(addr); err != nil {
+			return err
+		}
+	}
+	w, err := c.Data()
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(msg)
+	if err != nil {
+		return err
+	}
+	err = w.Close()
+	if err != nil {
+		return err
+	}
+	return c.Quit()
+}