starred/healthchecks
1
0
Fork 0
mirror of https://github.com/healthchecks/healthchecks.git synced 2026-04-25 23:15:49 +03:00
Code Issues 56 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #979] Add TLS support for Receiving Emails #682

New issue
Closed
opened 2026-02-25 23:43:15 +03:00 by kerem · 4 comments
kerem commented 2026-02-25 23:43:15 +03:00
Owner
Copy link

Originally created by @JohannesFleischer on GitHub (Mar 26, 2024).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/979

I have set up a self-hosted Healthchecks instance and noticed that when pinging the server via smtp, it is only possible to send unencrypted emails because TLS is not supported.

This allows an attacker to perform a replay attack, making it look like a service is still running when it is not.

This is why I would love to see TLS support for this feature.

Originally created by @JohannesFleischer on GitHub (Mar 26, 2024). Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/979 I have set up a self-hosted Healthchecks instance and noticed that when pinging the server via smtp, it is only possible to send unencrypted emails because TLS is not supported. This allows an attacker to perform a replay attack, making it look like a service is still running when it is not. This is why I would love to see TLS support for this feature.
kerem 2026-02-25 23:43:15 +03:00
  • closed this issue
  • added the
    feature
         label
kerem commented 2026-02-25 23:43:16 +03:00
Author
Owner
Copy link

@aque commented on GitHub (Mar 30, 2024):

I suggest not exposing smtpd directly and use postfix or similar as a frontend. Aside from TLS, you can use their features to secure the smtp service like HELO restrctions and DKIM checking. I have my smtpd service listening on localhost:2525 and setup a postfix transport file with healthchecks.domain.tld smtp:[127.0.0.1]:2525.

<!-- gh-comment-id:2028249373 --> @aque commented on GitHub (Mar 30, 2024): I suggest not exposing smtpd directly and use postfix or similar as a frontend. Aside from TLS, you can use their features to secure the smtp service like HELO restrctions and DKIM checking. I have my smtpd service listening on localhost:2525 and setup a postfix `transport` file with `healthchecks.domain.tld smtp:[127.0.0.1]:2525`.
kerem commented 2026-02-25 23:43:16 +03:00
Author
Owner
Copy link

@JPaulMora commented on GitHub (Apr 10, 2024):

Would it be a good idea to make smtp listen on localhost only by default?

<!-- gh-comment-id:2046484168 --> @JPaulMora commented on GitHub (Apr 10, 2024): Would it be a good idea to make smtp listen on localhost only by default?
kerem commented 2026-02-25 23:43:16 +03:00
Author
Owner
Copy link

@aque commented on GitHub (Apr 10, 2024):

You can do that by adding --host localhost.

<!-- gh-comment-id:2047894748 --> @aque commented on GitHub (Apr 10, 2024): You can do that by adding `--host localhost`.
kerem commented 2026-02-25 23:43:16 +03:00
Author
Owner
Copy link

@cuu508 commented on GitHub (Nov 21, 2025):

I'm not planning to work on adding TLS support.

  • Our SMTP listener is pretty rudimentary. As @aque says, a proper frontend would do better job of sanitizing incoming messages, checking DKIM, rate limiting, integrating with LetsEncrypt and so on.
  • The smtp library we use, aiosmtpd, has not had real commits for more than a year. I do not know if it has ever been fuzz tested. Exposing it to the public internet may be a security risk. Or maybe it is solid and safe. I don't know.
<!-- gh-comment-id:3562657643 --> @cuu508 commented on GitHub (Nov 21, 2025): I'm not planning to work on adding TLS support. * Our SMTP listener is pretty rudimentary. As @aque says, a proper frontend would do better job of sanitizing incoming messages, checking DKIM, rate limiting, integrating with LetsEncrypt and so on. * The smtp library we use, aiosmtpd, has not had real commits for more than a year. I do not know if it has ever been fuzz tested. Exposing it to the public internet may be a security risk. Or maybe it is solid and safe. I don't know.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
py2
v4.1.1
v4.1
v4.0
v3.13
v3.12
v3.11.2
v3.11.1
v3.11
v3.10
v3.9
v3.8.2
v3.8.1
v3.8
v3.7
v3.6
v3.5.2
v3.5.1
v3.5
v3.4
v3.3
v3.2
v3.1
v3.0.1
v3.0
v2.10
v2.9.2
v2.9.1
v2.9
v2.8.1
v2.8
v2.7
v2.6.1
v2.6
v2.5
v2.4.1
v2.4
v2.3
v2.2.1
v2.2
v2.1
v2.0.1
v2.0
v1.25.0
v1.24.1
v1.24.0
v1.23.1
v1.23.0
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.0
v1.17.0
v1.16.0
v1.15.0
v1.14.0
v1.13.0
v1.12.0
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.0
v1.5.0
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.4
v1.0.3
v1.0.2
1.0.2
v1.0.1
v1.0
Labels
Clear labels   
bug

   
bug

   
bug

   
feature

   
good-first-issue

   
new integration

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
bug
bug
feature
good-first-issue
new integration
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/healthchecks#682
No description provided.