test(config): cover SMTP_SSL_SERVER_AUTH enabled behavior

Add unit tests in config_test.py that exercise send_mime_email and assert ssl.create_default_context() is called and its context is threaded through to SMTP_SSL and starttls when SMTP_SSL_SERVER_AUTH=True, plus the opt-out path passing context=None. Complements the existing module-level default assertion. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(email): explicitly opt out of SMTP_SSL_SERVER_AUTH in test_send_mime_ssl
2026-06-10 01:59:17 +00:00 · 2026-06-09 18:09:22 -07:00 · 2026-06-09 18:07:06 -07:00 · 2026-06-09 18:07:06 -07:00
4 changed files with 136 additions and 2 deletions
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -58,6 +58,18 @@ GLOBAL_ASYNC_QUERIES_JWT_SECRET = "<output of: openssl rand -base64 42>"

 The check is only active when the relevant feature is enabled, so deployments that do not use global async queries (or embedding) are not affected.

+### SMTP server certificate validation enabled by default
+
+`SMTP_SSL_SERVER_AUTH` now defaults to `True` (previously `False`). With this default, STARTTLS/SSL connections to the configured SMTP server validate the server's TLS certificate against the system trusted CA store. This makes outbound email (alerts and reports) verify the mail server's identity out of the box.
+
+If your SMTP server presents a self-signed certificate, or a certificate that is not trusted by the system CA store, email delivery may now fail with a certificate verification error. To restore the previous behavior of skipping certificate validation, set the following in `superset_config.py`:
+
+```python
+SMTP_SSL_SERVER_AUTH = False
+```
+
+The recommended fix is to add the SMTP server's certificate (or its issuing CA) to the system trust store rather than disabling validation.
+
 ### Dataset import validates catalog against the target connection

 Importing a dataset now validates the `catalog` field against the target database connection. When the connection has multi-catalog disabled (`allow_multi_catalog` off) and the dataset's catalog is not the connection's default catalog, the import fails instead of silently persisting the non-default catalog. This matches the validation already enforced on the dataset update path and prevents imported datasets from querying an unintended database.
--- a/superset/config.py
+++ b/superset/config.py
@@ -1681,8 +1681,13 @@ SMTP_PORT = 25
 SMTP_PASSWORD = "superset"  # noqa: S105
 SMTP_MAIL_FROM = "superset@superset.com"
 # If True creates a default SSL context with ssl.Purpose.CLIENT_AUTH using the
-# default system root CA certificates.
-SMTP_SSL_SERVER_AUTH = False
+# default system root CA certificates. This makes STARTTLS/SSL connections to the
+# SMTP server validate the server's certificate against the trusted CA store.
+# Defaults to True so the mail server identity is verified out of the box. Set to
+# False to restore the previous behavior of skipping certificate validation (for
+# example, when using a self-signed certificate that is not in the system CA
+# store).
+SMTP_SSL_SERVER_AUTH = True
 ENABLE_CHUNK_ENCODING = False

 # Whether to bump the logging level to ERROR on the flask_appbuilder package
--- a/tests/integration_tests/email_tests.py
+++ b/tests/integration_tests/email_tests.py
@@ -208,6 +208,7 @@ class TestEmailSmtp(SupersetTestCase):
    @mock.patch("smtplib.SMTP")
    def test_send_mime_ssl(self, mock_smtp, mock_smtp_ssl):
        current_app.config["SMTP_SSL"] = True
+        current_app.config["SMTP_SSL_SERVER_AUTH"] = False
        mock_smtp.return_value = mock.Mock()
        mock_smtp_ssl.return_value = mock.Mock()
        utils.send_mime_email(
--- a/tests/unit_tests/config_test.py
+++ b/tests/unit_tests/config_test.py
@@ -312,3 +312,119 @@ def test_full_setting(
    assert dttm_col.is_dttm
    assert dttm_col.python_date_format == "epoch_s"
    assert dttm_col.expression == "CAST(dttm as INTEGER)"
+
+
+def test_smtp_ssl_server_auth_defaults_to_true() -> None:
+    """
+    The shipped default for SMTP_SSL_SERVER_AUTH validates the SMTP server's
+    TLS certificate. Operators can still opt out by overriding it to False.
+    """
+    from superset import config
+
+    assert config.SMTP_SSL_SERVER_AUTH is True
+
+
+def _smtp_config(**overrides: Any) -> dict[str, Any]:
+    config = {
+        "SMTP_HOST": "localhost",
+        "SMTP_PORT": 25,
+        "SMTP_USER": "",
+        "SMTP_PASSWORD": "",
+        "SMTP_STARTTLS": False,
+        "SMTP_SSL": False,
+        "SMTP_SSL_SERVER_AUTH": True,
+    }
+    config.update(overrides)
+    return config
+
+
+def test_send_mime_email_ssl_server_auth_passes_context(
+    mocker: MockerFixture,
+) -> None:
+    """
+    With SMTP_SSL and SMTP_SSL_SERVER_AUTH enabled, ``send_mime_email`` builds a
+    default SSL context and threads it through to ``smtplib.SMTP_SSL`` so the
+    server certificate is validated.
+    """
+    from email.mime.multipart import MIMEMultipart
+
+    from superset.utils import core as utils
+
+    create_default_context = mocker.patch(
+        "superset.utils.core.ssl.create_default_context"
+    )
+    smtp_ssl = mocker.patch("smtplib.SMTP_SSL")
+    smtp = mocker.patch("smtplib.SMTP")
+
+    utils.send_mime_email(
+        "from",
+        ["to"],
+        MIMEMultipart(),
+        _smtp_config(SMTP_SSL=True, SMTP_SSL_SERVER_AUTH=True),
+        dryrun=False,
+    )
+
+    create_default_context.assert_called_once_with()
+    assert not smtp.called
+    smtp_ssl.assert_called_once_with(
+        "localhost", 25, context=create_default_context.return_value
+    )
+
+
+def test_send_mime_email_starttls_server_auth_passes_context(
+    mocker: MockerFixture,
+) -> None:
+    """
+    With STARTTLS and SMTP_SSL_SERVER_AUTH enabled, ``send_mime_email`` builds a
+    default SSL context and threads it through to ``starttls`` so the server
+    certificate is validated.
+    """
+    from email.mime.multipart import MIMEMultipart
+
+    from superset.utils import core as utils
+
+    create_default_context = mocker.patch(
+        "superset.utils.core.ssl.create_default_context"
+    )
+    smtp = mocker.patch("smtplib.SMTP")
+
+    utils.send_mime_email(
+        "from",
+        ["to"],
+        MIMEMultipart(),
+        _smtp_config(SMTP_STARTTLS=True, SMTP_SSL_SERVER_AUTH=True),
+        dryrun=False,
+    )
+
+    create_default_context.assert_called_once_with()
+    smtp.return_value.starttls.assert_called_once_with(
+        context=create_default_context.return_value
+    )
+
+
+def test_send_mime_email_server_auth_disabled_skips_context(
+    mocker: MockerFixture,
+) -> None:
+    """
+    When SMTP_SSL_SERVER_AUTH is disabled no SSL context is built and ``None`` is
+    passed through, preserving the opt-out (certificate validation skipped).
+    """
+    from email.mime.multipart import MIMEMultipart
+
+    from superset.utils import core as utils
+
+    create_default_context = mocker.patch(
+        "superset.utils.core.ssl.create_default_context"
+    )
+    smtp_ssl = mocker.patch("smtplib.SMTP_SSL")
+
+    utils.send_mime_email(
+        "from",
+        ["to"],
+        MIMEMultipart(),
+        _smtp_config(SMTP_SSL=True, SMTP_SSL_SERVER_AUTH=False),
+        dryrun=False,
+    )
+
+    assert not create_default_context.called
+    smtp_ssl.assert_called_once_with("localhost", 25, context=None)