From f0f873ffe7f176d480dc9a80cb68242f1fe8a69d Mon Sep 17 00:00:00 2001
From: lub <git@lubiland.de>
Date: Tue, 1 Sep 2020 21:48:09 +0200
Subject: [PATCH 1/3] add option to enforce inbound starttls

---
 core/admin/mailu/configuration.py  |  1 +
 core/admin/mailu/internal/nginx.py | 30 ++++++++++++++++++++++++------
 docs/configuration.rst             |  7 +++++++
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 66b0b832..7fcd1ee7 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -31,6 +31,7 @@ DEFAULT_CONFIG = {
     'HOSTNAMES': 'mail.mailu.io,alternative.mailu.io,yetanother.mailu.io',
     'POSTMASTER': 'postmaster',
     'TLS_FLAVOR': 'cert',
+    'INBOUND_TLS_ENFORCE': False,
     'AUTH_RATELIMIT': '10/minute;1000/hour',
     'AUTH_RATELIMIT_SUBNET': True,
     'DISABLE_STATISTICS': False,
diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index fa127584..a7771f91 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -17,6 +17,9 @@ STATUSES = {
         "smtp": "535 5.7.8",
         "pop3": "-ERR Authentication failed"
     }),
+    "encryption": ("Must issue a STARTTLS command first", {
+        "smtp": "530 5.7.0"
+    }),
 }
 
 
@@ -28,12 +31,27 @@ def handle_authentication(headers):
     protocol = headers["Auth-Protocol"]
     # Incoming mail, no authentication
     if method == "none" and protocol == "smtp":
-        server, port = get_server(headers["Auth-Protocol"], False)
-        return {
-            "Auth-Status": "OK",
-            "Auth-Server": server,
-            "Auth-Port": port
-        }
+        server, port = get_server(protocol, False)
+        if app.config["INBOUND_TLS_ENFORCE"]:
+            if "Auth-SSl" in headers and headers["Auth-SSL"] == "on":
+                return {
+                    "Auth-Status": "OK",
+                    "Auth-Server": server,
+                    "Auth-Port": port
+                }
+            else:
+                status, code = get_status(protocol, "encryption")
+                return {
+                    "Auth-Status": status,
+                    "Auth-Error-Code" : code,
+                    "Auth-Wait": 0
+                }
+        else:
+            return {
+                "Auth-Status": "OK",
+                "Auth-Server": server,
+                "Auth-Port": port
+            }
     # Authenticated user
     elif method == "plain":
         server, port = get_server(headers["Auth-Protocol"], True)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 4b211925..3438b7fe 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -73,6 +73,13 @@ By default postfix uses "opportunistic TLS" for outbound mail. This can be chang
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
 if you are a relayhost that supports TLS.
 
+Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
+by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
+internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
+support or e.g. mismatching TLS versions to deliver emails to Mailu.
+
+.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
+
 The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
 go and fetch new email if available. Do not use too short delays if you do not
 want to be blacklisted by external services, but not too long delays if you

From d348477efc933e5f2d1fa85c027b7d7fb2ccf623 Mon Sep 17 00:00:00 2001
From: lub <git@lubiland.de>
Date: Tue, 1 Sep 2020 21:50:21 +0200
Subject: [PATCH 2/3] add towncrier for 1610

---
 towncrier/newsfragments/1610.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1610.feature

diff --git a/towncrier/newsfragments/1610.feature b/towncrier/newsfragments/1610.feature
new file mode 100644
index 00000000..b56ac332
--- /dev/null
+++ b/towncrier/newsfragments/1610.feature
@@ -0,0 +1 @@
+Add possibility to enforce inbound STARTTLS via INBOUND_TLS_LEVEL=true

From 05e2af180256b6a9387cd437d023c8d3f968a651 Mon Sep 17 00:00:00 2001
From: lub <git@lubiland.de>
Date: Wed, 2 Sep 2020 15:16:10 +0200
Subject: [PATCH 3/3] fix small typo in Auth-SSL

---
 core/admin/mailu/internal/nginx.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index a7771f91..e1f8cb7a 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -33,7 +33,7 @@ def handle_authentication(headers):
     if method == "none" and protocol == "smtp":
         server, port = get_server(protocol, False)
         if app.config["INBOUND_TLS_ENFORCE"]:
-            if "Auth-SSl" in headers and headers["Auth-SSL"] == "on":
+            if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
                 return {
                     "Auth-Status": "OK",
                     "Auth-Server": server,