1610: add option to enforce inbound starttls r=mergify[bot] a=lub

## What type of PR?

Feature

## What does this PR do?
It implements a check in the auth_http handler to check for Auth-SSL == on and otherwise returns a 530 starttls error.
If INBOUND_TLS_ENFORCE is not set the behaviour is still the same as before, so existing installations should be unaffected.

Although there is a small difference to e.g. smtpd_tls_security_level of Postfix.

Postfix already throws a 530 after mail from, but this solution only throws it after rcpt to. auth_http is only the request after rcpt to, so it's not possible to do it earlier.

### Related issue(s)
#1328 is kinda related, although this PR doesn't solve the issue that the headers will still display ESMTP instead of ESMTPS

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: lub <git@lubiland.de>
master
bors[bot] 4 years ago committed by GitHub
commit 327884e07c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -31,6 +31,7 @@ DEFAULT_CONFIG = {
'HOSTNAMES': 'mail.mailu.io,alternative.mailu.io,yetanother.mailu.io', 'HOSTNAMES': 'mail.mailu.io,alternative.mailu.io,yetanother.mailu.io',
'POSTMASTER': 'postmaster', 'POSTMASTER': 'postmaster',
'TLS_FLAVOR': 'cert', 'TLS_FLAVOR': 'cert',
'INBOUND_TLS_ENFORCE': False,
'AUTH_RATELIMIT': '10/minute;1000/hour', 'AUTH_RATELIMIT': '10/minute;1000/hour',
'AUTH_RATELIMIT_SUBNET': True, 'AUTH_RATELIMIT_SUBNET': True,
'DISABLE_STATISTICS': False, 'DISABLE_STATISTICS': False,

@ -17,6 +17,9 @@ STATUSES = {
"smtp": "535 5.7.8", "smtp": "535 5.7.8",
"pop3": "-ERR Authentication failed" "pop3": "-ERR Authentication failed"
}), }),
"encryption": ("Must issue a STARTTLS command first", {
"smtp": "530 5.7.0"
}),
} }
def check_credentials(user, password, ip, protocol=None): def check_credentials(user, password, ip, protocol=None):
@ -42,12 +45,27 @@ def handle_authentication(headers):
protocol = headers["Auth-Protocol"] protocol = headers["Auth-Protocol"]
# Incoming mail, no authentication # Incoming mail, no authentication
if method == "none" and protocol == "smtp": if method == "none" and protocol == "smtp":
server, port = get_server(headers["Auth-Protocol"], False) server, port = get_server(protocol, False)
return { if app.config["INBOUND_TLS_ENFORCE"]:
"Auth-Status": "OK", if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
"Auth-Server": server, return {
"Auth-Port": port "Auth-Status": "OK",
} "Auth-Server": server,
"Auth-Port": port
}
else:
status, code = get_status(protocol, "encryption")
return {
"Auth-Status": status,
"Auth-Error-Code" : code,
"Auth-Wait": 0
}
else:
return {
"Auth-Status": "OK",
"Auth-Server": server,
"Auth-Port": port
}
# Authenticated user # Authenticated user
elif method == "plain": elif method == "plain":
server, port = get_server(headers["Auth-Protocol"], True) server, port = get_server(headers["Auth-Protocol"], True)

@ -73,6 +73,13 @@ By default postfix uses "opportunistic TLS" for outbound mail. This can be chang
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
if you are a relayhost that supports TLS. if you are a relayhost that supports TLS.
Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
support or e.g. mismatching TLS versions to deliver emails to Mailu.
.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
.. _fetchmail: .. _fetchmail:
The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to

@ -0,0 +1 @@
Add possibility to enforce inbound STARTTLS via INBOUND_TLS_LEVEL=true
Loading…
Cancel
Save