diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 027db935..9271df8e 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -27,12 +27,12 @@ STATUSES = {
 }),
 }
 
-def check_credentials(user, password, ip, protocol=None):
+def check_credentials(user, password, ip, protocol=None, auth_port=None):
 if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
 return False
 is_ok = False
 # webmails
- if len(password) == 64 and ip == app.config['WEBMAIL_ADDRESS']:
+ if len(password) == 64 and auth_port in ['10143', '10025']:
 if user.verify_temp_token(password):
 is_ok = True
 # All tokens are 32 characters hex lowercase
@@ -100,7 +100,7 @@ def handle_authentication(headers):
 app.logger.warn(f'Invalid user {user_email!r}: {exc}')
 else:
 ip = urllib.parse.unquote(headers["Client-Ip"])
- if check_credentials(user, password, ip, protocol):
+ if check_credentials(user, password, ip, protocol, headers["Auth-Port"]):
 server, port = get_server(headers["Auth-Protocol"], True)
 return {
 "Auth-Status": "OK",
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 71cbf9ee..62e5c54b 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -277,7 +277,7 @@ mail {
 listen 10143;
 protocol imap;
 smtp_auth plain;
- auth_http_header Auth-Port 10043;
+ auth_http_header Auth-Port 10143;
 }
 
 # SMTP is always enabled, to avoid losing emails when TLS is failing
diff --git a/towncrier/newsfragments/2079.fix b/towncrier/newsfragments/2079.fix
new file mode 100644
index 00000000..82350ff6
--- /dev/null
+++ b/towncrier/newsfragments/2079.fix
@@ -0,0 +1,2 @@
+#2079 Webmail token check does not work if WEBMAIL_ADDRESS is set to a hostname.
+#2081 Fix typo in nginx config for webmail port (10043 to 10143)
\ No newline at end of file
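Review bot: The temp-token branch in `check_credentials` now trusts the `Auth-Port` value alone, and the accepted values `['10143', '10025']` are bare strings that have to stay in step with the `auth_http_header Auth-Port` lines in nginx.conf; the 10043/10143 typo corrected in the nginx.conf hunk of this same commit shows how easily the two drift. I would name the list and record the assumption beside it, e.g. `WEBMAIL_AUTH_PORTS = ('10143', '10025')  # set by nginx auth_http_header on the webmail-only listeners, must never be client-supplied`. With the `ip == app.config['WEBMAIL_ADDRESS']` comparison gone, a 64-character token is no longer tied to the webmail's source address in this condition, so the check is only as strong as the network isolation of those two listeners and of the auth endpoint itself, neither of which this diff shows. The body of `check_credentials` continues past the end of the hunk.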
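Review bot: `headers["Auth-Port"]` in the `check_credentials` call raises `KeyError` when the header is absent, so an auth request from any listener without an `auth_http_header Auth-Port` line would end in an unhandled error instead of a clean accept or reject. Only one listener's header line is visible in this diff, so whether every listener sets it cannot be confirmed from here. Assuming `headers` is a mapping with `.get`, `if check_credentials(user, password, ip, protocol, headers.get("Auth-Port")):` would fall back to the new `auth_port=None` default, which keeps the temp-token branch closed while the other credential checks still run. `handle_authentication` starts and ends outside the hunk.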