From 5e7d5adf179d1a40c40c169d594995ff4de2f391 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 20:10:49 +0200
Subject: [PATCH] AUTH shouldn't happen on port 25

---
 core/admin/mailu/internal/nginx.py | 7 +++++++
 core/nginx/conf/nginx.conf         | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 3f5582cc..0c03b866 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -81,6 +81,13 @@ def handle_authentication(headers):
         raw_password = urllib.parse.unquote(headers["Auth-Pass"])
         password = raw_password.encode("iso8859-1").decode("utf8")
         ip = urllib.parse.unquote(headers["Client-Ip"])
+        port = int(urllib.parse.unquote(headers["Auth-Port"]))
+        if port == 25:
+            return {
+                "Auth-Status": "AUTH not supported",
+                "Auth-Error-Code": "502 5.5.1",
+                "Auth-Wait": 0
+            }
         user = models.User.query.get(user_email)
         if check_credentials(user, password, ip, protocol):
             return {
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 718e90b9..82e7ca36 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -250,6 +250,7 @@ mail {
       listen 10025;
       protocol smtp;
       smtp_auth plain;
+      auth_http_header Auth-Port 10025;
     }
 
     # Default IMAP server for the webmail (no encryption, but authentication)
@@ -257,6 +258,7 @@ mail {
       listen 10143;
       protocol imap;
       smtp_auth plain;
+      auth_http_header Auth-Port 10043;
     }
 
     # SMTP is always enabled, to avoid losing emails when TLS is failing
@@ -271,6 +273,7 @@ mail {
       {% endif %}
       protocol smtp;
       smtp_auth none;
+      auth_http_header Auth-Port 25;
     }
 
     # All other protocols are disabled if TLS is failing
@@ -283,6 +286,7 @@ mail {
       {% endif %}
       protocol imap;
       imap_auth plain;
+      auth_http_header Auth-Port 143;
     }
 
     server {
@@ -293,6 +297,7 @@ mail {
       {% endif %}
       protocol pop3;
       pop3_auth plain;
+      auth_http_header Auth-Port 110;
     }
 
     server {
@@ -303,6 +308,7 @@ mail {
       {% endif %}
       protocol smtp;
       smtp_auth plain;
+      auth_http_header Auth-Port 587;
     }
 
     {% if TLS %}
@@ -311,6 +317,7 @@ mail {
       listen [::]:465 ssl;
       protocol smtp;
       smtp_auth plain;
+      auth_http_header Auth-Port 465;
     }
 
     server {
@@ -318,6 +325,7 @@ mail {
       listen [::]:993 ssl;
       protocol imap;
       imap_auth plain;
+      auth_http_header Auth-Port 993;
     }
 
     server {
@@ -325,6 +333,7 @@ mail {
       listen [::]:995 ssl;
       protocol pop3;
       pop3_auth plain;
+      auth_http_header Auth-Port 995;
     }
     {% endif %}
     {% endif %}