drew/smtprelay
1
0
Fork 1
mirror of https://github.com/decke/smtprelay.git synced 2025-12-25 07:43:06 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #27 from decke/26-tls-reqd-for-auth

Browse Source 
Don't allow configuration requiring authentication with non-TLS listener
This commit is contained in:
Bernhard Fröhlich
2021-04-02 20:41:38 +02:00
committed by GitHub
parent 65f0cfcfbd 247d187576
commit 9e8b5517a6
3 changed files with 106 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
config.go
View File

@@ -3,8 +3,9 @@ package main
import ( import (
"flag" "flag"
"net" "net"
"regexp"
"net/smtp" "net/smtp"
"regexp"
"strings"
"github.com/vharitonsky/iniflags" "github.com/vharitonsky/iniflags"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
@@ -21,7 +22,8 @@ var (
logLevel = flag.String("log_level", "info", "Minimum log level to output") logLevel = flag.String("log_level", "info", "Minimum log level to output")
hostName = flag.String("hostname", "localhost.localdomain", "Server hostname") hostName = flag.String("hostname", "localhost.localdomain", "Server hostname")
welcomeMsg = flag.String("welcome_msg", "", "Welcome message for SMTP session") welcomeMsg = flag.String("welcome_msg", "", "Welcome message for SMTP session")
listen = flag.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP") listenStr = flag.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP")
listenAddrs = []protoAddr{}
localCert = flag.String("local_cert", "", "SSL certificate for STARTTLS/TLS") localCert = flag.String("local_cert", "", "SSL certificate for STARTTLS/TLS")
localKey = flag.String("local_key", "", "SSL private key for STARTTLS/TLS") localKey = flag.String("local_key", "", "SSL private key for STARTTLS/TLS")
localForceTLS = flag.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)") localForceTLS = flag.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)")
@@ -41,6 +43,10 @@ var (
versionInfo = flag.Bool("version", false, "Show version information") versionInfo = flag.Bool("version", false, "Show version information")
) )
func localAuthRequired() bool {
return *allowedUsers != ""
}
func setupAllowedNetworks() { func setupAllowedNetworks() {
for _, netstr := range splitstr(*allowedNetsStr, ' ') { for _, netstr := range splitstr(*allowedNetsStr, ' ') {
@@ -130,6 +136,39 @@ func setupRemoteAuth() {
} }
} }
type protoAddr struct {
protocol string
address string
}
func splitProto(s string) protoAddr {
idx := strings.Index(s, "://")
if idx == -1 {
return protoAddr {
address: s,
}
}
return protoAddr {
protocol: s[0 : idx],
address: s[idx+3 : len(s)],
}
}
func setupListeners() {
for _, listenAddr := range strings.Split(*listenStr, " ") {
pa := splitProto(listenAddr)
if localAuthRequired() && pa.protocol == "" {
log.WithField("address", pa.address).
Fatal("Local authentication (via allowed_users file) " +
"not allowed with non-TLS listener")
}
listenAddrs = append(listenAddrs, pa)
}
}
func ConfigLoad() { func ConfigLoad() {
iniflags.Parse() iniflags.Parse()
@@ -143,4 +182,5 @@ func ConfigLoad() {
setupAllowedNetworks() setupAllowedNetworks()
setupAllowedPatterns() setupAllowedPatterns()
setupRemoteAuth() setupRemoteAuth()
setupListeners()
} }

44
config_test.go Normal file
View File

@@ -0,0 +1,44 @@
package main
import (
"testing"
)
func TestSplitProto(t *testing.T) {
var tests = []struct {
input string
proto string
addr string
}{
{
input: "localhost",
proto: "",
addr: "localhost",
},
{
input: "tls://my.local.domain",
proto: "tls",
addr: "my.local.domain",
},
{
input: "starttls://my.local.domain",
proto: "starttls",
addr: "my.local.domain",
},
}
for i, test := range tests {
testName := test.input
t.Run(testName, func(t *testing.T) {
pa := splitProto(test.input)
if pa.protocol != test.proto {
t.Errorf("Testcase %d: Incorrect proto: expected %v, got %v",
i, test.proto, pa.protocol)
}
if pa.address != test.addr {
t.Errorf("Testcase %d: Incorrect addr: expected %v, got %v",
i, test.addr, pa.address)
}
})
}
}

44
main.go
View File

@@ -81,7 +81,7 @@ func addrAllowed(addr string, allowedAddrs []string) bool {
func senderChecker(peer smtpd.Peer, addr string) error { func senderChecker(peer smtpd.Peer, addr string) error {
// check sender address from auth file if user is authenticated // check sender address from auth file if user is authenticated
if *allowedUsers != "" && peer.Username != "" { if localAuthRequired() && peer.Username != "" {
user, err := AuthFetch(peer.Username) user, err := AuthFetch(peer.Username)
if err != nil { if err != nil {
// Shouldn't happen: authChecker already validated username+password // Shouldn't happen: authChecker already validated username+password
@@ -276,7 +276,7 @@ func main() {
Debug("starting smtprelay") Debug("starting smtprelay")
// Load allowed users file // Load allowed users file
if *allowedUsers != "" { if localAuthRequired() {
err := AuthLoadFile(*allowedUsers) err := AuthLoadFile(*allowedUsers)
if err != nil { if err != nil {
log.WithField("file", *allowedUsers). log.WithField("file", *allowedUsers).
@@ -288,7 +288,9 @@ func main() {
var servers []*smtpd.Server var servers []*smtpd.Server
// Create a server for each desired listen address // Create a server for each desired listen address
for _, listenAddr := range strings.Split(*listen, " ") { for _, listen := range listenAddrs {
logger := log.WithField("address", listen.address)
server := &smtpd.Server{ server := &smtpd.Server{
Hostname: *hostName, Hostname: *hostName,
WelcomeMessage: *welcomeMsg, WelcomeMessage: *welcomeMsg,
@@ -298,44 +300,38 @@ func main() {
Handler: mailHandler, Handler: mailHandler,
} }
if *allowedUsers != "" { if localAuthRequired() {
server.Authenticator = authChecker server.Authenticator = authChecker
} }
var lsnr net.Listener var lsnr net.Listener
var err error var err error
if strings.Index(listenAddr, "://") == -1 { switch listen.protocol {
log.WithField("address", listenAddr). case "":
Info("listening on address") logger.Info("listening on address")
lsnr, err = net.Listen("tcp", listen.address)
lsnr, err = net.Listen("tcp", listenAddr)
} else if strings.HasPrefix(listenAddr, "starttls://") {
listenAddr = strings.TrimPrefix(listenAddr, "starttls://")
case "starttls":
server.TLSConfig = getTLSConfig() server.TLSConfig = getTLSConfig()
server.ForceTLS = *localForceTLS server.ForceTLS = *localForceTLS
log.WithField("address", listenAddr). logger.Info("listening on address (STARTTLS)")
Info("listening on address (STARTTLS)") lsnr, err = net.Listen("tcp", listen.address)
lsnr, err = net.Listen("tcp", listenAddr)
} else if strings.HasPrefix(listenAddr, "tls://") {
listenAddr = strings.TrimPrefix(listenAddr, "tls://")
case "tls":
server.TLSConfig = getTLSConfig() server.TLSConfig = getTLSConfig()
log.WithField("address", listenAddr). logger.Info("listening on address (TLS)")
Info("listening on address (TLS)") lsnr, err = tls.Listen("tcp", listen.address, server.TLSConfig)
lsnr, err = tls.Listen("tcp", listenAddr, server.TLSConfig)
} else { default:
log.WithField("address", listenAddr). logger.WithField("protocol", listen.protocol).
Fatal("unknown protocol in listen address") Fatal("unknown protocol in listen address")
} }
if err != nil { if err != nil {
log.WithFields(logrus.Fields{ logger.WithError(err).Fatal("error starting listener")
"address": listenAddr,
}).WithError(err).Fatal("error starting listener")
} }
servers = append(servers, server) servers = append(servers, server)