Comments (11)
We want to check and enforce a secure connection before the AUTH command to prevent credential leaks.
That's the default behavior. AllowInsecureAuth will turn that off.
from go-smtp.
If I understand the source code [1] correctly, with AllowInsecureAuth=false go-smtp disables AUTH (by not advertising AUTH support) but continues the SMTP session, right? What we want is to terminate or close the SMTP session instead.
[1] Lines 253 to 260 in b4236a6
from go-smtp.
I don't understand why one would want to advertise AUTH while always sending an error when it's used.
from go-smtp.
Misconfiguration.
from go-smtp.
Please elaborate... If I had to guess, is it to give users a clear error when they try to set up their client but forget to enable encryption?
from go-smtp.
Hi @emersion
Thanks for the patience and help.
Our SMTP "clients" are multiple MTAs, not MUAs, and we force a secure SMTP connection for secure traffic. If an MTA doesn't enable / establish a secure connection, we reject it (with a clear error message, of course) and terminate the connection to prevent leaking credentials in the AUTH directive until it's properly configured.
In this case, AllowInsecureAuth is not the solution since it continues the session.
Maybe it's better to add some more methods to the Session interface to allow developers to handle the connection or data in different SMTP states, for example:
- right after the connection is established. This is the best state in the SMTP session to perform IP address or reverse hostname based whitelisting and blacklisting.
- right after EHLO. Again, HELO hostname based white/blacklisting.
- right after STARTTLS (called regardless of whether the connection is secure or insecure). A good state to check and enforce a secure connection.
Your opinion?
from go-smtp.
@emersion Any update?
from go-smtp.
Insecure suggestion, leaks credentials, do not implement
Right, thanks for explaining, that makes sense. I'd suggest:
- Set AllowInsecureAuth = true
- In the Backend's NewSession function, check whether the connection is TLS or not, store that info somewhere in the returned Session, and return an error in AuthPlain.
from go-smtp.
> - In the Backend's NewSession function, check whether the connection is TLS or not, store that info somewhere in the returned Session, and return an error in AuthPlain.

Hi @emersion,
Thanks for the reply, but this suggestion won't work.
I tested this before creating this issue, and double-tested a moment ago: it doesn't work with STARTTLS.
I used testing code like the below:
```go
func (b *Backend) NewSession(conn *smtp.Conn) (session smtp.Session, err error) {
	ip, _, _ := utils.GetIPPortFromNetAddr(conn.Conn().RemoteAddr())
	// TLSConnectionState returns a zero state (Version 0) while the connection is still plaintext
	state, _ := conn.TLSConnectionState()
	fmt.Printf("DEBUG Version: [%s] %d\n", ip, state.Version)
	// ... omit other testing code here...
```
- When the client establishes the connection, state.Version is 0 (which means an insecure connection).
- Then the client issues the STARTTLS SMTP directive in the same SMTP session, NewSession is called again (?) and state.Version is now 772 (TLSv1.3, cipher suite TLS_AES_128_GCM_SHA256).
Since NewSession is called before the STARTTLS directive, we cannot judge whether it's secure at this stage, and smtp.Session doesn't have a public method for the STARTTLS directive. So we still have to check this in AuthPlain(), which may already leak the account credentials sent by the AUTH directive.
Can we add more public methods to smtp.Session to handle more SMTP stages? e.g. before AUTH.
from go-smtp.
What you're asking for is not possible protocol-wise. Clients may send either STARTTLS or AUTH directly, and there is no way to know in advance. If the client decides to send AUTH without STARTTLS, the credentials are leaked.
The AUTH command contains an optional initial response argument, which in the case of PLAIN contains the username/password.
from go-smtp.
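The following Go program is an added example, not code from go-smtp or from anyone in this thread. It models the exchange emersion describes above and the situation the reporter ran into: a toy SMTP command handler (a hypothetical stand-in for a real server, with constructed client scripts and a made-up "alice"/"s3cret" credential) that withholds the AUTH capability before TLS, the way AllowInsecureAuth=false does, yet still has the username and password in hand the moment a misconfigured MTA sends AUTH PLAIN with an RFC 4616 initial response. The best it can do at that point is answer with RFC 3207's "530 5.7.0 Must issue a STARTTLS command first" and drop the connection, which is exactly the check that has to live in the AUTH handler rather than at session creation. Reply codes, the PLAIN decoding and the state machine are this example's own simplifications, not go-smtp's implementation.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// connState is what a toy SMTP server knows when it must answer a command; tls flips
// after the (simulated) STARTTLS handshake, allowInsecureAuth mirrors go-smtp's option.
type connState struct {
	tls               bool
	allowInsecureAuth bool
	closed            bool
	seenUser          string // set the moment an AUTH PLAIN initial response is parsed
}

// Constructed credential store; "s3cret" is a made-up test password.
var creds = map[string]string{"alice": "s3cret"}

// decodePlain parses an RFC 4616 PLAIN response: base64([authzid] NUL authcid NUL passwd).
func decodePlain(b64 string) (authcid, passwd string, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", err
	}
	parts := strings.Split(string(raw), "\x00")
	if len(parts) != 3 {
		return "", "", fmt.Errorf("malformed PLAIN response")
	}
	return parts[1], parts[2], nil
}

func plainResponse(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte("\x00" + user + "\x00" + pass))
}

// handle answers one client command and updates the connection state.
func handle(st *connState, line string) string {
	verb, arg, _ := strings.Cut(line, " ")
	switch strings.ToUpper(verb) {
	case "EHLO":
		caps := []string{"250-mail.example", "250-STARTTLS"}
		// Withholding AUTH before TLS (AllowInsecureAuth=false) only steers
		// well-behaved clients; nothing stops a client from sending AUTH anyway.
		if st.tls || st.allowInsecureAuth {
			caps = append(caps, "250-AUTH PLAIN")
		}
		return strings.Join(append(caps, "250 OK"), "\r\n")
	case "STARTTLS":
		st.tls = true // the TLS handshake would run here
		return "220 Ready to start TLS"
	case "AUTH":
		mech, initial, _ := strings.Cut(arg, " ")
		if strings.ToUpper(mech) != "PLAIN" || initial == "" {
			return "504 5.5.4 Only AUTH PLAIN with an initial response is modelled"
		}
		// By the time the server can react, the credentials are already inside
		// this command (and crossed the wire in cleartext if !st.tls).
		user, pass, err := decodePlain(initial)
		if err != nil {
			return "501 5.5.2 Cannot decode response"
		}
		st.seenUser = user
		if !st.tls {
			st.closed = true // reject and drop, as the MTA operator asked for
			return "530 5.7.0 Must issue a STARTTLS command first"
		}
		if creds[user] != pass {
			return "535 5.7.8 Authentication credentials invalid"
		}
		return "235 2.7.0 Authentication successful"
	}
	return "500 5.5.1 Command unrecognized"
}

// runExchange feeds a client script to a fresh connection; it returns the replies
// sent before the server closed the connection and the final state.
func runExchange(cmds []string, allowInsecureAuth bool) ([]string, *connState) {
	st := &connState{allowInsecureAuth: allowInsecureAuth}
	var replies []string
	for _, c := range cmds {
		if st.closed {
			break
		}
		replies = append(replies, handle(st, c))
	}
	return replies, st
}

func main() {
	// Constructed script: a misconfigured MTA that authenticates without STARTTLS.
	script := []string{"EHLO mta.example", "AUTH PLAIN " + plainResponse("alice", "s3cret"), "MAIL FROM:<a@example>"}
	replies, st := runExchange(script, false)
	for i, r := range replies {
		fmt.Printf("C: %s\nS: %s\n", script[i], r)
	}
	fmt.Printf("connection closed: %v; username already received: %q\n", st.closed, st.seenUser)
}
```

Running it shows the EHLO reply without any AUTH line, then the 530 rejection and the closed connection, and finally that seenUser is already "alice": the rejection protects the account from being used over plaintext, but it cannot un-send the password. The same program with STARTTLS before the second EHLO advertises AUTH PLAIN and accepts the credentials, which is the behaviour an operator should enforce on the client side (require TLS in the MTA's transport map) rather than hope to catch on the server.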
OK, I will live with it. Thanks very much for helping. :)
from go-smtp.