-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config: disable SMTP authentication on port 25 #3006
Conversation
@georglauterbach did you want this PR to be tackled and reviewed before / after your upcoming one? It looks like there would minimal conflicts so far. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Little bit of feedback with the current state of the PR
test/test-files/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
Outdated
Show resolved
Hide resolved
I am not sure if there is demand, but we might consider to make this configurable (with default disabled)? The old test could be leave untouched, but new tests should be added. |
As the linked issue notes, authentication on port 25 isn't something popular vendors like GMAIL offer, nor competing dockerized mail-server projects. It's disabled by default in Postfix config upstream as well. Mail submission requiring authentication is intended for the submissions ports. Port 25 for inbound connections should only be responsible for receiving mail, not handling authenticated submissions. It's true that some relay host services like SendGrid do offer authenticated submission on port 25, but they also typically have the standard 587 and 465 submission ports, and additional alternative ports (eg: 2525) that vary for users where outbound port 25 is blocked. That said, I haven't looked at our relay support in a while and I know that needs some work. Tests don't presently cover relaying between DMS instances properly IIRC (at least not to the extent I wanted to see). Some users might be relying on it, but this change in default config would be a breaking change for them regardless. We'd get a better idea for demand making it configurable via ENV after release. I'm not fussed though, as it's a single The There was also a discussion about this in Feb 2018 (user wanted to AUTH on port 25), but maintainer / contributor agree that it should not be supported. |
I'm fine with merging this (when reviewed of course). I don't see the need for an ENV as well. I think this should be a proper default, and for those that need it, there are enough ways of enabling it again. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some minor things that need a bit of clarification. Otherwise looks good!
EDIT: Gave a review when this PR is still WIP - sorry!
test/test-files/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
Outdated
Show resolved
Hide resolved
NOTE: I have merged a PR that interferes here; we need to pay special attention when reviewing the resolving of the conflicts. |
At this point due to the activity going on to refactor the test suite, it might be best to hold off resolving any conflicts. The changes are small enough to apply cleanly again after all the churn is out of the way 😅 |
Yep, good idea 👍🏼 |
@mazzz1y I will pick this up and provide the proper integration when we're done finishing the test refactoring (~ 2 weeks). |
@mazzz1y sorry for the delay.. could you re-apply your changes to the current state of |
I'll handle it within the following week hopefully 😅 Of note, this will likely contribute to this concern? #1247
|
You're right.. we could check if |
Yeah, I think so. Just no Dovecot for the SASL with that ENV AFAIK? There's SASLAUTHD instead (used for LDAP, but offers other modes too I think). I would need to properly look over the referenced issue. |
One option would be to just |
Current failure for the LDAP spoof check is related to it failing to verify the cert I think? Probably due to port 465 instead of 587 with StartTLS? (just a guess) I don't have time to look into the failure myself as my backlog is too much already. I do recognize
I don't believe that is used anywhere else. Our testing self-signed certs should be for It doesn't help that the LDAP test hasn't been ported to our new testing conventions + methods, which may affect that, but I guess it could be something else going on related to LDAP specifically 😅 Port 25 will permit plain-text if a secure connection cannot be established, but 587 (and more obviously 465) should not.
I doubt it's related to this PR. Tests relying on Amavis may fail transiently due to startup being ready with Postfix to send / receive mail before Amavis itself is ready (now that we've optimized the startup). Affected tests can delay sending with some sleep after the
For LDAP, since we lack maintainers and no one is stepping up, we can't provide guarantees or official support. If there is no one able to take the time to resolve it, I'd be in favor of adding a |
@polarathene no, please ignore these lines. It is just a warning and can be safely ignored. Please check my full explanation and try to debug this test manually. It shows only first three lines of output:
|
We will add a |
The test seems to have been broken from the beginning. Sadly, no LDAP maintainers can verify. Added a TODO item if ever a LDAP maintainer comes around.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM now 👍🏼
Ah gotcha, thanks for that. |
LGTM, happy to approve but would like to clarify why some Could you please just comment here about when / why that is needed sometimes in our tests? After that I'll approve. |
Because 465/587 listeners rejects plain-text requests there. Where it doesn't work I just replaced it with openssl. root@mail:/# nc 0.0.0.0 465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt
root@mail:/# nc 0.0.0.0 587 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt
220 mail.my-domain.com ESMTP
250-mail.my-domain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
530 5.7.0 Must issue a STARTTLS command first
502 5.5.2 Error: command not recognized
502 5.5.2 Error: command not recognized
530 5.7.0 Must issue a STARTTLS command first
530 5.7.0 Must issue a STARTTLS command first
530 5.7.0 Must issue a STARTTLS command first
221 2.7.0 Error: I can break rules, too. Goodbye.
### expected behavior ###
root@mail:/# openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt
Can't use SSL_get_servername
depth=0 CN = docker-mailserver.invalid
verify return:1
220 mail.my-domain.com ESMTP
250-mail.my-domain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 2.7.0 Authentication successful
250 2.1.0 Ok
553 5.7.1 <ldap@localhost.localdomain>: Sender address rejected: not owned by user some.user@localhost.localdomain
554 5.5.1 Error: no valid recipients
221 2.7.0 Error: I can break rules, too. Goodbye.
|
Would this generally apply? I.e. when using port 465/587 that we should use |
No, in other tests listener accepts only plain text messages, looks like it is related to test server configuration, but I didn't deep into it ## test/tests/parallel/set3/mta/smtp_delivery.bats
## @test "should successfully authenticate with good password (plain)"
root@mail:/# nc -w 5 0.0.0.0 465 < /tmp/docker-mailserver-test/auth/smtp-auth-plain.txt
220 mail.example.test ESMTP
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
235 2.7.0 Authentication successful
221 2.0.0 Bye
root@mail:/# openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/smtp-auth-plain.txt
139985178903872:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
root@mail:/# openssl s_client -starttls smtp -quiet -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/smtp-auth-plain.txt
Didn't find STARTTLS in server response, trying anyway...
140094189851968:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331: |
I see, thanks for the quick reply. I will tend to this in #3105. |
config: disable SMTP authentication on port 25 (#3006) * postfix: remove smtpd_sasl_auth_enable global setting * tests: disable auth on 25 port * tests: revert ldap-smtp-auth-spoofed-sender-with-filter-exception.txt * Skip failing test The test seems to have been broken from the beginning. Sadly, no LDAP maintainers can verify. Added a TODO item if ever a LDAP maintainer comes around. * Apply PR feedback --------- Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> added plausibility checks for milter insertion corrected grep in tests revert changes to milter insertion
Description
Fixes #2895
smtpd_sasl_auth_enable
parameter from postfix configuration file. It disabled by default: docsType of change
Improvement (non-breaking change that does improve existing functionality)
Checklist:
docs/
)