Opened 6 months ago
Last modified 6 months ago
#2649 new defect
ngx_mail_ssl_module "starttls only" issue if without smtp authentication
| Reported by | zeroleo12345 | Owned by | |
|---|---|---|---|
| Priority | major | Milestone | |
| Component | nginx-module | Version | 1.25.x |
| Keywords | email starttls | Cc | zeroleo12345 |

uname -a: Linux ec411e1ad3c3 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64 Linux

nginx -V:
nginx version: nginx/1.27.0
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014)
built with OpenSSL 3.1.4 24 Oct 2023 (running with OpenSSL 3.1.5 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -fno-plt -g' --with-ld-opt='-Wl,--as-needed,-O1,--sort-common -Wl,-z,pack-relative-relocs'
Description (last modified by )
Hi,
With "starttls only" set in the mail config block, I tested sending email to my SMTP server (via the nginx proxy) from mail.qq.com.
In this process, no SMTP authentication is needed to log in to my SMTP server;
the issue is that nginx didn't force a TLS upgrade for the SMTP connection.
# nginx.conf
mail {
    server_name smtp.xxx.com;
    auth_http http://127.0.0.1:80/mail/auth;
    smtp_auth none;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_certificate /etc/nginx/cert/smtp.xxx.com.pem;
    ssl_certificate_key /etc/nginx/cert/smtp.xxx.com.key;

    server {
        listen 25;
        protocol smtp;
        starttls only;
    }
}
I checked the ngx_mail_ssl_module source code here:
https://github.com/nginx/nginx/blob/master/src/mail/ngx_mail_smtp_handler.c#L664
It checks for and forces a TLS connection only in the ngx_mail_smtp_auth() stage.
For the case where there is no SMTP username/password authentication stage, nginx still allows connecting without TLS.
Do you think it is a defect? And may we add one more call to ngx_mail_starttls_only() in the ngx_mail_smtp_mail() or ngx_mail_smtp_rcpt() stage?
ngx_int_t
ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c)
{
    ngx_str_t  *arg;

#if (NGX_MAIL_SSL)
    if (ngx_mail_starttls_only(s, c)) {
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }
#endif
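The following is an added example (not code from this ticket or from nginx) that checks the behaviour described above from the outside, the way an operator would verify a "starttls only" relay: it connects in cleartext, sends EHLO, then attempts MAIL FROM without ever issuing STARTTLS and reports whether the server refused it. A server enforcing the policy should reject the command regardless of whether an AUTH step happens; a server that answers 250 has the gap the reporter describes. The function names (probe_starttls_enforcement, start_fake_smtp), the in-process SMTP stub used for the self-test, and the stub's 530 reply text are all constructed for this demonstration and are assumptions, not nginx's actual messages.

```python
import socket
import sys
import threading


def read_reply(f):
    """Read one SMTP reply (single- or multi-line) and return (code, lines)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        lines.append(line)
        # Continuation lines look like "250-STARTTLS"; the last line is "250 ...".
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def send(f, command):
    """Send one SMTP command line and return the parsed reply."""
    f.write(command + "\r\n")
    f.flush()
    return read_reply(f)


def probe_starttls_enforcement(host, port, helo_name="probe.example", timeout=10):
    """Connect in cleartext, EHLO, then try MAIL FROM without STARTTLS.

    Returns whether STARTTLS was advertised, the reply code to the cleartext
    MAIL FROM, and whether the server refused it ("enforced"). No message is
    ever submitted: an accepted MAIL FROM is followed by RSET and QUIT.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rw", encoding="ascii", errors="replace", newline="") as f:
            greet_code, _ = read_reply(f)
            if greet_code != 220:
                raise RuntimeError(f"unexpected greeting code {greet_code}")
            ehlo_code, ehlo_lines = send(f, f"EHLO {helo_name}")
            offered = any(l[4:].upper().startswith("STARTTLS") for l in ehlo_lines)
            mail_code, _ = send(f, "MAIL FROM:<probe@example.invalid>")
            if 200 <= mail_code < 300:
                send(f, "RSET")  # abort the transaction; nothing is delivered
            send(f, "QUIT")
    return {
        "starttls_offered": offered,
        "ehlo_code": ehlo_code,
        "cleartext_mail_code": mail_code,
        "enforced": not (200 <= mail_code < 300),
    }


def start_fake_smtp(enforce):
    """Constructed in-process SMTP stub for a self-test; returns its port.

    It advertises STARTTLS and, depending on `enforce`, either refuses a
    cleartext MAIL FROM with 530 (the expected policy) or accepts it with 250
    (the gap described in the ticket). The reply texts are assumptions.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rw", encoding="ascii", newline="") as f:
            f.write("220 stub.example ESMTP\r\n")
            f.flush()
            while True:
                line = f.readline()
                if not line:
                    break
                cmd = line.strip().upper()
                if cmd.startswith("EHLO"):
                    f.write("250-stub.example\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
                elif cmd.startswith("MAIL FROM"):
                    f.write("530 5.7.0 Must issue a STARTTLS command first\r\n"
                            if enforce else "250 2.1.0 Ok\r\n")
                elif cmd.startswith("RSET"):
                    f.write("250 2.0.0 Ok\r\n")
                elif cmd == "QUIT":
                    f.write("221 2.0.0 Bye\r\n")
                    f.flush()
                    break
                else:
                    f.write("502 5.5.2 Command not implemented\r\n")
                f.flush()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        # No target given: demonstrate against the constructed non-enforcing stub.
        host, port = "127.0.0.1", start_fake_smtp(enforce=False)
    result = probe_starttls_enforcement(host, port)
    print(result)
    print("OK: cleartext MAIL FROM refused" if result["enforced"]
          else "WARNING: cleartext MAIL FROM accepted before STARTTLS")
```

Run it with the host and port of your own relay as arguments; with no arguments it probes the built-in stub and prints the warning case. The check deliberately stops at MAIL FROM and never sends DATA, so it leaves no message in the queue, and it does not try STARTTLS itself because the question is only whether the cleartext path is closed.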
Change History (2)
comment:1 by , 6 months ago
    Description: modified (diff)

comment:2 by , 6 months ago
    Description: modified (diff)