Opened 3 weeks ago

Last modified 2 weeks ago

#2649 new defect

ngx_mail_ssl_module "starttls only" issue if without smtp authentication

Reported by: zeroleo12345 Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.25.x
Keywords: email starttls Cc: zeroleo12345
uname -a: Linux ec411e1ad3c3 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64 Linux
nginx -V: nginx version: nginx/1.27.0
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014)
built with OpenSSL 3.1.4 24 Oct 2023 (running with OpenSSL 3.1.5 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -fno-plt -g' --with-ld-opt='-Wl,--as-needed,-O1,--sort-common -Wl,-z,pack-relative-relocs'

Description (last modified by zeroleo12345)

Hi,

With "starttls only" set in the mail config block,

I tested sending email to my SMTP server (via the nginx proxy) from mail.qq.com.
Within this process, it doesn't need SMTP authentication to log in to my SMTP server.

The issue is that nginx didn't force a TLS upgrade for the SMTP connection.

# nginx.conf

mail {
    server_name     smtp.xxx.com;
    auth_http       http://127.0.0.1:80/mail/auth;
    smtp_auth       none;
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers     HIGH:!aNULL:!MD5;
    ssl_certificate        /etc/nginx/cert/smtp.xxx.com.pem;
    ssl_certificate_key    /etc/nginx/cert/smtp.xxx.com.key;
  
    server {
        listen 25; 
        protocol smtp;
        starttls only; 
    }   
}

I checked the ngx_mail_ssl_module source code here:

https://github.com/nginx/nginx/blob/master/src/mail/ngx_mail_smtp_handler.c#L664

It checks and forces the TLS connection only in the ngx_mail_smtp_auth() stage.
For the case where there is no SMTP username/password authentication stage, nginx still allows connecting without TLS.
Do you think it is a defect? And may we add one more invocation of ngx_mail_starttls_only() in the ngx_mail_smtp_mail() or ngx_mail_smtp_rcpt() stage?

ngx_int_t
ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c)
{
    ngx_str_t                 *arg;

#if (NGX_MAIL_SSL)
    /* with "starttls only", refuse the command unless the connection is already TLS */
    if (ngx_mail_starttls_only(s, c)) {
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }
#endif
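
One way to check from the outside whether a listener refuses mail before STARTTLS, as an added example that is not part of the ticket or of nginx: the probe sends MAIL FROM on a plaintext session and reports the reply code. `FakeSMTP`, `StrictFakeSMTP`, the `smtp_factory` parameter and the `example.invalid` names are constructed for illustration; the 530 reply is the code RFC 3207 defines for this refusal and is assumed here, not taken from nginx.

```python
import smtplib

def probe_plaintext_mail(host, port=25, timeout=10.0, smtp_factory=smtplib.SMTP):
    """Send MAIL FROM without STARTTLS; return (starttls_offered, reply_code)."""
    with smtp_factory(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.invalid")  # placeholder client name
        offered = smtp.has_extn("starttls")
        code, _ = smtp.docmd("MAIL", "FROM:<probe@example.invalid>")
        if 200 <= code < 300:
            # No RCPT or DATA follows; RSET abandons the transaction just opened.
            smtp.rset()
    return offered, code

def enforces_starttls(host, port=25, **kwargs):
    """True only if STARTTLS is advertised and plaintext MAIL FROM is refused."""
    offered, code = probe_plaintext_mail(host, port, **kwargs)
    return offered and not 200 <= code < 300

class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    accept_plaintext_mail = True  # mimics the behaviour reported in the ticket

    def __init__(self, host, port, timeout=None):
        self.host, self.port = host, port
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def ehlo(self, name=""):
        return 250, b"fake.example.invalid\nSTARTTLS"
    def has_extn(self, opt):
        return opt.lower() == "starttls"
    def docmd(self, cmd, args=""):
        if cmd == "MAIL" and not self.accept_plaintext_mail:
            # Reply RFC 3207 defines for commands refused before STARTTLS.
            return 530, b"5.7.0 Must issue a STARTTLS command first"
        return 250, b"2.0.0 OK"
    def rset(self):
        return 250, b"2.0.0 OK"

class StrictFakeSMTP(FakeSMTP):
    accept_plaintext_mail = False  # refuses MAIL until the session is encrypted

if __name__ == "__main__":
    for factory in (FakeSMTP, StrictFakeSMTP):
        print(factory.__name__,
              enforces_starttls("smtp.example.invalid", smtp_factory=factory))
```

Against a real listener, call `enforces_starttls(host, 25)` with the default `smtplib.SMTP` factory; a `False` result with STARTTLS advertised matches the behaviour described in this ticket.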

Change History (2)

comment:1 by zeroleo12345, 2 weeks ago

Description: modified (diff)

comment:2 by zeroleo12345, 2 weeks ago

Description: modified (diff)