Opened 10 days ago

Last modified 4 days ago

#2649 new defect

ngx_mail_ssl_module "starttls only" issue without smtp authentication

Reported by: zeroleo12345 Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.25.x
Keywords: email starttls Cc: zeroleo12345
uname -a: Linux ec411e1ad3c3 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64 Linux
nginx -V: nginx version: nginx/1.27.0
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014)
built with OpenSSL 3.1.4 24 Oct 2023 (running with OpenSSL 3.1.5 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -fno-plt -g' --with-ld-opt='-Wl,--as-needed,-O1,--sort-common -Wl,-z,pack-relative-relocs'

Description (last modified by zeroleo12345)


With "starttls only" set in the mail config block,

I tested sending email to my SMTP server (via the nginx proxy); within this process, no SMTP authentication is needed to log in to my SMTP server.

The issue is that nginx did not force a TLS upgrade for the SMTP connection.

# nginx.conf (excerpt as posted; certificate paths truncated in the report)

mail {
    smtp_auth       none;                               # no AUTH stage at all
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;      # TLSv1/TLSv1.1 are deprecated; kept as posted
    ssl_ciphers     HIGH:!aNULL:!MD5;
    ssl_certificate        /etc/nginx/cert/;
    ssl_certificate_key    /etc/nginx/cert/;
    server {
        listen 25;
        protocol smtp;
        starttls only;                                  # STARTTLS is supposed to be mandatory here
    }
}

I checked the ngx_mail_ssl_module source code here:

It checks and forces a TLS connection only in the ngx_mail_smtp_auth() stage.
For the case where there is no SMTP username/password authentication stage, nginx still allows connecting without TLS.
Do you think this is a defect? And may we add one more invocation of ngx_mail_starttls_only() in the ngx_mail_smtp_mail() or ngx_mail_smtp_rcpt() stage?

ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c)
{
    ngx_str_t                 *arg;

    if (ngx_mail_starttls_only(s, c)) {
        /* ... excerpt ends here ... */
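A way to verify the behaviour described in this ticket against a running listener, as an added example that is not part of the ticket or of nginx's code: the probe below speaks only the cleartext side of SMTP (banner, EHLO, MAIL FROM, QUIT) and deliberately never sends STARTTLS, so a 2xx reply to MAIL FROM proves the server took an envelope command before any TLS was negotiated. To run offline it also carries a tiny fake server whose two modes model "accepts MAIL FROM in cleartext" (what the reporter describes) and "rejects until TLS is up". The fake server, the hostnames and every reply string are constructed for the demo; they are not nginx's actual responses.

```python
"""Probe whether an SMTP endpoint really requires STARTTLS before MAIL FROM.

Added example for this ticket, not nginx code. The probe never sends
STARTTLS, so a 2xx reply to MAIL FROM means the server accepted an envelope
command in cleartext. Fake server, hostnames and replies are constructed.
"""
import socket
import sys
import threading

CRLF = b"\r\n"


def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-..." continues, "250 ..." ends
            break
    return int(lines[-1][:3]), lines


def probe_starttls_enforcement(sock, ehlo_name="probe.example.test"):
    """Run EHLO then MAIL FROM in cleartext and report what was accepted."""
    rfile = sock.makefile("rb")
    code, banner = read_reply(rfile)
    if code != 220:
        raise RuntimeError("unexpected banner: %r" % banner)

    sock.sendall(b"EHLO " + ehlo_name.encode("ascii") + CRLF)
    code, ehlo = read_reply(rfile)
    advertises_starttls = any(l[4:].upper().startswith("STARTTLS") for l in ehlo)

    # Deliberately skip STARTTLS: does the server still take the envelope?
    sock.sendall(b"MAIL FROM:<probe@example.test>" + CRLF)
    mail_code, mail_lines = read_reply(rfile)

    sock.sendall(b"QUIT" + CRLF)
    read_reply(rfile)
    return {
        "advertises_starttls": advertises_starttls,
        "mail_from_code": mail_code,
        "mail_from_reply": mail_lines[-1],
        # True means "starttls only" was not enforced on the MAIL FROM path
        "accepted_mail_from_in_cleartext": mail_code // 100 == 2,
    }


def fake_smtp_server(conn, require_tls_before_mail):
    """Constructed cleartext responder for the offline demo. False mimics the
    reported behaviour; True mimics a server that rejects MAIL until TLS."""
    rfile = conn.makefile("rb")

    def send(*lines):
        conn.sendall(CRLF.join(l.encode("ascii") for l in lines) + CRLF)

    send("220 mail.example.test ESMTP ready")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        parts = raw.decode("ascii", "replace").split()
        verb = parts[0].upper() if parts else ""
        if verb == "EHLO":
            send("250-mail.example.test", "250-STARTTLS", "250 8BITMIME")
        elif verb == "MAIL":
            if require_tls_before_mail:        # TLS never happens in this demo
                send("530 5.7.0 Must issue a STARTTLS command first")
            else:
                send("250 2.1.0 OK")
        elif verb == "QUIT":
            send("221 2.0.0 Bye")
            break
        else:
            send("502 5.5.2 Command not implemented")
    conn.close()


def run_against_fake(require_tls_before_mail):
    """Drive the probe against the in-process fake over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server,
                         args=(server, require_tls_before_mail), daemon=True)
    t.start()
    try:
        return probe_starttls_enforcement(client)
    finally:
        client.close()
        t.join(timeout=5)


def probe_host(host, port=25, timeout=10):
    """Probe a real listener, e.g. the nginx mail proxy on port 25."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe_starttls_enforcement(s)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:
        for enforce in (False, True):
            print("fake enforces TLS first:", enforce, "->", run_against_fake(enforce))
```

Run it with a host and port to probe a real nginx mail proxy; with no arguments it runs the two fake modes. A listener configured with "starttls only" should behave like the second mode (MAIL FROM rejected, here with a 530, while STARTTLS is still advertised in EHLO); a result with accepted_mail_from_in_cleartext set to True reproduces what the reporter describes for the smtp_auth none case.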

Change History (2)

comment:1 by zeroleo12345, 4 days ago

Description: modified (diff)

comment:2 by zeroleo12345, 4 days ago

Description: modified (diff)