Opened 7 months ago

Last modified 6 months ago

#2649 new defect

ngx_mail_ssl_module "starttls only" issue if without smtp authentication — at Version 1

Reported by: zeroleo12345
Owned by:
Priority: major
Milestone:
Component: nginx-module
Version: 1.25.x
Keywords: email starttls
Cc: zeroleo12345
uname -a: Linux ec411e1ad3c3 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64 Linux
nginx -V: nginx version: nginx/1.27.0
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014)
built with OpenSSL 3.1.4 24 Oct 2023 (running with OpenSSL 3.1.5 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -fno-plt -g' --with-ld-opt='-Wl,--as-needed,-O1,--sort-common -Wl,-z,pack-relative-relocs'

Description (last modified by zeroleo12345)

Hi,

With "starttls only" set in the mail config block,

I tested sending email to my SMTP server (via the nginx proxy) from mail.qq.com.
In this process, no SMTP authentication is needed to log in to my SMTP server;

the issue is that nginx didn't force a TLS upgrade for the SMTP connection.

# nginx.conf (as posted in the ticket, with comments added)

mail {
    server_name     smtp.xxx.com;
    auth_http       http://127.0.0.1:80/mail/auth;
    smtp_auth       none;    # no AUTH required, so clients go straight to MAIL FROM
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers     HIGH:!aNULL:!MD5;
    ssl_certificate        /etc/nginx/cert/smtp.xxx.com.pem;
    ssl_certificate_key    /etc/nginx/cert/smtp.xxx.com.key;

    server {
        listen 25;
        protocol smtp;
        starttls only;       # intended to require STARTTLS before any mail command
    }
}

I checked the ngx_mail_ssl_module source code; it forces a TLS connection only if there is SMTP authentication. Do you think this is a defect? And could we add a call to ngx_mail_starttls_only in the ngx_mail_smtp_mail stage as well?

/* Excerpt quoted by the reporter from ngx_mail_auth_parse(), the handler for
   the AUTH command; the function continues beyond this point. The
   starttls-only check lives here, so it only runs once a client tries to
   authenticate. */
ngx_int_t
ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c)
{
    ngx_str_t                 *arg;

#if (NGX_MAIL_SSL)
    /* with "starttls only", reject AUTH on a connection that is still plaintext */
    if (ngx_mail_starttls_only(s, c)) {
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }
#endif
    /* ... remainder of the function not quoted in the ticket ... */
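An added example, not part of the ticket and not nginx code: a small audit that verifies whether a mail proxy really enforces STARTTLS for the unauthenticated path the reporter describes. It connects in plaintext, sends EHLO, and then issues MAIL FROM without ever sending STARTTLS; a server that enforces "starttls only" must reject that command (nginx's own reply code is not shown on the page, so the constructed server below uses 530 as a stand-in), while a 250 means mail is being accepted over an unencrypted connection. So that it runs offline, the block also includes a constructed in-process fake SMTP server with a switch for both behaviours; the hostnames and addresses (audit.example.invalid, probe@example.invalid) are placeholders.

```python
import socket
import threading


def _read_reply(rd):
    """Read one SMTP reply, joining continuation lines ("250-..."), and
    return (status_code, [text of each line])."""
    lines = []
    while True:
        raw = rd.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        lines.append(line[4:])
        if line[3] == " ":          # last line of a (possibly multi-line) reply
            return int(line[:3]), lines


def audit_starttls_enforcement(host, port, timeout=5.0):
    """Connect in plaintext, EHLO, then issue MAIL FROM *without* STARTTLS.
    A server that enforces "starttls only" must reject the MAIL command;
    a 250 here means mail is accepted unencrypted (the ticket's symptom)."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as rd:
        code, _ = _read_reply(rd)
        if code != 220:
            raise RuntimeError("unexpected greeting code %d" % code)
        sock.sendall(b"EHLO audit.example.invalid\r\n")        # placeholder host
        code, ehlo = _read_reply(rd)
        advertises = any(l.strip().upper() == "STARTTLS" for l in ehlo)
        sock.sendall(b"MAIL FROM:<probe@example.invalid>\r\n")  # placeholder sender
        mail_code, _ = _read_reply(rd)
        sock.sendall(b"QUIT\r\n")
        return {
            "advertises_starttls": advertises,
            "plaintext_mail_accepted": mail_code == 250,
            "mail_reply_code": mail_code,
        }


# Constructed fake SMTP server used only for this demonstration (it is not
# nginx). enforce_tls=False reproduces the behaviour described in the ticket
# (MAIL FROM accepted in plaintext); enforce_tls=True is the expected behaviour.
def serve_once(listener, enforce_tls):
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 fake.example.invalid ESMTP\r\n")
        upgraded = False
        while True:
            line = rd.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                conn.sendall(b"250-fake.example.invalid\r\n250 STARTTLS\r\n")
            elif cmd.startswith(b"STARTTLS"):
                upgraded = True        # a real server would negotiate TLS here
                conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
            elif cmd.startswith(b"MAIL FROM"):
                if enforce_tls and not upgraded:
                    conn.sendall(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
                else:
                    conn.sendall(b"250 2.1.0 OK\r\n")
            elif cmd.startswith(b"QUIT"):
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def audit_fake_server(enforce_tls):
    """Start the fake server on a loopback port and run the audit against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_once, args=(listener, enforce_tls), daemon=True)
    t.start()
    try:
        return audit_starttls_enforcement("127.0.0.1", port)
    finally:
        t.join(timeout=5.0)
        listener.close()


if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce_tls=%s ->" % enforce, audit_fake_server(enforce))
```

Against a real deployment, call audit_starttls_enforcement() with the proxy's host and port 25; if plaintext_mail_accepted comes back True while advertises_starttls is also True, the listener behaves as the ticket describes and the STARTTLS requirement is not being applied to unauthenticated sessions.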

Change History (1)

comment:1 by zeroleo12345, 6 months ago

Description: modified (diff)