Opened 4 weeks ago
Last modified 3 weeks ago
#2649 new defect
ngx_mail_ssl_module "starttls only" issue if without smtp authentication — at Version 1
| Reported by: | zeroleo12345 | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | 1.25.x |
| Keywords: | email starttls | Cc: | zeroleo12345 |
| uname -a: | Linux ec411e1ad3c3 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64 Linux | ||
| nginx -V: |
nginx version: nginx/1.27.0
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014) built with OpenSSL 3.1.4 24 Oct 2023 (running with OpenSSL 3.1.5 30 Jan 2024) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -fno-plt -g' --with-ld-opt='-Wl,--as-needed,-O1,--sort-common -Wl,-z,pack-relative-relocs' |
||
Description (last modified by )
Hi,
With setting "starttls only" in mail config block,
I tested that send email to my smtp server(via nginx proxy) from mail.qq.com,
within this process, it doesn't need smtp authentication to login my smtp server,
the issue is that nginx didn't force TLS upgrade for smtp connection.
# nginx.conf
mail {
server_name smtp.xxx.com;
auth_http http://127.0.0.1:80/mail/auth;
smtp_auth none;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_certificate /etc/nginx/cert/smtp.xxx.com.pem;
ssl_certificate_key /etc/nginx/cert/smtp.xxx.com.key;
server {
listen 25;
protocol smtp;
starttls only;
}
}
I checked in ngx_mail_ssl_module source code, it force TLS connection only if there is a smtp authentication. Do you think it is a defect? and may we add invoking ngx_mail_starttls_only in ngx_mail_smtp_mail stage as well?
ngx_int_t
ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c)
{
ngx_str_t *arg;
#if (NGX_MAIL_SSL)
if (ngx_mail_starttls_only(s, c)) {
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
#endif
Note:
See TracTickets
for help on using tickets.
