Hello, in nginx 1.14.2 using a configuration directive of 'starttls only;' and
'smtp_auth none;' I noticed this was only applied to the AUTH section of the
SMTP transaction. I have written the below to be applied to the MAIL FROM
section which should be enforced over STARTTLS. MAIL FROM should occur before
RCPT TO and DATA to avoid out of sequence errors. Scenarios where the patch
changes would be seen in the real world would be for NGINX in front of an MTA
which is the final destination. Without enforcing STARTTLS before the MAIL
FROM the full conversation inclusive of the DATA command can occur in clear
text during testing.

--- /tmp/nginx-1.14.2/src/mail/ngx_mail_smtp_handler.c 2018-12-04
09:52:24.000000000 -0500
+++ /root/src/nginx-1.14.2/src/mail/ngx_mail_smtp_handler.c 2019-03-04
13:27:56.514409692 -0500
@@ -46,7 +46,7 @@
static u_char smtp_invalid_argument[] = "501 5.5.4 Invalid argument" CRLF;
static u_char smtp_auth_required[] = "530 5.7.1 Authentication required" CRLF;
static u_char smtp_bad_sequence[] = "503 5.5.1 Bad sequence of commands" CRLF;
-
+static u_char smtp_tls_required[] = "530 5.7.0 Must issue a STARTTLS command
first" CRLF;

static ngx_str_t smtp_unavailable = ngx_string("[UNAVAILABLE]");
static ngx_str_t smtp_tempunavail = ngx_string("[TEMPUNAVAIL]");
@@ -441,6 +441,13 @@
break;

case NGX_SMTP_MAIL:
+/* Nathan Fowler <nathan@packetmail.net>, 2019-03-04 */
+#if (NGX_MAIL_SSL)
+ if (ngx_mail_starttls_only(s, c)) {
+ ngx_str_set(&s->out, smtp_tls_required);
+ break;
+ }
+#endif
rc = ngx_mail_smtp_mail(s, c);

Cheers,
Nathan


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel