Proposed patch to enforce STARTTLS before MAIL FROM

Community Proposed via nginx-devel
March 04, 2019 02:08PM
Hello. In nginx 1.14.2, using the configuration directives 'starttls only;' and
'smtp_auth none;', I noticed this was only applied to the AUTH section of the
SMTP transaction. I have written the patch below to apply it to the MAIL FROM
section, which should be enforced over STARTTLS. MAIL FROM should occur before
RCPT TO and DATA to avoid out-of-sequence errors. Scenarios where the patch's
changes would be seen in the real world would be NGINX in front of an MTA
which is the final destination. Without enforcing STARTTLS before the MAIL
FROM, the full conversation, inclusive of the DATA command, can occur in clear
text during testing.

--- /tmp/nginx-1.14.2/src/mail/ngx_mail_smtp_handler.c 2018-12-04
09:52:24.000000000 -0500
+++ /root/src/nginx-1.14.2/src/mail/ngx_mail_smtp_handler.c 2019-03-04
13:27:56.514409692 -0500
@@ -46,7 +46,7 @@
static u_char smtp_invalid_argument[] = "501 5.5.4 Invalid argument" CRLF;
static u_char smtp_auth_required[] = "530 5.7.1 Authentication required" CRLF;
static u_char smtp_bad_sequence[] = "503 5.5.1 Bad sequence of commands" CRLF;
-
+static u_char smtp_tls_required[] = "530 5.7.0 Must issue a STARTTLS command
first" CRLF;

static ngx_str_t smtp_unavailable = ngx_string("[UNAVAILABLE]");
static ngx_str_t smtp_tempunavail = ngx_string("[TEMPUNAVAIL]");
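Review bot: the new declaration is added in place of the blank line that separated the static reply strings from the ngx_str_t declarations (the removed `-` line just before `+static u_char smtp_tls_required[]`); keep that blank line and insert the new string above it so the two groups stay visually separate. Also, as quoted in the mail the string literal is wrapped across two lines ("... STARTTLS command" / "first" CRLF;), so the patch will not apply as pasted; resend it with long lines intact or as an attachment. The reply text itself matches the "530 Must issue a STARTTLS command first" wording RFC 3207 prescribes, which is the right choice here.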
@@ -441,6 +441,13 @@
break;

case NGX_SMTP_MAIL:
+/* Nathan Fowler <nathan@packetmail.net>, 2019-03-04 */
+#if (NGX_MAIL_SSL)
+ if (ngx_mail_starttls_only(s, c)) {
+ ngx_str_set(&s->out, smtp_tls_required);
+ break;
+ }
+#endif
rc = ngx_mail_smtp_mail(s, c);
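Review bot: drop the `/* Nathan Fowler <nathan@packetmail.net>, 2019-03-04 */` attribution comment; the nginx sources do not carry per-change author credits in code, and the attribution and the rationale from the covering mail ('starttls only' with 'smtp_auth none' leaves MAIL FROM, RCPT TO and DATA in clear text) belong in the commit message instead. The check itself is placed correctly: it runs before ngx_mail_smtp_mail(), sets s->out and breaks without changing session state, so a client that then issues STARTTLS can repeat MAIL FROM, and since ngx_mail_smtp_mail() is never reached no envelope state is recorded for the clear-text attempt. The mail says the same starttls_only check already exists on the AUTH path in this file; confirm that the reply used there and the new smtp_tls_required reply are consistent, or say in the commit message why MAIL needs the RFC 3207 text while AUTH keeps whatever it replies today. Indentation of the added lines cannot be judged from the wrapped quote.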

Cheers,
Nathan


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
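The behaviour the post describes (MAIL FROM accepted in clear text unless STARTTLS is enforced before it) is easy to confirm from the client side. The probe below is an added example, not code from the post or from nginx: it sends MAIL FROM once before STARTTLS and once after, and classifies the pair of reply codes. The target host and port, the sender address probe@example.invalid, and the verdict labels are assumptions of this example; the 530 code it looks for is the one the patch emits.

```python
"""Added example (not from the nginx-devel post or the nginx source): probe an
SMTP listener to see whether MAIL FROM is refused until STARTTLS has been done.

Assumptions (not on the page): the target host/port given on the command line,
the placeholder sender address probe@example.invalid, and that the server
answers EHLO. The 530 reply code is the one the proposed patch returns.
"""
import smtplib
import ssl
import sys
from typing import Optional

PROBE_SENDER = "probe@example.invalid"  # assumed placeholder address


def verdict(clear_code: int, tls_code: Optional[int]) -> str:
    """Classify a probe from the two MAIL FROM reply codes.

    clear_code: reply to MAIL FROM sent before STARTTLS.
    tls_code:   reply to MAIL FROM sent after STARTTLS, or None if that leg
                was not attempted (e.g. STARTTLS was not offered).
    """
    if 200 <= clear_code < 300:
        # Envelope accepted in clear: RCPT TO and DATA can follow without TLS,
        # which is exactly what the patch on the page prevents.
        return "not-enforced"
    if clear_code == 530 and tls_code is not None and 200 <= tls_code < 300:
        # Refused in clear, accepted once the session is encrypted.
        return "enforced"
    if clear_code == 530 and tls_code == 530:
        # Still refused after TLS: something else (e.g. auth) gates MAIL FROM.
        return "refused-both"
    return "inconclusive"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Send MAIL FROM in the clear, then again after STARTTLS; record both replies."""
    result = {"offers_starttls": False, "clear": None, "tls": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["offers_starttls"] = smtp.has_extn("starttls")

        # Leg 1: envelope in clear text.
        code, msg = smtp.docmd("MAIL", "FROM:<%s>" % PROBE_SENDER)
        result["clear"] = (code, msg.decode(errors="replace"))
        if 200 <= code < 300:
            smtp.rset()  # discard the clear-text envelope before upgrading

        # Leg 2: the same command after upgrading the connection.
        if result["offers_starttls"]:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # probing only; never for real mail
            smtp.starttls(context=ctx)
            smtp.ehlo()
            code, msg = smtp.docmd("MAIL", "FROM:<%s>" % PROBE_SENDER)
            result["tls"] = (code, msg.decode(errors="replace"))
            smtp.rset()

    tls_code = result["tls"][0] if result["tls"] else None
    result["verdict"] = verdict(result["clear"][0], tls_code)
    return result


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe(target_host, target_port))
```

Run it as `python3 probe.py mail.example.invalid 25` against an nginx instance with 'starttls only;' and 'smtp_auth none;': an unpatched 1.14.2 should report "not-enforced" (250 to the clear-text MAIL FROM), a patched one "enforced" (530 in clear, 250 after STARTTLS). Certificate verification is switched off only because the probe is about command sequencing, not trust.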
Thread:

Proposed patch to enforce STARTTLS before MAIL FROM, Community Proposed via nginx-devel, March 04, 2019 02:08PM
Re: Proposed patch to enforce STARTTLS before MAIL FROM, Maxim Dounin, March 05, 2019 01:24PM
Re: Proposed patch to enforce STARTTLS before MAIL FROM, lists--- via nginx-devel, March 05, 2019 02:48PM
Re: Proposed patch to enforce STARTTLS before MAIL FROM, Maxim Dounin, March 07, 2019 12:40PM
