Welcome! Log In Create A New Profile

Re: Proposed patch to enforce STARTTLS before MAIL FROM

Forum List Message List New Topic Print View

Maxim Dounin

March 05, 2019 01:24PM

Hello!

On Mon, Mar 04, 2019 at 01:06:58PM -0600, Community Proposed via nginx-devel wrote:

> Hello, in nginx 1.14.2 using a configuration directive of 'starttls only;' and
> 'smtp_auth none;' I noticed this was only applied to the AUTH section of the
> SMTP transaction. I have written the below to be applied to the MAIL FROM
> section which should be enforced over STARTTLS. MAIL FROM should occur before
> RCPT TO and DATA to avoid out of sequence errors. Scenarios where the patch
> changes would be seen in the real world would be for NGINX in front of an MTA
> which is the final destination. Without enforcing STARTTLS before the MAIL
> FROM the full conversation inclusive of the DATA command can occur in clear
> text during testing.

Not sure it is a good change.

The main goal of "starttls only;" used to be to ensure that
authenticated clients are using encryption and client credentials
are not transferred in clear text. While "smtp_auth none;" is to
be used on public SMTP servers, and RFC 3207 clearly says that:

A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally. This rule
prevents the STARTTLS extension from damaging the interoperability of
the Internet's SMTP infrastructure.

For example, with

starttls only;
smtp_auth none plain;

current behaviour is to require SSL/TLS for authentication, but
allow non-encrypted connections without authentication for mail
delivery. This matches RFC 3207 requirements out of the box.

With the suggested change such a configuration would violate the
above "MUST NOT" clause of RFC 3207. Moreover, it would be
impossible to configure nginx with a single listening socket to
accept only encrypted connections from clients, while accepting
mail delivery without encryption as required by RFC 3207.

If you want unathenticated clients to use SSL/TLS encryption, a
better solution might be to enforce this requirement with
auth_http script.

[...]

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
Proposed patch to enforce STARTTLS before MAIL FROM	Community Proposed via nginx-devel	329	March 04, 2019 02:08PM
Re: Proposed patch to enforce STARTTLS before MAIL FROM	Maxim Dounin	233	March 05, 2019 01:24PM
Re: Proposed patch to enforce STARTTLS before MAIL FROM	lists--- via nginx-devel	135	March 05, 2019 02:48PM
Re: Proposed patch to enforce STARTTLS before MAIL FROM	Maxim Dounin	151	March 07, 2019 12:40PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 165

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018