1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Mailu/core/admin/mailu/internal/nginx.py

156 lines
6.5 KiB
Python
Raw Normal View History

from mailu import models, utils
from flask import current_app as app
2022-11-01 00:57:51 +02:00
from socrate import system
2017-10-22 10:49:31 +02:00
import urllib
import ipaddress
import sqlalchemy.exc
2017-10-21 15:22:40 +02:00
SUPPORTED_AUTH_METHODS = ["none", "plain"]
2017-10-22 16:43:06 +02:00
STATUSES = {
"authentication": ("Authentication credentials invalid", {
"imap": "AUTHENTICATIONFAILED",
"smtp": "535 5.7.8",
2023-04-20 15:36:17 +02:00
"pop3": "-ERR Authentication failed",
"sieve": "AuthFailed"
}),
2020-09-01 21:48:09 +02:00
"encryption": ("Must issue a STARTTLS command first", {
"smtp": "530 5.7.0"
}),
2021-09-23 18:40:49 +02:00
"ratelimit": ("Temporary authentication failure (rate-limit)", {
"imap": "LIMIT",
"smtp": "451 4.3.2",
"pop3": "-ERR [LOGIN-DELAY] Retry later"
}),
}
2023-05-09 12:17:16 +02:00
WEBMAIL_PORTS = ['14190', '10143', '10025']
2023-06-02 11:39:42 +02:00
def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None, raw_user=None):
if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop):
2023-06-02 11:39:42 +02:00
app.logger.info(f'Login attempt for: {user or raw_user!r}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: account disabled')
return False
# webmails
2023-05-09 12:17:16 +02:00
if auth_port in WEBMAIL_PORTS and password.startswith('token-'):
if utils.verify_temp_token(user.get_id(), password):
2023-05-04 00:14:44 +02:00
app.logger.debug(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: webmail-token')
return True
if utils.is_app_token(password):
for token in user.tokens:
if token.check_password(password):
if not token.ip or utils.is_ip_in_subnet(ip, token.ip):
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: token-{token.id}: {token.comment or ""!r}')
2023-05-04 00:14:44 +02:00
return True
else:
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badip: token-{token.id}: {token.comment or ""!r}')
return False # we can return directly here since the token is valid
2023-05-04 00:14:44 +02:00
if user.check_password(password):
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')
return True
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')
return False
def handle_authentication(headers):
""" Handle an HTTP nginx authentication request
See: http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
"""
2023-04-20 15:36:17 +02:00
method = headers["Auth-Method"].lower()
protocol = headers["Auth-Protocol"].lower()
# Incoming mail, no authentication
if method == "none" and protocol == "smtp":
2020-09-01 21:48:09 +02:00
server, port = get_server(protocol, False)
if app.config["INBOUND_TLS_ENFORCE"]:
2020-09-02 15:16:10 +02:00
if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
2020-09-01 21:48:09 +02:00
return {
"Auth-Status": "OK",
"Auth-Server": server,
"Auth-Port": port
}
else:
status, code = get_status(protocol, "encryption")
return {
"Auth-Status": status,
"Auth-Error-Code" : code,
"Auth-Wait": 0
}
else:
return {
"Auth-Status": "OK",
"Auth-Server": server,
"Auth-Port": port
}
# Authenticated user
elif method == "plain":
2021-09-23 18:40:49 +02:00
is_valid_user = False
# According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
# be ASCII and are generally considered ISO8859-1. However when passing
# the password, nginx does not transcode the input UTF string, thus
# we need to manually decode.
raw_user_email = urllib.parse.unquote(headers["Auth-User"])
raw_password = urllib.parse.unquote(headers["Auth-Pass"])
2021-10-16 09:29:17 +02:00
user_email = 'invalid'
password = 'invalid'
try:
user_email = raw_user_email.encode("iso8859-1").decode("utf8")
password = raw_password.encode("iso8859-1").decode("utf8")
2021-10-12 14:47:00 +02:00
ip = urllib.parse.unquote(headers["Client-Ip"])
except:
app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
else:
try:
2022-03-05 19:41:06 +02:00
user = models.User.query.get(user_email) if '@' in user_email else None
except sqlalchemy.exc.StatementError as exc:
exc = str(exc).split('\n', 1)[0]
app.logger.warn(f'Invalid user {user_email!r}: {exc}')
else:
is_valid_user = user is not None
ip = urllib.parse.unquote(headers["Client-Ip"])
2023-06-02 11:39:42 +02:00
if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port'], user_email):
server, port = get_server(headers["Auth-Protocol"], True)
return {
"Auth-Status": "OK",
"Auth-Server": server,
"Auth-User": user_email,
"Auth-User-Exists": is_valid_user,
"Auth-Port": port
}
status, code = get_status(protocol, "authentication")
return {
"Auth-Status": status,
"Auth-Error-Code": code,
2021-09-23 18:40:49 +02:00
"Auth-User": user_email,
"Auth-User-Exists": is_valid_user,
"Auth-Wait": 0
}
# Unexpected
2023-04-20 15:36:17 +02:00
raise Exception("SHOULD NOT HAPPEN")
def get_status(protocol, status):
""" Return the proper error code depending on the protocol
"""
status, codes = STATUSES[status]
return status, codes[protocol]
def get_server(protocol, authenticated=False):
if protocol == "imap":
2022-12-08 13:46:31 +02:00
hostname, port = app.config['IMAP_ADDRESS'], 143
elif protocol == "pop3":
2022-12-08 13:46:31 +02:00
hostname, port = app.config['IMAP_ADDRESS'], 110
elif protocol == "smtp":
if authenticated:
2022-12-08 13:46:31 +02:00
hostname, port = app.config['SMTP_ADDRESS'], 10025
else:
2022-12-08 13:46:31 +02:00
hostname, port = app.config['SMTP_ADDRESS'], 25
2023-04-20 15:36:17 +02:00
elif protocol == "sieve":
hostname, port = app.config['IMAP_ADDRESS'], 4190
try:
2022-10-19 19:36:13 +02:00
# test if hostname is already resolved to an ip address
ipaddress.ip_address(hostname)
except:
# hostname is not an ip address - so we need to resolve it
2022-11-01 00:57:51 +02:00
hostname = system.resolve_hostname(hostname)
2019-01-25 13:28:24 +02:00
return hostname, port