Mailu/core/admin/mailu/internal/nginx.py

from mailu import models, utils
from flask import current_app as app
from socrate import system

import urllib
import ipaddress
import sqlalchemy.exc

SUPPORTED_AUTH_METHODS = ["none", "plain"]


STATUSES = {
    "authentication": ("Authentication credentials invalid", {
        "imap": "AUTHENTICATIONFAILED",
        "smtp": "535 5.7.8",
        "pop3": "-ERR Authentication failed",
        "sieve": "AuthFailed"
    }),
    "encryption": ("Must issue a STARTTLS command first", {
        "smtp": "530 5.7.0"
    }),
    "ratelimit": ("Temporary authentication failure (rate-limit)", {
        "imap": "LIMIT",
        "smtp": "451 4.3.2",
        "pop3": "-ERR [LOGIN-DELAY] Retry later"
    }),
}

WEBMAIL_PORTS = ['14190', '10143', '10025']

def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None):
    if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop):
        app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: account disabled')
        return False
    # webmails
    if auth_port in WEBMAIL_PORTS and password.startswith('token-'):
        if utils.verify_temp_token(user.get_id(), password):
            app.logger.debug(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: webmail-token')
            return True
    if utils.is_app_token(password):
        for token in user.tokens:
            if (token.check_password(password) and
                (not token.ip or token.ip == ip)):
                    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: token-{token.id}: {token.comment or ""!r}')
                    return True
    if user.check_password(password):
        app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')
        return True
    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')
    return False

def handle_authentication(headers):
    """ Handle an HTTP nginx authentication request
    See: http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
    """
    method = headers["Auth-Method"].lower()
    protocol = headers["Auth-Protocol"].lower()
    # Incoming mail, no authentication
    if method == "none" and protocol == "smtp":
        server, port = get_server(protocol, False)
        if app.config["INBOUND_TLS_ENFORCE"]:
            if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
                return {
                    "Auth-Status": "OK",
                    "Auth-Server": server,
                    "Auth-Port": port
                }
            else:
                status, code = get_status(protocol, "encryption")
                return {
                    "Auth-Status": status,
                    "Auth-Error-Code" : code,
                    "Auth-Wait": 0
                }
        else:
            return {
                "Auth-Status": "OK",
                "Auth-Server": server,
                "Auth-Port": port
            }
    # Authenticated user
    elif method == "plain":
        is_valid_user = False
        # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
        # be ASCII and are generally considered ISO8859-1. However when passing
        # the password, nginx does not transcode the input UTF string, thus
        # we need to manually decode.
        raw_user_email = urllib.parse.unquote(headers["Auth-User"])
        raw_password = urllib.parse.unquote(headers["Auth-Pass"])
        user_email = 'invalid'
        password = 'invalid'
        try:
            user_email = raw_user_email.encode("iso8859-1").decode("utf8")
            password = raw_password.encode("iso8859-1").decode("utf8")
            ip = urllib.parse.unquote(headers["Client-Ip"])
        except:
            app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
        else:
            try:
                user = models.User.query.get(user_email) if '@' in user_email else None
            except sqlalchemy.exc.StatementError as exc:
                exc = str(exc).split('\n', 1)[0]
                app.logger.warn(f'Invalid user {user_email!r}: {exc}')
            else:
                is_valid_user = user is not None
                ip = urllib.parse.unquote(headers["Client-Ip"])
                if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port']):
                    server, port = get_server(headers["Auth-Protocol"], True)
                    return {
                        "Auth-Status": "OK",
                        "Auth-Server": server,
                        "Auth-User": user_email,
                        "Auth-User-Exists": is_valid_user,
                        "Auth-Port": port
                    }
        status, code = get_status(protocol, "authentication")
        return {
            "Auth-Status": status,
            "Auth-Error-Code": code,
            "Auth-User": user_email,
            "Auth-User-Exists": is_valid_user,
            "Auth-Wait": 0
        }
    # Unexpected
    raise Exception("SHOULD NOT HAPPEN")


def get_status(protocol, status):
    """ Return the proper error code depending on the protocol
    """
    status, codes = STATUSES[status]
    return status, codes[protocol]

def get_server(protocol, authenticated=False):
    if protocol == "imap":
        hostname, port = app.config['IMAP_ADDRESS'], 143
    elif protocol == "pop3":
        hostname, port = app.config['IMAP_ADDRESS'], 110
    elif protocol == "smtp":
        if authenticated:
            hostname, port = app.config['SMTP_ADDRESS'], 10025
        else:
            hostname, port = app.config['SMTP_ADDRESS'], 25
    elif protocol == "sieve":
        hostname, port = app.config['IMAP_ADDRESS'], 4190
    try:
        # test if hostname is already resolved to an ip address
        ipaddress.ip_address(hostname)
    except:
        # hostname is not an ip address - so we need to resolve it
        hostname = system.resolve_hostname(hostname)
    return hostname, port
Fix 2080 Ensure that webmail tokens are in sync with sessions 2021-12-20 00:24:44 +02:00			`from mailu import models, utils`
First batch of refactoring, using the app factory pattern 2018-10-18 15:57:43 +02:00			`from flask import current_app as app`
Resolve using socrate function 2022-11-01 00:57:51 +02:00			`from socrate import system`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00
Unescape passwords before cecking 2017-10-22 10:49:31 +02:00			`import urllib`
Resolve HOST_* to _ADDRESS only if _ADDRESS is not already set 2019-08-23 08:43:59 +02:00			`import ipaddress`
Prevent traceback when using non-email in login There's a traceback when the username used to log via SMTPAUTH in is not an email address: === before === ``` [...] ERROR in app: Exception on /internal/auth/email [GET] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context context = constructor(dialect, self, conn, *args) File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled param.append(processors[key](compiled_params[key])) File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process return process_param(value, dialect) File "/app/mailu/models.py", line 60, in process_bind_param localpart, domain_name = value.lower().rsplit('@', 1) ValueError: not enough values to unpack (expected 2, got 1) [...] [parameters: [{'%(140657157923216 param)s': 'foobar'}]] ``` === after === ``` [...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@") ``` 2021-09-28 10:38:37 +02:00			`import sqlalchemy.exc`
Return the server address dynamically 2017-10-21 15:22:40 +02:00
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`SUPPORTED_AUTH_METHODS = ["none", "plain"]`

Rename the authentication endpoint 2017-10-22 16:43:06 +02:00
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`STATUSES = {`
			`"authentication": ("Authentication credentials invalid", {`
			`"imap": "AUTHENTICATIONFAILED",`
			`"smtp": "535 5.7.8",`
Implement managesieve support 2023-04-20 15:36:17 +02:00			`"pop3": "-ERR Authentication failed",`
			`"sieve": "AuthFailed"`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`}),`
add option to enforce inbound starttls 2020-09-01 21:48:09 +02:00			`"encryption": ("Must issue a STARTTLS command first", {`
			`"smtp": "530 5.7.0"`
			`}),`
Implement rate-limits 2021-09-23 18:40:49 +02:00			`"ratelimit": ("Temporary authentication failure (rate-limit)", {`
			`"imap": "LIMIT",`
			`"smtp": "451 4.3.2",`
			`"pop3": "-ERR [LOGIN-DELAY] Retry later"`
			`}),`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`}`

Need this too 2023-05-09 12:17:16 +02:00			`WEBMAIL_PORTS = ['14190', '10143', '10025']`
close #2451: prevent an auth-loop on webmails 2022-11-29 14:25:50 +02:00
Improve auth-related logging 2023-05-04 00:14:44 +02:00			`def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None):`
close #2451: prevent an auth-loop on webmails 2022-11-29 14:25:50 +02:00			`if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop):`
Update nginx.py Fix typo 2023-05-12 21:14:39 +02:00			`app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: account disabled')`
Refactor auth under nginx.check_credentials() 2021-02-09 10:20:02 +02:00			`return False`
Merge remote-tracking branch 'upstream/master' into webmail-sso 2021-03-10 15:41:12 +02:00			`# webmails`
Need this too 2023-05-09 12:17:16 +02:00			`if auth_port in WEBMAIL_PORTS and password.startswith('token-'):`
Fix 2080 Ensure that webmail tokens are in sync with sessions 2021-12-20 00:24:44 +02:00			`if utils.verify_temp_token(user.get_id(), password):`
Improve auth-related logging 2023-05-04 00:14:44 +02:00			`app.logger.debug(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: webmail-token')`
			`return True`
			`if utils.is_app_token(password):`
Refactor auth under nginx.check_credentials() 2021-02-09 10:20:02 +02:00			`for token in user.tokens:`
			`if (token.check_password(password) and`
			`(not token.ip or token.ip == ip)):`
Merge remote-tracking branch 'origin/improve-logs' into improve-logs 2023-05-13 11:59:22 +02:00			`app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: token-{token.id}: {token.comment or ""!r}')`
Improve auth-related logging 2023-05-04 00:14:44 +02:00			`return True`
			`if user.check_password(password):`
			`app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')`
			`return True`
			`app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')`
			`return False`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00
			`def handle_authentication(headers):`
			`""" Handle an HTTP nginx authentication request`
			`See: http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol`
			`"""`
Implement managesieve support 2023-04-20 15:36:17 +02:00			`method = headers["Auth-Method"].lower()`
			`protocol = headers["Auth-Protocol"].lower()`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`# Incoming mail, no authentication`
			`if method == "none" and protocol == "smtp":`
add option to enforce inbound starttls 2020-09-01 21:48:09 +02:00			`server, port = get_server(protocol, False)`
			`if app.config["INBOUND_TLS_ENFORCE"]:`
fix small typo in Auth-SSL 2020-09-02 15:16:10 +02:00			`if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":`
add option to enforce inbound starttls 2020-09-01 21:48:09 +02:00			`return {`
			`"Auth-Status": "OK",`
			`"Auth-Server": server,`
			`"Auth-Port": port`
			`}`
			`else:`
			`status, code = get_status(protocol, "encryption")`
			`return {`
			`"Auth-Status": status,`
			`"Auth-Error-Code" : code,`
			`"Auth-Wait": 0`
			`}`
			`else:`
			`return {`
			`"Auth-Status": "OK",`
			`"Auth-Server": server,`
			`"Auth-Port": port`
			`}`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`# Authenticated user`
			`elif method == "plain":`
Implement rate-limits 2021-09-23 18:40:49 +02:00			`is_valid_user = False`
optimize handle_authentication - catch decoding of nginx headers (utf-8 exception) - re-ordered function 2021-09-05 19:47:10 +02:00			`# According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should`
			`# be ASCII and are generally considered ISO8859-1. However when passing`
			`# the password, nginx does not transcode the input UTF string, thus`
			`# we need to manually decode.`
			`raw_user_email = urllib.parse.unquote(headers["Auth-User"])`
			`raw_password = urllib.parse.unquote(headers["Auth-Pass"])`
Initialize user_email in all cases 2021-10-16 09:29:17 +02:00			`user_email = 'invalid'`
Only account for distinct attempts in rate limits 2023-04-01 11:33:02 +02:00			`password = 'invalid'`
optimize handle_authentication - catch decoding of nginx headers (utf-8 exception) - re-ordered function 2021-09-05 19:47:10 +02:00			`try:`
			`user_email = raw_user_email.encode("iso8859-1").decode("utf8")`
			`password = raw_password.encode("iso8859-1").decode("utf8")`
Merge branch 'master' into ratelimits 2021-10-12 14:47:00 +02:00			`ip = urllib.parse.unquote(headers["Client-Ip"])`
optimize handle_authentication - catch decoding of nginx headers (utf-8 exception) - re-ordered function 2021-09-05 19:47:10 +02:00			`except:`
			`app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')`
Honor feature limitations for imap and pop3 2017-11-21 21:46:18 +02:00			`else:`
Prevent traceback when using non-email in login There's a traceback when the username used to log via SMTPAUTH in is not an email address: === before === ``` [...] ERROR in app: Exception on /internal/auth/email [GET] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context context = constructor(dialect, self, conn, *args) File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled param.append(processors[key](compiled_params[key])) File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process return process_param(value, dialect) File "/app/mailu/models.py", line 60, in process_bind_param localpart, domain_name = value.lower().rsplit('@', 1) ValueError: not enough values to unpack (expected 2, got 1) [...] [parameters: [{'%(140657157923216 param)s': 'foobar'}]] ``` === after === ``` [...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@") ``` 2021-09-28 10:38:37 +02:00			`try:`
improve 2022-03-05 19:41:06 +02:00			`user = models.User.query.get(user_email) if '@' in user_email else None`
Prevent traceback when using non-email in login There's a traceback when the username used to log via SMTPAUTH in is not an email address: === before === ``` [...] ERROR in app: Exception on /internal/auth/email [GET] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context context = constructor(dialect, self, conn, *args) File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled param.append(processors[key](compiled_params[key])) File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process return process_param(value, dialect) File "/app/mailu/models.py", line 60, in process_bind_param localpart, domain_name = value.lower().rsplit('@', 1) ValueError: not enough values to unpack (expected 2, got 1) [...] [parameters: [{'%(140657157923216 param)s': 'foobar'}]] ``` === after === ``` [...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@") ``` 2021-09-28 10:38:37 +02:00			`except sqlalchemy.exc.StatementError as exc:`
			`exc = str(exc).split('\n', 1)[0]`
			`app.logger.warn(f'Invalid user {user_email!r}: {exc}')`
			`else:`
Move 'is_valid_user = user is not None' into else 2022-03-18 21:08:16 +02:00			`is_valid_user = user is not None`
Merge remote-tracking branch 'upstream/master' into ratelimits 2021-10-16 09:52:20 +02:00			`ip = urllib.parse.unquote(headers["Client-Ip"])`
Improve auth-related logging 2023-05-04 00:14:44 +02:00			`if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port']):`
Prevent traceback when using non-email in login There's a traceback when the username used to log via SMTPAUTH in is not an email address: === before === ``` [...] ERROR in app: Exception on /internal/auth/email [GET] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context context = constructor(dialect, self, conn, *args) File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled param.append(processors[key](compiled_params[key])) File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process return process_param(value, dialect) File "/app/mailu/models.py", line 60, in process_bind_param localpart, domain_name = value.lower().rsplit('@', 1) ValueError: not enough values to unpack (expected 2, got 1) [...] [parameters: [{'%(140657157923216 param)s': 'foobar'}]] ``` === after === ``` [...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@") ``` 2021-09-28 10:38:37 +02:00			`server, port = get_server(headers["Auth-Protocol"], True)`
			`return {`
			`"Auth-Status": "OK",`
			`"Auth-Server": server,`
Merge remote-tracking branch 'upstream/master' into ratelimits 2021-10-16 09:52:20 +02:00			`"Auth-User": user_email,`
			`"Auth-User-Exists": is_valid_user,`
Prevent traceback when using non-email in login There's a traceback when the username used to log via SMTPAUTH in is not an email address: === before === ``` [...] ERROR in app: Exception on /internal/auth/email [GET] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context context = constructor(dialect, self, conn, *args) File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled param.append(processors[key](compiled_params[key])) File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process return process_param(value, dialect) File "/app/mailu/models.py", line 60, in process_bind_param localpart, domain_name = value.lower().rsplit('@', 1) ValueError: not enough values to unpack (expected 2, got 1) [...] [parameters: [{'%(140657157923216 param)s': 'foobar'}]] ``` === after === ``` [...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@") ``` 2021-09-28 10:38:37 +02:00			`"Auth-Port": port`
			`}`
optimize handle_authentication - catch decoding of nginx headers (utf-8 exception) - re-ordered function 2021-09-05 19:47:10 +02:00			`status, code = get_status(protocol, "authentication")`
			`return {`
			`"Auth-Status": status,`
			`"Auth-Error-Code": code,`
Implement rate-limits 2021-09-23 18:40:49 +02:00			`"Auth-User": user_email,`
			`"Auth-User-Exists": is_valid_user,`
optimize handle_authentication - catch decoding of nginx headers (utf-8 exception) - re-ordered function 2021-09-05 19:47:10 +02:00			`"Auth-Wait": 0`
			`}`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00			`# Unexpected`
Implement managesieve support 2023-04-20 15:36:17 +02:00			`raise Exception("SHOULD NOT HAPPEN")`
Handle nginx authentication requests in the admin container 2017-09-24 15:43:23 +02:00

			`def get_status(protocol, status):`
			`""" Return the proper error code depending on the protocol`
			`"""`
			`status, codes = STATUSES[status]`
			`return status, codes[protocol]`

Switch behavior if the user is not authenticated 2017-10-22 15:44:44 +02:00			`def get_server(protocol, authenticated=False):`
			`if protocol == "imap":`
Enable dynamic resolution of hostnames 2022-12-08 13:46:31 +02:00			`hostname, port = app.config['IMAP_ADDRESS'], 143`
Switch behavior if the user is not authenticated 2017-10-22 15:44:44 +02:00			`elif protocol == "pop3":`
Enable dynamic resolution of hostnames 2022-12-08 13:46:31 +02:00			`hostname, port = app.config['IMAP_ADDRESS'], 110`
Switch behavior if the user is not authenticated 2017-10-22 15:44:44 +02:00			`elif protocol == "smtp":`
Parametrize hosts Allows to use mailu without docker-compose when hostnames are not set up by docker itself but provided via a separate resolver. Use case: use mailu using nomad scheduler and consul resolver instead of docker-compose. Other servers are provided by the DNS resolver that resolves names like admin.service.consul or webmail.service.consul. These names needs to be configurable. 2018-01-24 01:55:43 +02:00			`if authenticated:`
Enable dynamic resolution of hostnames 2022-12-08 13:46:31 +02:00			`hostname, port = app.config['SMTP_ADDRESS'], 10025`
Parametrize hosts Allows to use mailu without docker-compose when hostnames are not set up by docker itself but provided via a separate resolver. Use case: use mailu using nomad scheduler and consul resolver instead of docker-compose. Other servers are provided by the DNS resolver that resolves names like admin.service.consul or webmail.service.consul. These names needs to be configurable. 2018-01-24 01:55:43 +02:00			`else:`
Enable dynamic resolution of hostnames 2022-12-08 13:46:31 +02:00			`hostname, port = app.config['SMTP_ADDRESS'], 25`
Implement managesieve support 2023-04-20 15:36:17 +02:00			`elif protocol == "sieve":`
			`hostname, port = app.config['IMAP_ADDRESS'], 4190`
Resolve HOST_* to _ADDRESS only if _ADDRESS is not already set 2019-08-23 08:43:59 +02:00			`try:`
Fix a bunch of typos 2022-10-19 19:36:13 +02:00			`# test if hostname is already resolved to an ip address`
Resolve HOST_* to _ADDRESS only if _ADDRESS is not already set 2019-08-23 08:43:59 +02:00			`ipaddress.ip_address(hostname)`
			`except:`
			`# hostname is not an ip address - so we need to resolve it`
Resolve using socrate function 2022-11-01 00:57:51 +02:00			`hostname = system.resolve_hostname(hostname)`
Resolve hosts in admin 2019-01-25 13:28:24 +02:00			`return hostname, port`