2021-12-20 00:24:44 +02:00
|
|
|
from mailu import models, utils
|
2018-10-18 15:57:43 +02:00
|
|
|
from flask import current_app as app
|
2017-09-24 15:43:23 +02:00
|
|
|
|
2018-01-24 01:55:43 +02:00
|
|
|
import re
|
2017-10-22 10:49:31 +02:00
|
|
|
import urllib
|
2019-08-23 08:43:59 +02:00
|
|
|
import ipaddress
|
|
|
|
import socket
|
Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
|
|
|
import sqlalchemy.exc
|
2019-08-23 08:43:59 +02:00
|
|
|
import tenacity
|
2017-10-21 15:22:40 +02:00
|
|
|
|
2017-09-24 15:43:23 +02:00
|
|
|
SUPPORTED_AUTH_METHODS = ["none", "plain"]
|
|
|
|
|
2017-10-22 16:43:06 +02:00
|
|
|
|
2017-09-24 15:43:23 +02:00
|
|
|
STATUSES = {
|
|
|
|
"authentication": ("Authentication credentials invalid", {
|
|
|
|
"imap": "AUTHENTICATIONFAILED",
|
|
|
|
"smtp": "535 5.7.8",
|
2017-11-10 11:14:49 +02:00
|
|
|
"pop3": "-ERR Authentication failed"
|
2017-09-24 15:43:23 +02:00
|
|
|
}),
|
2020-09-01 21:48:09 +02:00
|
|
|
"encryption": ("Must issue a STARTTLS command first", {
|
|
|
|
"smtp": "530 5.7.0"
|
|
|
|
}),
|
2021-09-23 18:40:49 +02:00
|
|
|
"ratelimit": ("Temporary authentication failure (rate-limit)", {
|
|
|
|
"imap": "LIMIT",
|
|
|
|
"smtp": "451 4.3.2",
|
|
|
|
"pop3": "-ERR [LOGIN-DELAY] Retry later"
|
|
|
|
}),
|
2017-09-24 15:43:23 +02:00
|
|
|
}
|
|
|
|
|
2021-12-14 13:26:33 +02:00
|
|
|
def check_credentials(user, password, ip, protocol=None, auth_port=None):
|
2021-02-09 10:20:02 +02:00
|
|
|
if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
|
|
|
|
return False
|
|
|
|
is_ok = False
|
2021-03-10 15:41:12 +02:00
|
|
|
# webmails
|
2021-12-20 00:24:44 +02:00
|
|
|
if auth_port in ['10143', '10025'] and password.startswith('token-'):
|
|
|
|
if utils.verify_temp_token(user.get_id(), password):
|
2021-03-10 15:41:12 +02:00
|
|
|
is_ok = True
|
2021-02-09 10:20:02 +02:00
|
|
|
# All tokens are 32 characters hex lowercase
|
2021-03-10 15:41:12 +02:00
|
|
|
if not is_ok and len(password) == 32:
|
2021-02-09 10:20:02 +02:00
|
|
|
for token in user.tokens:
|
|
|
|
if (token.check_password(password) and
|
|
|
|
(not token.ip or token.ip == ip)):
|
|
|
|
is_ok = True
|
|
|
|
break
|
|
|
|
if not is_ok and user.check_password(password):
|
|
|
|
is_ok = True
|
|
|
|
return is_ok
|
2017-09-24 15:43:23 +02:00
|
|
|
|
|
|
|
def handle_authentication(headers):
|
|
|
|
""" Handle an HTTP nginx authentication request
|
|
|
|
See: http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
|
|
|
|
"""
|
|
|
|
method = headers["Auth-Method"]
|
|
|
|
protocol = headers["Auth-Protocol"]
|
|
|
|
# Incoming mail, no authentication
|
|
|
|
if method == "none" and protocol == "smtp":
|
2020-09-01 21:48:09 +02:00
|
|
|
server, port = get_server(protocol, False)
|
|
|
|
if app.config["INBOUND_TLS_ENFORCE"]:
|
2020-09-02 15:16:10 +02:00
|
|
|
if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
|
2020-09-01 21:48:09 +02:00
|
|
|
return {
|
|
|
|
"Auth-Status": "OK",
|
|
|
|
"Auth-Server": server,
|
|
|
|
"Auth-Port": port
|
|
|
|
}
|
|
|
|
else:
|
|
|
|
status, code = get_status(protocol, "encryption")
|
|
|
|
return {
|
|
|
|
"Auth-Status": status,
|
|
|
|
"Auth-Error-Code" : code,
|
|
|
|
"Auth-Wait": 0
|
|
|
|
}
|
|
|
|
else:
|
|
|
|
return {
|
|
|
|
"Auth-Status": "OK",
|
|
|
|
"Auth-Server": server,
|
|
|
|
"Auth-Port": port
|
|
|
|
}
|
2017-09-24 15:43:23 +02:00
|
|
|
# Authenticated user
|
|
|
|
elif method == "plain":
|
2021-09-23 18:40:49 +02:00
|
|
|
is_valid_user = False
|
2021-09-05 19:47:10 +02:00
|
|
|
# According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
|
|
|
|
# be ASCII and are generally considered ISO8859-1. However when passing
|
|
|
|
# the password, nginx does not transcode the input UTF string, thus
|
|
|
|
# we need to manually decode.
|
|
|
|
raw_user_email = urllib.parse.unquote(headers["Auth-User"])
|
|
|
|
raw_password = urllib.parse.unquote(headers["Auth-Pass"])
|
2021-10-16 09:29:17 +02:00
|
|
|
user_email = 'invalid'
|
2021-09-05 19:47:10 +02:00
|
|
|
try:
|
|
|
|
user_email = raw_user_email.encode("iso8859-1").decode("utf8")
|
|
|
|
password = raw_password.encode("iso8859-1").decode("utf8")
|
2021-10-12 14:47:00 +02:00
|
|
|
ip = urllib.parse.unquote(headers["Client-Ip"])
|
2021-09-05 19:47:10 +02:00
|
|
|
except:
|
|
|
|
app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
|
2017-11-21 21:46:18 +02:00
|
|
|
else:
|
Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
|
|
|
try:
|
2022-03-05 19:41:06 +02:00
|
|
|
user = models.User.query.get(user_email) if '@' in user_email else None
|
|
|
|
is_valid_user = bool(user)
|
Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
|
|
|
except sqlalchemy.exc.StatementError as exc:
|
|
|
|
exc = str(exc).split('\n', 1)[0]
|
|
|
|
app.logger.warn(f'Invalid user {user_email!r}: {exc}')
|
|
|
|
else:
|
2021-10-16 09:52:20 +02:00
|
|
|
ip = urllib.parse.unquote(headers["Client-Ip"])
|
2021-12-14 13:26:33 +02:00
|
|
|
if check_credentials(user, password, ip, protocol, headers["Auth-Port"]):
|
Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
|
|
|
server, port = get_server(headers["Auth-Protocol"], True)
|
|
|
|
return {
|
|
|
|
"Auth-Status": "OK",
|
|
|
|
"Auth-Server": server,
|
2021-10-16 09:52:20 +02:00
|
|
|
"Auth-User": user_email,
|
|
|
|
"Auth-User-Exists": is_valid_user,
|
Prevent traceback when using non-email in login
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
2021-09-28 10:38:37 +02:00
|
|
|
"Auth-Port": port
|
|
|
|
}
|
2021-09-05 19:47:10 +02:00
|
|
|
status, code = get_status(protocol, "authentication")
|
|
|
|
return {
|
|
|
|
"Auth-Status": status,
|
|
|
|
"Auth-Error-Code": code,
|
2021-09-23 18:40:49 +02:00
|
|
|
"Auth-User": user_email,
|
|
|
|
"Auth-User-Exists": is_valid_user,
|
2021-09-05 19:47:10 +02:00
|
|
|
"Auth-Wait": 0
|
|
|
|
}
|
2017-09-24 15:43:23 +02:00
|
|
|
# Unexpected
|
2017-11-10 11:14:49 +02:00
|
|
|
return {}
|
2017-09-24 15:43:23 +02:00
|
|
|
|
|
|
|
|
|
|
|
def get_status(protocol, status):
|
|
|
|
""" Return the proper error code depending on the protocol
|
|
|
|
"""
|
|
|
|
status, codes = STATUSES[status]
|
|
|
|
return status, codes[protocol]
|
|
|
|
|
2018-01-24 01:55:43 +02:00
|
|
|
def extract_host_port(host_and_port, default_port):
|
2020-10-24 01:25:53 +02:00
|
|
|
host, _, port = re.match('^(.*?)(:([0-9]*))?$', host_and_port).groups()
|
2018-01-24 01:55:43 +02:00
|
|
|
return host, int(port) if port else default_port
|
2017-09-24 15:43:23 +02:00
|
|
|
|
2017-10-22 15:44:44 +02:00
|
|
|
def get_server(protocol, authenticated=False):
|
|
|
|
if protocol == "imap":
|
2019-02-18 15:41:22 +02:00
|
|
|
hostname, port = extract_host_port(app.config['IMAP_ADDRESS'], 143)
|
2017-10-22 15:44:44 +02:00
|
|
|
elif protocol == "pop3":
|
2019-02-18 15:41:22 +02:00
|
|
|
hostname, port = extract_host_port(app.config['POP3_ADDRESS'], 110)
|
2017-10-22 15:44:44 +02:00
|
|
|
elif protocol == "smtp":
|
2018-01-24 01:55:43 +02:00
|
|
|
if authenticated:
|
2019-02-18 15:41:22 +02:00
|
|
|
hostname, port = extract_host_port(app.config['AUTHSMTP_ADDRESS'], 10025)
|
2018-01-24 01:55:43 +02:00
|
|
|
else:
|
2019-02-18 15:41:22 +02:00
|
|
|
hostname, port = extract_host_port(app.config['SMTP_ADDRESS'], 25)
|
2019-08-23 08:43:59 +02:00
|
|
|
try:
|
|
|
|
# test if hostname is already resolved to an ip adddress
|
|
|
|
ipaddress.ip_address(hostname)
|
|
|
|
except:
|
|
|
|
# hostname is not an ip address - so we need to resolve it
|
|
|
|
hostname = resolve_hostname(hostname)
|
2019-01-25 13:28:24 +02:00
|
|
|
return hostname, port
|
2019-08-23 08:43:59 +02:00
|
|
|
|
|
|
|
@tenacity.retry(stop=tenacity.stop_after_attempt(100),
|
|
|
|
wait=tenacity.wait_random(min=2, max=5))
|
|
|
|
def resolve_hostname(hostname):
|
|
|
|
""" This function uses system DNS to resolve a hostname.
|
|
|
|
It is capable of retrying in case the host is not immediately available
|
|
|
|
"""
|
|
|
|
return socket.gethostbyname(hostname)
|