add option to enforce inbound starttls

2025-05-27 22:57:38 +02:00 · 2020-09-01 21:48:09 +02:00 · 2020-09-01 21:48:09 +02:00 · f0f873ffe7
commit f0f873ffe7
parent 550065b043
3 changed files with 32 additions and 6 deletions
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@ -31,6 +31,7 @@ DEFAULT_CONFIG = {
    'HOSTNAMES': 'mail.mailu.io,alternative.mailu.io,yetanother.mailu.io',
    'POSTMASTER': 'postmaster',
    'TLS_FLAVOR': 'cert',
+    'INBOUND_TLS_ENFORCE': False,
    'AUTH_RATELIMIT': '10/minute;1000/hour',
    'AUTH_RATELIMIT_SUBNET': True,
    'DISABLE_STATISTICS': False,
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@ -17,6 +17,9 @@ STATUSES = {
        "smtp": "535 5.7.8",
        "pop3": "-ERR Authentication failed"
    }),
+    "encryption": ("Must issue a STARTTLS command first", {
+        "smtp": "530 5.7.0"
+    }),
 }


@ -28,12 +31,27 @@ def handle_authentication(headers):
    protocol = headers["Auth-Protocol"]
    # Incoming mail, no authentication
    if method == "none" and protocol == "smtp":
-        server, port = get_server(headers["Auth-Protocol"], False)
-        return {
-            "Auth-Status": "OK",
-            "Auth-Server": server,
-            "Auth-Port": port
-        }
+        server, port = get_server(protocol, False)
+        if app.config["INBOUND_TLS_ENFORCE"]:
+            if "Auth-SSl" in headers and headers["Auth-SSL"] == "on":
+                return {
+                    "Auth-Status": "OK",
+                    "Auth-Server": server,
+                    "Auth-Port": port
+                }
+            else:
+                status, code = get_status(protocol, "encryption")
+                return {
+                    "Auth-Status": status,
+                    "Auth-Error-Code" : code,
+                    "Auth-Wait": 0
+                }
+        else:
+            return {
+                "Auth-Status": "OK",
+                "Auth-Server": server,
+                "Auth-Port": port
+            }
    # Authenticated user
    elif method == "plain":
        server, port = get_server(headers["Auth-Protocol"], True)
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -73,6 +73,13 @@ By default postfix uses "opportunistic TLS" for outbound mail. This can be chang
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
 if you are a relayhost that supports TLS.

+Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
+by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
+internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
+support or e.g. mismatching TLS versions to deliver emails to Mailu.
+
+.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
+
 The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
 go and fetch new email if available. Do not use too short delays if you do not
 want to be blacklisted by external services, but not too long delays if you