
add option to enforce inbound starttls

This commit is contained in:
lub 2020-09-01 21:48:09 +02:00
parent 550065b043
commit f0f873ffe7
3 changed files with 32 additions and 6 deletions


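--- a/FILE1_PATH_PLACEHOLDER
+++ b/FILE1_PATH_PLACEHOLDER
@@ -31,6 +31,7 @@ DEFAULT_CONFIG = {
     'HOSTNAMES': 'mail.mailu.io,alternative.mailu.io,yetanother.mailu.io',
     'POSTMASTER': 'postmaster',
     'TLS_FLAVOR': 'cert',
+    'INBOUND_TLS_ENFORCE': False,
     'AUTH_RATELIMIT': '10/minute;1000/hour',
     'AUTH_RATELIMIT_SUBNET': True,
     'DISABLE_STATISTICS': False,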


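--- a/FILE2_PATH_PLACEHOLDER
+++ b/FILE2_PATH_PLACEHOLDER
@@ -17,6 +17,9 @@ STATUSES = {
         "smtp": "535 5.7.8",
         "pop3": "-ERR Authentication failed"
     }),
+    "encryption": ("Must issue a STARTTLS command first", {
+        "smtp": "530 5.7.0"
+    }),
 }
@@ -28,12 +31,27 @@ def handle_authentication(headers):
     protocol = headers["Auth-Protocol"]
     # Incoming mail, no authentication
     if method == "none" and protocol == "smtp":
-        server, port = get_server(headers["Auth-Protocol"], False)
-        return {
-            "Auth-Status": "OK",
-            "Auth-Server": server,
-            "Auth-Port": port
-        }
+        server, port = get_server(protocol, False)
+        if app.config["INBOUND_TLS_ENFORCE"]:
+            if "Auth-SSl" in headers and headers["Auth-SSL"] == "on":
+                return {
+                    "Auth-Status": "OK",
+                    "Auth-Server": server,
+                    "Auth-Port": port
+                }
+            else:
+                status, code = get_status(protocol, "encryption")
+                return {
+                    "Auth-Status": status,
+                    "Auth-Error-Code" : code,
+                    "Auth-Wait": 0
+                }
+        else:
+            return {
+                "Auth-Status": "OK",
+                "Auth-Server": server,
+                "Auth-Port": port
+            }
     # Authenticated user
     elif method == "plain":
         server, port = get_server(headers["Auth-Protocol"], True)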
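Review bot: The membership test in the new TLS check is misspelled — `"Auth-SSl" in headers` looks up a different key than the `headers["Auth-SSL"]` that follows it, so if `headers` is a plain case-sensitive mapping the condition can never be true and, with `INBOUND_TLS_ENFORCE` on, every unauthenticated inbound SMTP session is refused with `530 5.7.0` even when it did use STARTTLS; if it is a case-insensitive header object the typo is only latent, but either way the line should read `if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":`, or more simply `if headers.get("Auth-SSL") == "on":`. The two `return` dictionaries for the accepted case are identical; computing one boolean such as `tls_ok = not app.config["INBOUND_TLS_ENFORCE"] or headers.get("Auth-SSL") == "on"` and branching once would remove the duplication and make the policy easier to audit. The `get_status(protocol, "encryption")` lookup is only reached when `protocol == "smtp"`, which matches the single `"smtp"` entry added under `"encryption"` in the first hunk, so no `KeyError` is possible on this path. The rest of `handle_authentication` lies outside the hunk.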


@ -73,6 +73,13 @@ By default postfix uses "opportunistic TLS" for outbound mail. This can be chang
by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
if you are a relayhost that supports TLS. if you are a relayhost that supports TLS.
Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
support or e.g. mismatching TLS versions to deliver emails to Mailu.
.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
go and fetch new email if available. Do not use too short delays if you do not go and fetch new email if available. Do not use too short delays if you do not
want to be blacklisted by external services, but not too long delays if you want to be blacklisted by external services, but not too long delays if you