feat(notification): add disable_starttls option (#3855)

This adds a boolean SMTP option that disables STARTTLS for SMTP servers that do not follow the standard.
pull/3789/head^2
Manuel Nuñez 2022-10-01 23:51:19 -03:00 committed by GitHub
parent 6810c91d34
commit c8fa19e6bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 27 additions and 1 deletions


@ -31,6 +31,7 @@ notifier:
subject: "[Authelia] {title}" subject: "[Authelia] {title}"
startup_check_address: test@authelia.com startup_check_address: test@authelia.com
disable_require_tls: false disable_require_tls: false
disable_starttls: false
disable_html_emails: false disable_html_emails: false
tls: tls:
server_name: smtp.example.com server_name: smtp.example.com
@ -60,7 +61,7 @@ The port the SMTP service is listening on.
A connection is securely established with TLS after a succesful STARTTLS negotiation. A connection is securely established with TLS after a succesful STARTTLS negotiation.
[Port 465 is an exception][docs-security-smtp-port] when supported by the mail server as a `submissions` service port. [Port 465 is an exception][docs-security-smtp-port] when supported by the mail server as a `submissions` service port.
STARTTLS negotiation is not required for this port, the connection is implicitly established with TLS. STARTTLS negotiation is not required for this port, the connection is implicitly established with TLS.
[docs-security-smtp-port]: ../../overview/security/measures.md#smtp-ports [docs-security-smtp-port]: ../../overview/security/measures.md#smtp-ports
@ -132,6 +133,18 @@ to leave this as is, but you can customize it if you have issues or you desire t
For security reasons the default settings for Authelia require the SMTP connection is encrypted by TLS. See [security] For security reasons the default settings for Authelia require the SMTP connection is encrypted by TLS. See [security]
for more information. This option disables this measure (not recommended). for more information. This option disables this measure (not recommended).
### disable_starttls
{{< confkey type="boolean" default="false" required="no" >}}
Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not.
For security reasons Authelia refuses to send messages to these servers.
This option disables this measure and is enabled *__AT YOUR OWN RISK__*. It's *__strongly recommended__*
that instead of enabling this option you either fix the issue with the SMTP server's configuration or
have the administrators of the server fix it. If the issue can't be fixed by configuration we recommend
lodging an issue with the authors of the SMTP server.
See [security] for more information.
### disable_html_emails ### disable_html_emails
{{< confkey type="boolean" default="false" required="no" >}} {{< confkey type="boolean" default="false" required="no" >}}


@ -166,6 +166,7 @@ var Keys = []string{
"notifier.smtp.startup_check_address", "notifier.smtp.startup_check_address",
"notifier.smtp.disable_require_tls", "notifier.smtp.disable_require_tls",
"notifier.smtp.disable_html_emails", "notifier.smtp.disable_html_emails",
"notifier.smtp.disable_starttls",
"notifier.smtp.tls.minimum_version", "notifier.smtp.tls.minimum_version",
"notifier.smtp.tls.skip_verify", "notifier.smtp.tls.skip_verify",
"notifier.smtp.tls.server_name", "notifier.smtp.tls.server_name",


@ -23,6 +23,7 @@ type SMTPNotifierConfiguration struct {
StartupCheckAddress mail.Address `koanf:"startup_check_address"` StartupCheckAddress mail.Address `koanf:"startup_check_address"`
DisableRequireTLS bool `koanf:"disable_require_tls"` DisableRequireTLS bool `koanf:"disable_require_tls"`
DisableHTMLEmails bool `koanf:"disable_html_emails"` DisableHTMLEmails bool `koanf:"disable_html_emails"`
DisableStartTLS bool `koanf:"disable_starttls"`
TLS *TLSConfig `koanf:"tls"` TLS *TLSConfig `koanf:"tls"`
} }


@ -56,6 +56,7 @@ const (
errFmtNotifierTemplatePathUnknownError = "notifier: option 'template_path' refers to location '%s' which couldn't be opened: %w" errFmtNotifierTemplatePathUnknownError = "notifier: option 'template_path' refers to location '%s' which couldn't be opened: %w"
errFmtNotifierFileSystemFileNameNotConfigured = "notifier: filesystem: option 'filename' is required" errFmtNotifierFileSystemFileNameNotConfigured = "notifier: filesystem: option 'filename' is required"
errFmtNotifierSMTPNotConfigured = "notifier: smtp: option '%s' is required" errFmtNotifierSMTPNotConfigured = "notifier: smtp: option '%s' is required"
errFmtNotifierStartTlsDisabled = "Notifier SMTP connection has opportunistic STARTTLS explicitly disabled which means all emails will be sent insecurely over plain text and this setting is only necessary for non-compliant SMTP servers which advertise they support STARTTLS when they actually don't support STARTTLS"
) )
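Review bot: `errFmtNotifierStartTlsDisabled` does not follow the conventions of the neighbouring constants: it is not a format string (no verbs), so the `Fmt` infix is misleading; the initialism should be written `TLS`, giving `errNotifierStartTLSDisabled`; and its message starts with a capitalised `Notifier SMTP ...` sentence whereas the others use the lowercase `notifier: smtp: ...` prefix. A shorter message in the same shape, such as `notifier: smtp: option 'disable_starttls' is enabled: STARTTLS will not be negotiated and mail may be sent in plain text; only intended for non-compliant servers that advertise STARTTLS they do not support`, keeps the prefix consistent with the other notifier strings. The same text is duplicated verbatim in the SMTP notifier's startTLS method in this commit; having both sites use the one constant keeps them from drifting apart.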
// Authentication Backend Error constants. // Authentication Backend Error constants.


@ -89,4 +89,8 @@ func validateSMTPNotifier(config *schema.SMTPNotifierConfiguration, validator *s
if config.TLS.ServerName == "" { if config.TLS.ServerName == "" {
config.TLS.ServerName = config.Host config.TLS.ServerName = config.Host
} }
if config.DisableStartTLS {
validator.PushWarning(fmt.Errorf(errFmtNotifierStartTlsDisabled))
}
} }
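Review bot: `fmt.Errorf(errFmtNotifierStartTlsDisabled)` formats a fixed message that has no verbs and receives no arguments; `validator.PushWarning(errors.New(errFmtNotifierStartTlsDisabled))` states the intent and avoids a printf-style call on a plain string (whether `errors` is already imported in this file is not visible here). The warning is also pushed whenever the option is set, including for the implicit-TLS port described in the docs of this commit where STARTTLS never takes place and plaintext is not the outcome, so the message could note that it only matters for connections that are not already TLS. validateSMTPNotifier begins outside the hunk.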


@ -156,6 +156,12 @@ func (n *SMTPNotifier) dial() (err error) {
// Do startTLS if available (some servers only provide the auth extension after, and encryption is preferred). // Do startTLS if available (some servers only provide the auth extension after, and encryption is preferred).
func (n *SMTPNotifier) startTLS() error { func (n *SMTPNotifier) startTLS() error {
// Skips STARTTLS if is disabled in configuration.
if n.config.DisableStartTLS {
n.log.Warn("Notifier SMTP connection has opportunistic STARTTLS explicitly disabled which means all emails will be sent insecurely over plain text and this setting is only necessary for non-compliant SMTP servers which advertise they support STARTTLS when they actually don't support STARTTLS")
return nil
}
// Only start if not already encrypted. // Only start if not already encrypted.
if _, ok := n.client.TLSConnectionState(); ok { if _, ok := n.client.TLSConnectionState(); ok {
n.log.Debugf("Notifier SMTP connection is already encrypted, skipping STARTTLS") n.log.Debugf("Notifier SMTP connection is already encrypted, skipping STARTTLS")
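Review bot: The early `return nil` in the new block leaves startTLS before the `TLSConnectionState()` check that follows it and, presumably, before whatever the rest of the method does when the server offers no STARTTLS (startTLS continues outside the hunk), so `disable_starttls: true` combined with the default `disable_require_tls: false` appears to continue over plaintext with only a log line, bypassing the TLS requirement that the other option is documented to guard. Consider placing the new block after the already-encrypted check and having it skip only the negotiation itself, so that the existing no-STARTTLS handling still decides whether a plaintext session is acceptable; if the intent really is for `disable_starttls` to imply `disable_require_tls`, that should be stated in the docs and enforced in validateSMTPNotifier rather than implied by the control flow. The `n.log.Warn(...)` text is a verbatim copy of `errFmtNotifierStartTlsDisabled` added in this commit; reusing that constant keeps the two messages from drifting.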