feat(notification): add disable_starttls option (#3855)
This adds a boolean option to SMTP which disables StartTLS for SMTP servers that ignore standards.pull/3789/head^2
parent
6810c91d34
commit
c8fa19e6bd
|
@ -31,6 +31,7 @@ notifier:
|
|||
subject: "[Authelia] {title}"
|
||||
startup_check_address: test@authelia.com
|
||||
disable_require_tls: false
|
||||
disable_starttls: false
|
||||
disable_html_emails: false
|
||||
tls:
|
||||
server_name: smtp.example.com
|
||||
|
@ -132,6 +133,18 @@ to leave this as is, but you can customize it if you have issues or you desire t
|
|||
For security reasons the default settings for Authelia require the SMTP connection is encrypted by TLS. See [security]
|
||||
for more information. This option disables this measure (not recommended).
|
||||
|
||||
### disable_starttls
|
||||
|
||||
{{< confkey type="boolean" default="false" required="no" >}}
|
||||
|
||||
Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not.
|
||||
For security reasons Authelia refuses to send messages to these servers.
|
||||
This option disables this measure and is enabled *__AT YOUR OWN RISK__*. It's *__strongly recommended__*
|
||||
that instead of enabling this option you either fix the issue with the SMTP server's configuration or
|
||||
have the administrators of the server fix it. If the issue can't be fixed by configuration we recommend
|
||||
lodging an issue with the authors of the SMTP server.
|
||||
See [security] for more information.
|
||||
|
||||
### disable_html_emails
|
||||
|
||||
{{< confkey type="boolean" default="false" required="no" >}}
|
||||
|
|
|
@ -166,6 +166,7 @@ var Keys = []string{
|
|||
"notifier.smtp.startup_check_address",
|
||||
"notifier.smtp.disable_require_tls",
|
||||
"notifier.smtp.disable_html_emails",
|
||||
"notifier.smtp.disable_starttls",
|
||||
"notifier.smtp.tls.minimum_version",
|
||||
"notifier.smtp.tls.skip_verify",
|
||||
"notifier.smtp.tls.server_name",
|
||||
|
|
|
@ -23,6 +23,7 @@ type SMTPNotifierConfiguration struct {
|
|||
StartupCheckAddress mail.Address `koanf:"startup_check_address"`
|
||||
DisableRequireTLS bool `koanf:"disable_require_tls"`
|
||||
DisableHTMLEmails bool `koanf:"disable_html_emails"`
|
||||
DisableStartTLS bool `koanf:"disable_starttls"`
|
||||
TLS *TLSConfig `koanf:"tls"`
|
||||
}
|
||||
|
||||
|
|
|
@ -56,6 +56,7 @@ const (
|
|||
errFmtNotifierTemplatePathUnknownError = "notifier: option 'template_path' refers to location '%s' which couldn't be opened: %w"
|
||||
errFmtNotifierFileSystemFileNameNotConfigured = "notifier: filesystem: option 'filename' is required"
|
||||
errFmtNotifierSMTPNotConfigured = "notifier: smtp: option '%s' is required"
|
||||
errFmtNotifierStartTlsDisabled = "Notifier SMTP connection has opportunistic STARTTLS explicitly disabled which means all emails will be sent insecurely over plain text and this setting is only necessary for non-compliant SMTP servers which advertise they support STARTTLS when they actually don't support STARTTLS"
|
||||
)
|
||||
|
||||
// Authentication Backend Error constants.
|
||||
|
|
|
@ -89,4 +89,8 @@ func validateSMTPNotifier(config *schema.SMTPNotifierConfiguration, validator *s
|
|||
if config.TLS.ServerName == "" {
|
||||
config.TLS.ServerName = config.Host
|
||||
}
|
||||
|
||||
if config.DisableStartTLS {
|
||||
validator.PushWarning(fmt.Errorf(errFmtNotifierStartTlsDisabled))
|
||||
}
|
||||
}
|
||||
|
|
|
@ -156,6 +156,12 @@ func (n *SMTPNotifier) dial() (err error) {
|
|||
|
||||
// Do startTLS if available (some servers only provide the auth extension after, and encryption is preferred).
|
||||
func (n *SMTPNotifier) startTLS() error {
|
||||
// Skips STARTTLS if is disabled in configuration.
|
||||
if n.config.DisableStartTLS {
|
||||
n.log.Warn("Notifier SMTP connection has opportunistic STARTTLS explicitly disabled which means all emails will be sent insecurely over plain text and this setting is only necessary for non-compliant SMTP servers which advertise they support STARTTLS when they actually don't support STARTTLS")
|
||||
return nil
|
||||
}
|
||||
|
||||
// Only start if not already encrypted.
|
||||
if _, ok := n.client.TLSConnectionState(); ok {
|
||||
n.log.Debugf("Notifier SMTP connection is already encrypted, skipping STARTTLS")
|
||||
|
|
Loading…
Reference in New Issue