[FEATURE] SMTPS support (#643)

* [FEATURE] SMTPS Support
- Added port_tls option to enable SMTPS, off by default.

* Remove configuration variable for SMTPS

Instead we enable SMTPS on port 465 only. The reason for this is so we don't require an additional configuration variable.

* Add SMTPS warning and updated docs

* Adjust SMTPS warning
pull/649/head
James Elliott 2020-02-20 12:09:46 +11:00 committed by GitHub
parent 4c09df9868
commit e1cd524f65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 7 deletions


@ -26,15 +26,21 @@ post nginx has written on [HSTS].
By default the SMTP Notifier implementation does not allow connections that are not secure.
As such all connections require the following:
1. STARTTLS before authentication or sending emails (unauthenticated connections
require it as well)
2. Valid X509 Certificate presented to the client during the STARTTLS handshake
1. TLS Connection (STARTTLS or SMTPS) has been negotiated before authentication or sending emails (unauthenticated
connections require it as well)
2. Valid X509 Certificate presented to the client during the TLS handshake
There is an option to disable both of these security measures however they are
not recommended. You should only do this in a situation where you control all
networks between Authelia and the SMTP server. The following configuration options
exist to configure the security level:
### SMTPS vs STARTTLS
By default all connections start as plain text and are upgraded via STARTTLS. SMTPS is supported, however due to the
fact it was basically considered deprecated before the turn of the century, there is no way to configure it. It happens
automatically when a SMTP notifier is configured with the SMTPS port of 465.
### Configuration Option: disable_verify_cert
This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the X509 PKI
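Review bot: the new "SMTPS vs STARTTLS" section and the rewritten item 1 should state which of the existing options govern the implicit-TLS handshake on port 465; the code path for that port dials with the same tlsConfig, so disable_verify_cert and trusted_cert apply to SMTPS exactly as they do to STARTTLS, and the docs should say so explicitly rather than leaving it to be inferred. The rationale "basically considered deprecated before the turn of the century" is also worth revisiting before it ships as the reason for a warning: RFC 8314 (2018) recommends implicit TLS on port 465 over STARTTLS for submission, so a note telling users to prefer STARTTLS may steer them the wrong way; at minimum cite a source or soften it to "not configurable, selected by port". Minor: "a SMTP notifier" should read "an SMTP notifier", and there is no blank line before the new "### SMTPS vs STARTTLS" heading or after the numbered list, which will render the heading oddly.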
@ -49,6 +55,7 @@ with authentication disabled (comment the password) and as such is only an
option for SMTP servers that allow unauthenticated relay (bad practice).
### Configuration Option: trusted_cert
This is a YAML string type. This specifies the file location of a pub certificate
that can be used to validate the authenticity of a server with a self signed
certificate. This can either be the public cert of the certificate authority


@ -199,12 +199,25 @@ func (n *SMTPNotifier) compose(recipient, subject, body string) error {
// Dial the SMTP server with the SMTPNotifier config.
func (n *SMTPNotifier) dial() error {
log.Debugf("Notifier SMTP client attempting connection to %s", n.address)
client, err := smtp.Dial(n.address)
if err != nil {
return err
if n.port == 465 {
log.Warnf("Notifier SMTP client configured to connect to a SMTPS server. It's highly recommended you use a non SMTPS port and STARTTLS instead of SMTPS, as the protocol is long deprecated.")
conn, err := tls.Dial("tcp", n.address, n.tlsConfig)
if err != nil {
return err
}
client, err := smtp.NewClient(conn, n.host)
if err != nil {
return err
}
n.client = client
} else {
client, err := smtp.Dial(n.address)
if err != nil {
return err
}
n.client = client
}
log.Debug("Notifier SMTP client connected successfully")
n.client = client
return nil
}
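Review bot: in the port-465 branch, `conn` leaks when `smtp.NewClient(conn, n.host)` returns an error; close it before returning, e.g. `if err != nil { conn.Close(); return err }`. The literal 465 should be a named constant shared with the documentation, and the Warnf fires on every dial, i.e. on every notification sent, rather than once at startup; move it to configuration validation so the log is not flooded. Since the decision is purely port-based, a server running implicit TLS on a non-standard port cannot be reached at all, and a STARTTLS server that happens to listen on 465 will get a TLS ClientHello it cannot parse; both limitations follow directly from this branch and should be acknowledged in the docs hunk.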