From e1cd524f65d9d11b5539f36a53bfdfb975aaed75 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Thu, 20 Feb 2020 12:09:46 +1100
Subject: [PATCH] [FEATURE] SMTPS support (#643)
* [FEATURE] SMTPS Support
- Added port_tls option to enable SMTPS, off by default.
* Remove configuration variable for SMTPS
Instead we enable SMTPS on port 465 only. The reason for this is so we don't require an additional configuration variable.
* Add SMTPS warning and updated docs
* Adjust SMTPS warning
---
docs/security.md | 13 ++++++++++---
internal/notification/smtp_notifier.go | 21 +++++++++++++++++----
2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/docs/security.md b/docs/security.md
index 10b7adbe0..e2b483a21 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -26,15 +26,21 @@ post nginx has written on [HSTS]. By default the SMTP Notifier implementation does not allow connections that are not secure. As such all connections require the following:
-1. STARTTLS before authentication or sending emails (unauthenticated connections require it as well)
-2. Valid X509 Certificate presented to the client during the STARTTLS handshake
+1. TLS Connection (STARTTLS or SMTPS) has been negotiated before authentication or sending emails (unauthenticated
+connections require it as well)
+2. Valid X509 Certificate presented to the client during the TLS handshake
 There is an option to disable both of these security measures however they are not recommended. You should only do this in a situation where you control all networks between Authelia and the SMTP server. The following configuration options exist to configure the security level:
+### SMTPS vs STARTTLS
+
+By default all connections start as plain text and are upgraded via STARTTLS. SMTPS is supported, however due to the
+fact it was basically considered deprecated before the turn of the century, there is no way to configure it. It happens
+automatically when a SMTP notifier is configured with the SMTPS port of 465.
+
 ### Configuration Option: disable_verify_cert
 This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the X509 PKI
@@ -49,6 +55,7 @@ with authentication disabled (comment the password) and as such is only an option for SMTP servers that allow unauthenticated relay (bad practice).
 ### Configuration Option: trusted_cert
+
 This is a YAML string type. This specifies the file location of a pub certificate that can be used to validate the authenticity of a server with a self signed certificate. This can either be the public cert of the certificate authority
diff --git a/internal/notification/smtp_notifier.go b/internal/notification/smtp_notifier.go
index f99c548ce..7902ec2c3 100644
--- a/internal/notification/smtp_notifier.go
+++ b/internal/notification/smtp_notifier.go
@@ -199,12 +199,25 @@ func (n *SMTPNotifier) compose(recipient, subject, body string) error {
 // Dial the SMTP server with the SMTPNotifier config.
 func (n *SMTPNotifier) dial() error {
 log.Debugf("Notifier SMTP client attempting connection to %s", n.address)
-client, err := smtp.Dial(n.address)
-if err != nil {
-return err
+if n.port == 465 {
+log.Warnf("Notifier SMTP client configured to connect to a SMTPS server. It's highly recommended you use a non SMTPS port and STARTTLS instead of SMTPS, as the protocol is long deprecated.")
+conn, err := tls.Dial("tcp", n.address, n.tlsConfig)
+if err != nil {
+return err
+}
+client, err := smtp.NewClient(conn, n.host)
+if err != nil {
+return err
+}
+n.client = client
+} else {
+client, err := smtp.Dial(n.address)
+if err != nil {
+return err
+}
+n.client = client
 }
 log.Debug("Notifier SMTP client connected successfully")
-n.client = client
 return nil
 }
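Review bot: In the SMTPS branch the socket returned by `tls.Dial` is leaked when `smtp.NewClient(conn, n.host)` fails, because nothing closes `conn` before the early `return err`, so every failed greeting (bad banner, server that closes after the handshake) leaves a TLS connection open until GC. Change that check to `if err != nil { _ = conn.Close(); return err }`; the `smtp.Dial` branch is not affected since it owns and closes its own connection on failure. Separately, the `log.Warnf` text (and the matching docs) calls implicit TLS on 465 "long deprecated", which is the reverse of current guidance: RFC 8314 (2018) recommends implicit TLS for mail submission over STARTTLS, precisely because STARTTLS is exposed to downgrade/stripping unless the client refuses to proceed without it, so I would reword it to something neutral such as `Notifier SMTP client connecting with implicit TLS (SMTPS) because port 465 is configured` and drop the deprecation claim. Whether this new `tls.Dial` path honours `disable_verify_cert` and `trusted_cert` the same way the STARTTLS path does depends on how `n.tlsConfig` (ServerName, RootCAs, InsecureSkipVerify) is built, which is outside this hunk and worth confirming. Neither branch sets a dial timeout; that is pre-existing for `smtp.Dial`, but the new path could cheaply use `tls.DialWithDialer(&net.Dialer{Timeout: ...}, "tcp", n.address, n.tlsConfig)` so a black-holed SMTPS host cannot hang the notifier indefinitely.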