starred/smtprelay
1
0
Fork 0
mirror of https://github.com/decke/smtprelay.git synced 2026-04-25 12:55:54 +03:00
Code Issues 7 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #26] Issue warning if configured to require authentication but not TLS #9

New issue
Closed
opened 2026-02-26 18:32:56 +03:00 by kerem · 1 comment
kerem commented 2026-02-26 18:32:56 +03:00
Owner
Copy link

Originally created by @JonathonReinhart on GitHub (Mar 31, 2021).
Original GitHub issue: https://github.com/decke/smtprelay/issues/26

smtpd only allows authentication if the session is operating with TLS:

	if session.server.Authenticator != nil && session.tls {
		extensions = append(extensions, "AUTH PLAIN LOGIN")
	}

This is probably a safe requirement.

However, the following configuration will never work:

$ ./smtprelay -listen ':2525' -allowed_users userlist.txt

If authentication is required (-allowed_users), then a -listen w/o tls:// or starttls:// should be forbidden.

Originally created by @JonathonReinhart on GitHub (Mar 31, 2021). Original GitHub issue: https://github.com/decke/smtprelay/issues/26 `smtpd` [only allows authentication if the session is operating with TLS](https://github.com/chrj/smtpd/blob/v0.3.0/smtpd.go#L415-L417): ```go if session.server.Authenticator != nil && session.tls { extensions = append(extensions, "AUTH PLAIN LOGIN") } ``` This is probably a safe requirement. However, the following configuration will never work: ``` $ ./smtprelay -listen ':2525' -allowed_users userlist.txt ``` If authentication is required (`-allowed_users`), then a `-listen` w/o `tls://` or `starttls://` should be forbidden.
kerem closed this issue 2026-02-26 18:32:56 +03:00
kerem commented 2026-02-26 18:32:56 +03:00
Author
Owner
Copy link

@decke commented on GitHub (Mar 31, 2021):

Yeah that is true and it is to avoid sending authentication credentials over an unencrypted channel. So this combination does not make sense and we should make a small note in the config text that allowedUsers requires encrypted channel and error out early if this combination is used.

<!-- gh-comment-id:811437812 --> @decke commented on GitHub (Mar 31, 2021): Yeah that is true and it is to avoid sending authentication credentials over an unencrypted channel. So this combination does not make sense and we should make a small note in the config text that allowedUsers requires encrypted channel and error out early if this combination is used.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/go_modules/github.com/rs/zerolog-1.35.1
dependabot/go_modules/github.com/DeRuina/timberjack-1.4.2
dependabot/go_modules/github.com/chrj/smtpd-1.0.0
dependabot/github_actions/step-security/harden-runner-2.19.0
dependabot/github_actions/github/codeql-action-4.35.2
add-service
v1.13.2
v1.13.1
v1.13.0
v1.12.0
v1.11.2
v1.11.1
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.0
v1.5.0
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.1
v1.0.0
Labels
Clear labels   
bug

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/smtprelay#9
No description provided.