This is an automated email from the ASF dual-hosted git repository. rcordier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 8d3d4f1341f4da23866650565ccbf04464057cd7 Author: Benoit Tellier <[email protected]> AuthorDate: Tue Dec 7 11:22:01 2021 +0700 JAMES-3680 SMTP authentication requireSSL setting --- .../src/test/resources/smtpserver.xml | 21 ++++--- .../cassandra/src/test/resources/smtpserver.xml | 21 ++++--- .../james/protocols/lmtp/LMTPConfiguration.java | 2 +- .../james/protocols/smtp/SMTPConfiguration.java | 2 +- .../protocols/smtp/SMTPConfigurationImpl.java | 2 +- .../james/protocols/smtp/SMTPSessionImpl.java | 2 +- .../sample-configuration/smtpserver.xml | 3 + .../src/test/resources/smtpserver.xml | 3 + .../src/test/resources/smtpserver.xml | 21 ++++--- server/apps/demo/smtpserver.xml | 15 ++++- .../docs/modules/ROOT/pages/configure/smtp.adoc | 4 ++ .../sample-configuration/smtpserver.xml | 3 + .../src/test/resources/smtpserver.xml | 3 + .../sample-configuration/smtpserver.xml | 3 + .../src/test/resources/smtpserver.xml | 3 + .../jpa-app/sample-configuration/smtpserver.xml | 3 + .../apps/jpa-app/src/test/resources/smtpserver.xml | 3 + .../sample-configuration/smtpserver.xml | 3 + .../jpa-smtp-app/src/test/resources/smtpserver.xml | 3 + .../memory-app/sample-configuration/smtpserver.xml | 3 + .../memory-app/src/test/resources/smtpserver.xml | 3 + .../spring-app/src/test/resources/smtpserver.xml | 1 + .../webadmin-cli/src/test/resources/smtpserver.xml | 21 ++++--- .../src/main/resources/smtpserver.xml | 3 + .../src/test/resources/smtpserver.xml | 1 + .../src/test/resources/smtpserver.xml | 3 + .../src/test/resources/smtpserver.xml | 1 + .../src/test/resources/smtpserver.xml | 1 + .../apache/james/smtpserver/netty/SMTPServer.java | 65 +++++++++++++++++----- .../james/smtpserver/SMTPTestConfiguration.java | 1 + .../src/test/resources/smtpserver-dsn.xml | 1 + .../src/test/resources/smtpserver.xml | 1 + .../src/test/resources/smtpserver.xml | 3 + src/site/xdoc/server/config-smtp-lmtp.xml | 3 + 34 files changed, 175 insertions(+), 56 deletions(-) 
diff --git a/mpt/impl/smtp/cassandra-rabbitmq-object-storage/src/test/resources/smtpserver.xml b/mpt/impl/smtp/cassandra-rabbitmq-object-storage/src/test/resources/smtpserver.xml
index 31b5d84..d05a93f 100644
--- a/mpt/impl/smtp/cassandra-rabbitmq-object-storage/src/test/resources/smtpserver.xml
+++ b/mpt/impl/smtp/cassandra-rabbitmq-object-storage/src/test/resources/smtpserver.xml
@@ -34,7 +34,10 @@
     <connectiontimeout>360</connectiontimeout>
     <connectionLimit>0</connectionLimit>
     <connectionLimitPerIP>0</connectionLimitPerIP>
-    <authRequired>false</authRequired>
+    <auth>
+        <announce>never</announce>
+        <requireSSL>false</requireSSL>
+    </auth>
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
     <addressBracketsEnforcement>true</addressBracketsEnforcement>
@@ -57,10 +60,10 @@
     <connectiontimeout>360</connectiontimeout>
     <connectionLimit>0</connectionLimit>
     <connectionLimitPerIP>0</connectionLimitPerIP>
-    <!--
-    Authorize only local users
-    -->
-    <authRequired>true</authRequired>
+    <auth>
+        <announce>forUnauthorizedAddresses</announce>
+        <requireSSL>false</requireSSL>
+    </auth>
     <!-- Trust authenticated users -->
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
@@ -84,10 +87,10 @@
     <connectiontimeout>360</connectiontimeout>
     <connectionLimit>0</connectionLimit>
     <connectionLimitPerIP>0</connectionLimitPerIP>
-    <!--
-    Authorize only local users
-    -->
-    <authRequired>true</authRequired>
+    <auth>
+        <announce>forUnauthorizedAddresses</announce>
+        <requireSSL>false</requireSSL>
+    </auth>
     <!-- Trust authenticated users -->
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
diff --git a/mpt/impl/smtp/cassandra/src/test/resources/smtpserver.xml b/mpt/impl/smtp/cassandra/src/test/resources/smtpserver.xml
index 31b5d84..d05a93f 100644
--- a/mpt/impl/smtp/cassandra/src/test/resources/smtpserver.xml
+++ b/mpt/impl/smtp/cassandra/src/test/resources/smtpserver.xml
@@ -34,7 +34,10 @@
     <connectiontimeout>360</connectiontimeout>
     <connectionLimit>0</connectionLimit>
     <connectionLimitPerIP>0</connectionLimitPerIP>
-    <authRequired>false</authRequired>
+    <auth>
+        <announce>never</announce>
+        <requireSSL>false</requireSSL>
+    </auth>
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
     <addressBracketsEnforcement>true</addressBracketsEnforcement>
@@ -57,10 +60,10 @@
     <connectiontimeout>360</connectiontimeout>
     <connectionLimit>0</connectionLimit>
     <connectionLimitPerIP>0</connectionLimitPerIP>
-    <!--
-    Authorize only local users
-    -->
-    <authRequired>true</authRequired>
+    <auth>
+        <announce>forUnauthorizedAddresses</announce>
+        <requireSSL>false</requireSSL>
+    </auth>
     <!-- Trust authenticated users -->
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
@@ -84,10 +87,10 @@
     <connectiontimeout>360</connectiontimeout>
     <connectionLimit>0</connectionLimit>
     <connectionLimitPerIP>0</connectionLimitPerIP>
-    <!--
-    Authorize only local users
-    -->
-    <authRequired>true</authRequired>
+    <auth>
+        <announce>forUnauthorizedAddresses</announce>
+        <requireSSL>false</requireSSL>
+    </auth>
     <!-- Trust authenticated users -->
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
diff --git a/protocols/lmtp/src/main/java/org/apache/james/protocols/lmtp/LMTPConfiguration.java b/protocols/lmtp/src/main/java/org/apache/james/protocols/lmtp/LMTPConfiguration.java
index 29e94cb..a0e6695 100644
--- a/protocols/lmtp/src/main/java/org/apache/james/protocols/lmtp/LMTPConfiguration.java
+++ b/protocols/lmtp/src/main/java/org/apache/james/protocols/lmtp/LMTPConfiguration.java
@@ -37,7 +37,7 @@ public abstract class LMTPConfiguration extends ProtocolConfigurationImpl implem
     }
 
     @Override
-    public boolean isAuthAnnounced(String remoteIP) {
+    public boolean isAuthAnnounced(String remoteIP, boolean tlsStarted) {
         return false;
     }
 
diff --git a/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfiguration.java b/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfiguration.java
index 71cf7c3..f979801 100644
--- a/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfiguration.java
+++ b/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfiguration.java
@@ -53,7 +53,7 @@ public interface SMTPConfiguration extends ProtocolConfiguration {
      * @param remoteIP the remote IP address in String form
      * @return whether SMTP authentication is on
      */
-    boolean isAuthAnnounced(String remoteIP);
+    boolean isAuthAnnounced(String remoteIP, boolean tlsStarted);
 
     /**
      * Returns whether the remote server needs to send a HELO/EHLO
diff --git a/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfigurationImpl.java b/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfigurationImpl.java
index 14fa4f2..37ce4d9 100644
--- a/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfigurationImpl.java
+++ b/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPConfigurationImpl.java
@@ -54,7 +54,7 @@ public class SMTPConfigurationImpl extends ProtocolConfigurationImpl implements
      * Return <code>false</code>
      */
     @Override
-    public boolean isAuthAnnounced(String remoteIP) {
+    public boolean isAuthAnnounced(String remoteIP, boolean tlsStarted) {
         return false;
     }
 
diff --git a/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPSessionImpl.java b/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPSessionImpl.java
index 3535d34..c583cf6 100644
--- a/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPSessionImpl.java
+++ b/protocols/smtp/src/main/java/org/apache/james/protocols/smtp/SMTPSessionImpl.java
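Review bot: The new `tlsStarted` parameter of `isAuthAnnounced` in SMTPConfiguration.java is undocumented, while the Javadoc directly above the signature still describes only `remoteIP`; since this is the interface every configuration implements, the contract for the new argument belongs here. Add `* @param tlsStarted whether TLS has already been started on the session` after the existing `@param remoteIP` line, and extend the `@return` sentence to say that the answer may depend on the TLS state. The call site in SMTPSessionImpl.java passes `isTLSStarted()`, which is the only hint a reader currently has about the parameter's meaning.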
@@ -66,7 +66,7 @@ public class SMTPSessionImpl extends ProtocolSessionImpl implements SMTPSession
 
     @Override
     public boolean isAuthAnnounced() {
-        return getConfiguration().isAuthAnnounced(getRemoteAddress().getAddress().getHostAddress());
+        return getConfiguration().isAuthAnnounced(getRemoteAddress().getAddress().getHostAddress(), isTLSStarted());
     }
 
     @Override
diff --git a/server/apps/cassandra-app/sample-configuration/smtpserver.xml b/server/apps/cassandra-app/sample-configuration/smtpserver.xml
index d02ddd5..4acb2ad 100644
--- a/server/apps/cassandra-app/sample-configuration/smtpserver.xml
+++ b/server/apps/cassandra-app/sample-configuration/smtpserver.xml
@@ -47,6 +47,7 @@
     <connectionLimitPerIP>0</connectionLimitPerIP>
     <auth>
         <announce>never</announce>
+        <requireSSL>true</requireSSL>
     </auth>
     <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
     <verifyIdentity>false</verifyIdentity>
@@ -86,6 +87,7 @@
     -->
     <auth>
         <announce>forUnauthorizedAddresses</announce>
+        <requireSSL>true</requireSSL>
     </auth>
     <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
     <!-- Trust authenticated users -->
@@ -126,6 +128,7 @@
     -->
     <auth>
         <announce>forUnauthorizedAddresses</announce>
+        <requireSSL>true</requireSSL>
     </auth>
     <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
     <!-- Trust authenticated users -->
diff --git a/server/apps/cassandra-app/src/test/resources/smtpserver.xml b/server/apps/cassandra-app/src/test/resources/smtpserver.xml
index 66c56eb..ca0fa2c 100644
--- a/server/apps/cassandra-app/src/test/resources/smtpserver.xml
+++ b/server/apps/cassandra-app/src/test/resources/smtpserver.xml
@@ -35,6 +35,7 @@
     <connectionLimitPerIP>0</connectionLimitPerIP>
     <auth>
         <announce>never</announce>
+        <requireSSL>false</requireSSL>
     </auth>
     <verifyIdentity>false</verifyIdentity>
     <maxmessagesize>0</maxmessagesize>
@@ -63,6 +64,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -92,6 +94,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> diff --git a/server/apps/cli-integration-tests/src/test/resources/smtpserver.xml b/server/apps/cli-integration-tests/src/test/resources/smtpserver.xml index 61429fe..1193b94 100644 --- a/server/apps/cli-integration-tests/src/test/resources/smtpserver.xml +++ b/server/apps/cli-integration-tests/src/test/resources/smtpserver.xml @@ -33,7 +33,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <authRequired>false</authRequired> + <auth> + <announce>never</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>0.0.0.0/0</authorizedAddresses> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -57,10 +60,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <!-- - Authorize only local users - --> - <authRequired>true</authRequired> + <auth> + <announce>true</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>0.0.0.0/0</authorizedAddresses> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -85,10 +88,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <!-- - Authorize only local users - --> - <authRequired>true</authRequired> + <auth> + <announce>true</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>0.0.0.0/0</authorizedAddresses> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
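Review bot: The two `<announce>true</announce>` values added to server/apps/cli-integration-tests/src/test/resources/smtpserver.xml (hunks `@@ -57,10 +60,10 @@` and `@@ -85,10 +88,10 @@`) are not a value the parser in this commit accepts: the `AuthenticationAnnounceMode.parse` switch shown in the SMTPServer.java hunk only matches `forunauthorizedaddresses`, `always` and `never` and otherwise throws `RuntimeException("Unknown value for 'auth.announce': ...")`, and since `parse` is what `AuthenticationConfiguration` applies to `auth.announce`, the server would fail at configuration time with this file unless there is handling outside the visible hunk. The lines replace `<authRequired>true</authRequired>`, and every other file in this commit maps that to `<announce>forUnauthorizedAddresses</announce>`, so the same value is presumably intended here: `<announce>forUnauthorizedAddresses</announce>`. Note that with `<authorizedAddresses>0.0.0.0/0</authorizedAddresses>` in the same block, `forUnauthorizedAddresses` would never announce AUTH; `always` may be what these tests actually rely on — worth confirming against the integration tests.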
diff --git a/server/apps/demo/smtpserver.xml b/server/apps/demo/smtpserver.xml index 6e04fda..fea5111 100644 --- a/server/apps/demo/smtpserver.xml +++ b/server/apps/demo/smtpserver.xml @@ -33,7 +33,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <authRequired>false</authRequired> + <auth> + <announce>never</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -58,7 +61,10 @@ <!-- Authorize only local users --> - <authRequired>true</authRequired> + <auth> + <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -84,7 +90,10 @@ <!-- Authorize only local users --> - <authRequired>true</authRequired> + <auth> + <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc index 8222b85..17ea4b3 100644 --- a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc +++ b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc @@ -83,6 +83,10 @@ regardless of this option. Please note that emails are only relayed if, and only if, the user did authenticate, or is in an authorized network, regardless of this option. +| auth.requireSSL +| This is an optional tag, defaults to true. If true, authentication is not advertised via capabilities on unencrypted +channels. + | authorizedAddresses | Authorize specific addresses/networks. 
diff --git a/server/apps/distributed-app/sample-configuration/smtpserver.xml b/server/apps/distributed-app/sample-configuration/smtpserver.xml index d02ddd5..4acb2ad 100644 --- a/server/apps/distributed-app/sample-configuration/smtpserver.xml +++ b/server/apps/distributed-app/sample-configuration/smtpserver.xml @@ -47,6 +47,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <verifyIdentity>false</verifyIdentity> @@ -86,6 +87,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> @@ -126,6 +128,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> diff --git a/server/apps/distributed-app/src/test/resources/smtpserver.xml b/server/apps/distributed-app/src/test/resources/smtpserver.xml index aa98c05..1e68aa1 100644 --- a/server/apps/distributed-app/src/test/resources/smtpserver.xml +++ b/server/apps/distributed-app/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <authorizedAddresses>0.0.0.0/0.0.0.0</authorizedAddresses> <verifyIdentity>false</verifyIdentity> @@ -61,6 +62,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -87,6 +89,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
diff --git a/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml b/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml index 514a403..a2e9720 100644 --- a/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml +++ b/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml @@ -37,6 +37,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <verifyIdentity>false</verifyIdentity> @@ -66,6 +67,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> @@ -96,6 +98,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> diff --git a/server/apps/distributed-pop3-app/src/test/resources/smtpserver.xml b/server/apps/distributed-pop3-app/src/test/resources/smtpserver.xml index a4e1bcf..8064b4b 100644 --- a/server/apps/distributed-pop3-app/src/test/resources/smtpserver.xml +++ b/server/apps/distributed-pop3-app/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -60,6 +61,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -86,6 +88,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
diff --git a/server/apps/jpa-app/sample-configuration/smtpserver.xml b/server/apps/jpa-app/sample-configuration/smtpserver.xml index d02ddd5..4acb2ad 100644 --- a/server/apps/jpa-app/sample-configuration/smtpserver.xml +++ b/server/apps/jpa-app/sample-configuration/smtpserver.xml @@ -47,6 +47,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <verifyIdentity>false</verifyIdentity> @@ -86,6 +87,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> @@ -126,6 +128,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> diff --git a/server/apps/jpa-app/src/test/resources/smtpserver.xml b/server/apps/jpa-app/src/test/resources/smtpserver.xml index a4e1bcf..8064b4b 100644 --- a/server/apps/jpa-app/src/test/resources/smtpserver.xml +++ b/server/apps/jpa-app/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -60,6 +61,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -86,6 +88,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
diff --git a/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml b/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml index d02ddd5..4acb2ad 100644 --- a/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml +++ b/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml @@ -47,6 +47,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <verifyIdentity>false</verifyIdentity> @@ -86,6 +87,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> @@ -126,6 +128,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> diff --git a/server/apps/jpa-smtp-app/src/test/resources/smtpserver.xml b/server/apps/jpa-smtp-app/src/test/resources/smtpserver.xml index a4e1bcf..8064b4b 100644 --- a/server/apps/jpa-smtp-app/src/test/resources/smtpserver.xml +++ b/server/apps/jpa-smtp-app/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -60,6 +61,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -86,6 +88,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
diff --git a/server/apps/memory-app/sample-configuration/smtpserver.xml b/server/apps/memory-app/sample-configuration/smtpserver.xml index d02ddd5..4acb2ad 100644 --- a/server/apps/memory-app/sample-configuration/smtpserver.xml +++ b/server/apps/memory-app/sample-configuration/smtpserver.xml @@ -47,6 +47,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <verifyIdentity>false</verifyIdentity> @@ -86,6 +87,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> @@ -126,6 +128,7 @@ --> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>true</requireSSL> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <!-- Trust authenticated users --> diff --git a/server/apps/memory-app/src/test/resources/smtpserver.xml b/server/apps/memory-app/src/test/resources/smtpserver.xml index a4e1bcf..8064b4b 100644 --- a/server/apps/memory-app/src/test/resources/smtpserver.xml +++ b/server/apps/memory-app/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -60,6 +61,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -86,6 +88,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
diff --git a/server/apps/spring-app/src/test/resources/smtpserver.xml b/server/apps/spring-app/src/test/resources/smtpserver.xml index abc6145..dd71a86 100644 --- a/server/apps/spring-app/src/test/resources/smtpserver.xml +++ b/server/apps/spring-app/src/test/resources/smtpserver.xml @@ -38,6 +38,7 @@ <authorizedAddresses>127.0.0.0/8</authorizedAddresses> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>true</verifyIdentity> <maxmessagesize>0</maxmessagesize> diff --git a/server/apps/webadmin-cli/src/test/resources/smtpserver.xml b/server/apps/webadmin-cli/src/test/resources/smtpserver.xml index 61429fe..f7571b8 100644 --- a/server/apps/webadmin-cli/src/test/resources/smtpserver.xml +++ b/server/apps/webadmin-cli/src/test/resources/smtpserver.xml @@ -33,7 +33,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <authRequired>false</authRequired> + <auth> + <announce>never</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>0.0.0.0/0</authorizedAddresses> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -57,10 +60,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <!-- - Authorize only local users - --> - <authRequired>true</authRequired> + <auth> + <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>0.0.0.0/0</authorizedAddresses> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> 
@@ -85,10 +88,10 @@ <connectiontimeout>360</connectiontimeout> <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> - <!-- - Authorize only local users - --> - <authRequired>true</authRequired> + <auth> + <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> + </auth> <authorizedAddresses>0.0.0.0/0</authorizedAddresses> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> diff --git a/server/mailet/integration-testing/src/main/resources/smtpserver.xml b/server/mailet/integration-testing/src/main/resources/smtpserver.xml index 50a96c5..6399266 100644 --- a/server/mailet/integration-testing/src/main/resources/smtpserver.xml +++ b/server/mailet/integration-testing/src/main/resources/smtpserver.xml @@ -37,6 +37,9 @@ {{#hasAuthorizedAddresses}} <authorizedAddresses>{{authorizedAddresses}}</authorizedAddresses> {{/hasAuthorizedAddresses}} + <auth> + <requireSSL>false</requireSSL> + </auth> <verifyIdentity>{{verifyIdentity}}</verifyIdentity> <maxmessagesize>{{maxmessagesize}}</maxmessagesize> <addressBracketsEnforcement>{{bracketEnforcement}}</addressBracketsEnforcement> diff --git a/server/protocols/jmap-draft-integration-testing/memory-jmap-draft-integration-testing/src/test/resources/smtpserver.xml b/server/protocols/jmap-draft-integration-testing/memory-jmap-draft-integration-testing/src/test/resources/smtpserver.xml index 3a0a35f..b6d0516 100644 --- a/server/protocols/jmap-draft-integration-testing/memory-jmap-draft-integration-testing/src/test/resources/smtpserver.xml +++ b/server/protocols/jmap-draft-integration-testing/memory-jmap-draft-integration-testing/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> 
diff --git a/server/protocols/jmap-draft-integration-testing/rabbitmq-jmap-draft-integration-testing/src/test/resources/smtpserver.xml b/server/protocols/jmap-draft-integration-testing/rabbitmq-jmap-draft-integration-testing/src/test/resources/smtpserver.xml index a4e1bcf..8064b4b 100644 --- a/server/protocols/jmap-draft-integration-testing/rabbitmq-jmap-draft-integration-testing/src/test/resources/smtpserver.xml +++ b/server/protocols/jmap-draft-integration-testing/rabbitmq-jmap-draft-integration-testing/src/test/resources/smtpserver.xml @@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> @@ -60,6 +61,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> @@ -86,6 +88,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <requireSSL>false</requireSSL> </auth> <!-- Trust authenticated users --> <verifyIdentity>false</verifyIdentity> diff --git a/server/protocols/jmap-rfc-8621-integration-tests/distributed-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml b/server/protocols/jmap-rfc-8621-integration-tests/distributed-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml index 3a0a35f..b6d0516 100644 --- a/server/protocols/jmap-rfc-8621-integration-tests/distributed-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml +++ b/server/protocols/jmap-rfc-8621-integration-tests/distributed-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml 
@@ -35,6 +35,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <verifyIdentity>false</verifyIdentity> <maxmessagesize>0</maxmessagesize> diff --git a/server/protocols/jmap-rfc-8621-integration-tests/memory-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml b/server/protocols/jmap-rfc-8621-integration-tests/memory-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml index c030905..75203c0 100644 --- a/server/protocols/jmap-rfc-8621-integration-tests/memory-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml +++ b/server/protocols/jmap-rfc-8621-integration-tests/memory-jmap-rfc-8621-integration-tests/src/test/resources/smtpserver.xml @@ -36,6 +36,7 @@ <authRequired>false</authRequired> <auth> <announce>never</announce> + <requireSSL>false</requireSSL> </auth> <maxmessagesize>0</maxmessagesize> <addressBracketsEnforcement>true</addressBracketsEnforcement> diff --git a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServer.java b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServer.java index 440c30a..bc9c8ef 100644 --- a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServer.java +++ b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServer.java 
@@ -73,11 +73,11 @@ public class SMTPServer extends AbstractProtocolAsyncServer implements SMTPServe
         public static AuthenticationAnnounceMode parse(String authRequiredString) {
             String sanitized = authRequiredString.trim().toLowerCase(Locale.US);
             switch (sanitized) {
-                case "forUnauthorizedAddresses":
+                case "forunauthorizedaddresses":
                     return FOR_UNAUTHORIZED_ADDRESSES;
                 case "always":
                     return ALWAYS;
-                case "neven":
+                case "never":
                     return NEVER;
                 default:
                     throw new RuntimeException("Unknown value for 'auth.announce': " + authRequiredString + ". Should be one of always, never, forUnauthorizedAddresses");
@@ -85,10 +85,47 @@ public class SMTPServer extends AbstractProtocolAsyncServer implements SMTPServe
 }
 }
+ public static class AuthenticationConfiguration {
+ public static AuthenticationConfiguration parse(HierarchicalConfiguration<ImmutableNode> configuration) {
+ return Optional.ofNullable(configuration.configurationAt("auth"))
+ .map(authConfiguration -> parse(configuration, authConfiguration))
+ .orElseGet(() -> new AuthenticationConfiguration(fallbackAuthenticationAnnounceMode(configuration), false));
+ }
+
+ private static AuthenticationConfiguration parse(HierarchicalConfiguration<ImmutableNode> configuration, HierarchicalConfiguration<ImmutableNode> authConfiguration) {
+ return new AuthenticationConfiguration(
+ Optional.ofNullable(authConfiguration.getString("announce", null))
+ .map(AuthenticationAnnounceMode::parse)
+ .orElseGet(() -> fallbackAuthenticationAnnounceMode(configuration)),
+ Optional.ofNullable(authConfiguration.getBoolean("requireSSL", null))
+ .orElse(false));
+ }
+
+ private static AuthenticationAnnounceMode fallbackAuthenticationAnnounceMode(HierarchicalConfiguration<ImmutableNode> configuration) {
+ return AuthenticationAnnounceMode.parseFallback(configuration.getString("authRequired", "false"));
+ }
+
+ private final AuthenticationAnnounceMode authenticationAnnounceMode;
+ private final boolean requireSSL;
+
+ public AuthenticationConfiguration(AuthenticationAnnounceMode authenticationAnnounceMode, boolean requireSSL) {
+ this.authenticationAnnounceMode = authenticationAnnounceMode;
+ this.requireSSL = requireSSL;
+ }
+
+ public AuthenticationAnnounceMode getAuthenticationAnnounceMode() {
+ return authenticationAnnounceMode;
+ }
+
+ public boolean isRequireSSL() {
+ return requireSSL;
+ }
+ }
+
 /**
 * Whether authentication is required to use this SMTP server.
 */
- private AuthenticationAnnounceMode authRequired = NEVER;
+ private AuthenticationConfiguration authenticationConfiguration;
 /**
 * Whether the server needs helo to be send first
@@ -164,10 +201,7 @@ public class SMTPServer extends AbstractProtocolAsyncServer implements SMTPServe
 public void doConfigure(HierarchicalConfiguration<ImmutableNode> configuration) throws ConfigurationException {
 super.doConfigure(configuration);
 if (isEnabled()) {
- authRequired = Optional.ofNullable(configuration.configurationAt("auth"))
- .flatMap(authConfiguration -> Optional.ofNullable(configuration.getString("auth.announce", null)))
- .map(AuthenticationAnnounceMode::parse)
- .orElseGet(() -> AuthenticationAnnounceMode.parseFallback(configuration.getString("authRequired", "false")));
+ authenticationConfiguration = AuthenticationConfiguration.parse(configuration);
 authorizedAddresses = configuration.getString("authorizedAddresses", null);
@@ -190,7 +224,7 @@ public class SMTPServer extends AbstractProtocolAsyncServer implements SMTPServe
 verifyIdentity = configuration.getBoolean("verifyIdentity", false);
- if (authRequired == NEVER && verifyIdentity) {
+ if (authenticationConfiguration.getAuthenticationAnnounceMode() == NEVER && verifyIdentity) {
 throw new ConfigurationException(
 "SMTP configuration: 'verifyIdentity' can't be set to true if 'authRequired' is set to false.");
 }
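Review bot: `.orElse(false)` in `parse(configuration, authConfiguration)`, and the literal `false` passed in the no-`<auth>` fallback, make `requireSSL` default to false, while the documentation hunk for `config-smtp-lmtp.xml` (`@@ -99,6 +99,9 @@`, further down) states the tag "defaults to true"; one of the two must change, and since a false default keeps offering AUTH on plaintext sessions the defensive choice is to default the code to true (`.orElse(true)` and `new AuthenticationConfiguration(fallbackAuthenticationAnnounceMode(configuration), true)`) rather than weaken the doc. The new field `private AuthenticationConfiguration authenticationConfiguration;` has no initializer where the removed `authRequired = NEVER` did, so when `doConfigure` (the `@@ -164` hunk) runs with `isEnabled()` false, `getAuthRequired()` and `isAuthAnnounced` (the `@@ -336` and `@@ -245` hunks) now throw NullPointerException instead of reporting NEVER; a field default such as `= new AuthenticationConfiguration(NEVER, true)` restores the old behaviour. If `configurationAt("auth")` throws when the key is absent rather than returning null (as Commons Configuration 2 does for a key that does not select exactly one node), the `orElseGet` fallback to the legacy `authRequired` key is unreachable — a test that loads a configuration without an `<auth>` element would settle this. The nested class is public and undocumented; a class comment such as `/** Parsed {@code <auth>} section: the announce mode plus whether AUTH is only offered once TLS is active. */` would help the next reader.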
@@ -245,14 +279,19 @@ public class SMTPServer extends AbstractProtocolAsyncServer implements SMTPServe
 }
 @Override
- public boolean isAuthAnnounced(String remoteIP) {
- if (SMTPServer.this.authRequired == ALWAYS) {
+ public boolean isAuthAnnounced(String remoteIP, boolean tlsStarted) {
+ if (authenticationConfiguration.requireSSL && !tlsStarted) {
+ return false;
+ }
+ if (authenticationConfiguration.getAuthenticationAnnounceMode() == ALWAYS) {
 return true;
 }
- if (SMTPServer.this.authRequired == NEVER) {
+ if (authenticationConfiguration.getAuthenticationAnnounceMode() == NEVER) {
 return false;
 }
- return !SMTPServer.this.authorizedNetworks.matchInetNetwork(remoteIP);
+ return Optional.ofNullable(authorizedNetworks)
+ .map(nets -> !nets.matchInetNetwork(remoteIP))
+ .orElse(true);
 }
 /**
@@ -336,6 +375,6 @@ public class SMTPServer extends AbstractProtocolAsyncServer implements SMTPServe
 }
 public AuthenticationAnnounceMode getAuthRequired() {
- return authRequired;
+ return authenticationConfiguration.getAuthenticationAnnounceMode();
 }
 }
diff --git a/server/protocols/protocols-smtp/src/test/java/org/apache/james/smtpserver/SMTPTestConfiguration.java b/server/protocols/protocols-smtp/src/test/java/org/apache/james/smtpserver/SMTPTestConfiguration.java
index ba8f589..2718665 100644
--- a/server/protocols/protocols-smtp/src/test/java/org/apache/james/smtpserver/SMTPTestConfiguration.java
+++ b/server/protocols/protocols-smtp/src/test/java/org/apache/james/smtpserver/SMTPTestConfiguration.java
@@ -135,6 +135,7 @@ public class SMTPTestConfiguration extends BaseHierarchicalConfiguration {
 addProperty("tls.[@startTLS]", startTLS);
 addProperty("tls.keystore", "test_keystore");
 addProperty("tls.secret", "jamestest");
+ addProperty("auth.requireSSL", false);
 addProperty("verifyIdentity", verifyIdentity);
 // add the rbl handler
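Review bot: With `requireSSL` set, `isAuthAnnounced` only stops advertising AUTH before STARTTLS; it does not by itself stop a client from issuing AUTH on the plaintext session, so unless the AUTH command handler (not in this diff) also consults `isRequireSSL()` and the session's TLS state and answers with `530 Must issue a STARTTLS command first`, credentials can still be sent unencrypted and the option name promises more than it enforces — either add that check in the handler or document the announce-only scope. Style: the method reads the nested class's field directly as `authenticationConfiguration.requireSSL` while the line below uses the accessor `getAuthenticationAnnounceMode()`; `if (authenticationConfiguration.isRequireSSL() && !tlsStarted) {` keeps the two consistent. The `Optional.ofNullable(authorizedNetworks)` rewrite changes the outcome for a null network list from a NullPointerException to announcing AUTH, which looks intended but deserves a comment such as `// no authorizedNetworks configured: every remote is unauthorized, so announce AUTH`. `SMTPTestConfiguration` (hunk further down) adds `auth.requireSSL` as false, so nothing in this commit exercises the true path; a test asserting that AUTH is absent from the EHLO reply before STARTTLS and present after would cover it.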
diff --git a/server/protocols/protocols-smtp/src/test/resources/smtpserver-dsn.xml b/server/protocols/protocols-smtp/src/test/resources/smtpserver-dsn.xml
index 25f7929..742922d 100644
--- a/server/protocols/protocols-smtp/src/test/resources/smtpserver-dsn.xml
+++ b/server/protocols/protocols-smtp/src/test/resources/smtpserver-dsn.xml
@@ -35,6 +35,7 @@
 <connectionLimitPerIP>0</connectionLimitPerIP>
 <auth>
 <announce>forUnauthorizedAddresses</announce>
+ <requireSSL>false</requireSSL>
 </auth>
 <verifyIdentity>true</verifyIdentity>
 <maxmessagesize>0</maxmessagesize>
diff --git a/server/protocols/webadmin-integration-test/distributed-webadmin-integration-test/src/test/resources/smtpserver.xml b/server/protocols/webadmin-integration-test/distributed-webadmin-integration-test/src/test/resources/smtpserver.xml
index 2ffd9aa..d0d8f01 100644
--- a/server/protocols/webadmin-integration-test/distributed-webadmin-integration-test/src/test/resources/smtpserver.xml
+++ b/server/protocols/webadmin-integration-test/distributed-webadmin-integration-test/src/test/resources/smtpserver.xml
@@ -35,6 +35,7 @@
 <connectionLimitPerIP>0</connectionLimitPerIP>
 <auth>
 <announce>never</announce>
+ <requireSSL>false</requireSSL>
 </auth>
 <authorizedAddresses>0.0.0.0/0</authorizedAddresses>
 <verifyIdentity>false</verifyIdentity>
diff --git a/server/protocols/webadmin-integration-test/memory-webadmin-integration-test/src/test/resources/smtpserver.xml b/server/protocols/webadmin-integration-test/memory-webadmin-integration-test/src/test/resources/smtpserver.xml
index 965bb6b..f7571b8 100644
--- a/server/protocols/webadmin-integration-test/memory-webadmin-integration-test/src/test/resources/smtpserver.xml
+++ b/server/protocols/webadmin-integration-test/memory-webadmin-integration-test/src/test/resources/smtpserver.xml
@@ -35,6 +35,7 @@
 <connectionLimitPerIP>0</connectionLimitPerIP>
 <auth>
 <announce>never</announce>
+ <requireSSL>false</requireSSL>
 </auth>
 <authorizedAddresses>0.0.0.0/0</authorizedAddresses>
 <verifyIdentity>false</verifyIdentity>
@@ -61,6 +62,7 @@
 <connectionLimitPerIP>0</connectionLimitPerIP>
 <auth>
 <announce>forUnauthorizedAddresses</announce>
+ <requireSSL>false</requireSSL>
 </auth>
 <authorizedAddresses>0.0.0.0/0</authorizedAddresses>
 <!-- Trust authenticated users -->
@@ -88,6 +90,7 @@
 <connectionLimitPerIP>0</connectionLimitPerIP>
 <auth>
 <announce>forUnauthorizedAddresses</announce>
+ <requireSSL>false</requireSSL>
 </auth>
 <authorizedAddresses>0.0.0.0/0</authorizedAddresses>
 <!-- Trust authenticated users -->
diff --git a/src/site/xdoc/server/config-smtp-lmtp.xml b/src/site/xdoc/server/config-smtp-lmtp.xml
index dc52e36..688ebbb 100644
--- a/src/site/xdoc/server/config-smtp-lmtp.xml
+++ b/src/site/xdoc/server/config-smtp-lmtp.xml
@@ -99,6 +99,9 @@
 Please note that emails are only relayed if, and only if, the user did authenticate, or is in an authorized network, regardless of this option.</dd>
+ <dt><strong>auth.requireSSL</strong></dt>
+ <dd>This is an optional tag, defaults to true. If true, authentication is not advertised via capabilities on unencrypted
+ channels.</dd>
 <dt><strong>handler.authorizedAddresses</strong></dt>
 <dd>Authorize specific addresses/networks. If you use SMTP AUTH, addresses that match those specified here will
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
