This is an automated email from the ASF dual-hosted git repository. chibenwa pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 36d0fad9a93f95975e9e52c0c3e0eac98cc48579 Author: Quan Tran <[email protected]> AuthorDate: Mon Jun 29 13:42:51 2026 +0700 JAMES-4210 Preserve legacy SMTP behavior: PLAIN authentication should still be available on clear text channel upon `requireSSL=true` Fix following failing tests: org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGood org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddBadSMIMEStatusWhenSignatureIsBad org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndContentTypeIsXPkcs7Mime org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldDoNothingWhenItIsNonSMIMEMail org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndMailContainsMultiCerts org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddNotSignedStatusWhenNoSignature org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGood org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddBadSMIMEStatusWhenSignatureIsBad org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndContentTypeIsXPkcs7Mime org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldDoNothingWhenItIsNonSMIMEMail org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndMailContainsMultiCerts org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddNotSignedStatusWhenNoSignature org.apache.james.mailets.crypto.SMIMEDecryptIntegrationTest.cryptedMessageShouldNotBeDecryptedWhenCertificateDoesntMatch org.apache.james.mailets.crypto.SMIMEDecryptIntegrationTest.cryptedMessageShouldBeDecryptedWhenCertificateMatches org.apache.james.mailets.crypto.SMIMEDecryptIntegrationTest.cryptedMessageWithAttachmentShouldBeDecryptedWhenCertificateMatches org.apache.james.mailets.crypto.SMIMESignIntegrationTest.authenticatedMessagesShouldBeSigned org.apache.james.transport.mailets.DlpIntegrationTest.dlpShouldBeAbleToReadMailContentWithAttachments(File) --- .../james/protocols/sasl/PlainSaslMechanismFactory.java | 10 ++++++++++ .../james/modules/protocols/SMTPServerModule.java | 5 ++++- .../james/smtpserver/netty/SMTPServerFactory.java | 17 ++++++++++------- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java b/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java index 7964454d43..4543c3c30d 100644 --- a/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java +++ b/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java @@ -26,17 +26,24 @@ import org.apache.james.protocols.api.sasl.SaslMechanismFactory; import org.apache.james.protocols.sasl.plain.PlainSaslMechanism; public class PlainSaslMechanismFactory implements SaslMechanismFactory { + public static final boolean IGNORE_REQUIRE_SSL_CONFIGURATION = false; private static final boolean PLAIN_AUTH_DISALLOWED_DEFAULT = true; private static final boolean PLAIN_AUTH_ENABLED_DEFAULT = true; private final boolean requireSslDefault; + private final boolean honorRequireSslConfiguration; public PlainSaslMechanismFactory() { this(PLAIN_AUTH_DISALLOWED_DEFAULT); } public PlainSaslMechanismFactory(boolean requireSslDefault) { + this(requireSslDefault, true); + } + + public PlainSaslMechanismFactory(boolean requireSslDefault, boolean honorRequireSslConfiguration) { this.requireSslDefault = requireSslDefault; + this.honorRequireSslConfiguration = honorRequireSslConfiguration; } @Override @@ -49,6 +56,9 @@ public class PlainSaslMechanismFactory implements SaslMechanismFactory { } protected boolean requiresSsl(HierarchicalConfiguration<ImmutableNode> serverConfiguration) { + if (!honorRequireSslConfiguration) { + return requireSslDefault; + } return serverConfiguration.getBoolean("auth.requireSSL", serverConfiguration.getBoolean("plainAuthDisallowed", requireSslDefault)); } diff --git a/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java b/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java index d74147d30b..242ba93e33 100644 --- a/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java +++ b/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java @@ -95,7 +95,10 @@ public class SMTPServerModule extends AbstractModule { @SmtpDefaultSaslMechanismFactories ImmutableList<SaslMechanismFactory> provideDefaultSmtpSaslMechanismFactories(OauthBearerSaslMechanismFactory oauthBearer, XOauth2SaslMechanismFactory xoauth2) { - return ImmutableList.of(new PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT), oauthBearer, xoauth2); + // SMTP historically used auth.requireSSL for capability announcement only: PLAIN/LOGIN remain accepted + // when sent explicitly by clients, even over clear-text test/configuration ports. + return ImmutableList.of(new PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT, + PlainSaslMechanismFactory.IGNORE_REQUIRE_SSL_CONFIGURATION), oauthBearer, xoauth2); } @Provides diff --git a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java index c04861508e..863da425b8 100644 --- a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java +++ b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java @@ -56,13 +56,16 @@ import com.google.common.collect.ImmutableList; public class SMTPServerFactory extends AbstractServerFactory implements Disconnector, ConnectionDescriptionSupplier { @FunctionalInterface public interface SmtpSaslMechanismLoader { - static SmtpSaslMechanismLoader defaultLoader() { - ImmutableList<SaslMechanismFactory> defaultFactories = ImmutableList.of( - new PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT), - new OauthBearerSaslMechanismFactory(), - new XOauth2SaslMechanismFactory()); - return configuration -> loadBuiltInMechanisms(defaultFactories, configuration); - } + static SmtpSaslMechanismLoader defaultLoader() { + ImmutableList<SaslMechanismFactory> defaultFactories = ImmutableList.of( + // SMTP historically used auth.requireSSL for capability announcement only: PLAIN/LOGIN remain accepted + // when sent explicitly by clients, even over clear-text test/configuration ports. + new PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT, + PlainSaslMechanismFactory.IGNORE_REQUIRE_SSL_CONFIGURATION), + new OauthBearerSaslMechanismFactory(), + new XOauth2SaslMechanismFactory()); + return configuration -> loadBuiltInMechanisms(defaultFactories, configuration); + } ImmutableList<SaslMechanism> load(HierarchicalConfiguration<ImmutableNode> configuration) throws ConfigurationException; } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
