This is an automated email from the ASF dual-hosted git repository.

chibenwa pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 36d0fad9a93f95975e9e52c0c3e0eac98cc48579
Author: Quan Tran <[email protected]>
AuthorDate: Mon Jun 29 13:42:51 2026 +0700

    JAMES-4210 Preserve legacy SMTP behavior: PLAIN authentication should still 
be available on clear text channel upon `requireSSL=true`
    
    Fix following failing tests:
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGood
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddBadSMIMEStatusWhenSignatureIsBad
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndContentTypeIsXPkcs7Mime
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldDoNothingWhenItIsNonSMIMEMail
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndMailContainsMultiCerts
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithKeyStoreFileIntegrationTest.checkSMIMESignatureShouldAddNotSignedStatusWhenNoSignature
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGood
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddBadSMIMEStatusWhenSignatureIsBad
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndContentTypeIsXPkcs7Mime
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldDoNothingWhenItIsNonSMIMEMail
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddGoodSMIMEStatusWhenSignatureIsGoodAndMailContainsMultiCerts
    
org.apache.james.mailets.crypto.SMIMECheckSignatureWithPemFileIntegrationTest.checkSMIMESignatureShouldAddNotSignedStatusWhenNoSignature
    
org.apache.james.mailets.crypto.SMIMEDecryptIntegrationTest.cryptedMessageShouldNotBeDecryptedWhenCertificateDoesntMatch
    
org.apache.james.mailets.crypto.SMIMEDecryptIntegrationTest.cryptedMessageShouldBeDecryptedWhenCertificateMatches
    
org.apache.james.mailets.crypto.SMIMEDecryptIntegrationTest.cryptedMessageWithAttachmentShouldBeDecryptedWhenCertificateMatches
    
org.apache.james.mailets.crypto.SMIMESignIntegrationTest.authenticatedMessagesShouldBeSigned
    
org.apache.james.transport.mailets.DlpIntegrationTest.dlpShouldBeAbleToReadMailContentWithAttachments(File)
---
 .../james/protocols/sasl/PlainSaslMechanismFactory.java | 10 ++++++++++
 .../james/modules/protocols/SMTPServerModule.java       |  5 ++++-
 .../james/smtpserver/netty/SMTPServerFactory.java       | 17 ++++++++++-------
 3 files changed, 24 insertions(+), 8 deletions(-)

diff --git 
a/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java
 
b/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java
index 7964454d43..4543c3c30d 100644
--- 
a/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java
+++ 
b/protocols/sasl/src/main/java/org/apache/james/protocols/sasl/PlainSaslMechanismFactory.java
@@ -26,17 +26,24 @@ import 
org.apache.james.protocols.api.sasl.SaslMechanismFactory;
 import org.apache.james.protocols.sasl.plain.PlainSaslMechanism;
 
 public class PlainSaslMechanismFactory implements SaslMechanismFactory {
+    public static final boolean IGNORE_REQUIRE_SSL_CONFIGURATION = false;
     private static final boolean PLAIN_AUTH_DISALLOWED_DEFAULT = true;
     private static final boolean PLAIN_AUTH_ENABLED_DEFAULT = true;
 
     private final boolean requireSslDefault;
+    private final boolean honorRequireSslConfiguration;
 
     public PlainSaslMechanismFactory() {
         this(PLAIN_AUTH_DISALLOWED_DEFAULT);
     }
 
     public PlainSaslMechanismFactory(boolean requireSslDefault) {
+        this(requireSslDefault, true);
+    }
+
+    public PlainSaslMechanismFactory(boolean requireSslDefault, boolean 
honorRequireSslConfiguration) {
         this.requireSslDefault = requireSslDefault;
+        this.honorRequireSslConfiguration = honorRequireSslConfiguration;
     }
 
     @Override
@@ -49,6 +56,9 @@ public class PlainSaslMechanismFactory implements 
SaslMechanismFactory {
     }
 
     protected boolean requiresSsl(HierarchicalConfiguration<ImmutableNode> 
serverConfiguration) {
+        if (!honorRequireSslConfiguration) {
+            return requireSslDefault;
+        }
         return serverConfiguration.getBoolean("auth.requireSSL",
             serverConfiguration.getBoolean("plainAuthDisallowed", 
requireSslDefault));
     }
diff --git 
a/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java
 
b/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java
index d74147d30b..242ba93e33 100644
--- 
a/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java
+++ 
b/server/container/guice/protocols/smtp/src/main/java/org/apache/james/modules/protocols/SMTPServerModule.java
@@ -95,7 +95,10 @@ public class SMTPServerModule extends AbstractModule {
     @SmtpDefaultSaslMechanismFactories
     ImmutableList<SaslMechanismFactory> 
provideDefaultSmtpSaslMechanismFactories(OauthBearerSaslMechanismFactory 
oauthBearer,
                                                                                
  XOauth2SaslMechanismFactory xoauth2) {
-        return ImmutableList.of(new 
PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT), 
oauthBearer, xoauth2);
+        // SMTP historically used auth.requireSSL for capability announcement 
only: PLAIN/LOGIN remain accepted
+        // when sent explicitly by clients, even over clear-text 
test/configuration ports.
+        return ImmutableList.of(new 
PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT,
+            PlainSaslMechanismFactory.IGNORE_REQUIRE_SSL_CONFIGURATION), 
oauthBearer, xoauth2);
     }
 
     @Provides
diff --git 
a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java
 
b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java
index c04861508e..863da425b8 100644
--- 
a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java
+++ 
b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/netty/SMTPServerFactory.java
@@ -56,13 +56,16 @@ import com.google.common.collect.ImmutableList;
 public class SMTPServerFactory extends AbstractServerFactory implements 
Disconnector, ConnectionDescriptionSupplier {
     @FunctionalInterface
     public interface SmtpSaslMechanismLoader {
-        static SmtpSaslMechanismLoader defaultLoader() {
-            ImmutableList<SaslMechanismFactory> defaultFactories = 
ImmutableList.of(
-                new 
PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT),
-                new OauthBearerSaslMechanismFactory(),
-                new XOauth2SaslMechanismFactory());
-            return configuration -> loadBuiltInMechanisms(defaultFactories, 
configuration);
-        }
+        static SmtpSaslMechanismLoader defaultLoader() {
+            ImmutableList<SaslMechanismFactory> defaultFactories = 
ImmutableList.of(
+                // SMTP historically used auth.requireSSL for capability 
announcement only: PLAIN/LOGIN remain accepted
+                // when sent explicitly by clients, even over clear-text 
test/configuration ports.
+                new 
PlainSaslMechanismFactory(AuthAnnouncementConfiguration.REQUIRE_SSL_DEFAULT,
+                    
PlainSaslMechanismFactory.IGNORE_REQUIRE_SSL_CONFIGURATION),
+                new OauthBearerSaslMechanismFactory(),
+                new XOauth2SaslMechanismFactory());
+            return configuration -> loadBuiltInMechanisms(defaultFactories, 
configuration);
+        }
 
         ImmutableList<SaslMechanism> 
load(HierarchicalConfiguration<ImmutableNode> configuration) throws 
ConfigurationException;
     }


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to