blueimp / aws-smtp-relay

SMTP server to relay emails via Amazon SES or Amazon Pinpoint using IAM roles.
MIT License

Authentication appears to be broken #5

Closed andrewmiskell closed 5 years ago

andrewmiskell commented 5 years ago

I'm trying to use authentication with the relay but trying to enable username/password based authentication just results in the relay returning back the following output.

root@ns03:/var/log# telnet localhost 1026
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ns03 AWS SMTP Relay ESMTP Service ready
EHLO ns03
250-ns03 greets ns03
250-SIZE 0
250 ENHANCEDSTATUSCODES
AUTH LOGIN
504 5.5.4 Unrecognized authentication type

I also just tried using IP-based filtering without specifying any username/password, (for purely IP based filtering) and the relay returns back that authentication is required and won't allow me to relay.

blueimp commented 5 years ago

Thanks for the report @andrewmiskell.

I've just released a new version that adds support for CRAM-MD5 and improves the authentication documentation:

The supported user-based SMTP authentication mechanisms and their required configuration settings (see also RFC 4954):

Mechanism   TLS   User   Hash   Pass
LOGIN       Yes   Yes    Yes    No
PLAIN       Yes   Yes    Yes    No
CRAM-MD5    No    Yes    No     Yes

Authentication can be enabled for LOGIN and PLAIN mechanisms by configuring TLS and a username and providing the bcrypt encrypted password as BCRYPT_HASH environment variable:

export BCRYPT_HASH=$(htpasswd -bnBC 10 '' password | tr -d ':\n')
export TLS_KEY_PASS="$PASSPHRASE"

aws-smtp-relay -c tls/default.crt -k tls/default.key -u username

If the password is provided as plain text PASSWORD environment variable, it will also enable the CRAM-MD5 authentication mechanism:

export PASSWORD=password
export TLS_KEY_PASS="$PASSPHRASE"

aws-smtp-relay -c tls/default.crt -k tls/default.key -u username

Without TLS configuration, only CRAM-MD5 will be enabled:

export PASSWORD=password

aws-smtp-relay -u username

Please note:

It is not recommended to provide the password as plain text environment variable, nor to configure the SMTP server without TLS support.

IP

To limit the allowed IP addresses, supply a comma-separated list via -i ips option:

aws-smtp-relay -i 127.0.0.1,::1

Please note:

To authorize their IP, clients must use a supported SMTP authentication mechanism, e.g. LOGIN or PLAIN via TLS or CRAM-MD5 on unencrypted connections.
This is required even if no user authentication is configured on the server, although in this case the credentials can be chosen freely by the client.
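
As an added illustration of the mechanism table above (this is not the project's code; the username, password, hostname and challenge value are constructed for the example), the following Python reproduces the two credential flows the comment describes: PLAIN/LOGIN ship the password itself across the wire, which is why they are only enabled together with TLS and can be checked against a stored bcrypt hash, while CRAM-MD5 keeps the password off the wire but forces the server to recompute an HMAC from the plaintext password, which is why it needs PASSWORD rather than BCRYPT_HASH. The `relay_password_lookup` helper is a stand-in for the server's `-u username` / `PASSWORD` configuration.

```python
"""Constructed example of SMTP AUTH credential handling (RFC 4616 PLAIN, RFC 2195 CRAM-MD5).
Not taken from aws-smtp-relay; all sample values are made up for illustration."""
import base64
import hashlib
import hmac
import os
import time


def plain_initial_response(user: str, password: str) -> str:
    """RFC 4616 PLAIN: base64("\\0" + authcid + "\\0" + password).
    The server (and anyone on the path without TLS) can read both fields back."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def plain_decode(response: str) -> tuple:
    """Server side of PLAIN: recover (authzid, authcid, password) from the client line.
    The recovered password can then be checked against a stored bcrypt hash."""
    authzid, authcid, password = base64.b64decode(response).decode().split("\0")
    return authzid, authcid, password


def cram_md5_challenge(hostname: str) -> bytes:
    """RFC 2195 server challenge: "<random.timestamp@hostname>" (sent base64-encoded)."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: base64(user + " " + hex(HMAC-MD5(password, challenge))).
    The password never leaves the client; only the keyed digest does."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def relay_password_lookup(user: str):
    """Stand-in for the relay's `-u username` plus PASSWORD environment variable.
    Constructed values; a real deployment keeps this out of the environment."""
    return {"username": "password"}.get(user)


def cram_md5_verify(response: str, challenge: bytes, lookup_password) -> bool:
    """Server side of CRAM-MD5. Note that it must recompute the HMAC from the
    plaintext password: a bcrypt hash of the password is useless here, which is
    exactly why the mechanism table pairs CRAM-MD5 with Pass=Yes, Hash=No."""
    try:
        user, digest = base64.b64decode(response).decode().split(" ", 1)
    except ValueError:
        return False
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def password_visible_on_wire(mechanism: str, user: str, password: str, challenge: bytes) -> bool:
    """True if the client's AUTH line, once base64-decoded, contains the password verbatim."""
    if mechanism == "PLAIN":
        line = plain_initial_response(user, password)
    elif mechanism == "CRAM-MD5":
        line = cram_md5_response(user, password, challenge)
    else:
        raise ValueError(f"unsupported mechanism {mechanism!r}")
    return password.encode() in base64.b64decode(line)


if __name__ == "__main__":
    chal = cram_md5_challenge("ns03")
    print("PLAIN leaks password without TLS:", password_visible_on_wire("PLAIN", "username", "password", chal))
    print("CRAM-MD5 leaks password:", password_visible_on_wire("CRAM-MD5", "username", "password", chal))
    resp = cram_md5_response("username", "password", chal)
    print("CRAM-MD5 verify (correct):", cram_md5_verify(resp, chal, relay_password_lookup))
    print("CRAM-MD5 verify (wrong):", cram_md5_verify(cram_md5_response("username", "wrong", chal), chal, relay_password_lookup))
```

The same HMAC-MD5 construction is what makes CRAM-MD5 a weak choice today: the server must hold the password in recoverable form, and an observer who captures the challenge and response can brute-force the password offline, which is the reason the comment advises against both plaintext PASSWORD and a TLS-less server.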

gdamjan commented 3 years ago

Sorry for necro-commenting :)

but, is there an option for anonymous SMTP? I'll only ever use this on a single EC2 instance that already has SES privileges, but the legacy application only supports SMTP

andrewmiskell commented 3 years ago

Do you mean without requiring SSL or a username and password? If so, yes. If you don't specify any authentication or SSL options it'll work as an open SMTP relay (be VERY careful with this and make sure you have proper firewall rules in place).

gdamjan commented 3 years ago

Do you mean without requiring SSL or Username and Password? If so, yes..

yes.

If you don't specify any authentication or SSL options it'll work as a open SMTP relay

ok, for some reason it's not working for me. I have master built, and I'm running

sudo AWS_REGION=us-east-1 ./aws-smtp-relay -i 127.0.0.1,::1 -a 127.0.0.1:25
$ echo "some test text" | ./mail.sh -f no-reply@example.com -t my-address-here@my-domain.com 
220 ip-172-31-64-149 AWS SMTP Relay ESMTP Service ready
250 ip-172-31-64-149 greets localhost
530 5.7.0 Authentication required
530 5.7.0 Authentication required
530 5.7.0 Authentication required
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
500 5.5.2 Syntax error, command unrecognized
221 2.0.0 ip-172-31-64-149 AWS SMTP Relay ESMTP Service closing transmission channel

./aws-smtp-relay didn't log anything

gdamjan commented 3 years ago

ps. using ncat:

$ ncat localhost 25
220 ip-172-31-64-149 AWS SMTP Relay ESMTP Service ready
HELO localhost
250 ip-172-31-64-149 greets localhost
MAIL FROM: no-reply@example.com
530 5.7.0 Authentication required

gdamjan commented 3 years ago

ohh, I see https://github.com/blueimp/aws-smtp-relay/blob/master/main.go#L51 AuthRequired: ipMap != nil || *user != "",

so if I use the -i flag, authentication is required, that's a bit weird, is it intentional?

andrewmiskell commented 3 years ago

Yes, I believe it's intentional. That's why I stated you had to make sure you had proper firewall rules in place.

gdamjan commented 3 years ago

ok, I had expected the opposite