foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0

IMAP LOGIN get "01 NO Authentication disabled" without any error log on the server side #579

Closed NexZhu closed 7 months ago

NexZhu commented 1 year ago

Describe the bug

I'm testing my Maddy deployment with telnet mx1.example.com 143 (host name is replaced for privacy)

telnet mx1.example.com 143
Trying IP... (IP is correct)
Connected to mx1.example.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR CHILDREN UNSELECT MOVE IDLE APPENDLIMIT STARTTLS LOGINDISABLED COMPRESS] IMAP4rev1 Service Ready
01 LOGIN john password
01 NO Authentication disabled
01 LOGIN john@example.com password
01 NO Authentication disabled

There's no log at all on the server side, so I don't know what's going wrong. I'm using LDAP for auth, and there is no log on the LDAP server either.

Log files

No server log on connection or login

Configuration file

$(hostname) = mx1.example.com
$(primary_domain) = example.com
$(local_domains) = $(primary_domain)

tls file /data/tls/fullchain.pem /data/tls/privkey.pem

auth.ldap idm_example_com {
    urls ldaps://idm.example.com:3636

    bind off

    dn_template "spn={username}@idm.example.com,dc=example,dc=com"

    starttls off
    debug off
    connect_timeout 1m
}

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) default
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    limits {
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        dane
        mtasts {
            cache fs
            fs_dir mtasts_cache/
        }
        local_policy {
            min_tls_level encrypted
            min_mx_level none
        }
    }
}

target.queue remote_queue {
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
    auth &idm_example_com

    storage &local_mailboxes
}

Environment information

Docker

foxcpp commented 1 year ago

Authentication is disabled unless TLS is used. You can put insecure_auth directive into imap block in config to disable that, but this is not recommended for production use for obvious reasons.
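The behaviour above is visible in the server greetings quoted in this issue: on the plaintext port 143 the CAPABILITY list carries STARTTLS and LOGINDISABLED and no AUTH= mechanisms, while the TLS session on 993 advertises AUTH=PLAIN and AUTH=LOGIN. A compliant client must not send LOGIN when LOGINDISABLED is advertised, and the server answers NO without treating it as an error worth logging. The following script, added here as an illustration and not part of maddy, parses such a greeting and classifies whether credentials could travel unencrypted; the two sample greeting lines are constructed from the ones in this thread, and probe() is an optional live check that uses only the standard imaplib API.

```python
"""Classify an IMAP server's authentication posture from its greeting.

Added illustration (not maddy's code).  The two greetings below are
constructed copies of the ones quoted in this issue.
"""
import imaplib
from dataclasses import dataclass

# Constructed samples: port 143 without TLS, port 993 with TLS.
PLAINTEXT_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR CHILDREN UNSELECT MOVE IDLE "
    "APPENDLIMIT STARTTLS LOGINDISABLED COMPRESS] IMAP4rev1 Service Ready"
)
TLS_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR CHILDREN UNSELECT MOVE IDLE "
    "APPENDLIMIT AUTH=PLAIN AUTH=LOGIN COMPRESS] IMAP4rev1 Service Ready"
)


def parse_capabilities(greeting: str) -> set[str]:
    """Extract the CAPABILITY response code from an untagged OK greeting (RFC 3501, 7.1)."""
    start = greeting.find("[CAPABILITY ")
    end = greeting.find("]", start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("greeting carries no CAPABILITY response code")
    body = greeting[start + len("[CAPABILITY "):end]
    return {cap.upper() for cap in body.split()}


@dataclass(frozen=True)
class AuthPosture:
    tls_active: bool            # was the greeting read over a TLS session?
    login_allowed: bool         # LOGINDISABLED not advertised
    sasl_mechanisms: frozenset  # names after AUTH=
    starttls_offered: bool

    @property
    def plaintext_credentials_exposed(self) -> bool:
        """True when a client could send credentials without encryption."""
        if self.tls_active:
            return False
        return self.login_allowed or bool(self.sasl_mechanisms)


def assess(greeting: str, tls_active: bool) -> AuthPosture:
    """Turn a greeting line into an AuthPosture."""
    caps = parse_capabilities(greeting)
    return AuthPosture(
        tls_active=tls_active,
        login_allowed="LOGINDISABLED" not in caps,
        sasl_mechanisms=frozenset(c[len("AUTH="):] for c in caps if c.startswith("AUTH=")),
        starttls_offered="STARTTLS" in caps,
    )


def probe(host: str, port: int = 143) -> AuthPosture:
    """Live check of a server you operate; reads only the greeting, then logs out."""
    conn = imaplib.IMAP4(host, port)
    try:
        return assess(conn.welcome.decode("ascii", "replace"), tls_active=False)
    finally:
        conn.logout()


if __name__ == "__main__":
    for label, greeting, tls in (("port 143", PLAINTEXT_GREETING, False),
                                 ("port 993", TLS_GREETING, True)):
        posture = assess(greeting, tls)
        print(label, "login allowed:", posture.login_allowed,
              "SASL:", sorted(posture.sasl_mechanisms),
              "exposed:", posture.plaintext_credentials_exposed)
```

Running the script against the two constructed greetings reports that port 143 disallows LOGIN and offers no SASL mechanism (so nothing is exposed, which is exactly why the issue's LOGIN attempt is refused), while port 993 allows LOGIN and PLAIN only under TLS. If a plaintext greeting ever lacked LOGINDISABLED or advertised AUTH= mechanisms, plaintext_credentials_exposed would be true, which is the condition enabling insecure_auth creates.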

NexZhu commented 1 year ago

@foxcpp

Thanks. Tried with TLS also:

Without email domain:

openssl s_client -crlf -connect mx1.example.com:993
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR CHILDREN UNSELECT MOVE IDLE APPENDLIMIT AUTH=PLAIN AUTH=LOGIN COMPRESS] IMAP4rev1 Service Ready
1 login john password
1 NO Invalid credentials

No server log.

With email domain:

1 login john@example.com password
1 NO Invalid credentials

Server log:

imap: authentication failed     {"reason":"no auth. provider accepted creds, last err: unknown credentials","src_ip":"114.254.3.12:35766","username":"john@example.com"}

Looking at the LDAP server log, maddy is using the whole john@example.com instead of john as {username}. Is there a way to use only the john part in LDAP bind request?

LDAP config:

auth.ldap idm_example_com {
    urls ldaps://idm.example.com:3636

    bind off

    dn_template "spn={username}@idm.example.com,dc=example,dc=com"

    starttls off
    debug off
    connect_timeout 1m
}

NexZhu commented 1 year ago

@foxcpp Do you have any advice? Thanks!

foxcpp commented 7 months ago

Looking at the LDAP server log, maddy is using the whole john@example.com instead of john as {username}. Is there a way to use only the john part in LDAP bind request?

Since 0.7 this is possible using auth_map directive as described in https://maddy.email/reference/global-config/
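To make the mapping concrete, the following is an added model (not maddy's implementation and not the auth_map directive itself) of what stripping the domain before substituting into the issue's dn_template involves: only the local part of an identity in a local domain is accepted, a foreign domain is refused rather than silently stripped, and the value is escaped per RFC 4514 section 2.4 before it is placed into the DN, since whatever a user types at LOGIN ends up inside the bind DN. The template and domain are taken from the issue; the function names are hypothetical.

```python
"""Model of mapping an IMAP login identity to an LDAP bind DN.

Added illustration, not maddy's code.  DN_TEMPLATE and LOCAL_DOMAINS are
the values from this issue; the escaping follows RFC 4514 section 2.4.
"""

LOCAL_DOMAINS = {"example.com"}
DN_TEMPLATE = "spn={username}@idm.example.com,dc=example,dc=com"

# Characters that must be backslash-escaped anywhere inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def email_localpart(identity: str) -> str:
    """'john@example.com' -> 'john'; a bare username passes through unchanged.

    An identity in a domain that is not one of the local domains is refused
    rather than having its domain dropped, so it can never be mapped onto a
    local account by accident.
    """
    if "@" not in identity:
        return identity
    local, _, domain = identity.rpartition("@")
    if not local:
        raise ValueError("empty local part")
    if domain.lower() not in LOCAL_DOMAINS:
        raise ValueError(f"domain {domain!r} is not a local domain")
    return local


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for embedding in a DN (RFC 4514, 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(identity: str) -> str:
    """Full pipeline: strip domain, escape, substitute into the template."""
    username = escape_dn_value(email_localpart(identity))
    return DN_TEMPLATE.replace("{username}", username)


def is_accepted(identity: str) -> bool:
    """True if the identity maps to a bind DN, False if it is refused."""
    try:
        bind_dn(identity)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ident in ("john", "john@example.com", "john@other.example", "jo,hn@example.com"):
        print(f"{ident!r:26} -> {bind_dn(ident) if is_accepted(ident) else 'refused'}")
```

With this mapping both "john" and "john@example.com" produce spn=john@idm.example.com,dc=example,dc=com, which is the bind the issue's LDAP server expected, while a login for a non-local domain is refused before any LDAP request is made.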