search

haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License
5.09k stars 662 forks source link

AUTH BUG OR ERROR? #805

Closed willin closed 9 years ago

willin commented 9 years ago 
[NOTICE] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] connect ip=222.95.123.61 port=54753 local_ip=222.190.121.158 local_port=1025
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running lookup_rdns hooks
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running connect hooks
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 220 opensips105 ESMTP Haraka 2.5.0 ready
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] C: EHLO Willin-Pro.local state=1
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running ehlo hooks
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running capabilities hooks
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running capabilities hook in auth/flat_file plugin
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] hook=capabilities plugin=auth/flat_file function=hook_capabilities params="" retval=CONT msg=""
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 250-opensips105 Hello [222.95.123.61], Haraka is at your service.
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 250-PIPELINING
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 250-8BITMIME
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 250 SIZE 500000
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] C: AUTH PLAIN AG5vcmVwbHlAbWFpbC53dWxpYW5ncm91cC5jbgAwTjJZNE9USXhZeg== state=1
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running unrecognized_command hooks
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running unrecognized_command hook in auth/flat_file plugin
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] hook=unrecognized_command plugin=auth/flat_file function=hook_unrecognized_command params="AUTH" retval=CONT msg=""
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 500 Unrecognized command
[WARN] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] client DNSERROR [222.95.123.61] half closed connection
[DEBUG] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] running disconnect hooks
[NOTICE] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] disconnect ip=222.95.123.61 rdns="DNSERROR" helo="Willin-Pro.local" relay=N early=N esmtp=Y tls=N pipe=N txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="500 Unrecognized command" time=0.095
[NOTICE] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] connect ip=222.95.123.61 port=44321 local_ip=222.190.121.158 local_port=1025
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] running lookup_rdns hooks
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] running connect hooks
[PROTOCOL] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] S: 220 opensips105 ESMTP Haraka 2.5.0 ready
[PROTOCOL] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] C: ehlo Willin-Pro.local state=1
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] running ehlo hooks
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] running capabilities hooks
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] running capabilities hook in auth/flat_file plugin
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] hook=capabilities plugin=auth/flat_file function=hook_capabilities params="" retval=CONT msg=""
[PROTOCOL] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] S: 250-opensips105 Hello [222.95.123.61], Haraka is at your service.
[PROTOCOL] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] S: 250-PIPELINING
[PROTOCOL] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] S: 250-8BITMIME
[PROTOCOL] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] S: 250 SIZE 500000
[WARN] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] client DNSERROR [222.95.123.61] half closed connection
[DEBUG] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] running disconnect hooks
[NOTICE] [3C2F8333-1B5C-49BA-82D1-31AE02AE0F45] [core] disconnect ip=222.95.123.61 rdns="DNSERROR" helo="Willin-Pro.local" relay=N early=N esmtp=Y tls=N pipe=N txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=0.027
willin commented 9 years ago

Every request:

[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] S: 250 SIZE 500000
[PROTOCOL] [0352218B-595C-4B97-B998-1C1C0DDC6803] [core] C: AUTH PLAIN AG5vcmVwbHlAbWFpbC53dWxpYW5ncm91cC5jbgAwTjJZNE9USXhZeg== state=1

but in fact it should be: (test in local is ok)

[PROTOCOL] [7BD19679-D04F-4ABB-8EB8-9EF379DF9064] [core] S: 250-PIPELINING
[PROTOCOL] [7BD19679-D04F-4ABB-8EB8-9EF379DF9064] [core] S: 250-8BITMIME
[PROTOCOL] [7BD19679-D04F-4ABB-8EB8-9EF379DF9064] [core] S: 250-SIZE 500000
[PROTOCOL] [7BD19679-D04F-4ABB-8EB8-9EF379DF9064] [core] S: 250 AUTH LOGIN PLAIN CRAM-MD5
[PROTOCOL] [7BD19679-D04F-4ABB-8EB8-9EF379DF9064] [core] C: AUTH PLAIN AG5vcmVwbHkAME4yWTRPVEl4WXo= state=1
smfreegard commented 9 years ago

This isn't a bug - it's a feature. If you read the plugin docs it states:

IMPORANT NOTE - this plugin requires that STARTTLS be used via the tls plugin before it will advertise AUTH capabilities by the EHLO command. This is to improve security out-of-the-box. Localhost and any IP in RFC1918 ranges are automatically exempt from this rule.

See the TLS plugin for instructions and either generate some self-signed certificates or buy a cheapo PositiveSSL certificate.

This post clearly demonstrates that protecting AUTH by requiring TLS is a good idea as you've posted your username and password into this thread without realizing it:

AUTH PLAIN AG5vcmVwbHkAME4yWTRPVEl4WXo=

smf@i7desktop:~$ perl -MMIME::Base64 -MData::Dumper -e "print Dumper(split('\0',decode_base64('AG5vcmVwbHkAME4yWTRPVEl4WXo=')));"
$VAR1 = '';
$VAR2 = 'noreply';
$VAR3 = '0N2Y4OTIxYz';

AUTH PLAIN and LOGIN send the username and password encoded in Base64 which offers absolutely no security at all which is why we decided the right thing to do was to require TLS before offering it.

You should change your password for the 'noreply' account ASAP.