haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License

AUTH being ignored #810

Closed gziskind closed 9 years ago

gziskind commented 9 years ago

I am setting up Haraka using the auth/flat_file plugin, and messages are being allowed to be sent to the mail server even without authenticating.

The EHLO command returns AUTH LOGIN as an option, but instead of denying new commands without authentication, it allows the client to issue MAIL FROM, RCPT TO, and DATA commands without authenticating. It seems like auth is being requested but no action is being taken based on that auth.

Here is a sample of my telnet commands that I am issuing to debug:

220 haraka.test ESMTP Haraka 2.5.0 ready
EHLO localhost
250-haraka.test Hello localhost [127.0.0.1], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SIZE 500000
250 AUTH LOGIN
MAIL FROM: test@test.com
250 sender <test@test.com> OK
RCPT TO: receiver@test.com
250 recipient <receiver@test.com> OK
DATA
354 go ahead, make my day
Subject: Test

Body
.
250 2.0.0 Ok: queued as 244E56160F (C3E12E8C-696E-4248-AF8F-71CCEF6A5729.1)
QUIT
221 haraka.test closing connection. Have a jolly good day.

Am I missing any options for this to work properly?

baudehlo commented 9 years ago

If you don't issue AUTH the mail is treated as inbound, and queued appropriately (I don't know what you have set up as a queue plugin), assuming Haraka can receive mails for test.com.

smfreegard commented 9 years ago

It's working as it should as far as I can see. If @test.com is in your rcpt_to.in_host_list configuration, then it's effectively inbound mail and therefore no authentication required. If you tried to send to @hotmail.com though; it would reject it as 'relaying denied' as the client hasn't authenticated and it's being sent to a non-local domain.

gziskind commented 9 years ago

Well I guess my question is, why is authentication not required for inbound mail?

baudehlo commented 9 years ago

How would that work?

Everyone sending you mail would need your username/password.

smfreegard commented 9 years ago

The only time AUTH is required is for mail on port 587.

gziskind commented 9 years ago

Ahhh im starting to see what I'm missing here.

I'm using the mail server as a relay to forward it to another mail server, and not as an endpoint for incoming mail. I'd say it's an outbound mail server.

Am I missing a set of plugins or a configuration to make this work?

smfreegard commented 9 years ago

That should work out of the box. You're testing this on localhost (e.g. you connected to 127.0.0.1), which is automatically allowed to relay without authentication. Try it from another host and you'll see that everything will be rejected with 'Relaying Denied' unless you authenticate.

smfreegard commented 9 years ago

Oh - and BTW; don't just offer AUTH LOGIN. You'll need to offer PLAIN too if you want maximum compatibility as there are likely quite a few MUAs that don't support LOGIN. There's no downside to offering both; they're effectively the same thing anyway.

gziskind commented 9 years ago

Alright, I'll keep that in mind when deploying the real system. That was just a simple test I set up to see if it was working.

gziskind commented 9 years ago

It seems like it still behaves the same from a remote server though.

ehlo localhost
250-haraka.test Hello [172.16.212.165], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SIZE 500000
250 AUTH PLAIN
mail from: someone@blah.com
250 sender <someone@blah.com> OK
rcpt to: <redacted-email>
250 recipient <redacted-email> OK
data
354 go ahead, make my day
Subject: test

Body
.
250 2.0.0 Ok: queued as B920E219CC (C4088898-6B86-44FE-ABFB-29BECFDF4F2B.1)
quit

Also note I sent it to a valid gmail address.

smfreegard commented 9 years ago

Then you have a plugin that is incorrectly setting connection.relaying = true somewhere.

gziskind commented 9 years ago

The plugins I have configured are:

auth/flat_file
dnsbl
helo.checked
max_unrecognized_commands
queue/smtp_forward

I can't find a connection.relaying = true in those ones.

smfreegard commented 9 years ago

Run:

echo LOGDEBUG > /path/to/haraka/config/loglevel

Then run a message through and paste the entire log here.

gziskind commented 9 years ago

Ok, I figured out what the issue was. I had the destination email domain listed under config/host_list, and it allows emails to come through without authentication if it's listed there. After removing it, emails only come through with proper authentication.

Thanks for your help.
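The relay rules pieced together across this thread (a recipient domain in config/host_list is inbound and needs no AUTH; a client that authenticated, or that connects from 127.0.0.1, may relay anywhere; everything else gets 'relaying denied') are small enough to model, and the "try it from another host" check smfreegard suggests is worth scripting so it is repeatable. The block below is an added example and is not Haraka code: the Connection class, the reply strings, probe_host and the canned server transcripts are all assumptions, constructed to illustrate the thread's scenario. The probe deliberately stops after RCPT TO and never sends DATA, so it proves or disproves an open relay without queueing a message the way the telnet sessions above did.

```python
"""Added example (not Haraka code): model of the relay decision discussed in
this thread, plus a remote open-relay probe. Reply texts are illustrative."""
import io
import socket
from dataclasses import dataclass

LOCALHOST = {"127.0.0.1", "::1"}


@dataclass
class Connection:
    """Minimal stand-in for Haraka's connection object (assumption)."""
    remote_ip: str
    authenticated: bool = False

    @property
    def relaying(self):
        # A successful AUTH or a localhost client turns relaying on.
        return self.authenticated or self.remote_ip in LOCALHOST


def rcpt_decision(conn, rcpt, host_list):
    """Return the (code, text) the server would answer to RCPT TO:<rcpt>."""
    domain = rcpt.rsplit("@", 1)[-1].strip("<>").lower()
    local = {h.strip().lower() for h in host_list if h.strip()}
    if domain in local:
        # Inbound mail for a local domain needs no AUTH. Listing gmail.com in
        # host_list is exactly what let unauthenticated mail through above.
        return 250, f"recipient <{rcpt}> OK (inbound)"
    if conn.relaying:
        return 250, f"recipient <{rcpt}> OK (relaying)"
    return 550, "relaying denied"


def read_reply(rfile):
    """Read one SMTP reply, following '250-' style continuation lines."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def send_cmd(wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()


def advertises_auth(ehlo_lines):
    return any(line[4:].upper().startswith("AUTH") for line in ehlo_lines)


def relay_probe(rfile, wfile, sender, rcpt, helo="probe.example"):
    """Drive EHLO/MAIL/RCPT with no AUTH; return (accepted, rcpt_code, ehlo).

    A 2xx to RCPT TO for a domain the server is not an endpoint for means the
    relay is open to this client. DATA is never sent, so nothing gets queued.
    """
    try:
        code, banner = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {banner}")
        send_cmd(wfile, f"EHLO {helo}")
        code, ehlo = read_reply(rfile)
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {ehlo}")
        send_cmd(wfile, f"MAIL FROM:<{sender}>")
        code, mail = read_reply(rfile)
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected: {mail}")
        send_cmd(wfile, f"RCPT TO:<{rcpt}>")
        code, _ = read_reply(rfile)
        return 200 <= code < 300, code, ehlo
    finally:
        send_cmd(wfile, "QUIT")


def probe_host(host, port=25, sender="probe@example.net",
               rcpt="someone@gmail.com", timeout=10):
    """Run the probe against a real server; run this from a remote machine,
    not from the Haraka box itself, since 127.0.0.1 is allowed to relay."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile, sender, rcpt)


# Constructed transcripts (not captured from a real server): a correctly
# configured Haraka refusing a remote unauthenticated client, and the
# misconfigured one from this thread accepting it.
CLOSED_RELAY = (b"220 haraka.test ESMTP Haraka ready\r\n"
                b"250-haraka.test Hello [172.16.212.165]\r\n"
                b"250-PIPELINING\r\n"
                b"250 AUTH PLAIN LOGIN\r\n"
                b"250 sender <probe@example.net> OK\r\n"
                b"550 relaying denied\r\n"
                b"221 closing connection\r\n")
OPEN_RELAY = CLOSED_RELAY.replace(b"550 relaying denied", b"250 recipient OK")


def probe_canned(server_replies, rcpt="someone@gmail.com"):
    """Run relay_probe offline against a canned transcript; also returns
    the bytes the probe sent so the exchange can be inspected."""
    rfile, wfile = io.BytesIO(server_replies), io.BytesIO()
    accepted, code, ehlo = relay_probe(rfile, wfile, "probe@example.net", rcpt)
    return accepted, code, wfile.getvalue()


if __name__ == "__main__":
    import sys
    ok, code, ehlo = probe_host(sys.argv[1])
    print("AUTH advertised:", advertises_auth(ehlo))
    print("OPEN RELAY" if ok else f"relaying refused ({code})")
```

Run it as `python probe.py mail.example.com` from a host other than the server. Two results matter: AUTH advertised should be true (otherwise the auth plugin is not loaded), and the RCPT answer for an external domain should be 5xx. A 250 there from an unauthenticated remote client means either a plugin set connection.relaying, or, as in this thread, the destination domain is in config/host_list and the server is treating the mail as inbound.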