mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

How to allow older CRAM-MD5 for auth from localhost for SMTP service? #168

Closed martinjanda closed 4 months ago

martinjanda commented 5 months ago

Hi, how can I allow older CRAM-MD5 for auth for the SMTP service from localhost? Or allow PLAIN for localhost?

Great work on the mox project, thank you for sharing this.

mjl- commented 5 months ago

hi @martinjanda, cram-md5 should be enabled for authentication. at least on the submission ports (587 for plain and 465 for tls). same for the imap ports (143 and 993). smtp port 25 doesn't do authentication at all. login with plain text passwords should work on the TLS-protected connections by default. if you want to allow plain text passwords on unencrypted connections, you would have to enable that in mox.conf, in the listeners for "Submission" and/or "IMAP", see https://www.xmox.nl/config/#cfg-mox-conf-Listeners-x-Submission-NoRequireSTARTTLS

if that's not working, it would be good to dive into the logging (possibly enabling trace logging) and see what's going on.

or do you want to allow certain login methods (plain, cram-md5) only if they are coming from localhost? which authentication schemes are enabled isn't very configurable.

martinjanda commented 4 months ago

Thanks for the quick and comprehensive reply.

I'm trying to run mox and SnappyMail on the same server. I like the webmail in mox, but users are used to SnappyMail. IMAP runs without problems. The problem I have is with SMTP. SnappyMail crashes during authentication. Probably a bug in SnappyMail, because SMTP works fine in my users' clients (Thunderbird etc.).

I'll try reporting it to the SnappyMail project, but I wanted to get around it by reducing security when calling from localhost.

Trace log looks like this:

May 07 12:22:30 mail mox[218018]: l=info m="new connection" pkg=smtpserver remote=127.0.0.1:60404 local=127.0.0.1:587 submission=true tls=false listener=internal cid=18f52931701 delta="27.16µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 220 mail.smartus.cz ESMTP mox v0.0.11\r\n" pkg=smtpserver cid=18f52931701 delta="43.579µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: EHLO _\r\n" pkg=smtpserver cid=18f52931701 delta="120.249µs"
May 07 12:22:30 mail mox[218018]: l=debug m="smtp command result" pkg=smtpserver kind=submission cmd=ehlo code=250 ecode= duration="32.92µs" cid=18f52931701 delta="61.209µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 250-mail.smartus.cz\r\n250-PIPELINING\r\n250-SIZE 104857600\r\n250-REQUIRETLS\r\n250-AUTH SCRAM-SHA-256-PLUS SCRAM-SHA-256 SCRAM-SHA-1-PLUS SCRAM-SHA-1 CRAM-MD5 PLAIN LOGIN\r\n250-FUTURERELEASE 5184000 2024-07-06T10:22:30Z\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250-LIMITS RCPTMAX=1000\r\n250 SMTPUTF8\r\n" pkg=smtpserver cid=18f52931701 delta="26.729µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: AUTH SCRAM-SHA-256\r\n" pkg=smtpserver cid=18f52931701 delta="175.137µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 334 \r\n" pkg=smtpserver cid=18f52931701 delta="41.249µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: %HASH%\r\n" pkg=smtpserver cid=18f52931701 delta="115.448µs"
May 07 12:22:30 mail mox[218018]: l=debug m="scram auth" pkg=smtpserver authentication=janda@aztowerbrno.cz cid=18f52931701 delta="29.87µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 334 %HASH%==\r\n" pkg=smtpserver cid=18f52931701 delta="63.829µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: QUIT\r\n" pkg=smtpserver cid=18f52931701 delta="335.804µs"
May 07 12:23:00 mail mox[218018]: l=info m="connection closed" err="read: read tcp 127.0.0.1:587->127.0.0.1:60404: i/o timeout (io error)" pkg=smtpserver cid=18f52931701 delta=30.023363816s
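
As an added example (not part of this issue or of mox itself), a small Python triage script that parses mox's key=value trace lines as quoted above, reconstructs the SMTP AUTH exchange per connection id, and reports how it ended; it also lists connections on which PLAIN or LOGIN were advertised while the log says tls=false, which is the situation the NoRequireSTARTTLS setting discussed earlier governs. The sample lines are constructed from the log in this comment, with the reporter's %HASH% placeholders kept; the field-name assumptions (cid, m, tls, err) come from those lines only.

```python
import ast
import re
from collections import defaultdict
# Constructed sample: the trace lines quoted above (SCRAM payloads kept as the
# reporter's %HASH% placeholders); raw string, so \r\n stays literal as in a log.
SAMPLE_LOG = r'''
May 07 12:22:30 mail mox[218018]: l=info m="new connection" pkg=smtpserver remote=127.0.0.1:60404 local=127.0.0.1:587 submission=true tls=false listener=internal cid=18f52931701 delta="27.16µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 250-mail.smartus.cz\r\n250-PIPELINING\r\n250-SIZE 104857600\r\n250-REQUIRETLS\r\n250-AUTH SCRAM-SHA-256-PLUS SCRAM-SHA-256 SCRAM-SHA-1-PLUS SCRAM-SHA-1 CRAM-MD5 PLAIN LOGIN\r\n250-FUTURERELEASE 5184000 2024-07-06T10:22:30Z\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250-LIMITS RCPTMAX=1000\r\n250 SMTPUTF8\r\n" pkg=smtpserver cid=18f52931701 delta="26.729µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: AUTH SCRAM-SHA-256\r\n" pkg=smtpserver cid=18f52931701 delta="175.137µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 334 \r\n" pkg=smtpserver cid=18f52931701 delta="41.249µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: %HASH%\r\n" pkg=smtpserver cid=18f52931701 delta="115.448µs"
May 07 12:22:30 mail mox[218018]: l=trace m="LS: 334 %HASH%==\r\n" pkg=smtpserver cid=18f52931701 delta="63.829µs"
May 07 12:22:30 mail mox[218018]: l=trace m="RC: QUIT\r\n" pkg=smtpserver cid=18f52931701 delta="335.804µs"
May 07 12:23:00 mail mox[218018]: l=info m="connection closed" err="read: read tcp 127.0.0.1:587->127.0.0.1:60404: i/o timeout (io error)" pkg=smtpserver cid=18f52931701 delta=30.023363816s
'''

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # Go %q-quoted values parse as Python literals

def parse_line(line):
    return {k: ast.literal_eval(v) if v.startswith('"') else v
            for k, v in FIELD_RE.findall(line)}

def auth_outcomes(log_text):
    """Per cid: TLS flag, offered/chosen mechanisms, 334 challenges seen, AUTH outcome, close reason."""
    conns = defaultdict(lambda: {"tls": None, "offered": [], "mech": None, "challenges": 0, "outcome": "no-auth", "closed": None})
    for f in filter(lambda d: "cid" in d, map(parse_line, log_text.splitlines())):
        c, m = conns[f["cid"]], f.get("m", "")
        if m == "new connection":
            c["tls"] = f.get("tls") == "true"
        elif m == "connection closed":
            c["closed"] = f.get("err", "clean")
        elif m.startswith("LS: "):  # server -> client; the EHLO reply is multi-line
            for reply in m[4:].split("\r\n"):
                if reply.startswith("250-AUTH "):
                    c["offered"] = reply[9:].split()
                elif c["outcome"] == "in-progress" and reply.startswith("334"):
                    c["challenges"] += 1
                elif c["outcome"] == "in-progress" and reply[:3] in ("235", "535"):
                    c["outcome"] = "success" if reply[0] == "2" else "rejected"
        elif m.startswith("RC: "):  # client -> server
            cmd = m[4:].split()
            if len(cmd) > 1 and cmd[0].upper() == "AUTH":
                c["mech"], c["outcome"] = cmd[1].upper(), "in-progress"
            elif cmd and cmd[0].upper() == "QUIT" and c["outcome"] == "in-progress":
                c["outcome"] = "client-quit"  # client gave up mid-handshake
    return dict(conns)

def plaintext_over_cleartext(conns):
    # cids where PLAIN or LOGIN was advertised on a connection logged with tls=false
    return sorted(cid for cid, c in conns.items()
                  if c["tls"] is False and {"PLAIN", "LOGIN"} & set(c["offered"]))
```

For the sample, the connection is classified as `client-quit` after two server challenges, matching the exchange above where the client sends QUIT instead of its SCRAM client-final message.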

mjl- commented 4 months ago

For a quick fix with mox, you would have to locally modify the allowed authentication mechanisms in the code. The list is currently fixed: https://github.com/mjl-/mox/blob/587beb75b15eab259afc327f24083bfb156c7800/smtpserver/server.go#L902

Is snappymail giving an error message? Possibly relevant is https://github.com/the-djmaze/snappymail/issues/1433, which fixed SCRAM for IMAP, but didn't change anything for SMTP.

martinjanda commented 4 months ago

I created a bug here: https://github.com/the-djmaze/snappymail/issues/1575. There is also a log from snappymail.

Thank you for your cooperation.

martinjanda commented 4 months ago

I think you can close this ticket. The problem is on the snappymail side.

So far I have deployed RoundCube and users are happy.

Thank you.

Neustradamus commented 4 months ago

@martinjanda, @mjl-: Thanks for discovering the bug and helping to fix it in SnappyMail :)

But it is important to know that the old/insecure CRAM-MD5/DIGEST-MD5 have been replaced by SCRAM for security...