
Auth is ignored in the master branch

Open kayrus opened this issue 4 years ago • 3 comments

@foxcpp the #146 PR introduced a breaking change. While adapting my code to meet the recent package requirements I noticed that AUTH can be ignored.

A simple server code example avoids auth:

server side output:

$ go run main.go
2021/11/26 19:45:31 Starting server at :1025
2021/11/26 19:45:39 Mail from: foo@bar
2021/11/26 19:45:44 Rcpt to: foo@bar
2021/11/26 19:45:53 Data: Hello, world

client side output:

$ telnet localhost 1025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Service Ready
EHLO test
250-Hello test
250-PIPELINING
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-CHUNKING
250-AUTH PLAIN
250 SIZE 1048576
MAIL FROM: foo@bar
250 2.0.0 Roger, accepting mail from <foo@bar>
RCPT TO: foo@bar
250 2.0.0 I'll make sure <foo@bar> gets this
DATA
354 2.0.0 Go ahead. End your data with <CR><LF>.<CR><LF>
Hello, world
.
250 2.0.0 OK: queued
221 2.4.2 Idle timeout, bye bye
Connection closed by foreign host.

Another case that causes unexpected behavior: nil the session while keeping the c.helo value:

  • upgrade the connection to starttls https://github.com/emersion/go-smtp/blob/30169acc42e795e5d35ce901c8387950b103dfd9/conn.go#L613-L616

  • send MAIL FROM

helo check is passed:

https://github.com/emersion/go-smtp/blob/30169acc42e795e5d35ce901c8387950b103dfd9/conn.go#L297

session is nil, but its method is called without a nil check:

https://github.com/emersion/go-smtp/blob/30169acc42e795e5d35ce901c8387950b103dfd9/conn.go#L400

causing a panic; e.g. it's reproducible in maddy.

Proposal:

  • the code must have more unit and/or fuzz tests
  • introduce session == nil checks before calling the methods (see my #153 PR)

kayrus avatar Nov 29 '21 12:11 kayrus

Some findings with regard to the STARTTLS command from the RFC: https://datatracker.ietf.org/doc/html/rfc3207#section-4.2

The server MUST discard any knowledge obtained from the client, such as the argument to the EHLO command, which was not obtained from the TLS negotiation itself. The client MUST discard any knowledge obtained from the server, such as the list of SMTP service extensions, which was not obtained from the TLS negotiation itself. The client SHOULD send an EHLO command as the first command after a successful TLS negotiation.

c.helo must be nulled as well after STARTTLS succeeds.

kayrus avatar Nov 30 '21 00:11 kayrus

After the #146 changes, there is no way for the backend to signal that AUTH is mandatory, so it is the backend's responsibility to verify whether AuthPlain was called.

foxcpp avatar Jan 19 '22 13:01 foxcpp
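As an added example (it is not go-smtp's own code and not from either commenter), the standalone Go sketch below models both points raised in this thread: the backend session records whether AuthPlain succeeded and refuses MAIL FROM otherwise, since the library no longer enforces that; and STARTTLS discards both the EHLO name and the session (RFC 3207 section 4.2), with the MAIL handler checking for a nil session instead of only c.helo, so a MAIL FROM sent straight after the handshake gets a 503 rather than a nil dereference. The Session and Conn types, the alice/s3cret credential and the command transcripts are constructed for illustration and stand in for a real backend and the library's connection handling.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Session stands in for a hypothetical backend session (not the library's type).
// The backend itself must remember whether AuthPlain succeeded.
type Session struct {
	authenticated bool
	from          string
}

// AuthPlain checks a constructed credential; a real backend would consult a store.
func (s *Session) AuthPlain(user, pass string) error {
	if user == "alice" && pass == "s3cret" {
		s.authenticated = true
		return nil
	}
	return errors.New("535 5.7.8 authentication failed")
}

// Mail is the backend's MAIL FROM hook; this is where "AUTH is mandatory" lives now.
func (s *Session) Mail(from string) error {
	if !s.authenticated {
		return errors.New("530 5.7.0 authentication required")
	}
	s.from = from
	return nil
}

// Conn models per-connection state: EHLO argument, TLS flag, backend session (nil until EHLO).
type Conn struct {
	helo    string
	tls     bool
	session *Session
}

// parsePlain decodes a SASL PLAIN initial response: base64("authzid\x00user\x00pass").
func parsePlain(b64 string) (user, pass string, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", err
	}
	parts := strings.Split(string(raw), "\x00")
	if len(parts) != 3 {
		return "", "", errors.New("malformed PLAIN response")
	}
	return parts[1], parts[2], nil
}

// Handle processes one command line and returns the reply the server would send.
func (c *Conn) Handle(line string) string {
	cmd, arg, _ := strings.Cut(strings.TrimSpace(line), " ")
	switch strings.ToUpper(cmd) {
	case "EHLO", "HELO":
		c.helo = arg
		c.session = &Session{}
		return "250 Hello " + arg
	case "STARTTLS":
		if c.session == nil {
			return "503 5.5.1 Send EHLO first"
		}
		if c.tls {
			return "503 5.5.1 TLS already active"
		}
		c.tls = true
		// RFC 3207 section 4.2: forget everything learned before the handshake,
		// including the EHLO name, so a stale helo cannot pass the check in MAIL.
		c.helo = ""
		c.session = nil
		return "220 2.0.0 Ready to start TLS"
	case "AUTH":
		if c.session == nil {
			return "503 5.5.1 Send EHLO first"
		}
		mech, resp, _ := strings.Cut(arg, " ")
		if !strings.EqualFold(mech, "PLAIN") {
			return "504 5.5.4 Unrecognized authentication type"
		}
		user, pass, err := parsePlain(resp)
		if err != nil {
			return "501 5.5.2 " + err.Error()
		}
		if err := c.session.AuthPlain(user, pass); err != nil {
			return err.Error()
		}
		return "235 2.7.0 Authentication successful"
	case "MAIL":
		// Checking c.helo alone is the bug from the issue; the nil guard is the fix.
		if c.helo == "" || c.session == nil {
			return "503 5.5.1 Send EHLO first"
		}
		if !strings.HasPrefix(strings.ToUpper(arg), "FROM:") {
			return "501 5.5.4 Syntax: MAIL FROM:<address>"
		}
		from := strings.Trim(strings.TrimSpace(arg[5:]), "<>")
		if err := c.session.Mail(from); err != nil {
			return err.Error()
		}
		return "250 2.0.0 OK"
	}
	return "500 5.5.2 Unrecognized command"
}

// Transcript feeds a constructed command sequence to a fresh connection, one reply per command.
func Transcript(lines ...string) []string {
	c := &Conn{}
	replies := make([]string, 0, len(lines))
	for _, l := range lines {
		replies = append(replies, c.Handle(l))
	}
	return replies
}

func main() {
	resp := base64.StdEncoding.EncodeToString([]byte("\x00alice\x00s3cret"))
	for _, r := range Transcript("EHLO test", "MAIL FROM: foo@bar", "STARTTLS",
		"MAIL FROM:<foo@bar>", "EHLO test", "AUTH PLAIN "+resp, "MAIL FROM:<foo@bar>") {
		fmt.Println(r)
	}
}
```

The sequence in main replays the issue's telnet transcript: the unauthenticated MAIL FROM now gets 530 from the backend, the MAIL FROM issued right after STARTTLS gets 503 because both helo and session were cleared, and only after a fresh EHLO and a successful AUTH PLAIN does MAIL FROM return 250.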

Since we do not have #147 merged yet, I pushed an intermediate fix for the panic bug.

foxcpp avatar Jan 19 '22 14:01 foxcpp