Add checks to prevent unauthorized relaying and impersonation

This patch adds checks that verify: - The envelope from must match the authenticated user. This prevents impersonation at the envelope level (while still allowing bounces, of course). - If the destination is remote, then the user must have completed authentication. This prevents unauthorized relaying. The patch ends up adjusting quite a few tests, as they were not written considering these restrictions so they have to be changed accordingly.
2026-01-05 17:37:03 +00:00 · 2016-09-12 06:08:53 +01:00
parent 941eb9315c
commit e2fdcb3705
9 changed files with 131 additions and 46 deletions
--- a/test/t-01-simple_local/msmtprc
+++ b/test/t-01-simple_local/msmtprc
@@ -1,7 +1,7 @@
 account default

 host testserver
-port 1025
+port 1587

 tls on
 tls_trust_file config/domains/testserver/cert.pem
@@ -12,6 +12,9 @@ auth on
 user user@testserver
 password secretpassword

+account smtpport : default
+port 1025
+
 account baduser : default
 user unknownuser@testserver
 password secretpassword
--- a/test/t-01-simple_local/run.sh
+++ b/test/t-01-simple_local/run.sh
@@ -7,6 +7,7 @@ init

 generate_certs_for testserver

+mkdir -p .logs
 chasquid -v=2 --log_dir=.logs --config_dir=config &
 wait_until_ready 1025

@@ -16,6 +17,13 @@ wait_for_file .mail/someone@testserver

 mail_diff content .mail/someone@testserver

+# At least for now, we allow AUTH over the SMTP port to avoid unnecessary
+# complexity, so we expect it to work.
+if ! run_msmtp -a smtpport someone@testserver < content 2> /dev/null; then
+	echo "ERROR: failed auth on the SMTP port"
+	exit 1
+fi
+
 if run_msmtp -a baduser someone@testserver < content 2> /dev/null; then
 	echo "ERROR: successfully sent an email with a bad password"
 	exit 1
--- a/test/t-02-exim/config/exim4.in
+++ b/test/t-02-exim/config/exim4.in
@@ -31,6 +31,13 @@ acl_check_data:
  accept


+# Rewrite envelope-from to server@srv-exim.
+# This is so when we redirect, we don't use user@srv-chasquid in the
+# envelope-from (we're not authorized to send mail on behalf of
+# @srv-chasquid).
+begin rewrite
+user@srv-chasquid  server@srv-exim F
+
 # Forward all incoming email to chasquid (running on :1025 in this test).
 begin routers

--- a/test/t-02-exim/msmtprc
+++ b/test/t-02-exim/msmtprc
@@ -1,7 +1,7 @@
 account default

 host srv-chasquid
-port 1025
+port 1587

 tls on
 tls_trust_file config/domains/srv-chasquid/cert.pem
--- a/test/t-02-exim/run.sh
+++ b/test/t-02-exim/run.sh
@@ -37,6 +37,7 @@ generate_certs_for srv-chasquid
 # Launch chasquid at port 1025 (in config).
 # Use outgoing port 2025 which is where exim will be at.
 # Bypass MX lookup, so it can find srv-exim (via our host alias).
+mkdir -p .logs
 chasquid -v=2 --log_dir=.logs --config_dir=config \
 	--testing__outgoing_smtp_port=2025 \
 	--testing__bypass_mx_lookup &
--- a/test/util/mail_diff
+++ b/test/util/mail_diff
@@ -25,10 +25,15 @@ for h, val in expected.items():

 if expected.get_payload() != msg.get_payload():
 	diff = True
-	exp = expected.get_payload().splitlines()
-	got = msg.get_payload().splitlines()
-	print("Payload differs:")
-	for l in difflib.ndiff(exp, got):
-		print(l)
+
+	if expected.is_multipart() != msg.is_multipart():
+		print("Multipart differs, expected %s, got %s" % (
+			expected.is_multipart(), msg.is_multipart()))
+	elif not msg.is_multipart():
+		exp = expected.get_payload().splitlines()
+		got = msg.get_payload().splitlines()
+		print("Payload differs:")
+		for l in difflib.ndiff(exp, got):
+			print(l)

 sys.exit(0 if not diff else 1)