From 50f8a5cb65557f89cd8eb3898780ac15f91e8ea7 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Fri, 2 Jun 2023 11:39:42 +0200 Subject: [PATCH 1/2] Ensure we log which account is invalid --- core/admin/mailu/internal/nginx.py | 6 +++--- core/admin/mailu/internal/views/auth.py | 2 +- towncrier/newsfragments/2841.misc | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 towncrier/newsfragments/2841.misc diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py index 63dec50a..b5fda17d 100644 --- a/core/admin/mailu/internal/nginx.py +++ b/core/admin/mailu/internal/nginx.py @@ -28,9 +28,9 @@ STATUSES = { WEBMAIL_PORTS = ['14190', '10143', '10025'] -def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None): +def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None, raw_user=None): if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop): - app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: account disabled') + app.logger.info(f'Login attempt for: {user or raw_user!r}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: account disabled') return False # webmails if auth_port in WEBMAIL_PORTS and password.startswith('token-'): @@ -104,7 +104,7 @@ def handle_authentication(headers): else: is_valid_user = user is not None ip = urllib.parse.unquote(headers["Client-Ip"]) - if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port']): + if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port'], user_email): server, port = get_server(headers["Auth-Protocol"], True) return { "Auth-Status": "OK", diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py index 51ffda9f..c51bf103 100644 --- a/core/admin/mailu/internal/views/auth.py +++ b/core/admin/mailu/internal/views/auth.py @@ -116,7 +116,7 @@ def basic_authentication(): exc = str(exc).split('\n', 1)[0] app.logger.warn(f'Invalid user {user_email!r}: {exc}') else: - if user is not None and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web", flask.request.headers.get('X-Real-Port', None)): + if user is not None and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web", flask.request.headers.get('X-Real-Port', None), user_email): response = flask.Response() response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "") utils.limiter.exempt_ip_from_ratelimits(client_ip) diff --git a/towncrier/newsfragments/2841.misc b/towncrier/newsfragments/2841.misc new file mode 100644 index 00000000..57a96f3b --- /dev/null +++ b/towncrier/newsfragments/2841.misc @@ -0,0 +1 @@ +Ensure we log which account was not found/invalid From 15569c62df2336faf3c3ffabb7190a3caff2983a Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Fri, 2 Jun 2023 14:53:25 +0200 Subject: [PATCH 2/2] Fix the bug @ghost has reported --- core/admin/mailu/internal/views/postfix.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py index 62b400d3..cc8a0950 100644 --- a/core/admin/mailu/internal/views/postfix.py +++ b/core/admin/mailu/internal/views/postfix.py @@ -125,6 +125,8 @@ def postfix_sender_map(sender): This is for bounces to come back the reverse path properly. """ + if sender.count('@') > 1 or sender.startswith('"'): + return flask.abort(404) srs = srslib.SRS(flask.current_app.srs_key) domain = flask.current_app.config["DOMAIN"] try: