mirror of
https://github.com/mjl-/mox.git
synced 2025-07-10 07:54:40 +03:00
add config options to disable a domain and to disable logins for an account
to facilitate migrations from/to other mail setups. a domain can be added in "disabled" mode (or can be disabled/enabled later on). you can configure a disabled domain, but incoming/outgoing messages involving the domain are rejected with temporary error codes (as this may occur during a migration, remote servers will try again, hopefully to the correct machine or after this machine has been configured correctly). also, no acme tls certs will be requested for disabled domains (the autoconfig/mta-sts dns records may still point to the current/previous machine). accounts with addresses at disabled domains can still login, unless logins are disabled for their accounts. an account now has an option to disable logins. you can specify an error message to show. this will be shown in smtp, imap and the web interfaces. it could contain a message about migrations, and possibly a URL to a page with information about how to migrate. incoming/outgoing email involving accounts with login disabled are still accepted/delivered as normal (unless the domain involved in the messages is disabled too). account operations by the admin, such as importing/exporting messages still works. in the admin web interface, listings of domains/accounts show if they are disabled. domains & accounts can be enabled/disabled through the config file, cli commands and admin web interface. for issue #175 by RobSlgm
This commit is contained in:
@ -874,9 +874,14 @@ func (c *conn) tlsClientAuthVerifyPeerCertParsed(cert *x509.Certificate) error {
|
||||
return fmt.Errorf("looking up tls public key with fingerprint %s: %v", fp, err)
|
||||
}
|
||||
|
||||
// Verify account exists and still matches address.
|
||||
acc, _, err := store.OpenEmail(c.log, pubKey.LoginAddress)
|
||||
// Verify account exists and still matches address. We don't check for account
|
||||
// login being disabled if preauth is disabled. In that case, sasl external auth
|
||||
// will be done before credentials can be used, and login disabled will be checked
|
||||
// then, where it will result in a more helpful error message.
|
||||
checkLoginDisabled := !pubKey.NoIMAPPreauth
|
||||
acc, _, err := store.OpenEmail(c.log, pubKey.LoginAddress, checkLoginDisabled)
|
||||
if err != nil {
|
||||
// note: we cannot send a more helpful error message to the client.
|
||||
return fmt.Errorf("opening account for address %s for public key %s: %w", pubKey.LoginAddress, fp, err)
|
||||
}
|
||||
defer func() {
|
||||
@ -1801,7 +1806,7 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
|
||||
}
|
||||
|
||||
var err error
|
||||
account, err = store.OpenEmailAuth(c.log, username, password)
|
||||
account, err = store.OpenEmailAuth(c.log, username, password, false)
|
||||
if err != nil {
|
||||
if errors.Is(err, store.ErrUnknownCredentials) {
|
||||
authResult = "badcreds"
|
||||
@ -1829,11 +1834,18 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
|
||||
username = t[0]
|
||||
c.log.Debug("cram-md5 auth", slog.String("address", username))
|
||||
var err error
|
||||
account, _, err = store.OpenEmail(c.log, username)
|
||||
account, _, err = store.OpenEmail(c.log, username, false)
|
||||
if err != nil {
|
||||
if errors.Is(err, store.ErrUnknownCredentials) {
|
||||
authResult = "badcreds"
|
||||
c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
|
||||
xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
|
||||
} else if errors.Is(err, store.ErrLoginDisabled) {
|
||||
authResult = "logindisabled"
|
||||
c.log.Info("account login disabled", slog.String("username", username))
|
||||
// No error code, we don't want to cause prompt for new password
|
||||
// (AUTHENTICATIONFAILED) and don't want to trigger message suppression with ALERT.
|
||||
xuserErrorf("%s", err)
|
||||
}
|
||||
xserverErrorf("looking up address: %v", err)
|
||||
}
|
||||
@ -1905,7 +1917,8 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
|
||||
}
|
||||
username = ss.Authentication
|
||||
c.log.Debug("scram auth", slog.String("authentication", username))
|
||||
account, _, err = store.OpenEmail(c.log, username)
|
||||
// We check for login being disabled when finishing.
|
||||
account, _, err = store.OpenEmail(c.log, username, false)
|
||||
if err != nil {
|
||||
// todo: we could continue scram with a generated salt, deterministically generated
|
||||
// from the username. that way we don't have to store anything but attackers cannot
|
||||
@ -1960,6 +1973,7 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
|
||||
c.log.Warn("bad channel binding during authentication, potential mitm", slog.String("username", username), slog.Any("remote", c.remoteIP))
|
||||
xusercodeErrorf("AUTHENTICATIONFAILED", "channel bindings do not match, potential mitm")
|
||||
} else if errors.Is(err, scram.ErrInvalidEncoding) {
|
||||
authResult = "badprotocol"
|
||||
c.log.Infox("bad scram protocol message", err, slog.String("username", username), slog.Any("remote", c.remoteIP))
|
||||
xuserErrorf("bad scram protocol message: %s", err)
|
||||
}
|
||||
@ -1988,13 +2002,22 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
|
||||
username = c.username
|
||||
}
|
||||
var err error
|
||||
account, _, err = store.OpenEmail(c.log, username)
|
||||
account, _, err = store.OpenEmail(c.log, username, false)
|
||||
xcheckf(err, "looking up username from tls client authentication")
|
||||
|
||||
default:
|
||||
xuserErrorf("method not supported")
|
||||
}
|
||||
|
||||
if accConf, ok := account.Conf(); !ok {
|
||||
xserverErrorf("cannot get account config")
|
||||
} else if accConf.LoginDisabled != "" {
|
||||
authResult = "logindisabled"
|
||||
c.log.Info("account login disabled", slog.String("username", username))
|
||||
// No AUTHENTICATIONFAILED code, clients could prompt users for different password.
|
||||
xuserErrorf("%w: %s", store.ErrLoginDisabled, accConf.LoginDisabled)
|
||||
}
|
||||
|
||||
// We may already have TLS credentials. They won't have been enabled, or we could
|
||||
// get here due to the state machine that doesn't allow authentication while being
|
||||
// authenticated. But allow another SASL authentication, but it has to be for the
|
||||
@ -2076,13 +2099,21 @@ func (c *conn) cmdLogin(tag, cmd string, p *parser) {
|
||||
}
|
||||
}()
|
||||
|
||||
account, err := store.OpenEmailAuth(c.log, username, password)
|
||||
account, err := store.OpenEmailAuth(c.log, username, password, true)
|
||||
if err != nil {
|
||||
authResult = "badcreds"
|
||||
var code string
|
||||
if errors.Is(err, store.ErrUnknownCredentials) {
|
||||
authResult = "badcreds"
|
||||
code = "AUTHENTICATIONFAILED"
|
||||
c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
|
||||
} else if errors.Is(err, store.ErrLoginDisabled) {
|
||||
authResult = "logindisabled"
|
||||
c.log.Info("account login disabled", slog.String("username", username))
|
||||
// There is no specific code for "account disabled" in IMAP. AUTHORIZATIONFAILED is
|
||||
// not a good idea, it will prompt users for a password. ALERT seems reasonable,
|
||||
// but may cause email clients to suppress the message since we are not yet
|
||||
// authenticated. So we don't send anything. ../rfc/9051:4940
|
||||
xuserErrorf("%s", err)
|
||||
}
|
||||
xusercodeErrorf(code, "login failed")
|
||||
}
|
||||
|
Reference in New Issue
Block a user