
Merge pull request from GHSA-6g7f-8qm4-f7h8
When LOGIN authentication was used, Fleet would send SMTP credentials
even if the connection to the SMTP server was not secured via TLS.

Copying the pattern used in the standard library PlainAuth
implementation, we now only send credentials when the connection is
secure or the server is localhost.
zwass authored and directionless committed May 30, 2019
1 parent bf36146 commit eb21211
Showing 1 changed file with 17 additions and 4 deletions.
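--- a/server/mail/mail.go
+++ b/server/mail/mail.go
@@ -74,13 +74,26 @@ func (m mailService) SendEmail(e kolide.Email) error {
 type loginauth struct {
 username string
 password string
+host string
 }
 
-func LoginAuth(username, password string) smtp.Auth {
-return &loginauth{username: username, password: password}
+func LoginAuth(username, password, host string) smtp.Auth {
+return &loginauth{username: username, password: password, host: host}
 }
 
-func (l *loginauth) Start(serverInfo *smtp.ServerInfo) (proto string, toServer []byte, err error) {
+func isLocalhost(name string) bool {
+return name == "localhost" || name == "127.0.0.1" || name == "::1"
+}
+
+func (l *loginauth) Start(server *smtp.ServerInfo) (proto string, toServer []byte, err error) {
+if !server.TLS && !isLocalhost(server.Name) {
+return "", nil, errors.New("unencrypted connection")
+}
+
+if server.Name != l.host {
+return "", nil, errors.New("wrong host name")
+}
+
 return "LOGIN", nil, nil
 }
 
@@ -111,7 +124,7 @@ func smtpAuth(e kolide.Email) (smtp.Auth, error) {
 case kolide.AuthMethodPlain:
 auth = smtp.PlainAuth("", e.Config.SMTPUserName, e.Config.SMTPPassword, e.Config.SMTPServer)
 case kolide.AuthMethodLogin:
-auth = LoginAuth(e.Config.SMTPUserName, e.Config.SMTPPassword)
+auth = LoginAuth(e.Config.SMTPUserName, e.Config.SMTPPassword, e.Config.SMTPServer)
 default:
 return nil, fmt.Errorf("unknown SMTP auth type '%d'", e.Config.SMTPAuthenticationMethod)
 }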
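Review bot: The new guard in `Start` ships without a test — the commit touches only mail.go — so nothing pins the security property it exists for, that `LoginAuth("u", "p", "mail.example.com").Start(&smtp.ServerInfo{Name: "mail.example.com", TLS: false})` returns an error before any credential is handed to the server, while the same call with `TLS: true` or `Name: "localhost"` yields `"LOGIN"`; a short table-driven test of those three cases would keep a later refactor from silently re-opening GHSA-6g7f-8qm4-f7h8. The host comparison `server.Name != l.host` is now fed `e.Config.SMTPServer`; if that config value can carry a port while the dialer gives net/smtp the bare hostname, every LOGIN attempt would fail with "wrong host name" — PlainAuth on the line above receives the identical value, so the two mechanisms at least fail together, but it is worth confirming against the dialing code, which is outside this hunk. `LoginAuth` is exported and undocumented; given the behaviour it now enforces I would add `// LoginAuth returns an smtp.Auth for the LOGIN mechanism. As with smtp.PlainAuth, credentials are only sent when the connection uses TLS or the server is localhost, and server.Name must equal host.` The credential-returning `Next` method of loginauth is not in the hunk, so the note covers only `Start`.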
