nginx.git/src/mail, branch release-1.23.1 nginx Mail: connections with wrong ALPN protocols are now rejected. 2021-10-20T06:45:34+00:00 Vladimir Homutov vl@nginx.com 2021-10-20T06:45:34+00:00 1fecec0cbf1554c0473d5cca0fb55f8dc006e4ba This is a recommended behavior by RFC 7301 and is useful for mitigation of protocol confusion attacks [1]. For POP3 and IMAP protocols IANA-assigned ALPN IDs are used [2]. For the SMTP protocol "smtp" is used. [1] https://alpaca-attack.com/ [2] https://www.iana.org/assignments/tls-extensiontype-values/ 
This is a recommended behavior by RFC 7301 and is useful
for mitigation of protocol confusion attacks [1].

For POP3 and IMAP protocols IANA-assigned ALPN IDs are used [2].
For the SMTP protocol "smtp" is used.

[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/
Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134). 2021-08-13T07:57:47+00:00 Rob Mueller robm@fastmail.fm 2021-08-13T07:57:47+00:00 d4dad02e5ecd523f896a87a08a6582853d83a14d This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to the mail proxy auth protocol when SSL is enabled. This can be useful for detecting users using older clients that negotiate old ciphers when you want to upgrade to newer TLS versions of remove suppport for old and insecure ciphers. You can use your auth backend to notify these users before the upgrade that they either need to upgrade their client software or contact your support team to work out an upgrade path. 
This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions of remove suppport for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.
SSL: ciphers now set before loading certificates (ticket #2035). 2021-08-16T19:40:31+00:00 Maxim Dounin mdounin@mdounin.ru 2021-08-16T19:40:31+00:00 ce5996cdd1b2e150f645efbc337e5a681dbe241c To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading. 
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
Mail: max_errors directive. 2021-05-19T00:13:31+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:31+00:00 173f16f736c10eae46cd15dd861b04b82d91a37a Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands in Exim, specifies the number of errors after which the connection is closed. 
Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
in Exim, specifies the number of errors after which the connection is closed.
Mail: IMAP pipelining support. 2021-05-19T00:13:28+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:28+00:00 5015209054f68141cd4f5f61e874d4497d4ef49c The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a), and ensures that nginx is able to properly handle or reject multiple IMAP commands. The s->cmd field is not really used and set for consistency. Non-synchronizing literals handling in invalid/unknown commands is limited, so when a non-synchronizing literal is detected at the end of a discarded line, the connection is closed. 
The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a),
and ensures that nginx is able to properly handle or reject multiple IMAP
commands.  The s->cmd field is not really used and set for consistency.

Non-synchronizing literals handling in invalid/unknown commands is limited,
so when a non-synchronizing literal is detected at the end of a discarded
line, the connection is closed.
Mail: stricter checking of IMAP tags. 2021-05-19T00:13:26+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:26+00:00 4617dd64b863df111e33b1b395709f4c2f427350 Only "A-Za-z0-9-._" characters now allowed (which is stricter than what RFC 3501 requires, but expected to be enough for all known clients), and tags shouldn't be longer than 32 characters. 
Only "A-Za-z0-9-._" characters now allowed (which is stricter than what
RFC 3501 requires, but expected to be enough for all known clients),
and tags shouldn't be longer than 32 characters.
Mail: fixed backslash handling in IMAP literals. 2021-05-19T00:13:23+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:23+00:00 82840d165144584d1b288521266051a6b5a462eb Previously, s->backslash was set if any of the arguments was a quoted string with a backslash character. After successful command parsing this resulted in all arguments being filtered to remove backslashes. This is, however, incorrect, as backslashes should not be removed from IMAP literals. For example: S: * OK IMAP4 ready C: a01 login {9} S: + OK C: user\name "pass\"word" S: * BAD internal server error resulted in "Auth-User: username" instead of "Auth-User: user\name" as it should. Fix is to apply backslash filtering on per-argument basis during parsing. 
Previously, s->backslash was set if any of the arguments was a quoted
string with a backslash character.  After successful command parsing
this resulted in all arguments being filtered to remove backslashes.
This is, however, incorrect, as backslashes should not be removed from
IMAP literals.  For example:

   S: * OK IMAP4 ready
   C: a01 login {9}
   S: + OK
   C: user\name "pass\"word"
   S: * BAD internal server error

resulted in "Auth-User: username" instead of "Auth-User: user\name"
as it should.

Fix is to apply backslash filtering on per-argument basis during parsing.
Mail: removed dead s->arg_start handling. 2021-05-19T00:13:22+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:22+00:00 fabe28259f4e191fee660a240ba347a0a8d2f1dc As discussed in the previous change, s->arg_start handling in the "done" labels of ngx_mail_pop3_parse_command(), ngx_mail_imap_parse_command(), and ngx_mail_smtp_parse_command() is wrong: s->arg_start cannot be set there, as it is handled and cleared on all code paths where the "done" labels are reached. The relevant code is dead and now removed. 
As discussed in the previous change, s->arg_start handling in the "done"
labels of ngx_mail_pop3_parse_command(), ngx_mail_imap_parse_command(),
and ngx_mail_smtp_parse_command() is wrong: s->arg_start cannot be
set there, as it is handled and cleared on all code paths where the
"done" labels are reached.  The relevant code is dead and now removed.
Mail: fixed s->arg_start clearing on invalid IMAP commands. 2021-05-19T00:13:20+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:20+00:00 3c660ef59b545bf76f2fb2b6a37ca02bcae4b2fb Previously, s->arg_start was left intact after invalid IMAP commands, and this might result in an argument incorrectly added to the following command. Similarly, s->backslash was left intact as well, leading to unneeded backslash removal. For example (LFs from the client are explicitly shown as "<LF>"): S: * OK IMAP4 ready C: a01 login "\<LF> S: a01 BAD invalid command C: a0000000000\2 authenticate <LF> S: a00000000002 aBAD invalid command The backslash followed by LF generates invalid command with s->arg_start and s->backslash set, the following command incorrectly treats anything from the old s->arg_start to the space after the command as an argument, and removes the backslash from the tag. If there is no space, s->arg_end will be NULL. Both things seem to be harmless though. In particular: - This can be used to provide an incorrect argument to a command without arguments. The only command which seems to look at the single argument is AUTHENTICATE, and it checks the argument length before trying to access it. - Backslash removal uses the "end" pointer, and stops due to "src < end" condition instead of scanning all the process memory if s->arg_end is NULL (and arg[0].len is huge). - There should be no backslashes in unquoted strings. An obvious fix is to clear s->arg_start and s->backslash on invalid commands, similarly to how it is done in POP3 parsing (added in 810:e3aa8f305d21) and SMTP parsing. This, however, makes it clear that s->arg_start handling in the "done" label is wrong: s->arg_start cannot be legitimately set there, as it is expected to be cleared in all possible cases when the "done" label is reached. The relevant code is dead and will be removed by the following change. 
Previously, s->arg_start was left intact after invalid IMAP commands,
and this might result in an argument incorrectly added to the following
command.  Similarly, s->backslash was left intact as well, leading
to unneeded backslash removal.

For example (LFs from the client are explicitly shown as "<LF>"):

  S: * OK IMAP4 ready
  C: a01 login "\<LF>
  S: a01 BAD invalid command
  C: a0000000000\2 authenticate <LF>
  S: a00000000002 aBAD invalid command

The backslash followed by LF generates invalid command with s->arg_start
and s->backslash set, the following command incorrectly treats anything
from the old s->arg_start to the space after the command as an argument,
and removes the backslash from the tag.  If there is no space, s->arg_end
will be NULL.

Both things seem to be harmless though.  In particular:

- This can be used to provide an incorrect argument to a command without
  arguments.  The only command which seems to look at the single argument
  is AUTHENTICATE, and it checks the argument length before trying to
  access it.

- Backslash removal uses the "end" pointer, and stops due to "src < end"
  condition instead of scanning all the process memory if s->arg_end is
  NULL (and arg[0].len is huge).

- There should be no backslashes in unquoted strings.

An obvious fix is to clear s->arg_start and s->backslash on invalid commands,
similarly to how it is done in POP3 parsing (added in 810:e3aa8f305d21) and
SMTP parsing.

This, however, makes it clear that s->arg_start handling in the "done"
label is wrong: s->arg_start cannot be legitimately set there, as it
is expected to be cleared in all possible cases when the "done" label is
reached.  The relevant code is dead and will be removed by the following
change.
Mail: POP3 pipelining support. 2021-05-19T00:13:18+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:18+00:00 d96d60d2e0a41a4e01163f7e5d1835e028f94b72 The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a), and ensures that nginx is able to properly handle or reject multiple POP3 commands, as required by the PIPELINING capability (RFC 2449). The s->cmd field is not really used and set for consistency. 
The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a),
and ensures that nginx is able to properly handle or reject multiple POP3
commands, as required by the PIPELINING capability (RFC 2449).  The s->cmd
field is not really used and set for consistency.