heimoshuiyu/postmoogle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

reject wrong email in SMTP MAIL(), reject impersonation attempts

Browse Source
This commit is contained in:
Aine
2022-11-23 11:51:12 +02:00
parent b4d6d992ac
commit 0701f8c9c3
4 changed files with 55 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
bot/access.go
View File

@@ -125,7 +125,7 @@ func (b *Bot) Ban(addr net.Addr) {
}
// AllowAuth check if SMTP login (email) and password are valid
func (b *Bot) AllowAuth(email, password string) bool {
func (b *Bot) AllowAuth(email, password string) (id.RoomID, bool) {
var suffix bool
for _, domain := range b.domains {
if strings.HasSuffix(email, "@"+domain) {
@@ -134,22 +134,27 @@ func (b *Bot) AllowAuth(email, password string) bool {
}
}
if !suffix {
return false
return "", false
}
roomID, ok := b.getMapping(utils.Mailbox(email))
if !ok {
return false
return "", false
}
cfg, err := b.getRoomSettings(roomID)
if err != nil {
b.log.Error("failed to retrieve settings: %v", err)
return false
return "", false
}
if cfg.NoSend() {
b.log.Warn("trying to send email from %q (%q), but it's receive-only", email, roomID)
return "", false
}
allow, err := argon2pw.CompareHashWithPassword(cfg.Password(), password)
if err != nil {
b.log.Warn("Password for %s is not valid: %v", email, err)
}
return allow
return roomID, allow
}