From a32bfbf07e2714184bf9cbf9f573450a74be391c Mon Sep 17 00:00:00 2001 
From: Viktor Barzin
Date: Sun, 19 Apr 2026 10:31:15 +0000
Subject: [PATCH] [mailserver] Require STARTTLS before AUTH on submission [ci skip]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Context

docker-mailserver 15.0.0's default Postfix config does NOT set `smtpd_tls_auth_only = yes`. Clients that skip STARTTLS on port 587 (or 25 with AUTH) can send PLAIN/LOGIN creds in cleartext. CrowdSec and rate limiting don't catch this — it's an auth-path leak, not a bruteforce. Addresses bd code-vnw.

## This change

Adds `smtpd_tls_auth_only = yes` to `postfix_cf` (applied via the `postfix-main.cf` ConfigMap key consumed by docker-mailserver). Rolled the pod to pick up the new ConfigMap.

### Deviation from task spec

code-vnw's fix field cited `smtpd_sasl_auth_only = yes`. That is NOT a real Postfix parameter — attempting it gets `postconf: warning: smtpd_sasl_auth_only: unknown parameter`. The acceptance test (reject PLAIN auth before STARTTLS) is satisfied by `smtpd_tls_auth_only`, which is the correct knob. Added an inline comment noting the common confusion.

## What is NOT in this change

- Per-service override in master.cf (smtpd_tls_auth_only applied globally, which is safe because port 25 doesn't accept AUTH here)
- Other Postfix hardening (sender_restrictions, etc.)

## Test Plan

### Automated

```
$ kubectl exec -n mailserver -c docker-mailserver deployment/mailserver -- \
    postconf smtpd_tls_auth_only
smtpd_tls_auth_only = yes
$ kubectl rollout status deployment/mailserver -n mailserver
deployment "mailserver" successfully rolled out
```

### Manual Verification

1. `openssl s_client -connect mail.viktorbarzin.me:587 -starttls smtp`
2. At prompt, send `AUTH PLAIN ` BEFORE `STARTTLS`
3. Expected: Postfix rejects with `503 5.5.1 Error: authentication not enabled`
4. Follow-up: STARTTLS first, then `AUTH PLAIN ` — succeeds for valid creds

## Reproduce locally

1. From a shell with `kubectl` access to the cluster:
2. `kubectl exec -n mailserver -c docker-mailserver deployment/mailserver -- postconf smtpd_tls_auth_only`
3. Expected: `smtpd_tls_auth_only = yes`

Closes: code-vnw
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 stacks/mailserver/modules/mailserver/variables.tf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/stacks/mailserver/modules/mailserver/variables.tf b/stacks/mailserver/modules/mailserver/variables.tf index b64f5938..72d8f308 100644 --- a/stacks/mailserver/modules/mailserver/variables.tf +++ b/stacks/mailserver/modules/mailserver/variables.tf @@ -12,6 +12,13 @@ smtp_tls_security_level = encrypt smtpd_tls_cert_file=/tmp/ssl/tls.crt smtpd_tls_key_file=/tmp/ssl/tls.key smtpd_use_tls=yes +# Require STARTTLS before any AUTH command on the SMTPD listener. +# Without this, a misconfigured client that skips STARTTLS would send +# PLAIN/LOGIN creds in the clear. docker-mailserver's default does NOT +# enforce this at the main.cf level for submission (587). +# Note: smtpd_sasl_auth_only (sometimes cited) is NOT a real Postfix +# parameter — only smtpd_tls_auth_only is. Addresses code-vnw. +smtpd_tls_auth_only = yes header_size_limit = 4096000 # Debug mail tls
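Review bot: the manual verification cannot exercise the path this hunk hardens as written: step 1 runs `openssl s_client ... -starttls smtp`, which completes EHLO and STARTTLS itself before showing the prompt, so the `AUTH PLAIN` in step 2 is already inside TLS. Use a plain TCP session to 587 (`openssl s_client -connect host:587` without `-starttls`) and check two things: AUTH is absent from the cleartext EHLO response, and an AUTH command is refused. The expected string in step 3, `503 5.5.1 Error: authentication not enabled`, is Postfix's reply when SASL is not enabled on the listener at all; the refusal produced by `smtpd_tls_auth_only = yes` on an unencrypted session is `504 5.5.4 Encryption required for requested authentication mechanism`, so assert on a 5xx reply or record the actual text rather than hardcoding this one. Separately, the "Automated" section only confirms `postconf` output, and nothing in this diff triggers the pod restart that the new ConfigMap value needs; the "Rolled the pod" step should be captured as a command in the test plan or automated (e.g. a config-hash annotation on the deployment), otherwise the next edit to `postfix_cf` silently stays unapplied.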
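The manual verification above, turned into a repeatable check that a defender can run against a submission port after the rollout. This is an added example, not code from the commit or from docker-mailserver; it assumes a host name supplied by the caller (the default `mail.example.invalid` is a placeholder), reports whether AUTH is advertised and accepted on the cleartext leg and whether it appears after STARTTLS, and never transmits a credential: an `AUTH PLAIN` the server is willing to continue is cancelled with `*` as RFC 4954 allows.

```python
import io
import socket
import ssl

def read_reply(f):
    """Read one SMTP reply from a binary file object -> (code, [line texts])."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("connection closed or malformed reply")
        lines.append(line[4:])                      # drop 'NNN-' / 'NNN ' prefix
        if len(line) == 3 or line[3] != "-":       # last line of the reply
            return int(line[:3]), lines

def parse_reply(raw):
    return read_reply(io.BytesIO(raw))

def ehlo_keywords(reply_lines):
    """Map EHLO keywords to parameters, e.g. {'AUTH': 'PLAIN LOGIN'}; skips the greeting line."""
    kw = {}
    for ln in reply_lines[1:]:
        name, _, params = ln.partition(" ")
        kw[name.upper()] = params
    return kw

def probe_submission(host="mail.example.invalid", port=587, timeout=10):
    """Cleartext EHLO/AUTH probe, then STARTTLS; never sends a credential (334 -> '*' cancel)."""
    res = {}
    sock = socket.create_connection((host, port), timeout=timeout)   # placeholder host by default
    f = sock.makefile("rb")
    read_reply(f)                                   # 220 banner
    sock.sendall(b"EHLO probe.invalid\r\n")
    res["auth_offered_in_clear"] = "AUTH" in ehlo_keywords(read_reply(f)[1])
    sock.sendall(b"AUTH PLAIN\r\n")                 # mechanism only, no initial response
    code, text = read_reply(f)
    if code == 334:                                 # server would accept cleartext AUTH
        sock.sendall(b"*\r\n")                      # RFC 4954 cancel, nothing secret sent
        read_reply(f)
    res["clear_auth_reply"] = f"{code} {text[0]}"
    res["clear_auth_refused"] = 500 <= code < 600   # any 5xx counts as hardened
    sock.sendall(b"STARTTLS\r\n")
    res["starttls_ok"] = read_reply(f)[0] == 220    # server sends nothing more until the handshake
    if res["starttls_ok"]:
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        tls.sendall(b"EHLO probe.invalid\r\n")
        res["auth_offered_after_tls"] = "AUTH" in ehlo_keywords(read_reply(tls.makefile("rb"))[1])
        tls.sendall(b"QUIT\r\n")
        tls.close()
    return res
```

A hardened listener yields `auth_offered_in_clear == False`, `clear_auth_refused == True` and `auth_offered_after_tls == True`; a certificate the default context does not trust raises `ssl.SSLError`, which is itself a finding.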