From 83e6a1b4fa3438b6aec2a20e7039bc86f5e98f2b Mon Sep 17 00:00:00 2001
From: Matthias Keck
Date: Mon, 1 Jul 2024 09:26:11 +0200
Subject: [PATCH] Introduces a config option to control smtp server identity check
- default value was changed by angus implementation
- keep more secure default, but make it configurable if less strict settings are required by mail server
Fixes: SIRI-983
---
 .../sirius/web/mails/SMTPConfiguration.java | 24 +++++++++++++++++--
 .../java/sirius/web/mails/SendMailTask.java | 2 ++
 src/main/resources/component-065-web.conf | 4 ++++
 src/main/resources/scope-conf/mail.conf | 4 ++++
 4 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/main/java/sirius/web/mails/SMTPConfiguration.java b/src/main/java/sirius/web/mails/SMTPConfiguration.java
index 6abe0c59b..a1058036c 100644
--- a/src/main/java/sirius/web/mails/SMTPConfiguration.java
+++ b/src/main/java/sirius/web/mails/SMTPConfiguration.java
@@ -29,6 +29,7 @@ public class SMTPConfiguration {
 private String mailSenderName;
 private boolean useSenderAndEnvelopeFrom;
 private String trustedServers;
+ private boolean checkServerIdentity;
 @ConfigValue("mail.smtp.host")
 private static String smtpHost;
@@ -54,6 +55,9 @@ public class SMTPConfiguration {
 @ConfigValue("mail.smtp.trustedServers")
 private static String smtpTrustedServers;
+ @ConfigValue("mail.smtp.checkServerIdentity")
+ private static boolean smtpCheckServerIdentity;
+
 private SMTPConfiguration() {
 }
@@ -113,6 +117,11 @@ public SMTPConfiguration setTrustedServers(String trustedServers) {
 return this;
 }
+ public SMTPConfiguration setCheckServerIdentity(boolean checkServerIdentity) {
+ this.checkServerIdentity = checkServerIdentity;
+ return this;
+ }
+
 /**
 * Creates a new configuration based on the config files.
 *
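Review bot: The `checkServerIdentity` field added in the first hunk has no initialiser, so it is `false`, the less secure state, until a setter runs. Only `fromConfig()` and `fromSettings()` are shown calling `setCheckServerIdentity`; if the class offers any other way to build an instance (most of it lies outside these hunks), such a configuration would make `SendMailTask` switch hostname verification off explicitly. `private boolean checkServerIdentity = true;` would keep the secure default stated in the commit message in the code as well as in the .conf files. The setter added in the third hunk has no Javadoc; a line such as `Passing false disables the TLS hostname check against the SMTP server's certificate.` would make the consequence visible to callers.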
@@ -128,7 +137,8 @@ public static SMTPConfiguration fromConfig() {
 .setMailSender(smtpSender)
 .setMailSenderName(smtpSenderName)
 .setUseSenderAndEnvelopeFrom(smtpUseEnvelopeFrom)
- .setTrustedServers(smtpTrustedServers);
+ .setTrustedServers(smtpTrustedServers)
+ .setCheckServerIdentity(smtpCheckServerIdentity);
 }
 /**
@@ -156,7 +166,8 @@ public static SMTPConfiguration fromSettings(Settings settings) {
 .setMailSender(settings.get("mail.sender").getString())
 .setMailSenderName(settings.get("mail.senderName").getString())
 .setUseSenderAndEnvelopeFrom(settings.get("mail.useEnvelopeFrom").asBoolean())
- .setTrustedServers(settings.get("mail.trustedServers").getString());
+ .setTrustedServers(settings.get("mail.trustedServers").getString())
+ .setCheckServerIdentity(settings.get("mail.checkServerIdentity").asBoolean());
 }
 /**
@@ -195,6 +206,15 @@ public String getTrustedServers() {
 return trustedServers;
 }
+ /**
+ * Determines if the server identity should be checked.
+ *
+ * @return true if the server identity should be checked, false otherwise
+ */
+ public boolean isCheckServerIdentity() {
+ return checkServerIdentity;
+ }
+
 /**
 * Returns the hostname of the mail server to be used.
 *
diff --git a/src/main/java/sirius/web/mails/SendMailTask.java b/src/main/java/sirius/web/mails/SendMailTask.java
index 8f937658a..5eb2f2e6f 100644
--- a/src/main/java/sirius/web/mails/SendMailTask.java
+++ b/src/main/java/sirius/web/mails/SendMailTask.java
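Review bot: In `fromSettings` (second hunk of this line) a TLS verification switch is read with `settings.get("mail.checkServerIdentity").asBoolean()`, and what that yields for a missing or empty value is not visible in this diff. If it reads as `false`, a scope whose settings lack the key would silently lose the identity check; the default added to scope-conf/mail.conf covers the usual case, but the read itself should fail closed. If `Value` offers a defaulting overload, `.setCheckServerIdentity(settings.get("mail.checkServerIdentity").asBoolean(true))` would do that. The bodies of `fromConfig` and `fromSettings` start outside their hunks.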
@@ -75,6 +75,7 @@ class SendMailTask implements Runnable {
 private static final String MAIL_FROM = "mail.from";
 private static final String MAIL_SMTP_HOST = "mail.smtp.host";
 private static final String MAIL_SMTP_STARTTLS_ENABLE = "mail.smtp.starttls.enable";
+ private static final String MAIL_SMTP_CHECKSERVERIDENTITY = "mail.smtp.ssl.checkserveridentity";
 private static final String MAIL_SMTP_SSL_TRUST = "mail.smtp.ssl.trust";
 private static final String MAIL_SMTP_PORT = "mail.smtp.port";
 private static final String MAIL_SMTP_CONNECTIONTIMEOUT = "mail.smtp.connectiontimeout";
@@ -382,6 +383,7 @@ private Session getMailSession(SMTPConfiguration config) {
 props.setProperty(MAIL_TRANSPORT_PROTOCOL, config.getProtocol().getProtocol());
 props.setProperty(MAIL_SMTP_STARTTLS_ENABLE, Boolean.toString(config.getProtocol().isStarttls()));
+ props.setProperty(MAIL_SMTP_CHECKSERVERIDENTITY, Boolean.toString(config.isCheckServerIdentity()));
 if (Strings.isFilled(config.getTrustedServers())) {
 props.setProperty(MAIL_SMTP_SSL_TRUST, config.getTrustedServers());
 }
diff --git a/src/main/resources/component-065-web.conf b/src/main/resources/component-065-web.conf
index 9296e362b..470af81c5 100644
--- a/src/main/resources/component-065-web.conf
+++ b/src/main/resources/component-065-web.conf
@@ -577,6 +577,10 @@ mail {
 # CA signatures are apparently ignored, and only the listed servers are trusted! Set to "*" to trust any server.
 trustedServers = ""
+ # Controls whether the server identity should be checked against the hostname of the server.
+ # See: mail.smtp.ssl.checkserveridentity https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
+ checkServerIdentity = true
+
 # Contains the settings required to enable DKIM
 dkim {
diff --git a/src/main/resources/scope-conf/mail.conf b/src/main/resources/scope-conf/mail.conf
index f5f3c29dc..2eec4b2fd 100644
--- a/src/main/resources/scope-conf/mail.conf
+++ b/src/main/resources/scope-conf/mail.conf
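Review bot: In `getMailSession` the flag is written only under the key `mail.smtp.ssl.checkserveridentity`, while the transport protocol two lines above comes from `config.getProtocol().getProtocol()`. Jakarta Mail reads SSL properties under the prefix of the protocol in use, so if that value can be `smtps` the new setting would not take effect for those connections (to be confirmed against the protocol type, which is outside this diff); the existing `mail.smtp.ssl.trust` line would share the limitation. Separately, a disabled check removes the protection against a man-in-the-middle on the SMTP connection, so logging a warning when `config.isCheckServerIdentity()` is `false` would make that state visible in operations. The method body starts and ends outside the hunk.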
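Review bot: The comment added for `checkServerIdentity` in component-065-web.conf says what is compared but not what is lost when the option is turned off, and the option sits directly below `trustedServers`, whose comment says CA signatures are ignored for listed servers. With `trustedServers = "*"` and `checkServerIdentity = false` together the mail server would not be authenticated at all, so the comment should say so, for example `# Keep enabled unless the server's certificate cannot match its hostname; disabling it allows the server to be impersonated.` The link points at the JavaMail documentation although the commit message refers to the Angus implementation, so a link to the property documentation of the library actually in use would be more reliable. The same comment is added to scope-conf/mail.conf in the last hunk.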
@@ -25,6 +25,10 @@ mail {
 # CA signatures are apparently ignored, and only the listed servers are trusted! Set to "*" to trust any server.
 trustedServers = ""
+ # Controls whether the server identity should be checked against the hostname of the server.
+ # See: mail.smtp.ssl.checkserveridentity https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
+ checkServerIdentity = true
+
 # Whether E-Mail addresses with non-ascii-symbols are considered valid
 # The mail server needs to support SMTPUTF8 for this to work, see https://datatracker.ietf.org/doc/html/rfc6531
 allow-utf-8 = false