docs: fix reference info to smtps (authelia#3950)
This PR aligns some information missed in a previous update.
polarathene authored Sep 6, 2022
1 parent 9a71501 commit 97faa0b
Showing 2 changed files with 48 additions and 23 deletions.
11 changes: 8 additions & 3 deletions docs/content/en/configuration/notifications/smtp.md
Expand Up @@ -56,9 +56,14 @@ host: "[fd00:1111:2222:3333::1]"
{{< confkey type="integer" required="yes" >}}
The port the SMTP service is listening on. Port 465 is treated as a special port where the entire connection is over
TLS. This port was formerly known as the SMTPS port but is now known as the SUBMISSIONS port i.e. SUBMISSION Secure. All
other ports expect to perform a STARTTLS negotiation.
The port the SMTP service is listening on.
A connection is securely established with TLS after a succesful STARTTLS negotiation.
[Port 465 is an exception][docs-security-smtp-port] when supported by the mail server as a `submissions` service port.
STARTTLS negotiation is not required for this port, the connection is implicitly established with TLS.

[docs-security-smtp-port]: ../../overview/security/measures.md#smtp-ports

### timeout

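Review bot: The added line `A connection is securely established with TLS after a succesful STARTTLS negotiation.` misspells "successful"; fix before merge. In the same hunk, `[Port 465 is an exception][docs-security-smtp-port] when supported by the mail server as a \`submissions\` service port.` reads as though Authelia detects server support, but the companion change in measures.md in this commit states the behaviour is keyed on the configured value alone ("When the configured port ... is set to `465`, Authelia will initiate TLS connections without requiring STARTTLS negotiation"). Suggest wording it as a configuration consequence, e.g. "Port 465 is treated as the `submissions` service port: the connection is established with implicit TLS and no STARTTLS negotiation is performed, so only configure it when the mail server actually offers implicit TLS on that port."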
60 changes: 40 additions & 20 deletions docs/content/en/overview/security/measures.md
Expand Up @@ -147,30 +147,32 @@ If you wish to change your encryption key for any reason you can do so using the

## Notifier security measures (SMTP)

The SMTP Notifier implementation does not allow connections that are not secure without changing default configuration
The SMTP Notifier implementation does not allow connections that are not secure without changing default configuration
values.

As such all SMTP connections require the following:

1. TLS Connection (STARTTLS or SMTPS) has been negotiated before authentication or sending emails (unauthenticated
connections require it as well)
1. A TLS Connection (STARTTLS or implicit) has been negotiated before authentication or sending emails (_unauthenticated
connections require it as well_)
2. Valid X509 Certificate presented to the client during the TLS handshake

There is an option to disable both of these security measures however they are __not recommended__.

The following configuration options exist to configure the security level in order of most preferable to least
The following configuration options exist to configure the security level in order of most preferable to least
preferable:

### Configuration Option: certificates_directory

You can [configure a directory](../../configuration/miscellaneous/introduction.md#certificates_directory) of certificates for Authelia
You can [configure a directory](../../configuration/miscellaneous/introduction.md#certificates_directory) of
certificates for Authelia
to trust. These certificates can either be CA's or individual public certificates that should be trusted. These
are added in addition to the environments PKI trusted certificates if available. This is useful for trusting a
certificate that is self-signed without drastically reducing security. This is the most recommended workaround to not
having a valid PKI trusted certificate as it gives you complete control over which ones are trusted without disabling
critically needed validation of the identity of the target service.

Read more in the [documentation](../../configuration/miscellaneous/introduction.md#certificates_directory) for this option.
Read more in the [documentation](../../configuration/miscellaneous/introduction.md#certificates_directory) for this
option.

### Configuration Option: tls.skip_verify

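Review bot: In the rewritten list item `1. A TLS Connection (STARTTLS or implicit) has been negotiated ...` the word "implicit" is left dangling; the term the new "SMTP Ports" section in this same commit uses is implicit TLS, so suggest "(STARTTLS or implicit TLS)" for consistency. The other lines in this hunk that appear as identical before/after pairs (e.g. `The SMTP Notifier implementation does not allow connections that are not secure without changing default configuration`) are whitespace or wrap-only changes; harmless, but the commit message should say so since "aligns some information" suggests content changes.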
Expand All @@ -181,23 +183,41 @@ attacks could intercept emails from Authelia compromising a user's security with

### Configuration Option: disable_require_tls

Authelia by default ensures that the SMTP server connection is secured via STARTTLS or SMTPS prior to sending sensitive
information. The [disable_require_tls](../../configuration/notifications/smtp.md#disable_require_tls) disables this requirement
which means the emails are sent in plain text. This is the least secure option as it effectively removes the validation
of SMTP certificates and removes the encryption offered by the STARTTLS/SMTPS connection all together.
Authelia by default ensures that the SMTP server connection is secured via TLS prior to sending sensitive information.

This means not only can the vulnerabilities of the [skip_verify](#configuration-option-tlsskip_verify) option be
exploited, but any router or switch along the route of the email which receives the packets could be used to silently
exploit the plain text nature of the email. This is only usable currently with authentication disabled (comment out the
password) and as such is only an option for SMTP servers that allow unauthenticated relay (bad practice).
The [disable_require_tls](../../configuration/notifications/smtp.md#disable_require_tls) option disables this
requirement which means the emails may be sent in cleartext. This is the least secure option as it effectively removes
the validation of SMTP certificates and makes using an encrypted connection with TLS optional.

### SMTPS vs STARTTLS
This means not only can the vulnerabilities of the [skip_verify](#configuration-option-tlsskip_verify) option be
exploited, but any router or switch along the route of the email which receives the packets could be used to silently
exploit the cleartext nature of the connection to manipulate the email in transit.

All connections start as plain text and are upgraded via STARTTLS. SMTPS is an exception to this rule where the
connection is over TLS. As SMTPS is deprecated, the only way to configure this is to set the SMTP
[port](../../configuration/notifications/smtp.md#port) to the officially recognized SMTPS port of 465 which will cause Authelia
to automatically consider it to be a SMTPS connection. As such your SMTP server, if not offering SMTPS, should not be
listening on port 465 which is bad practice anyway.
This is only usable currently with authentication disabled (_comment out the password_), and as such is only an option
for SMTP servers that allow unauthenticated relaying (bad practice).

### SMTP Ports

All SMTP connections begin as [cleartext], and then negotiate to upgrade to a secure TLS connection via STARTTLS.

The [`submissions` service][service-submissions] (_typically port 465_) is an exception to this rule, where the
connection begins immediately secured with TLS (_similar to HTTPS_). When the configured [port for
SMTP][docs-config-smtp-port] is set to `465`, Authelia will initiate TLS connections without requiring STARTTLS
negotiation.

When the `submissions` service port is available, it [should be preferred][port-465] over any STARTTLS port for
submitting mail.

**NOTE:** Prior to 2018, port 465 was previously assigned for a similar purpose known as [`smtps`][port-465] (_A TLS
only equivalent of the `smtp` port 25_), which it had been deprecated for. Port 465 has since been re-assigned for only
supporting mail submission (_which unlike SMTP transfers via port 25, [requires authentication][smtp-auth]_), similar
to port 587 (_the `submission` port, a common alternative that uses STARTTLS instead_).

[docs-config-smtp-port]: ../../configuration/notifications/smtp.md#port
[cleartext]: https://cwe.mitre.org/data/definitions/312.html
[service-submissions]: https://www.rfc-editor.org/rfc/rfc8314#section-7.3
[port-465]: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
[smtp-auth]: https://www.rfc-editor.org/rfc/rfc6409#section-4.3

## Protection against open redirects

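Review bot: The new `[cleartext]: https://cwe.mitre.org/data/definitions/312.html` reference points at CWE-312, "Cleartext Storage of Sensitive Information"; the weakness this section describes is sending mail over an unencrypted connection, which is CWE-319 "Cleartext Transmission of Sensitive Information" (https://cwe.mitre.org/data/definitions/319.html). Two smaller points in the same hunk: the NOTE sentence `... known as [\`smtps\`][port-465] (_A TLS only equivalent of the \`smtp\` port 25_), which it had been deprecated for.` is hard to parse; suggest "... known as `smtps` (a TLS-only equivalent of the `smtp` port 25), a use that had since been deprecated. RFC 8314 re-assigned port 465 to `submissions`, ...". And `(_which unlike SMTP transfers via port 25, [requires authentication][smtp-auth]_)` overstates RFC 6409 section 4.3 slightly: an MSA MUST require authentication by default, but may accept sessions that are otherwise authenticated or authorized (for example from a protected subnetwork), so "normally requires authentication" is the accurate phrasing.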

0 comments on commit 97faa0b