	Allow multiple SMTP Auth meganisms.
- Allow all SMTP Auth mechanisms supported by Lettre. - The order of the config value is leading, and values can be separated by a comma ','. - Case doesn't matter, and invalid values are ignored. - A warning is printed when no valid value is found at all.
		| @@ -1,7 +1,7 @@ | |||||||
| ## Bitwarden_RS Configuration File | ## Bitwarden_RS Configuration File | ||||||
| ## Uncomment any of the following lines to change the defaults | ## Uncomment any of the following lines to change the defaults | ||||||
| ##  | ## | ||||||
| ## Be aware that most of these settings will be overridden if they were changed  | ## Be aware that most of these settings will be overridden if they were changed | ||||||
| ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . | ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . | ||||||
|  |  | ||||||
| ## Main data folder | ## Main data folder | ||||||
| @@ -70,7 +70,7 @@ | |||||||
| ## Log level | ## Log level | ||||||
| ## Change the verbosity of the log output | ## Change the verbosity of the log output | ||||||
| ## Valid values are "trace", "debug", "info", "warn", "error" and "off" | ## Valid values are "trace", "debug", "info", "warn", "error" and "off" | ||||||
| ## Setting it to "trace" or "debug" would also show logs for mounted  | ## Setting it to "trace" or "debug" would also show logs for mounted | ||||||
| ## routes and static file, websocket and alive requests | ## routes and static file, websocket and alive requests | ||||||
| # LOG_LEVEL=Info | # LOG_LEVEL=Info | ||||||
|  |  | ||||||
| @@ -184,7 +184,7 @@ | |||||||
| ## Authenticator Settings | ## Authenticator Settings | ||||||
| ## Disable authenticator time drifted codes to be valid. | ## Disable authenticator time drifted codes to be valid. | ||||||
| ## TOTP codes of the previous and next 30 seconds will be invalid | ## TOTP codes of the previous and next 30 seconds will be invalid | ||||||
| ##  | ## | ||||||
| ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238), | ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238), | ||||||
| ## we allow by default the TOTP code which was valid one step back and one in the future. | ## we allow by default the TOTP code which was valid one step back and one in the future. | ||||||
| ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes. | ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes. | ||||||
| @@ -210,6 +210,9 @@ | |||||||
| # SMTP_EXPLICIT_TLS=true # N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) | # SMTP_EXPLICIT_TLS=true # N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) | ||||||
| # SMTP_USERNAME=username | # SMTP_USERNAME=username | ||||||
| # SMTP_PASSWORD=password | # SMTP_PASSWORD=password | ||||||
|  | ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. | ||||||
|  | ## Possible values: ["Plain", "Login", "Xoauth2"]. | ||||||
|  | ## Multiple options need to be separated by a comma ','. | ||||||
| # SMTP_AUTH_MECHANISM="Plain" | # SMTP_AUTH_MECHANISM="Plain" | ||||||
| # SMTP_TIMEOUT=15 | # SMTP_TIMEOUT=15 | ||||||
|  |  | ||||||
|   | |||||||
| @@ -400,7 +400,7 @@ make_config! { | |||||||
|         smtp_username:          String, true,   option; |         smtp_username:          String, true,   option; | ||||||
|         /// Password |         /// Password | ||||||
|         smtp_password:          Pass,   true,   option; |         smtp_password:          Pass,   true,   option; | ||||||
|         /// Json form auth mechanism |> Defaults for ssl is "Plain" and "Login" and nothing for non-ssl connections. Possible values: ["Plain", "Login", "Xoauth2"] |         /// Json form auth mechanism |> Defaults for ssl is "Plain" and "Login" and nothing for non-ssl connections. Possible values: ["Plain", "Login", "Xoauth2"]. Multiple options need to be separated by a comma. | ||||||
|         smtp_auth_mechanism:    String, true,   option; |         smtp_auth_mechanism:    String, true,   option; | ||||||
|         /// SMTP connection timeout |> Number of seconds when to stop trying to connect to the SMTP server |         /// SMTP connection timeout |> Number of seconds when to stop trying to connect to the SMTP server | ||||||
|         smtp_timeout:           u64,    true,   def,     15; |         smtp_timeout:           u64,    true,   def,     15; | ||||||
| @@ -428,7 +428,7 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> { | |||||||
|  |  | ||||||
|     let dom = cfg.domain.to_lowercase(); |     let dom = cfg.domain.to_lowercase(); | ||||||
|     if !dom.starts_with("http://") && !dom.starts_with("https://") { |     if !dom.starts_with("http://") && !dom.starts_with("https://") { | ||||||
|         err!("DOMAIN variable needs to contain the protocol (http, https). Use 'http[s]://bw.example.com' instead of 'bw.example.com'");  |         err!("DOMAIN variable needs to contain the protocol (http, https). Use 'http[s]://bw.example.com' instead of 'bw.example.com'"); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     let whitelist = &cfg.signups_domains_whitelist; |     let whitelist = &cfg.signups_domains_whitelist; | ||||||
|   | |||||||
							
								
								
									
										20
									
								
								src/mail.rs
									
									
									
									
									
								
							
							| @@ -55,12 +55,22 @@ fn mailer() -> SmtpTransport { | |||||||
|  |  | ||||||
|     let smtp_client = match CONFIG.smtp_auth_mechanism() { |     let smtp_client = match CONFIG.smtp_auth_mechanism() { | ||||||
|         Some(mechanism) => { |         Some(mechanism) => { | ||||||
|             let correct_mechanism = format!("\"{}\"", crate::util::upcase_first(mechanism.trim_matches('"'))); |             let allowed_mechanisms = vec![SmtpAuthMechanism::Plain, SmtpAuthMechanism::Login, SmtpAuthMechanism::Xoauth2]; | ||||||
|  |             let mut selected_mechanisms = vec![]; | ||||||
|  |             for wanted_mechanism in mechanism.split(',') { | ||||||
|  |                 for m in &allowed_mechanisms { | ||||||
|  |                     if m.to_string().to_lowercase() == wanted_mechanism.trim_matches(|c| c == '"' || c == '\'' || c == ' ').to_lowercase() { | ||||||
|  |                         selected_mechanisms.push(m.clone()); | ||||||
|  |                     } | ||||||
|  |                 } | ||||||
|  |             }; | ||||||
|  |  | ||||||
|             // TODO: Allow more than one mechanism |             if !selected_mechanisms.is_empty() { | ||||||
|             match serde_json::from_str::<SmtpAuthMechanism>(&correct_mechanism) { |                 smtp_client.authentication(selected_mechanisms) | ||||||
|                 Ok(auth_mechanism) => smtp_client.authentication(vec![auth_mechanism]), |             } else { | ||||||
|                 _ => panic!("Failure to parse mechanism. Is it proper Json? Eg. `\"Plain\"` not `Plain`"), |                 // Only show a warning, and return without setting an actual authentication mechanism | ||||||
|  |                 warn!("No valid SMTP Auth mechanism found for '{}', using default values", mechanism); | ||||||
|  |                 smtp_client | ||||||
|             } |             } | ||||||
|         } |         } | ||||||
|         _ => smtp_client, |         _ => smtp_client, | ||||||
|   | |||||||
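Review bot: An unrecognized entry in a multi-valued list is dropped without any log line, because the `warn!` on the new side only fires when `selected_mechanisms` ends up empty; with `SMTP_AUTH_MECHANISM="Plain,Lgin"` the typo silently leaves only Plain configured, which is exactly the kind of quiet downgrade an operator would want to see in the log. A per-entry warning inside the matching loop surfaces it, and the same spot can replace the nested loop with `iter().find()`, which also removes the stray `};` after the `for` body (rustc warns about that trailing semicolon). Repeated entries such as `Plain,Plain` are currently pushed twice; whether that matters depends on how lettre consumes the list, so the sketch below leaves it alone. `mailer()` starts, and its `match` closes, outside the hunk.
```rust
let mut selected_mechanisms = vec![];
for wanted_mechanism in mechanism.split(',') {
    let wanted = wanted_mechanism.trim_matches(|c| c == '"' || c == '\'' || c == ' ').to_lowercase();
    match allowed_mechanisms.iter().find(|m| m.to_string().to_lowercase() == wanted) {
        Some(m) => selected_mechanisms.push(m.clone()),
        // Say which entry was dropped, so a typo does not silently shrink the list
        None => warn!("Ignoring unknown SMTP Auth mechanism '{}'", wanted_mechanism),
    }
}
// … unchanged: empty-list fallback with its warn! and the `_ => smtp_client` arm …
```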