Skip to content

chore: add comment about SMTP PLAIN authentication #4741

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: add comment about SMTP PLAIN authentication #4741

wants to merge 1 commit into from

Conversation

@TheMeier
Copy link
Contributor

@TheMeier TheMeier commented Nov 14, 2025

Ref: #1236

@SoloJacobs SoloJacobs self-requested a review November 15, 2025 08:55
SoloJacobs
SoloJacobs approved these changes Nov 15, 2025
View reviewed changes
Copy link
Contributor

@SoloJacobs SoloJacobs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I have been thinking whether we should also a validation step to amtool check-config. This should be possible, since the validation done by PlainAuth is straightforward.

@TheMeier
Copy link
Contributor Author

TheMeier commented Nov 17, 2025

So I have added a commit that implements validation if TLS is disabled and SMTP PLAIN auth config params are set. But I would consider this somewhat breaking since it will prevent AM starting with some (broken) configs which it previously did accept.
I can also break out that commit into another PR.

@SoloJacobs SoloJacobs self-requested a review November 18, 2025 07:30
SoloJacobs
SoloJacobs suggested changes Nov 18, 2025
View reviewed changes
Copy link
Contributor

@SoloJacobs SoloJacobs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • I don't know about our backwards compatibility requirements. Hopefully one of the maintainers can help out. I think from a semver perspective this is fine, and catching a notification not being sent out is pretty important in my opinion.
  • I would definitely allow localhost.
  • If you have the time, then I would split the PR. The doc change is ready to merge in my mind.

config/config.go Outdated
ec.RequireTLS = new(bool)
*ec.RequireTLS = c.Global.SMTPRequireTLS
}
if (ec.AuthUsername != "" || ec.AuthPassword != "" || ec.AuthPasswordFile != "") && !*ec.RequireTLS {
Copy link
Contributor

@SoloJacobs SoloJacobs Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we still allow localhost? This is how PlainAuth checks it:

func isLocalhost(name string) bool {                                                                  
    return name == "localhost" || name == "127.0.0.1" || name == "::1"                                  
}

Copy link
Contributor Author

@TheMeier TheMeier Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have removed the validation and will open another PR for it. Thanks for your feedback @SoloJacobs

@TheMeier
Copy link
Contributor Author

TheMeier commented Nov 18, 2025

So about that validation. I think a more correct implementation would be to use something like this:

			if !*ec.RequireTLS && (ec.AuthUsername != "" || ec.AuthPassword != "" || ec.AuthPasswordFile != "") {
				if ip := net.ParseIP(ec.Smarthost.Host); ip != nil && !ip.IsLoopback() {
					return errors.New("PLAIN SMTP authentication without TLS can only be used with loopback (aka localhost) addresses")
				}
			}

But that of cause is different than https://cs.opensource.google/go/go/+/refs/tags/go1.25.4:src/net/smtp/auth.go;l=67
The issue I see here is, whatever validation we implement is prone to become different at some point if the implementation in net/smtp changes in the future. So I also don't feel very happy to just copy their isLocalhost implementation.

@TheMeier TheMeier requested a review from SoloJacobs November 18, 2025 17:43
@SoloJacobs
Copy link
Contributor

SoloJacobs commented Nov 18, 2025

The validation also seems ok to me. Shame that there is no public function to check that SMTP is safe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@SoloJacobs SoloJacobs SoloJacobs approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TheMeier @SoloJacobs