fix(mail): support LOGIN auth, fix this issue: #2688

fiftin · fiftin · commit 9aa077a52030 · 2025-03-24T00:02:33.000+05:00
diff --git a/util/mailer/auth.go b/util/mailer/auth.go
@@ -0,0 +1,66 @@
+package mailer
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net/smtp"
+	"slices"
+)
+
+func PlainOrLoginAuth(username, password, host string) smtp.Auth {
+	return &plainOrLoginAuth{username: username, password: password, host: host}
+}
+
+func isLocalhost(name string) bool {
+	return name == "localhost" || name == "127.0.0.1" || name == "::1"
+}
+
+type plainOrLoginAuth struct {
+	username   string
+	password   string
+	host       string
+	authMethod string
+}
+
+func (a *plainOrLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
+	// Must have TLS, or else localhost server.
+	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
+	// In particular, it doesn't matter if the server advertises PLAIN auth.
+	// That might just be the attacker saying
+	// "it's ok, you can trust me with your password."
+	if !server.TLS && !isLocalhost(server.Name) {
+		return "", nil, errors.New("unencrypted connection")
+	}
+	if server.Name != a.host {
+		return "", nil, errors.New("wrong host name")
+	}
+	if !slices.Contains(server.Auth, "PLAIN") {
+		a.authMethod = "LOGIN"
+		return a.authMethod, nil, nil
+	} else {
+		a.authMethod = "PLAIN"
+		resp := []byte("\x00" + a.username + "\x00" + a.password)
+		return a.authMethod, resp, nil
+	}
+}
+
+func (a *plainOrLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
+	if !more {
+		return nil, nil
+	}
+
+	if a.authMethod == "PLAIN" {
+		// We've already sent everything.
+		return nil, errors.New("unexpected server challenge")
+	}
+
+	switch {
+	case bytes.Equal(fromServer, []byte("Username:")):
+		return []byte(a.username), nil
+	case bytes.Equal(fromServer, []byte("Password:")):
+		return []byte(a.password), nil
+	default:
+		return nil, fmt.Errorf("unexpected server challenge: %s", fromServer)
+	}
+}
diff --git a/util/mailer/mailer.go b/util/mailer/mailer.go
@@ -97,17 +97,12 @@ func plainauth(
 	to string,
 	body *bytes.Buffer,
 ) error {
+	auth := PlainOrLoginAuth(username, password, host)
+	//auth := smtp.PlainAuth("", username, password, host)
+
 	return smtp.SendMail(
-		net.JoinHostPort(
-			host,
-			port,
-		),
-		smtp.PlainAuth(
-			"",
-			username,
-			password,
-			host,
-		),
+		net.JoinHostPort(host, port),
+		auth,
 		from,
 		[]string{to},
 		body.Bytes(),
@@ -121,12 +116,7 @@ func anonymous(
 	to string,
 	body *bytes.Buffer,
 ) error {
-	c, err := smtp.Dial(
-		net.JoinHostPort(
-			host,
-			port,
-		),
-	)
+	c, err := smtp.Dial(net.JoinHostPort(host, port))
 
 	if err != nil {
 		return err
