Merge pull request #246 from sebadob/localhost-smtp-relay

Allow insecure smtp relay by config
sebadob · Jan 18, 2024 · ef46414 · ef46414
2 parents 9964fa4 + 03f52ca
commit ef46414
Show file tree

Hide file tree

Showing 11 changed files with 200 additions and 22 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -61,6 +61,17 @@ The rest works just the same and as expected: http://localhost:5173/auth/v1/inde
 As long as you don't use passkeys, it should work right away. If you however want to test passkeys with the local
 dev ui, you need to adjust the port for `RP_ORIGIN` in the `rauthy.cfg`.
 
+### Local SMTP Relay
+
+If you want to use a local SMTP relay for testing E-Mails, there are just recipes for [maildev](https://github.com/maildev/maildev):
+
+`just maildev-start` will start the docker container for `maildev`. The UI will be available via http://localhost:1080
+You need to set in the config:
+- `SMTP_URL=localhost`
+- `SMTP_DANGER_INSECURE=true`
+
+You can stop the container with `just maildev-stop`.
+
 ## Before Submitting a PR
 
 This project does not have any actions and automatic pipelines set up yet.  

diff --git a/Cargo.toml b/Cargo.toml
@@ -11,7 +11,7 @@ members = [
 exclude = ["rauthy-client"]
 
 [workspace.package]
-version = "0.20.1"
+version = "0.20.2-20240118"
 edition = "2021"
 authors = ["Sebastian Dobe <sebastiandobe@mailbox.org>"]
 license = "Apache-2.0"

diff --git a/dev_notes.md b/dev_notes.md
@@ -7,9 +7,6 @@
 https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation -> 15.1
 These are mandatory and will come with the next PR's.
 
-- respect `prompt` on `/authorize` (mandatory: `none` + `login`)
-- respect `max_age` on `/authorize`
-- add `auth_time` claim to the ID token
 - double check `redirect_uri` during final token request with auth code
 
 ## TODO next features

diff --git a/docs/config/config.html b/docs/config/config.html
@@ -456,11 +456,38 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # default: &quot;Rauthy IAM&quot;
 EMAIL_SUB_PREFIX=&quot;Rauthy IAM&quot;
 
-SMTP_USERNAME=
+# Rauthy will force TLS and try a downgrade to STARTTLS, if
+# TLS fails. It will never allow an unencrypted connection.
+# You might want to set `SMTP_DANGER_INSECURE=true` if you
+# need this for local dev.
+#SMTP_URL=
+#SMTP_USERNAME=
 #SMTP_PASSWORD=
-SMTP_URL=
 # Format: &quot;Rauthy &lt;rauthy@localhost.de&gt;&quot;
-SMTP_FROM=
+#SMTP_FROM=
+
+# The number of retries that should be done for connecting to
+# the given SMTP_URL.
+# When these retries are exceeded without success, Rauthy will
+# panic and exit, so no E-Mail can get lost silently because of
+# a missing SMTP connection.
+# default: 3
+#SMTP_CONNECT_RETRIES=3
+
+# You can set this to `true` to allow an unencrypted and
+# unauthenticated SMTP connection to an SMTP relay on your localhost
+# or for development purposes.
+# When set to `true`, `SMTP_USERNAME` and `SMTP_PASSWORD` will be
+# ignored and you can modify the target port with
+# `SMTP_DANGER_INSECURE_PORT`.
+# default: false
+#SMTP_DANGER_INSECURE=false
+
+# The port for an insecure SMTP relay.
+# This will most likely be used for testing only.
+# It will only be taken into account if `SMTP_DANGER_INSECURE=true` is set.
+# default: 1025
+#SMTP_DANGER_INSECURE_PORT=1025
 
 #####################################
 ###### ENCRYPTION / HASHING #########

diff --git a/docs/print.html b/docs/print.html
@@ -1700,11 +1700,38 @@ <h4 id="config-adjustments---rest-api"><a class="header" href="#config-adjustmen
 # default: &quot;Rauthy IAM&quot;
 EMAIL_SUB_PREFIX=&quot;Rauthy IAM&quot;
 
-SMTP_USERNAME=
+# Rauthy will force TLS and try a downgrade to STARTTLS, if
+# TLS fails. It will never allow an unencrypted connection.
+# You might want to set `SMTP_DANGER_INSECURE=true` if you
+# need this for local dev.
+#SMTP_URL=
+#SMTP_USERNAME=
 #SMTP_PASSWORD=
-SMTP_URL=
 # Format: &quot;Rauthy &lt;rauthy@localhost.de&gt;&quot;
-SMTP_FROM=
+#SMTP_FROM=
+
+# The number of retries that should be done for connecting to
+# the given SMTP_URL.
+# When these retries are exceeded without success, Rauthy will
+# panic and exit, so no E-Mail can get lost silently because of
+# a missing SMTP connection.
+# default: 3
+#SMTP_CONNECT_RETRIES=3
+
+# You can set this to `true` to allow an unencrypted and
+# unauthenticated SMTP connection to an SMTP relay on your localhost
+# or for development purposes.
+# When set to `true`, `SMTP_USERNAME` and `SMTP_PASSWORD` will be
+# ignored and you can modify the target port with
+# `SMTP_DANGER_INSECURE_PORT`.
+# default: false
+#SMTP_DANGER_INSECURE=false
+
+# The port for an insecure SMTP relay.
+# This will most likely be used for testing only.
+# It will only be taken into account if `SMTP_DANGER_INSECURE=true` is set.
+# default: 1025
+#SMTP_DANGER_INSECURE_PORT=1025
 
 #####################################
 ###### ENCRYPTION / HASHING #########

diff --git a/docs/searchindex.js b/docs/searchindex.js
diff --git a/docs/searchindex.json b/docs/searchindex.json
diff --git a/justfile b/justfile
@@ -64,6 +64,18 @@ docker-buildx-setup:
     docker buildx inspect rauthy_builder
 
 
+# Starts maildev (https://github.com/maildev/maildev) on your localhost for E-Mail testing
+maildev-start:
+    #!/usr/bin/env bash
+    docker run -d --rm -p 1080:1080 -p 1025:1025 --name maildev maildev/maildev
+
+
+# Stops maildev
+maildev-stop:
+    #!/usr/bin/env bash
+    docker stop maildev
+
+
 # Just uses `cargo fmt --all`
 fmt:
     #!/usr/bin/env bash

diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -280,11 +280,38 @@ DPOP_NONCE_EXP=900
 # default: "Rauthy IAM"
 EMAIL_SUB_PREFIX="Rauthy IAM"
 
-SMTP_USERNAME=
+# Rauthy will force TLS and try a downgrade to STARTTLS, if
+# TLS fails. It will never allow an unencrypted connection.
+# You might want to set `SMTP_DANGER_INSECURE=true` if you
+# need this for local dev.
+#SMTP_URL=
+#SMTP_USERNAME=
 #SMTP_PASSWORD=
-SMTP_URL=
 # Format: "Rauthy <rauthy@localhost.de>"
-SMTP_FROM=
+#SMTP_FROM=
+
+# The number of retries that should be done for connecting to
+# the given SMTP_URL.
+# When these retries are exceeded without success, Rauthy will
+# panic and exit, so no E-Mail can get lost silently because of
+# a missing SMTP connection.
+# default: 3
+#SMTP_CONNECT_RETRIES=3
+
+# You can set this to `true` to allow an unencrypted and
+# unauthenticated SMTP connection to an SMTP relay on your localhost
+# or for development purposes.
+# When set to `true`, `SMTP_USERNAME` and `SMTP_PASSWORD` will be
+# ignored and you can modify the target port with
+# `SMTP_DANGER_INSECURE_PORT`.
+# default: false
+#SMTP_DANGER_INSECURE=false
+
+# The port for an insecure SMTP relay.
+# This will most likely be used for testing only.
+# It will only be taken into account if `SMTP_DANGER_INSECURE=true` is set.
+# default: 1025
+#SMTP_DANGER_INSECURE_PORT=1025
 
 #####################################
 ###### ENCRYPTION / HASHING #########

diff --git a/rauthy-models/src/email.rs b/rauthy-models/src/email.rs
@@ -17,6 +17,7 @@ use rauthy_common::constants::{
 };
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
 use rauthy_notify::Notification;
+use std::env;
 use std::time::Duration;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::Receiver;
@@ -412,21 +413,40 @@ pub async fn sender(mut rx: Receiver<EMail>, test_mode: bool) {
         }
     }
 
-    let smtp_url = SMTP_URL.as_deref().unwrap();
     let mailer = {
+        let smtp_url = SMTP_URL.as_deref().unwrap();
+        let smtp_insecure = env::var("SMTP_DANGER_INSECURE")
+            .unwrap_or_else(|_| "false".to_string())
+            .parse::<bool>()
+            .expect("Cannot parse SMTP_DANGER_INSECURE to bool");
+
         let mut retries = 0;
+        let retries_max = env::var("SMTP_CONNECT_RETRIES")
+            .unwrap_or_else(|_| "3".to_string())
+            .trim()
+            .parse::<u16>()
+            .expect("Cannot parse SMTP_CONNECT_RETRIES to u16");
+
+        let mut conn = if smtp_insecure {
+            conn_test_smtp_localhost().await
+        } else {
+            connect_test_smtp(smtp_url).await
+        };
 
-        let mut conn = connect_test_smtp(smtp_url).await;
         while let Err(err) = conn {
             error!("{:?}", err);
 
-            if retries >= 3 {
+            if retries >= retries_max {
                 panic!("SMTP connection retries exceeded");
             }
             retries += 1;
             tokio::time::sleep(Duration::from_secs(5)).await;
 
-            conn = connect_test_smtp(smtp_url).await;
+            conn = if smtp_insecure {
+                conn_test_smtp_localhost().await
+            } else {
+                connect_test_smtp(smtp_url).await
+            }
         }
         conn.unwrap()
     };
@@ -524,6 +544,35 @@ async fn connect_test_smtp(
     Ok(conn)
 }
 
+async fn conn_test_smtp_localhost(
+) -> Result<AsyncSmtpTransport<lettre::Tokio1Executor>, ErrorResponse> {
+    let port = env::var("SMTP_DANGER_INSECURE_PORT")
+        .unwrap_or_else(|_| "1025".to_string())
+        .trim()
+        .parse::<u16>()
+        .expect("Cannot parse SMTP_DANGER_INSECURE_PORT to u16");
+
+    let conn = AsyncSmtpTransport::<lettre::Tokio1Executor>::builder_dangerous("localhost")
+        .port(port)
+        .build();
+    match conn.test_connection().await {
+        Ok(true) => {
+            info!(
+                "Successfully connected to localhost SMTP relay on port {}",
+                port
+            );
+            Ok(conn)
+        }
+        Ok(false) | Err(_) => {
+            error!("Could not connect to localhost SMTP relay on port {}", port);
+            Err(ErrorResponse::new(
+                ErrorResponseType::Internal,
+                "Could not connect to localhost SMTP relay".to_string(),
+            ))
+        }
+    }
+}
+
 //github.com/ Prettifies unix timestamps for E-Mails in a better readable format for end users
 #[inline]
 fn email_ts_prettify(ts: i64) -> String {

diff --git a/rauthy.cfg b/rauthy.cfg
@@ -232,17 +232,45 @@ DPOP_NONCE_EXP=900
 ############# E-MAIL ################
 #####################################
 
-# Will be used as the prefix for the E-Mail subject for each E-Mail that will be sent out to a client.
+# Will be used as the prefix for the E-Mail subject for each E-Mail
+# that will be sent out to a client.
 # This can be used to further customize your deployment.
 # default: "Rauthy IAM"
 EMAIL_SUB_PREFIX="Rauthy IAM"
 
+# Rauthy will force TLS and try a downgrade to STARTTLS, if
+# TLS fails. It will never allow an unencrypted connection.
+# You might want to set `SMTP_DANGER_INSECURE=true` if you
+# need this for local dev.
+#SMTP_URL=
 #SMTP_USERNAME=
 #SMTP_PASSWORD=
-#SMTP_URL=
 # Format: "Rauthy <rauthy@localhost.de>"
 #SMTP_FROM=
 
+# The number of retries that should be done for connecting to
+# the given SMTP_URL.
+# When these retries are exceeded without success, Rauthy will
+# panic and exit, so no E-Mail can get lost silently because of
+# a missing SMTP connection.
+# default: 3
+SMTP_CONNECT_RETRIES=0
+
+# You can set this to `true` to allow an unencrypted and
+# unauthenticated SMTP connection to an SMTP relay on your localhost
+# or for development purposes.
+# When set to `true`, `SMTP_USERNAME` and `SMTP_PASSWORD` will be
+# ignored and you can modify the target port with
+# `SMTP_DANGER_INSECURE_PORT`.
+# default: false
+SMTP_DANGER_INSECURE=true
+
+# The port for an insecure SMTP relay.
+# This will most likely be used for testing only.
+# It will only be taken into account if `SMTP_DANGER_INSECURE=true` is set.
+# default: 1025
+SMTP_DANGER_INSECURE_PORT=1025
+
 #####################################
 ###### ENCRYPTION / HASHING #########
 #####################################
@@ -406,7 +434,7 @@ EVENT_MATRIX_ERROR_NO_PANIC=true
 # - critical
 #
 # default: 'warning'
-EVENT_NOTIFY_LEVEL_EMAIL=warning
+EVENT_NOTIFY_LEVEL_EMAIL=info
 # default: 'notice'
 EVENT_NOTIFY_LEVEL_MATRIX=notice
 # default: 'notice'