nginx · raboof · Nov 23, 2024 · Nov 26, 2024
diff --git a/lib/Test/Nginx/SMTP.pm b/lib/Test/Nginx/SMTP.pm
@@ -150,8 +150,14 @@ sub socket {
 
 ###############################################################################
 
+sub fail {
+	my ($client, $reason) = @_;
+	print $client '500 failed: ' . $reason . CRLF;
+	$client->close();
+}
+
 sub smtp_test_daemon {
-	my ($port) = @_;
+	my ($port, $with_auth) = @_;
 	my $proxy_protocol;
 
 	my $server = IO::Socket::INET->new(
@@ -167,6 +173,7 @@ sub smtp_test_daemon {
 		print $client "220 fake esmtp server ready" . CRLF;
 
 		$proxy_protocol = '';
+		my $authenticated = 0;
 
 		while (<$client>) {
 			Test::Nginx::log_core('||', $_);
@@ -177,8 +184,15 @@ sub smtp_test_daemon {
 				print $client '250 hello ok' . CRLF;
 			} elsif (/^rset/i) {
 				print $client '250 rset ok' . CRLF;
+			} elsif (/^auth/i and not $with_auth) {
+				fail($client, "No authentication expected");
 			} elsif (/^auth plain/i) {
 				print $client '235 auth ok' . CRLF;
+				$authenticated = 1;
+			} elsif (/^mail/i and $with_auth and not $authenticated) {
+				fail($client, "Authentication expected");
+			} elsif (/^rcpt/i and $with_auth and not $authenticated) {
+				fail($client, "Authentication expected");
 			} elsif (/^mail from:[^@]+$/i) {
 				print $client '500 mail from error' . CRLF;
 			} elsif (/^mail from:/i) {

diff --git a/mail_proxy_protocol.t b/mail_proxy_protocol.t
@@ -91,7 +91,7 @@ http {
 
 EOF
 
-$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon);
+$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon, port(8026), 1);
 $t->run()->plan(8);
 
 $t->waitforsocket('127.0.0.1:' . port(8026));

diff --git a/mail_proxy_smtp_auth.t b/mail_proxy_smtp_auth.t
@@ -75,7 +75,7 @@ http {
 
 EOF
 
-$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon);
+$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon, port(8026), 1);
 $t->run()->plan(7);
 
 $t->waitforsocket('127.0.0.1:' . port(8026));

diff --git a/mail_proxy_smtp_auth_none.t b/mail_proxy_smtp_auth_none.t
@@ -0,0 +1,149 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for nginx mail proxy module, the proxy_smtp_auth directive.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+use MIME::Base64;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::SMTP;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+local $SIG{PIPE} = 'IGNORE';
+
+my $t = Test::Nginx->new()->has(qw/mail smtp http rewrite/)
+	->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+mail {
+    proxy_pass_error_message  on;
+    proxy_timeout             15s;
+    proxy_smtp_auth           on;
+    auth_http  http://127.0.0.1:8080/mail/auth;
+    smtp_auth  login plain external;
+
+    server {
+        listen     127.0.0.1:8025;
+        protocol   smtp;
+    }
+
+    server {
+        listen     127.0.0.1:8027;
+        protocol   smtp;
+        xclient    off;
+    }
+}
+
+http {
+    %%TEST_GLOBALS_HTTP%%
+
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location = /mail/auth {
+            add_header Auth-Status OK;
+            add_header Auth-Server 127.0.0.1;
+            add_header Auth-Port   %%PORT_8026%%;
+            add_header Auth-Wait   1;
+            add_header Auth-Method none;
+            return 204;
+        }
+    }
+}
+
+EOF
+
+$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon, port(8026), 0);
+$t->run()->plan(7);
+
+$t->waitforsocket('127.0.0.1:' . port(8026));
+
+###############################################################################
+
+# The following combinations may be sent to backend with proxy_smtp_auth on:
+#
+# ehlo, xclient, auth
+# ehlo, xclient, helo, auth
+# ehlo, xclient, ehlo, auth
+# helo, auth
+# ehlo, auth
+#
+# Test them in order.
+
+# ehlo, xclient, auth
+
+my $s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, xclient, auth');
+
+# ehlo, xclient, helo, auth
+
+$s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('HELO example.com');
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, xclient, helo, auth');
+
+# ehlo, xclient, ehlo, auth
+
+$s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('EHLO example.com');
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, xclient, ehlo, auth');
+
+# helo, auth
+
+$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8027));
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('helo, auth');
+
+# ehlo, auth
+
+$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8027));
+$s->read();
+$s->send('EHLO example.com');
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, auth');
+
+# Try auth external
+
+$s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('EHLO example.com');
+$s->read();
+
+$s->send('AUTH EXTERNAL');
+$s->check(qr/^334 VXNlcm5hbWU6/, 'auth external challenge');
+$s->send(encode_base64('test@example.com', ''));
+$s->authok('auth external');
+
+###############################################################################