Permission denied error

i.e.:

["demo2.kumomta.com"]
relay_from_authz = [ 'myusername' ]

["anotherdomain.au"]
relay_from_authz = [ 'yourusername' ]

["kiwisareawesome.nz"]
relay_from_authz = [ 'tane' ]

so even if myusername passes authentication, they can only do so while sending for demo2.kumomta.com, otherwise it is rejected.

Tom, how can we make it so there is no other way, so that the only way to send messages via HTTP or SMTP is by passing AUTH checks?

At the moment, I am trying to make SMTP auth work first before moving to HTTP auth. Here’s the snippet from my init.lua file:

local sqlite = require 'sqlite'

-- Custom AUTH start
-- Defined at top level so the memoized wrapper is created once,
-- rather than being rebuilt (and its cache discarded) on every AUTH attempt.
function sqlite_auth_check(user, password)
  local db = sqlite.open '/home/simple.db'
  local result = db:execute(
    'select * from mw_customer where email=? and apikey=?',
    user,
    password
  )
  -- if we got any rows, it was because a user+pass matched
  return #result == 1
end

-- This creates a new function called `cached_sqlite_auth_check`
-- that remembers the results for a given set of parameters for up
-- to 5 minutes or up to 100 different sets of parameters
cached_sqlite_auth_check = kumo.memoize(sqlite_auth_check, {
  name = 'sqlite_auth',
  ttl = '5 minutes',
  capacity = 100,
})
-- Custom AUTH end

kumo.on('smtp_server_auth_plain', function(authz, authc, password)
  -- authc is the identity being authenticated; check it with its password
  return cached_sqlite_auth_check(authc, password)
end)

-- Maps the tenant id carried in the X-Tenant header to the pool it may use.
local TENANT_TO_POOL = {
  ['nz397cgzsz1f1'] = 'nz397cgzsz1f1',
  ['ak9312q2lwc8d'] = 'Low',
}

kumo.on('smtp_server_message_received', function(msg)
  -- Assign tenant based on X-Tenant header.
  local tenant = msg:get_first_named_header_value 'X-Tenant'
  if not tenant then
    kumo.reject(500, 'Sorry the message is missing X-Tenant header')
  end

  if not TENANT_TO_POOL[tenant] then
    kumo.reject(500, 'Invalid/unknown tenant ' .. tenant)
  end

  msg:set_meta('tenant', tenant)
  -- Strip the header so the tenant id is not passed on to the recipient.
  msg:remove_x_headers { 'x-tenant' }
end)

When I do testing using swaks, here’s what I am getting:

swaks -auth PLAIN -server mta-test.xxx.com:25 -au AUTH_USERNAME -ap 'AUTH_PASSWORD' --to 07b30c2a-d305-44f5-b8d3-9a76815707a7@email.webhook.site --from roshan@xxx.com --header "Subject: Testing from mailing server" --body "Testing to see if all is working as planned"
=== Trying mta-test.xxx.com:25...
=== Connected to mta-test.xxx.com.
<-  220 mta-test.xxx.com Gday!
 -> EHLO macbook-pro-2.local
<-  250-mta-test.xxx.com Aloha macbook-pro-2.local
<-  250-PIPELINING
<-  250-ENHANCEDSTATUSCODES
<-  250 STARTTLS
*** Host did not advertise authentication
 -> QUIT
<-  221 So long, and thanks for all the fish!
=== Connection closed with remote host.

Hey there <@!900516762410442773>, did you just paste a trace with AUTH PLAIN in it?
The AUTH PLAIN part of an SMTP trace reveals the auth credentials; they are only obscured by base64 encoding, not encrypted.
I’d recommend that you change the credentials shown in that trace!

Unfortunately, even by placing it there, the kumod user has permission issues. I need to chown the SSL files from root ownership to kumod. I wish there was an easier way to use Let’s Encrypt SSL files without having to copy them; I currently have a cron job that replaces them every x amount of days so we don’t have invalid SSL issues.

@free-spirited-yorksh Did I cause this or is this default ownership in these directories? I am not quite sure if the whole /opt/kumomta folder/files should be owned by kumod user?

ls -la /opt/kumomta
total 20
drwxr-xr-x 5 root  root  4096 Oct 30 03:37 .
drwxr-xr-x 3 root  root  4096 Oct 30 03:37 ..
drwxr-xr-x 5 kumod kumod 4096 Oct 31 08:21 etc
drwxr-xr-x 2 root  root  4096 Oct 30 21:58 sbin
drwxr-xr-x 4 root  root  4096 Oct 30 21:58 share

Checking this against my own... will be a few minutes

That seems right:

total 20
4 drwxr-xr-x 3 root  root  4096 Oct 24 18:57 ..
4 drwxr-xr-x 5 root  root  4096 Oct 24 18:57 .
4 drwxrwxr-x 4 root  root  4096 Oct 24 18:57 share
4 drwxrwxr-x 2 root  root  4096 Oct 24 18:57 sbin
4 drwxr-xr-x 4 kumod kumod 4096 Oct 24 19:55 etc

except sbin and share should be 775, not 755

Thanks for that. Just need to get HTTP and SMTP auth working now.

yes, looking

To clarify the TLS permissions thing, the dirs up to the cert path should have 775 permission. The cert files should be 644.

total 12
4 drwxrwxr-x 3 kumod kumod 4096 Sep  5 16:55 .
4 drwxrwxr-x 2 kumod kumod 4096 Sep  7 21:27 my.demo.kumomta.com
4 drwxr-xr-x 5 kumod kumod 4096 Oct 31 21:08 ..
ubuntu@my:/opt/kumomta$ ls -asltr etc/tls/my.demo.kumomta.com/
total 28
4 -rw-r--r-- 1 kumod kumod 1704 Sep  5 16:55 ca.key
4 -rw-r--r-- 1 kumod kumod 1013 Sep  5 16:55 ca.csr
4 -rw-r--r-- 1 kumod kumod 1233 Sep  5 16:55 ca.crt
4 drwxrwxr-x 3 kumod kumod 4096 Sep  5 16:55 ..
4 -rw-r--r-- 1 kumod kumod 1497 Sep  7 21:27 cert.pem
4 -rw-r--r-- 1 kumod kumod  241 Sep  7 21:27 privkey.pem
4 drwxrwxr-x 2 kumod kumod 4096 Sep  7 21:27 .

And when you test with swaks, you need to make sure swaks is using TLS too:
swaks --to tom@kumomta.com --from mkt@demo2.kumomta.com --server demo2.kumomta.com --port 587 --auth plain --tls --auth-user testuser --auth-password ThisIsABadPassword

Hey there <@!1073644991701856326>, did you just paste a trace with AUTH PLAIN in it?
The AUTH PLAIN part of an SMTP trace reveals the auth credentials; they are only obscured by base64 encoding, not encrypted.
I’d recommend that you change the credentials shown in that trace!

You may need to specify the cert path if it is not obvious to swaks.

    --tls-ca-path <ca-location>
        Specify an alternate location for CA information for verifying
        server certificates. The argument can point to a file or directory.
        The default behavior is to use the underlying OpenSSL library's
        default information. (Arg-Required)

    --tls-cert <cert-file>
        Provide a path to a file containing the local certificate Swaks
        should use if TLS is negotiated. The file path argument is required.
        As currently implemented the certificate in the file must be in PEM
        format. Contact the author if there's a compelling need for ASN1. If
        this option is set, "--tls-key" is also required. (Arg-Required)

    --tls-key <key-file>
        Provide a path to a file containing the local private key Swaks
        should use if TLS is negotiated. The file path argument is required.
        As currently implemented the certificate in the file must be in PEM
        format. Contact the author if there's a compelling need for ASN1. If
        this option is set, "--tls-cert" is also required. (Arg-Required)

Letsencrypt should not be a problem - I use it myself.

But the problem is, KumoMTA is allowing relay without authentication.

yes, I am fixing that now