[pocketbase#1217] add support for smtp LOGIN auth

core/base.go

@@ -358,13 +358,14 @@ func (app *BaseApp) SubscriptionsBroker() *subscriptions.Broker {
 // based on the current app settings.
 func (app *BaseApp) NewMailClient() mailer.Mailer {
 	if app.Settings().Smtp.Enabled {
-		return mailer.NewSmtpClient(
-			app.Settings().Smtp.Host,
-			app.Settings().Smtp.Port,
-			app.Settings().Smtp.Username,
-			app.Settings().Smtp.Password,
-			app.Settings().Smtp.Tls,
-		)
+		return &mailer.SmtpClient{
+			Host:       app.Settings().Smtp.Host,
+			Port:       app.Settings().Smtp.Port,
+			Username:   app.Settings().Smtp.Username,
+			Password:   app.Settings().Smtp.Password,
+			Tls:        app.Settings().Smtp.Tls,
+			AuthMethod: app.Settings().Smtp.AuthMethod,
+		}
 	}
 
 	return &mailer.Sendmail{}

models/settings/settings.go

@@ -10,6 +10,7 @@ import (
 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/go-ozzo/ozzo-validation/v4/is"
 	"github.com/pocketbase/pocketbase/tools/auth"
+	"github.com/pocketbase/pocketbase/tools/mailer"
 	"github.com/pocketbase/pocketbase/tools/rest"
 	"github.com/pocketbase/pocketbase/tools/security"
 )
@@ -262,6 +263,9 @@ type SmtpConfig struct {
 	Username string `form:"username" json:"username"`
 	Password string `form:"password" json:"password"`
 
+	// SMTP AUTH - PLAIN (default) or LOGIN
+	AuthMethod string `form:"authMethod" json:"authMethod"`
+
 	// Whether to enforce TLS encryption for the mail server connection.
 	//
 	// When set to false StartTLS command is send, leaving the server
@@ -272,8 +276,23 @@ type SmtpConfig struct {
 // Validate makes SmtpConfig validatable by implementing [validation.Validatable] interface.
 func (c SmtpConfig) Validate() error {
 	return validation.ValidateStruct(&c,
-		validation.Field(&c.Host, is.Host, validation.When(c.Enabled, validation.Required)),
-		validation.Field(&c.Port, validation.When(c.Enabled, validation.Required), validation.Min(0)),
+		validation.Field(
+			&c.Host,
+			validation.When(c.Enabled, validation.Required),
+			is.Host,
+		),
+		validation.Field(
+			&c.Port,
+			validation.When(c.Enabled, validation.Required),
+			validation.Min(0),
+		),
+		validation.Field(
+			&c.AuthMethod,
+			// don't require it for backward compatibility
+			// (fallback internally to PLAIN)
+			// validation.When(c.Enabled, validation.Required),
+			validation.In(mailer.SmtpAuthLogin, mailer.SmtpAuthPlain),
+		),
 	)
 }
 

models/settings/settings_test.go

@@ -9,6 +9,7 @@ import (
 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/pocketbase/pocketbase/models/settings"
 	"github.com/pocketbase/pocketbase/tools/auth"
+	"github.com/pocketbase/pocketbase/tools/mailer"
 )
 
 func TestSettingsValidate(t *testing.T) {
@@ -205,7 +206,7 @@ func TestSettingsRedactClone(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	expected := `{"meta":{"appName":"test123","appUrl":"http://localhost:8090","hideControls":false,"senderName":"Support","senderAddress":"[email protected]","verificationTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eThank you for joining us at {APP_NAME}.\u003c/p\u003e\n\u003cp\u003eClick on the button below to verify your email address.\u003c/p\u003e\n\u003cp\u003e\n  \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eVerify\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\n  Thanks,\u003cbr/\u003e\n  {APP_NAME} team\n\u003c/p\u003e","subject":"Verify your {APP_NAME} email","actionUrl":"{APP_URL}/_/#/auth/confirm-verification/{TOKEN}"},"resetPasswordTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to reset your password.\u003c/p\u003e\n\u003cp\u003e\n  \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eReset password\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to reset your password, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n  Thanks,\u003cbr/\u003e\n  {APP_NAME} team\n\u003c/p\u003e","subject":"Reset your {APP_NAME} password","actionUrl":"{APP_URL}/_/#/auth/confirm-password-reset/{TOKEN}"},"confirmEmailChangeTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to confirm your new email address.\u003c/p\u003e\n\u003cp\u003e\n  \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eConfirm new email\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to change your email address, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n  Thanks,\u003cbr/\u003e\n  {APP_NAME} team\n\u003c/p\u003e","subject":"Confirm your {APP_NAME} new email address","actionUrl":"{APP_URL}/_/#/auth/confirm-email-change/{TOKEN}"}},"logs":{"maxDays":5},"smtp":{"enabled":false,"host":"smtp.example.com","port":587,"username":"","password":"******","tls":true},"s3":{"enabled":false,"bucket":"","region":"","endpoint":"","accessKey":"","secret":"******","forcePathStyle":false},"adminAuthToken":{"secret":"******","duration":1209600},"adminPasswordResetToken":{"secret":"******","duration":1800},"recordAuthToken":{"secret":"******","duration":1209600},"recordPasswordResetToken":{"secret":"******","duration":1800},"recordEmailChangeToken":{"secret":"******","duration":1800},"recordVerificationToken":{"secret":"******","duration":604800},"emailAuth":{"enabled":false,"exceptDomains":null,"onlyDomains":null,"minPasswordLength":0},"googleAuth":{"enabled":false,"clientSecret":"******"},"facebookAuth":{"enabled":false,"clientSecret":"******"},"githubAuth":{"enabled":false,"clientSecret":"******"},"gitlabAuth":{"enabled":false,"clientSecret":"******"},"discordAuth":{"enabled":false,"clientSecret":"******"},"twitterAuth":{"enabled":false,"clientSecret":"******"},"microsoftAuth":{"enabled":false,"clientSecret":"******"},"spotifyAuth":{"enabled":false,"clientSecret":"******"},"kakaoAuth":{"enabled":false,"clientSecret":"******"},"twitchAuth":{"enabled":false,"clientSecret":"******"}}`
+	expected := `{"meta":{"appName":"test123","appUrl":"http://localhost:8090","hideControls":false,"senderName":"Support","senderAddress":"[email protected]","verificationTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eThank you for joining us at {APP_NAME}.\u003c/p\u003e\n\u003cp\u003eClick on the button below to verify your email address.\u003c/p\u003e\n\u003cp\u003e\n  \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eVerify\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\n  Thanks,\u003cbr/\u003e\n  {APP_NAME} team\n\u003c/p\u003e","subject":"Verify your {APP_NAME} email","actionUrl":"{APP_URL}/_/#/auth/confirm-verification/{TOKEN}"},"resetPasswordTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to reset your password.\u003c/p\u003e\n\u003cp\u003e\n  \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eReset password\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to reset your password, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n  Thanks,\u003cbr/\u003e\n  {APP_NAME} team\n\u003c/p\u003e","subject":"Reset your {APP_NAME} password","actionUrl":"{APP_URL}/_/#/auth/confirm-password-reset/{TOKEN}"},"confirmEmailChangeTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to confirm your new email address.\u003c/p\u003e\n\u003cp\u003e\n  \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eConfirm new email\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to change your email address, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n  Thanks,\u003cbr/\u003e\n  {APP_NAME} team\n\u003c/p\u003e","subject":"Confirm your {APP_NAME} new email address","actionUrl":"{APP_URL}/_/#/auth/confirm-email-change/{TOKEN}"}},"logs":{"maxDays":5},"smtp":{"enabled":false,"host":"smtp.example.com","port":587,"username":"","password":"******","authMethod":"","tls":true},"s3":{"enabled":false,"bucket":"","region":"","endpoint":"","accessKey":"","secret":"******","forcePathStyle":false},"adminAuthToken":{"secret":"******","duration":1209600},"adminPasswordResetToken":{"secret":"******","duration":1800},"recordAuthToken":{"secret":"******","duration":1209600},"recordPasswordResetToken":{"secret":"******","duration":1800},"recordEmailChangeToken":{"secret":"******","duration":1800},"recordVerificationToken":{"secret":"******","duration":604800},"emailAuth":{"enabled":false,"exceptDomains":null,"onlyDomains":null,"minPasswordLength":0},"googleAuth":{"enabled":false,"clientSecret":"******"},"facebookAuth":{"enabled":false,"clientSecret":"******"},"githubAuth":{"enabled":false,"clientSecret":"******"},"gitlabAuth":{"enabled":false,"clientSecret":"******"},"discordAuth":{"enabled":false,"clientSecret":"******"},"twitterAuth":{"enabled":false,"clientSecret":"******"},"microsoftAuth":{"enabled":false,"clientSecret":"******"},"spotifyAuth":{"enabled":false,"clientSecret":"******"},"kakaoAuth":{"enabled":false,"clientSecret":"******"},"twitchAuth":{"enabled":false,"clientSecret":"******"}}`
 
 	if encodedStr := string(encoded); encodedStr != expected {
 		t.Fatalf("Expected\n%v\ngot\n%v", expected, encodedStr)
@@ -327,7 +328,17 @@ func TestSmtpConfigValidate(t *testing.T) {
 			},
 			true,
 		},
-		// valid data
+		// invalid auth method
+		{
+			settings.SmtpConfig{
+				Enabled:    true,
+				Host:       "example.com",
+				Port:       100,
+				AuthMethod: "example",
+			},
+			true,
+		},
+		// valid data (no explicit auth method)
 		{
 			settings.SmtpConfig{
 				Enabled: true,
@@ -337,6 +348,16 @@ func TestSmtpConfigValidate(t *testing.T) {
 			},
 			false,
 		},
+		// valid data (explicit auth method - login)
+		{
+			settings.SmtpConfig{
+				Enabled:    true,
+				Host:       "example.com",
+				Port:       100,
+				AuthMethod: mailer.SmtpAuthLogin,
+			},
+			false,
+		},
 	}
 
 	for i, scenario := range scenarios {

tools/mailer/sendmail.go

@@ -10,8 +10,8 @@ import (
 
 var _ Mailer = (*Sendmail)(nil)
 
-// Sendmail implements `mailer.Mailer` interface and defines a mail
-// client that sends emails via the `sendmail` *nix command.
+// Sendmail implements [mailer.Mailer] interface and defines a mail
+// client that sends emails via the "sendmail" *nix command.
 //
 // This client is usually recommended only for development and testing.
 type Sendmail struct {

tools/mailer/smtp.go

@@ -1,6 +1,7 @@
 package mailer
 
 import (
+	"errors"
 	"fmt"
 	"net/smtp"
 	"strings"
@@ -11,7 +12,14 @@ import (
 
 var _ Mailer = (*SmtpClient)(nil)
 
-// NewSmtpClient creates new `SmtpClient` with the provided configuration.
+const (
+	SmtpAuthPlain = "PLAIN"
+	SmtpAuthLogin = "LOGIN"
+)
+
+// Deprecated: Use directly the SmtpClient struct literal.
+//
+// NewSmtpClient creates new SmtpClient with the provided configuration.
 func NewSmtpClient(
 	host string,
 	port int,
@@ -20,41 +28,47 @@ func NewSmtpClient(
 	tls bool,
 ) *SmtpClient {
 	return &SmtpClient{
-		host:     host,
-		port:     port,
-		username: username,
-		password: password,
-		tls:      tls,
+		Host:     host,
+		Port:     port,
+		Username: username,
+		Password: password,
+		Tls:      tls,
 	}
 }
 
 // SmtpClient defines a SMTP mail client structure that implements
 // `mailer.Mailer` interface.
 type SmtpClient struct {
-	host     string
-	port     int
-	username string
-	password string
-	tls      bool
+	Host       string
+	Port       int
+	Username   string
+	Password   string
+	Tls        bool
+	AuthMethod string // default to "PLAIN"
 }
 
 // Send implements `mailer.Mailer` interface.
 func (c *SmtpClient) Send(m *Message) error {
 	var smtpAuth smtp.Auth
-	if c.username != "" || c.password != "" {
-		smtpAuth = smtp.PlainAuth("", c.username, c.password, c.host)
+	if c.Username != "" || c.Password != "" {
+		switch c.AuthMethod {
+		case SmtpAuthLogin:
+			smtpAuth = &smtpLoginAuth{c.Username, c.Password}
+		default:
+			smtpAuth = smtp.PlainAuth("", c.Username, c.Password, c.Host)
+		}
 	}
 
 	// create mail instance
 	var yak *mailyak.MailYak
-	if c.tls {
+	if c.Tls {
 		var tlsErr error
-		yak, tlsErr = mailyak.NewWithTLS(fmt.Sprintf("%s:%d", c.host, c.port), smtpAuth, nil)
+		yak, tlsErr = mailyak.NewWithTLS(fmt.Sprintf("%s:%d", c.Host, c.Port), smtpAuth, nil)
 		if tlsErr != nil {
 			return tlsErr
 		}
 	} else {
-		yak = mailyak.New(fmt.Sprintf("%s:%d", c.host, c.port), smtpAuth)
+		yak = mailyak.New(fmt.Sprintf("%s:%d", c.Host, c.Port), smtpAuth)
 	}
 
 	if m.From.Name != "" {
@@ -108,3 +122,59 @@ func (c *SmtpClient) Send(m *Message) error {
 
 	return yak.Send()
 }
+
+// -------------------------------------------------------------------
+// AUTH LOGIN
+// -------------------------------------------------------------------
+
+var _ smtp.Auth = (*smtpLoginAuth)(nil)
+
+// smtpLoginAuth defines an AUTH that implements the LOGIN authentication mechanism.
+//
+// AUTH LOGIN is obsolete[1] but some mail services like outlook requires it [2].
+//
+// NB!
+// It will only send the credentials if the connection is using TLS or is connected to localhost.
+// Otherwise authentication will fail with an error, without sending the credentials.
+//
+// [1]: https://github.com/golang/go/issues/40817
+// [2]: https://support.microsoft.com/en-us/office/outlook-com-no-longer-supports-auth-plain-authentication-07f7d5e9-1697-465f-84d2-4513d4ff0145?ui=en-us&rs=en-us&ad=us
+type smtpLoginAuth struct {
+	username, password string
+}
+
+// Start initializes an authentication with the server.
+//
+// It is part of the [smtp.Auth] interface.
+func (a *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
+	// Must have TLS, or else localhost server.
+	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
+	// In particular, it doesn't matter if the server advertises LOGIN auth.
+	// That might just be the attacker saying
+	// "it's ok, you can trust me with your password."
+	if !server.TLS && !isLocalhost(server.Name) {
+		return "", nil, errors.New("unencrypted connection")
+	}
+
+	return "LOGIN", nil, nil
+}
+
+// Next "continues" the auth process by feeding the server with the requested data.
+//
+// It is part of the [smtp.Auth] interface.
+func (a *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
+	if more {
+		switch strings.ToLower(string(fromServer)) {
+		case "username:":
+			return []byte(a.username), nil
+		case "password:":
+			return []byte(a.password), nil
+		}
+	}
+
+	return nil, nil
+}
+
+func isLocalhost(name string) bool {
+	return name == "localhost" || name == "127.0.0.1" || name == "::1"
+}