如何使用aiosmtpd正确支持STARTTLS?

时间:2017-08-01 20:51:17

标签: python python-3.x aiosmtpd

我几乎直接从aiosmtpd文档中获取了以下服务器:

import asyncio
import ssl
from aiosmtpd.controller import Controller


class ExampleHandler:
    async def handle_RCPT(self, server, session, envelope, address, rcpt_options):
        if not address.endswith('@example.com'):
            return '550 not relaying to that domain'
        envelope.rcpt_tos.append(address)
        return '250 OK'

    async def handle_DATA(self, server, session, envelope):
        print(f'Message from {envelope.mail_from}')
        print(f'Message for {envelope.rcpt_tos}')
        print(f'Message data:\n{envelope.content.decode("utf8", errors="replace")}')
        print('End of message')
        return '250 Message accepted for delivery'

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
controller = Controller(ExampleHandler(), port=8026, ssl_context=context)
controller.start()

input('Press enter to stop')
controller.stop()

然而,当我启动此服务器并尝试使用swaks发送电子邮件时:

echo 'Testing' | swaks --to wayne@example.com --from "something@example.org" --server localhost --port 8026 -tls

30秒后超时。如果我从服务器中删除ssl_context=context并从客户端删除-tls,那么它会发送邮件。

此外,当我尝试通过telnet连接并发送EHLO whatever时,服务器实际上会关闭连接。

实现支持tls的aiosmtpd服务器的正确方法是什么?

2 个答案:

答案 0 :(得分:1)

我很亲密。我认为我可以通过telnet连接,但是EHLO hostname会断开服务器提前要求TLS连接的连接。

当我检查swaks --help时,我发现有一个稍微不同的选项,可能会做我想要的:

--tlsc, --tls-on-connect
    Initiate a TLS connection immediately on connection.  Following common convention,
    if this option is specified the default port changes from 25 to 465, though this can
    still be overridden with the --port option.

当我尝试这个时,我仍然遇到错误:

$ echo 'Testing' | swaks --to wayne@example.com --from "something@example.com" --server localhost --port 8026 -tlsc
=== Trying localhost:8026...
=== Connected to localhost.
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))

通过我对Python ssl文档的一些了解,我注意到了load_cert_chain方法。事实证明,这正是我所需要的。在these instructions之后,我生成了一个完全不安全的自签名证书:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'

然后我添加了这一行:

context.load_cert_chain('cert.pem', 'key.pem')

现在我可以发送电子邮件了。对于 lazy 好奇,这是整个服务器代码:

import asyncio
import ssl
from aiosmtpd.controller import Controller


class ExampleHandler:
    async def handle_RCPT(self, server, session, envelope, address, rcpt_options):
        if not address.endswith('@example.com'):
            return '550 not relaying to that domain'
        envelope.rcpt_tos.append(address)
        return '250 OK'

    async def handle_DATA(self, server, session, envelope):
        print(f'Message from {envelope.mail_from}')
        print(f'Message for {envelope.rcpt_tos}')
        print(f'Message data:\n{envelope.content.decode("utf8", errors="replace")}')
        print('End of message')
        return '250 Message accepted for delivery'

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain('cert.pem', 'key.pem')
controller = Controller(ExampleHandler(), port=8026, ssl_context=context)
controller.start()

input('Press enter to stop')
controller.stop()

可以通过以下方式验证:

echo 'Testing' | swaks --to someone@example.com --from "someone_else@example.org" --server localhost --port 8026 -tlsc

答案 1 :(得分:1)

根据Wayne自己的答案,以下是如何使用aiosmtpd创建STARTTLS服务器。

1。创建SSL上下文

要进行测试,请使用以下命令为localhost生成自签名证书:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'

使用ssl模块将其加载到Python中:

import ssl
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain('cert.pem', 'key.pem')

2。将SSL上下文传递给aiosmtpd

创建aiosmtpd控制器的子类,将此上下文作为tls_context传递给SMTP

from aiosmtpd.smtp import SMTP
from aiosmtpd.controller import Controller

class ControllerTls(Controller):
    def factory(self):
        return SMTP(self.handler, require_starttls=True, tls_context=context)

3。运行它

使用处理程序实例化此控制器并启动它。在这里,我使用aiosmtpd自己的Debugging处理程序:

from aiosmtpd.handlers import Debugging
controller = ControllerTls(Debugging(), port=1025)
controller.start()
input('Press enter to stop')
controller.stop()

4。测试它

将本地邮件客户端配置为发送至localhost:1025,或使用swaks

swaks -tls -t test --server localhost:1025

...或者在发出初始openssl s_client命令后使用STARTTLS与服务器通信:

openssl s_client -crlf -CAfile cert.pem -connect localhost:1025 -starttls smtp

完整代码

下面的代码还使用swaks测试服务器,并且还显示了如何创建TLS-on-connect服务器(如Wayne的答案)。

import os
import ssl
import subprocess
from aiosmtpd.smtp import SMTP
from aiosmtpd.controller import Controller
from aiosmtpd.handlers import Debugging

# Create cert and key if they don't exist
if not os.path.exists('cert.pem') and not os.path.exists('key.pem'):
    subprocess.call('openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem ' +
                    '-days 365 -nodes -subj "/CN=localhost"', shell=True)

# Load SSL context
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain('cert.pem', 'key.pem')

# Pass SSL context to aiosmtpd
class ControllerStarttls(Controller):
    def factory(self):
        return SMTP(self.handler, require_starttls=True, tls_context=context)

# Start server
controller = ControllerStarttls(Debugging(), port=1025)
controller.start()
# Test using swaks (if available)
subprocess.call('swaks -tls -t test --server localhost:1025', shell=True)
input('Running STARTTLS server. Press enter to stop.\n')
controller.stop()

# Alternatively: Use TLS-on-connect
controller = Controller(Debugging(), port=1025, ssl_context=context)
controller.start()
# Test using swaks (if available)
subprocess.call('swaks -tlsc -t test --server localhost:1025', shell=True)
input('Running TLSC server. Press enter to stop.\n')
controller.stop()
相关问题
最新问题