smtp: enable TLS peer verification, fix envelope injection, fix dot-stuffing

Pontoporeia
2026-04-30 12:36:15 +02:00
parent 33987c9b15
commit 8d115dc965
2 changed files with 77 additions and 11 deletions

@@ -63,6 +63,14 @@
- [ ] Verify TCP reachability from XAMXAM VM to LDAP server (port 636)
- [ ] See `docs/LDAP_AUTH_PLAN.md` for full phase-by-phase plan
## SMTP transport security hardening
- [x] Enable TLS peer verification (`verify_peer`, `verify_peer_name`, `peer_name`) on both `smtpSend` and `smtpProbe` — removes MITM vulnerability from `verify_peer: false`
- [x] Add `caBundlePath()` — resolves system CA bundle path (php.ini → Debian/RHEL/Alpine candidates → PHP built-in fallback)
- [x] Set SSL context options explicitly on socket before `stream_socket_enable_crypto()` for STARTTLS (both probe and send paths)
- [x] Add `sanitiseEnvelope()` — strips CR/LF from envelope addresses to prevent SMTP command injection
- [x] Fix RFC 5321 §4.5.2 dot-stuffing: replace `preg_replace` with correct CRLF-normalise → `str_replace("\r\n.", "\r\n..")` sequence
## SMTP notify_email fix
- [x] Migration 006: add `notify_email` column to `smtp_settings`
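Review bot: The dot-stuffing item for RFC 5321 §4.5.2 describes `str_replace("\r\n.", "\r\n..")` after CRLF normalisation, which only matches a dot that follows a CRLF, so a DATA payload whose very first line begins with `.` is not stuffed. If the payload always starts with a header block, state that assumption in this item; otherwise handle the leading-dot case explicitly. Separately, the `sanitiseEnvelope()` item says CR/LF are stripped from envelope addresses: consider rejecting such addresses instead, since silent stripping changes the address that is actually used and leaves no trace of the injection attempt.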