changeset 19596:3e4358b58c3f
imap-login: If LOGINDISABLED capability is advertised in banner, don't try to LOGIN without SSL/TLS.
This avoids accidentally sending the password in plaintext. Also the server
should fail the LOGIN in any case.
author | Timo Sirainen <timo.sirainen@dovecot.fi> |
---|---|
date | Tue, 19 Jan 2016 23:47:08 +0200 |
parents | d993ed368ee0 |
children | b8e8ea7a1871 |
files | src/imap-login/imap-login-client.h src/imap-login/imap-proxy.c |
diffstat | 2 files changed, 10 insertions(+), 0 deletions(-) [+] |
--- a/src/imap-login/imap-login-client.h Tue Jan 19 20:45:27 2016 +0200
+++ b/src/imap-login/imap-login-client.h Tue Jan 19 23:47:08 2016 +0200
@@ -36,6 +36,7 @@
 unsigned int cmd_finished:1;
 unsigned int proxy_sasl_ir:1;
+ unsigned int proxy_logindisabled:1;
 unsigned int proxy_seen_banner:1;
 unsigned int skip_line:1;
 unsigned int id_logged:1;
--- a/src/imap-login/imap-proxy.c Tue Jan 19 20:45:27 2016 +0200
+++ b/src/imap-login/imap-proxy.c Tue Jan 19 23:47:08 2016 +0200
@@ -81,6 +81,12 @@
 if (client->common.proxy_mech == NULL) {
 /* logging in normally - use LOGIN command */
+ if (client->proxy_logindisabled &&
+ login_proxy_get_ssl_flags(client->common.login_proxy) == 0) {
+ client_log_err(&client->common,
+ "proxy: Remote advertised LOGINDISABLED and SSL/TLS not enabled");
+ return -1;
+ }
 str_append(str, "L LOGIN ");
 imap_append_string(str, client->common.proxy_user);
 str_append_c(str, ' ');
@@ -143,6 +149,8 @@
 proxy_write_id(client, str);
 if (str_array_icase_find(capabilities, "SASL-IR"))
 client->proxy_sasl_ir = TRUE;
+ if (str_array_icase_find(capabilities, "LOGINDISABLED"))
+ client->proxy_logindisabled = TRUE;
 i_free(client->proxy_backend_capability);
 client->proxy_backend_capability = i_strdup(t_strcut(line + 5 + 12, ']'));
@@ -374,6 +382,7 @@
 struct imap_client *imap_client = (struct imap_client *)client;
 imap_client->proxy_sasl_ir = FALSE;
+ imap_client->proxy_logindisabled = FALSE;
 imap_client->proxy_seen_banner = FALSE;
 imap_client->proxy_capability_request_sent = FALSE;
 client->proxy_state = IMAP_PROXY_STATE_NONE;
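Review bot: In the `@@ -81,6 +81,12 @@` hunk the new guard sits inside the `proxy_mech == NULL` branch, so it protects only the LOGIN command. Whether the SASL branch can still hand a cleartext credential (a PLAIN-style mechanism, for instance) to a backend reached without SSL/TLS is not visible here and is worth checking against the same condition. The guard also carries no comment saying why `login_proxy_get_ssl_flags(...) == 0` is the right test; I would add `/* backend advertised LOGINDISABLED and no SSL/TLS is configured for this proxy connection: refuse instead of sending the password in cleartext */` above the `if`. The enclosing function starts and ends outside the hunk.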
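Review bot: `proxy_logindisabled` in the `@@ -143,6 +149,8 @@` hunk is set only from the capability list that, going by the commit message, is taken from the backend's banner, and that banner arrives before any TLS is negotiated, so it is unauthenticated. A backend that sends no capability list in its banner, or a banner that is altered on the path, leaves the flag FALSE and the LOGIN guard never fires. The check is therefore a safeguard against misconfiguration, not a confidentiality guarantee. I would record that next to the assignment, e.g. `/* best-effort: the banner is unauthenticated; configure ssl/starttls for the proxy when the link to the backend is not trusted */`. The enclosing function starts and ends outside the hunk.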