Mercurial > dovecot > core-2.2
changeset 1725:cc0690f92d96 HEAD
disable_plaintext_auth defaults to yes now. ipv4 127.* and ipv6 ::1
addresses are considered secure however and plaintext authentication is
allowed from them.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 24 Aug 2003 10:55:23 +0300 |
parents | b3526668de78 |
children | f5e6f29731c4 |
files | dovecot-example.conf src/imap-login/client-authenticate.c src/imap-login/client-authenticate.h src/imap-login/client.c src/imap-login/client.h src/master/master-settings.c src/pop3-login/client-authenticate.c src/pop3-login/client.c src/pop3-login/client.h |
diffstat | 9 files changed, 32 insertions(+), 14 deletions(-) [+] |
line wrap: on
line diff
--- a/dovecot-example.conf Sun Aug 24 10:37:41 2003 +0300 +++ b/dovecot-example.conf Sun Aug 24 10:55:23 2003 +0300 @@ -44,8 +44,10 @@ #ssl_parameters_regenerate = 24 # Disable LOGIN command and all other plaintext authentications unless -# SSL/TLS is used (LOGINDISABLED capability) -#disable_plaintext_auth = no +# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and +# IPv6 ::1 addresses are considered secure, this setting has no effect if +# you connect from those addresses. +#disable_plaintext_auth = yes # Use this logfile instead of syslog(). /dev/stderr can be used if you want to # use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
--- a/src/imap-login/client-authenticate.c Sun Aug 24 10:37:41 2003 +0300 +++ b/src/imap-login/client-authenticate.c Sun Aug 24 10:55:23 2003 +0300 @@ -16,7 +16,7 @@ #include "auth-common.h" #include "master.h" -const char *client_authenticate_get_capabilities(int tls) +const char *client_authenticate_get_capabilities(int secured) { static enum auth_mech cached_auth_mechs = 0; static char *cached_capability = NULL; @@ -36,7 +36,7 @@ for (i = 0; i < AUTH_MECH_COUNT; i++) { if ((auth_mechs & auth_mech_desc[i].mech) && auth_mech_desc[i].name != NULL && - (tls || !auth_mech_desc[i].plaintext || + (secured || !auth_mech_desc[i].plaintext || !disable_plaintext_auth)) { str_append_c(str, ' '); str_append(str, "AUTH="); @@ -167,10 +167,10 @@ user = IMAP_ARG_STR(&args[0]); pass = IMAP_ARG_STR(&args[1]); - if (!client->tls && disable_plaintext_auth) { + if (!client->secured && disable_plaintext_auth) { client_send_line(client, "* BAD [ALERT] Plaintext authentication is disabled, " - "but your client sent password in plaintext anyway." + "but your client sent password in plaintext anyway. " "If anyone was listening, the password was exposed."); client_send_tagline(client, "NO Plaintext authentication disabled."); @@ -304,7 +304,7 @@ return TRUE; } - if (!client->tls && mech->plaintext && disable_plaintext_auth) { + if (!client->secured && mech->plaintext && disable_plaintext_auth) { client_send_tagline(client, "NO Plaintext authentication disabled."); return TRUE;
--- a/src/imap-login/client-authenticate.h Sun Aug 24 10:37:41 2003 +0300 +++ b/src/imap-login/client-authenticate.h Sun Aug 24 10:55:23 2003 +0300 @@ -1,7 +1,7 @@ #ifndef __CLIENT_AUTHENTICATE_H #define __CLIENT_AUTHENTICATE_H -const char *client_authenticate_get_capabilities(int tls); +const char *client_authenticate_get_capabilities(int secured); int cmd_login(struct imap_client *client, struct imap_arg *args); int cmd_authenticate(struct imap_client *client, struct imap_arg *args);
--- a/src/imap-login/client.c Sun Aug 24 10:37:41 2003 +0300 +++ b/src/imap-login/client.c Sun Aug 24 10:55:23 2003 +0300 @@ -89,11 +89,11 @@ { const char *capability, *auths; - auths = client_authenticate_get_capabilities(client->tls); + auths = client_authenticate_get_capabilities(client->secured); capability = t_strconcat("* CAPABILITY " CAPABILITY_STRING, (ssl_initialized && !client->tls) ? " STARTTLS" : "", - disable_plaintext_auth && !client->tls ? + disable_plaintext_auth && !client->secured ? " LOGINDISABLED" : "", auths, NULL); client_send_line(client, capability); client_send_tagline(client, "OK Capability completed."); @@ -127,6 +127,7 @@ fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip); if (fd_ssl != -1) { client->tls = TRUE; + client->secured = TRUE; client_set_title(client); /* we skipped it already, so don't ignore next command */ @@ -339,6 +340,7 @@ struct client *client_create(int fd, struct ip_addr *ip, int ssl) { struct imap_client *client; + const char *addr; if (max_logging_users > CLIENT_DESTROY_OLDEST_COUNT && hash_size(clients) >= max_logging_users) { @@ -355,6 +357,11 @@ client->refcount = 1; client->tls = ssl; + addr = net_ip2addr(ip); + client->secured = ssl || + (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) || + (IPADDR_IS_V6(ip) && strcmp(addr, "::1") == 0); + client->common.ip = *ip; client->common.fd = fd;
--- a/src/imap-login/client.h Sun Aug 24 10:37:41 2003 +0300 +++ b/src/imap-login/client.h Sun Aug 24 10:55:23 2003 +0300 @@ -23,6 +23,7 @@ buffer_t *plain_login; unsigned int tls:1; + unsigned int secured:1; unsigned int cmd_finished:1; unsigned int skip_line:1; unsigned int input_blocked:1;
--- a/src/master/master-settings.c Sun Aug 24 10:37:41 2003 +0300 +++ b/src/master/master-settings.c Sun Aug 24 10:55:23 2003 +0300 @@ -165,7 +165,7 @@ MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem", MEMBER(ssl_parameters_file) "ssl-parameters.dat", MEMBER(ssl_parameters_regenerate) 24, - MEMBER(disable_plaintext_auth) FALSE, + MEMBER(disable_plaintext_auth) TRUE, MEMBER(verbose_ssl) FALSE, /* login */
--- a/src/pop3-login/client-authenticate.c Sun Aug 24 10:37:41 2003 +0300 +++ b/src/pop3-login/client-authenticate.c Sun Aug 24 10:55:23 2003 +0300 @@ -36,7 +36,7 @@ for (i = 0; i < AUTH_MECH_COUNT; i++) { if ((auth_mechs & auth_mech_desc[i].mech) && auth_mech_desc[i].name != NULL && - (client->tls || !auth_mech_desc[i].plaintext || + (client->secured || !auth_mech_desc[i].plaintext || !disable_plaintext_auth)) { str_append_c(str, ' '); str_append(str, auth_mech_desc[i].name); @@ -156,7 +156,7 @@ int cmd_user(struct pop3_client *client, const char *args) { - if (!client->tls && disable_plaintext_auth) { + if (!client->secured && disable_plaintext_auth) { client_send_line(client, "-ERR Plaintext authentication disabled."); return TRUE; @@ -284,7 +284,7 @@ return TRUE; } - if (!client->tls && mech->plaintext && disable_plaintext_auth) { + if (!client->secured && mech->plaintext && disable_plaintext_auth) { client_send_line(client, "-ERR Plaintext authentication disabled."); return TRUE;
--- a/src/pop3-login/client.c Sun Aug 24 10:37:41 2003 +0300 +++ b/src/pop3-login/client.c Sun Aug 24 10:55:23 2003 +0300 @@ -83,6 +83,7 @@ fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip); if (fd_ssl != -1) { client->tls = TRUE; + client->secured = TRUE; client_set_title(client); client->common.fd = fd_ssl; @@ -234,6 +235,7 @@ struct client *client_create(int fd, struct ip_addr *ip, int ssl) { struct pop3_client *client; + const char *addr; if (max_logging_users > CLIENT_DESTROY_OLDEST_COUNT && hash_size(clients) >= max_logging_users) { @@ -250,6 +252,11 @@ client->refcount = 1; client->tls = ssl; + addr = net_ip2addr(ip); + client->secured = ssl || + (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) || + (IPADDR_IS_V6(ip) && strcmp(addr, "::1") == 0); + client->common.ip = *ip; client->common.fd = fd; client->common.io = io_add(fd, IO_READ, client_input, client);