annotate src/imap-login/client-authenticate.c @ 9575:0a00dcc4f0ea HEAD
lib-storage: Allow shared namespace prefix to use %variable modifiers.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 26 May 2010 17:07:51 +0100 |
parents | a6d0fa17ddee |
children | e7721f67688a |
rev | line source |
---|---|
/* Copyright (c) 2002-2010 Dovecot authors, see the included COPYING file */

#include "common.h"
#include "base64.h"
#include "buffer.h"
#include "ioloop.h"
#include "istream.h"
#include "ostream.h"
#include "safe-memset.h"
#include "str.h"
#include "str-sanitize.h"
#include "imap-resp-code.h"
#include "imap-parser.h"
#include "auth-client.h"
#include "client.h"
#include "client-authenticate.h"
#include "imap-proxy.h"

#include <stdlib.h>

/* Step, in milliseconds, of the failed-login reply delay.
   client_auth_failed() multiplies it by the connection's count of
   authentication attempts, so every further failure on the same
   connection is answered later than the previous one. This throttles
   password guessing over a single connection. */
#define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000

/* Lowercase service name of this login process. It is not referenced in
   the part of the file shown here; presumably it is handed to the auth
   layer when a request is started -- confirm against the caller. */
#define IMAP_SERVICE_NAME "imap"
24 |
/* Build the " AUTH=<name>" list that is appended to the IMAP capability
   string, one entry per mechanism returned by
   auth_client_get_available_mechs().

   secured: TRUE when the caller considers the transport protected.

   A mechanism is left out when
    - it carries MECH_SEC_PRIVATE (never advertised), or
    - it carries MECH_SEC_PLAINTEXT while the transport is not secured
      and disable_plaintext_auth is set.

   This function only decides what is advertised. A client can still
   name a mechanism that was not listed, so the refusal of plaintext
   mechanisms on an unprotected connection has to be enforced where the
   authentication command is handled (not visible in this function).

   Returns the string built with t_str_new(); presumably short-lived
   temporary storage -- confirm before keeping the pointer. */
const char *client_authenticate_get_capabilities(bool secured)
{
	const struct auth_mech_desc *mechs;
	unsigned int idx, mech_count;
	string_t *caps = t_str_new(128);

	mechs = auth_client_get_available_mechs(auth_client, &mech_count);
	for (idx = 0; idx < mech_count; idx++) {
		const struct auth_mech_desc *cur = &mechs[idx];

		/* private mechanisms are never shown to clients */
		if ((cur->flags & MECH_SEC_PRIVATE) != 0)
			continue;

		/* hide plaintext mechanisms unless the transport is secured
		   or insecure authentication has been allowed */
		if (!secured && disable_plaintext_auth &&
		    (cur->flags & MECH_SEC_PLAINTEXT) != 0)
			continue;

		str_append_c(caps, ' ');
		str_append(caps, "AUTH=");
		str_append(caps, cur->name);
	}

	return str_c(caps);
}
49 |
/* Input handler used while an authentication exchange is in progress:
   reads one line from the client and either aborts the exchange or
   forwards the line to the pending auth request.

   - Returns without doing anything when client_read() fails or when no
     complete line is buffered yet.
   - When client->skip_line is set, one line is consumed and dropped
     first. That dropped line is not wiped.
   - A line consisting of "*" aborts the authentication.
   - Any other line is passed to auth_client_request_continue(), input
     handling is removed from the connection, and the line is then
     overwritten in place because it may carry credentials.

   The wipe covers only the strlen(line) bytes of this line inside the
   input stream's buffer. Whether auth_client_request_continue() keeps
   its own copy is not visible here -- confirm when auditing where
   credentials live in memory. */
static void client_auth_input(struct imap_client *client)
{
	char *resp;

	if (!client_read(client))
		return;

	if (client->skip_line) {
		if (i_stream_next_line(client->common.input) == NULL)
			return;

		client->skip_line = FALSE;
	}

	/* @UNSAFE: resp is a writable pointer into the input stream's
	   buffer and is overwritten below */
	resp = i_stream_next_line(client->common.input);
	if (resp == NULL)
		return;

	if (strcmp(resp, "*") == 0) {
		/* the client cancelled the exchange; nothing secret to wipe */
		sasl_server_auth_abort(&client->common);
		return;
	}

	client_set_auth_waiting(client);
	auth_client_request_continue(client->common.auth_request, resp);
	/* no client input is expected until the auth request moves on */
	io_remove(&client->io);

	/* clear sensitive data */
	safe_memset(resp, 0, strlen(resp));
}
80 |
/* Timer callback armed by client_auth_failed(): runs when the
   failed-login reply delay has elapsed and lets the connection accept
   commands again. */
static void client_authfail_delay_timeout(struct imap_client *client)
{
	/* drop the timer; client_auth_failed() asserts that
	   to_authfail_delay is NULL before arming a new one, so
	   timeout_remove() presumably clears the pointer */
	timeout_remove(&client->to_authfail_delay);

	/* get back to normal client input. */
	/* client_auth_failed() removed the input handler before starting
	   the delay, so none may be installed at this point */
	i_assert(client->io == NULL);
	client->io = io_add(client->common.fd, IO_READ, client_input, client);
	/* run the handler once right away -- presumably to process input
	   that arrived while the handler was removed */
	client_input(client);
}
90 |
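/* Finish a failed authentication attempt and decide when the connection
   may send its next command.

   client:  connection whose authentication attempt failed.
   nodelay: TRUE re-enables input immediately, skipping the throttle.
            In this file it is TRUE when proxy setup fails, and
            client_handle_args() sets its nodelay_r output from the
            "nodelay" passdb extra field.

   The command tag is always cleared. Nothing else happens while
   client->auth_initializing is set. Otherwise input handling is removed
   and, unless nodelay is given, restored by
   client_authfail_delay_timeout() after
   auth_attempts * AUTH_FAILURE_DELAY_INCREASE_MSECS milliseconds.

   The delay is capped one second below CLIENT_LOGIN_IDLE_TIMEOUT_MSECS.
   The cap uses ">=" rather than ">" so that a delay exactly equal to
   the idle timeout is capped as well; otherwise that one value would
   let the delay run as long as the idle timeout it is meant to stay
   under.

   NOTE(review): the multiplication is done in unsigned int; it is
   assumed that auth_attempts is bounded elsewhere so the product cannot
   wrap to a small delay -- confirm. */
void client_auth_failed(struct imap_client *client, bool nodelay)
{
	unsigned int delay_msecs;

	client->common.auth_command_tag = NULL;

	if (client->auth_initializing)
		return;

	if (client->io != NULL)
		io_remove(&client->io);
	if (nodelay) {
		/* no throttling requested: accept commands again at once */
		client->io = io_add(client->common.fd, IO_READ,
				    client_input, client);
		client_input(client);
		return;
	}

	/* increase the timeout after each unsuccessful attempt, but don't
	   increase it so high that the idle timeout would be triggered */
	delay_msecs = client->common.auth_attempts *
		AUTH_FAILURE_DELAY_INCREASE_MSECS;
	if (delay_msecs >= CLIENT_LOGIN_IDLE_TIMEOUT_MSECS)
		delay_msecs = CLIENT_LOGIN_IDLE_TIMEOUT_MSECS - 1000;

	/* only one delay timer may be pending per connection */
	i_assert(client->to_authfail_delay == NULL);
	client->to_authfail_delay =
		timeout_add(delay_msecs, client_authfail_delay_timeout, client);
}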
120 | |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3384
diff
changeset
|
121 static bool client_handle_args(struct imap_client *client, |
8574
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8564
diff
changeset
|
122 const char *const *args, bool success, |
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8564
diff
changeset
|
123 bool *nodelay_r) |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
124 { |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
125 const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL; |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8534
diff
changeset
|
126 const char *master_user = NULL; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
127 const char *key, *value, *p; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
128 enum login_proxy_ssl_flags ssl_flags = 0; |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
129 string_t *reply; |
9559
9d472f43bcdb
imap/pop3-login: If proxy returns ssl=yes, change the default port to 993/995.
Timo Sirainen <tss@iki.fi>
parents:
9532
diff
changeset
|
130 unsigned int port = 0; |
9306
e3ccd235a7e5
login proxy: Added client_proxy passdb extra field to specify proxy's connect timeout.
Timo Sirainen <tss@iki.fi>
parents:
9218
diff
changeset
|
131 unsigned int proxy_timeout_msecs = 0; |
8583
2ff2cac3578b
imap/pop3-login: Cleaned up proxying code. Don't disconnect client on proxy failures.
Timo Sirainen <tss@iki.fi>
parents:
8577
diff
changeset
|
132 bool proxy = FALSE, temp = FALSE, nologin = !success; |
8413
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8412
diff
changeset
|
133 bool authz_failure = FALSE; |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
134 |
8574
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8564
diff
changeset
|
135 *nodelay_r = FALSE; |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
136 for (; *args != NULL; args++) { |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
137 p = strchr(*args, '='); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
138 if (p == NULL) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
139 key = *args; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
140 value = ""; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
141 } else { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
142 key = t_strdup_until(*args, p); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
143 value = p + 1; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
144 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
145 if (strcmp(key, "nologin") == 0) |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
146 nologin = TRUE; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
147 else if (strcmp(key, "nodelay") == 0) |
8574
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8564
diff
changeset
|
148 *nodelay_r = TRUE; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
149 else if (strcmp(key, "proxy") == 0) |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
150 proxy = TRUE; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
151 else if (strcmp(key, "temp") == 0) |
3059
08c640bdf749
If authentication failed because of temporary failure, show different error
Timo Sirainen <tss@iki.fi>
parents:
2773
diff
changeset
|
152 temp = TRUE; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
153 else if (strcmp(key, "authz") == 0) |
8413
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8412
diff
changeset
|
154 authz_failure = TRUE; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
155 else if (strcmp(key, "reason") == 0) |
9395
4c9f068e5ea1
imap-login: Is dovecot-auth gives a reason for the failure, don't eat first 7 chars.
Timo Sirainen <tss@iki.fi>
parents:
9306
diff
changeset
|
156 reason = value; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
157 else if (strcmp(key, "host") == 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
158 host = value; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
159 else if (strcmp(key, "port") == 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
160 port = atoi(value); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
161 else if (strcmp(key, "destuser") == 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
162 destuser = value; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
163 else if (strcmp(key, "pass") == 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
164 pass = value; |
9306
e3ccd235a7e5
login proxy: Added client_proxy passdb extra field to specify proxy's connect timeout.
Timo Sirainen <tss@iki.fi>
parents:
9218
diff
changeset
|
165 else if (strcmp(key, "proxy_timeout") == 0) |
e3ccd235a7e5
login proxy: Added client_proxy passdb extra field to specify proxy's connect timeout.
Timo Sirainen <tss@iki.fi>
parents:
9218
diff
changeset
|
166 proxy_timeout_msecs = 1000*atoi(value); |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
167 else if (strcmp(key, "master") == 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
168 master_user = value; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
169 else if (strcmp(key, "ssl") == 0) { |
9559
9d472f43bcdb
imap/pop3-login: If proxy returns ssl=yes, change the default port to 993/995.
Timo Sirainen <tss@iki.fi>
parents:
9532
diff
changeset
|
170 if (strcmp(value, "yes") == 0) { |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
171 ssl_flags |= PROXY_SSL_FLAG_YES; |
9560
a6d0fa17ddee
imap/pop3-login: ssl=yes shouldn't change port if port was already specified.
Timo Sirainen <tss@iki.fi>
parents:
9559
diff
changeset
|
172 if (port == 0) |
a6d0fa17ddee
imap/pop3-login: ssl=yes shouldn't change port if port was already specified.
Timo Sirainen <tss@iki.fi>
parents:
9559
diff
changeset
|
173 port = 993; |
9559
9d472f43bcdb
imap/pop3-login: If proxy returns ssl=yes, change the default port to 993/995.
Timo Sirainen <tss@iki.fi>
parents:
9532
diff
changeset
|
174 } else if (strcmp(value, "any-cert") == 0) { |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
175 ssl_flags |= PROXY_SSL_FLAG_YES | |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
176 PROXY_SSL_FLAG_ANY_CERT; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
177 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
178 } else if (strcmp(key, "starttls") == 0) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
179 ssl_flags |= PROXY_SSL_FLAG_STARTTLS; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
180 } else if (strcmp(key, "user") == 0) { |
8344
938700823522
Login prcesses: If auth_debug=yes, don't warn about "user" parameter being unknown.
Timo Sirainen <tss@iki.fi>
parents:
8331
diff
changeset
|
181 /* already handled in login-common */ |
938700823522
Login prcesses: If auth_debug=yes, don't warn about "user" parameter being unknown.
Timo Sirainen <tss@iki.fi>
parents:
8331
diff
changeset
|
182 } else if (auth_debug) { |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8926
diff
changeset
|
183 i_info("Ignoring unknown passdb extra field: %s", key); |
8331
8fb20b423f8b
Login processes: If auth_debug=yes, log about received unknown passdb extra fields.
Timo Sirainen <tss@iki.fi>
parents:
8302
diff
changeset
|
184 } |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
185 } |
9559
9d472f43bcdb
imap/pop3-login: If proxy returns ssl=yes, change the default port to 993/995.
Timo Sirainen <tss@iki.fi>
parents:
9532
diff
changeset
|
186 if (port == 0) |
9d472f43bcdb
imap/pop3-login: If proxy returns ssl=yes, change the default port to 993/995.
Timo Sirainen <tss@iki.fi>
parents:
9532
diff
changeset
|
187 port = 143; |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
188 |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
189 if (destuser == NULL) |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
190 destuser = client->common.virtual_user; |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
191 |
8583
2ff2cac3578b
imap/pop3-login: Cleaned up proxying code. Don't disconnect client on proxy failures.
Timo Sirainen <tss@iki.fi>
parents:
8577
diff
changeset
|
192 if (proxy) { |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
193 /* we want to proxy the connection to another server. |
5173
723cf9d39692
If authentication failed but it still returns proxy, don't do the proxying.
Timo Sirainen <tss@iki.fi>
parents:
5150
diff
changeset
|
194 don't do this unless authentication succeeded. with |
723cf9d39692
If authentication failed but it still returns proxy, don't do the proxying.
Timo Sirainen <tss@iki.fi>
parents:
5150
diff
changeset
|
195 master user proxying we can get FAIL with proxy still set. |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
196 |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
197 proxy host=.. [port=..] [destuser=..] pass=.. */ |
5173
723cf9d39692
If authentication failed but it still returns proxy, don't do the proxying.
Timo Sirainen <tss@iki.fi>
parents:
5150
diff
changeset
|
198 if (!success) |
723cf9d39692
If authentication failed but it still returns proxy, don't do the proxying.
Timo Sirainen <tss@iki.fi>
parents:
5150
diff
changeset
|
199 return FALSE; |
8546
50f49805b13b
imap/pop3 proxy: Support master user logins.
Timo Sirainen <tss@iki.fi>
parents:
8534
diff
changeset
|
200 if (imap_proxy_new(client, host, port, destuser, master_user, |
9520
d1548d794f72
*-login: Don't assert-crash if trying to proxy caused the connection to be killed.
Timo Sirainen <tss@iki.fi>
parents:
9395
diff
changeset
|
201 pass, ssl_flags, proxy_timeout_msecs) < 0) { |
d1548d794f72
*-login: Don't assert-crash if trying to proxy caused the connection to be killed.
Timo Sirainen <tss@iki.fi>
parents:
9395
diff
changeset
|
202 if (!client->destroyed) |
d1548d794f72
*-login: Don't assert-crash if trying to proxy caused the connection to be killed.
Timo Sirainen <tss@iki.fi>
parents:
9395
diff
changeset
|
203 client_auth_failed(client, TRUE); |
d1548d794f72
*-login: Don't assert-crash if trying to proxy caused the connection to be killed.
Timo Sirainen <tss@iki.fi>
parents:
9395
diff
changeset
|
204 } |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
205 return TRUE; |
3384
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
parents:
3059
diff
changeset
|
206 } |
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
parents:
3059
diff
changeset
|
207 |
8583
2ff2cac3578b
imap/pop3-login: Cleaned up proxying code. Don't disconnect client on proxy failures.
Timo Sirainen <tss@iki.fi>
parents:
8577
diff
changeset
|
208 if (host != NULL) { |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
209 /* IMAP referral |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
210 |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
211 [nologin] referral host=.. [port=..] [destuser=..] |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
212 [reason=..] |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
213 |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
214 NO [REFERRAL imap://destuser;AUTH=..@host:port/] Can't login. |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
215 OK [...] Logged in, but you should use this server instead. |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
216 .. [REFERRAL ..] (Reason from auth server) |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
217 */ |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
218 reply = t_str_new(128); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
219 str_append(reply, nologin ? "NO " : "OK "); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
220 str_printfa(reply, "[REFERRAL imap://%s;AUTH=%s@%s", |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
221 destuser, client->common.auth_mech_name, host); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
222 if (port != 143) |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
223 str_printfa(reply, ":%u", port); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
224 str_append(reply, "/] "); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
225 if (reason != NULL) |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
226 str_append(reply, reason); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
227 else if (nologin) |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
228 str_append(reply, "Try this server instead."); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
229 else { |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
230 str_append(reply, "Logged in, but you should use " |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
231 "this server instead."); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
232 } |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
233 client_send_tagline(client, str_c(reply)); |
3384
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
parents:
3059
diff
changeset
|
234 if (!nologin) { |
7438
65fbb6226141
Log clearly with "auth failed, # attempts" if user gets disconnected before
Timo Sirainen <tss@iki.fi>
parents:
7395
diff
changeset
|
235 client_destroy_success(client, "Login with referral"); |
3384
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
parents:
3059
diff
changeset
|
236 return TRUE; |
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
parents:
3059
diff
changeset
|
237 } |
8583
2ff2cac3578b
imap/pop3-login: Cleaned up proxying code. Don't disconnect client on proxy failures.
Timo Sirainen <tss@iki.fi>
parents:
8577
diff
changeset
|
238 } else if (nologin) { |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
239 /* Authentication went ok, but for some reason user isn't |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
240 allowed to log in. Shouldn't probably happen. */ |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
241 reply = t_str_new(128); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
242 if (reason != NULL) |
9218
754234248510
login processes: Auth code cleanups. Custom IMAP auth errors now have [ALERT] prefix.
Timo Sirainen <tss@iki.fi>
parents:
9086
diff
changeset
|
243 str_printfa(reply, "NO [ALERT] %s", reason); |
8583
2ff2cac3578b
imap/pop3-login: Cleaned up proxying code. Don't disconnect client on proxy failures.
Timo Sirainen <tss@iki.fi>
parents:
8577
diff
changeset
|
244 else if (temp) { |
8412
6e9100795d89
Moved imap-resp-codes to macros.
Timo Sirainen <tss@iki.fi>
parents:
8411
diff
changeset
|
245 str_append(reply, "NO ["IMAP_RESP_CODE_UNAVAILABLE"] " |
8411
abd0ef855a33
Implemented imap-response-codes draft.
Timo Sirainen <tss@iki.fi>
parents:
8351
diff
changeset
|
246 AUTH_TEMP_FAILED_MSG); |
8413
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8412
diff
changeset
|
247 } else if (authz_failure) { |
24c8bc8098ee
Give a different error message if authentication succeeds but authorization fails.
Timo Sirainen <tss@iki.fi>
parents:
8412
diff
changeset
|
248 str_append(reply, "NO "IMAP_AUTHZ_FAILED_MSG); |
8411
abd0ef855a33
Implemented imap-response-codes draft.
Timo Sirainen <tss@iki.fi>
parents:
8351
diff
changeset
|
249 } else { |
abd0ef855a33
Implemented imap-response-codes draft.
Timo Sirainen <tss@iki.fi>
parents:
8351
diff
changeset
|
250 str_append(reply, "NO "IMAP_AUTH_FAILED_MSG); |
abd0ef855a33
Implemented imap-response-codes draft.
Timo Sirainen <tss@iki.fi>
parents:
8351
diff
changeset
|
251 } |
2768
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
252 client_send_tagline(client, str_c(reply)); |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
253 } else { |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
254 /* normal login/failure */ |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
255 return FALSE; |
d344be0bb70f
Added IMAP and POP3 proxying support.
Timo Sirainen <tss@iki.fi>
parents:
2766
diff
changeset
|
256 } |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
257 |
8583
2ff2cac3578b
imap/pop3-login: Cleaned up proxying code. Don't disconnect client on proxy failures.
Timo Sirainen <tss@iki.fi>
parents:
8577
diff
changeset
|
258 i_assert(nologin); |
3384
3b75956d20c4
Added configurable logging for login process. Added configurable pop3 logout
Timo Sirainen <tss@iki.fi>
parents:
3059
diff
changeset
|
259 |
7115 | 260 if (!client->destroyed) |
8574
1b744c38bcac
Increase failed login's reply delay by 5 seconds for each failure.
Timo Sirainen <tss@iki.fi>
parents:
8564
diff
changeset
|
261 client_auth_failed(client, *nodelay_r); |
2766
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
262 return TRUE; |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
263 } |
26a091f3add6
Implemented support for LOGIN-REFERRALS using "referral" and "reason"
Timo Sirainen <tss@iki.fi>
parents:
2736
diff
changeset
|
264 |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
2708
diff
changeset
|
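/* SASL server reply handler for an IMAP login client.

   _client is the generic login client; it is cast to struct imap_client.
   reply selects the branch below. data is an optional text payload whose
   meaning depends on reply (failure text, or the continuation payload).
   args is an optional NULL-able list of extra fields that is handed to
   client_handle_args().

   Every branch except SASL_SERVER_REPLY_CONTINUE falls through to
   client_unref() at the end; CONTINUE returns early and keeps the reference
   while the exchange goes on. */
static void sasl_callback(struct client *_client, enum sasl_server_reply reply,
			  const char *data, const char *const *args)
{
	struct imap_client *client = (struct imap_client *)_client;
	struct const_iovec iov[3];
	const char *msg;
	size_t data_len;
	/* Initialized because the failure branch passes this to
	   client_auth_failed() even when args == NULL, in which case
	   client_handle_args() never gets a chance to fill it in. FALSE is
	   the conservative choice: presumably it keeps the failed-login
	   reply delay enabled - verify against client_auth_failed(). */
	bool nodelay = FALSE;

	/* an already destroyed client may only see an abort or a master
	   failure here */
	i_assert(!client->destroyed ||
		 reply == SASL_SERVER_REPLY_AUTH_ABORTED ||
		 reply == SASL_SERVER_REPLY_MASTER_FAILED);

	switch (reply) {
	case SASL_SERVER_REPLY_SUCCESS:
		if (client->to_auth_waiting != NULL)
			timeout_remove(&client->to_auth_waiting);
		if (args != NULL) {
			/* TRUE means the extra fields (proxy, referral,
			   nologin) were already fully handled */
			if (client_handle_args(client, args, TRUE, &nodelay))
				break;
		}
		client_destroy_success(client, "Login");
		break;
	case SASL_SERVER_REPLY_AUTH_FAILED:
	case SASL_SERVER_REPLY_AUTH_ABORTED:
		if (client->to_auth_waiting != NULL)
			timeout_remove(&client->to_auth_waiting);
		if (args != NULL) {
			if (client_handle_args(client, args, FALSE, &nodelay))
				break;
		}

		/* NOTE(review): data is copied into the tagged reply as is.
		   It presumably originates from the auth process; confirm it
		   can never contain CR or LF, since the reply is a single
		   protocol line. */
		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
			msg = "BAD Authentication aborted by client.";
		else if (data == NULL)
			msg = "NO "IMAP_AUTH_FAILED_MSG;
		else
			msg = t_strconcat("NO [ALERT] ", data, NULL);
		client_send_tagline(client, msg);

		if (!client->destroyed)
			client_auth_failed(client, nodelay);
		break;
	case SASL_SERVER_REPLY_MASTER_FAILED:
		if (data == NULL)
			client_destroy_internal_failure(client);
		else {
			client_send_tagline(client,
					    t_strconcat("NO ", data, NULL));
			/* authentication itself succeeded, we just hit some
			   internal failure. */
			client_destroy_success(client, data);
		}
		break;
	case SASL_SERVER_REPLY_CONTINUE:
		/* NOTE(review): data is dereferenced without a NULL check;
		   this assumes a CONTINUE reply always carries a payload -
		   confirm against the caller. */
		data_len = strlen(data);
		iov[0].iov_base = "+ ";
		iov[0].iov_len = 2;
		iov[1].iov_base = data;
		iov[1].iov_len = data_len;
		iov[2].iov_base = "\r\n";
		iov[2].iov_len = 2;

		/* don't check return value here. it gets tricky if we try
		   to call client_destroy() in here. */
		(void)o_stream_sendv(client->output, iov, 3);

		if (client->to_auth_waiting != NULL)
			timeout_remove(&client->to_auth_waiting);

		/* start reading the client's continuation response; the
		   handler is also invoked once right away */
		i_assert(client->io == NULL);
		client->io = io_add(client->common.fd, IO_READ,
				    client_auth_input, client);
		client_auth_input(client);
		return;
	}

	client_unref(client);
}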
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
2708
diff
changeset
|
344 |
7099
3f5b7bebfd82
Use separate per-client timeouts instead of going through all clients in one
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
/* Begin SASL authentication for an IMAP client.

   mech_name and init_resp are passed unchanged to sasl_server_auth_begin()
   together with sasl_callback as the reply handler.

   Returns 1 when the client is no longer authenticating once
   sasl_server_auth_begin() has returned, and 0 when authentication is still
   pending; in the pending case input handling is suspended until the auth
   reply arrives. */
static int client_auth_begin(struct imap_client *client, const char *mech_name,
			     const char *init_resp)
{
	/* store the current command tag as the tag of the auth command */
	client->common.auth_command_tag = client->cmd_tag;

	/* sasl_callback() calls client_unref() on every reply except
	   CONTINUE; presumably that is the counterpart of this reference */
	client_ref(client);

	/* flag is raised only for the duration of the begin call */
	client->auth_initializing = TRUE;
	sasl_server_auth_begin(&client->common, IMAP_SERVICE_NAME, mech_name,
			       init_resp, sasl_callback);
	client->auth_initializing = FALSE;

	if (client->common.authenticating) {
		/* don't handle input until we get the initial auth reply */
		if (client->io != NULL)
			io_remove(&client->io);
		client_set_auth_waiting(client);
		return 0;
	}
	return 1;
}
3f5b7bebfd82
Use separate per-client timeouts instead of going through all clients in one
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
364 |
5835
d59ed6a31b66
Added more consts to imap-parser API
Timo Sirainen <tss@iki.fi>
parents:
5433
diff
changeset
|
365 int cmd_authenticate(struct imap_client *client, const struct imap_arg *args) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
366 { |
4416
fc135e4c169e
Don't crash if the initial response isn't given for AUTHENTICATE..
Timo Sirainen <tss@iki.fi>
parents:
4411
diff
changeset
|
367 const char *mech_name, *init_resp = NULL; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
368 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
369 /* we want only one argument: authentication mechanism name */ |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
370 if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING) |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
2708
diff
changeset
|
371 return -1; |
4411
a2420b745cd5
Added support for SASL-IR extension.
Timo Sirainen <tss@iki.fi>
parents:
4301
diff
changeset
|
372 if (args[1].type != IMAP_ARG_EOL) { |
a2420b745cd5
Added support for SASL-IR extension.
Timo Sirainen <tss@iki.fi>
parents:
4301
diff
changeset
|
373 /* optional SASL initial response */ |
a2420b745cd5
Added support for SASL-IR extension.
Timo Sirainen <tss@iki.fi>
parents:
4301
diff
changeset
|
374 if (args[1].type != IMAP_ARG_ATOM || |
a2420b745cd5
Added support for SASL-IR extension.
Timo Sirainen <tss@iki.fi>
parents:
4301
diff
changeset
|
375 args[2].type != IMAP_ARG_EOL) |
a2420b745cd5
Added support for SASL-IR extension.
Timo Sirainen <tss@iki.fi>
parents:
4301
diff
changeset
|
376 return -1; |
4416
fc135e4c169e
Don't crash if the initial response isn't given for AUTHENTICATE..
Timo Sirainen <tss@iki.fi>
parents:
4411
diff
changeset
|
377 init_resp = IMAP_ARG_STR(&args[1]); |
4411
a2420b745cd5
Added support for SASL-IR extension.
Timo Sirainen <tss@iki.fi>
parents:
4301
diff
changeset
|
378 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
379 |
8632
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
380 if (!client->common.secured && ssl_required) { |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
381 if (verbose_auth) { |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
382 client_syslog(&client->common, "Login failed: " |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
383 "SSL required for authentication"); |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
384 } |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
385 client->common.auth_attempts++; |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
386 client_send_tagline(client, |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
387 "NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] " |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
388 "Authentication not allowed until SSL/TLS is enabled."); |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
389 return 1; |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
390 } |
5a4fcfde3e91
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
391 |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
392 mech_name = IMAP_ARG_STR(&args[0]); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
393 if (*mech_name == '\0') |
6238
458aa25822fb
AUTHENTICATE "" command should return BAD instead of silence.
Timo Sirainen <tss@iki.fi>
parents:
5846
diff
changeset
|
394 return -1; |
7099
3f5b7bebfd82
Use separate per-client timeouts instead of going through all clients in one
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
395 return client_auth_begin(client, mech_name, init_resp); |
2733
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
2708
diff
changeset
|
396 } |
9b9d9c164a31
Login process cleanups. Share more authentication code between pop3/imap.
Timo Sirainen <tss@iki.fi>
parents:
2708
diff
changeset
|
397 |
5835
d59ed6a31b66
Added more consts to imap-parser API
Timo Sirainen <tss@iki.fi>
parents:
5433
diff
changeset
|
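/*
 * Handle the IMAP LOGIN command.
 *
 * Expects exactly two arguments (username, password), each an atom or a
 * string. On an unsecured connection with disable_plaintext_auth set the
 * attempt is refused; otherwise the credentials are packed into a SASL
 * PLAIN initial response and handed to client_auth_begin().
 *
 * Returns -1 when the arguments are malformed, 1 when the login was
 * refused here (the tagged NO has already been sent), otherwise the
 * return value of client_auth_begin().
 */
int cmd_login(struct imap_client *client, const struct imap_arg *args)
{
	const char *user, *pass;
	string_t *plain_login, *base64;
	size_t user_len, pass_len, plain_size;
	void *plain_data;

	/* two arguments: username and password */
	if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING)
		return -1;
	if (args[1].type != IMAP_ARG_ATOM && args[1].type != IMAP_ARG_STRING)
		return -1;
	if (args[2].type != IMAP_ARG_EOL)
		return -1;

	user = IMAP_ARG_STR(&args[0]);
	pass = IMAP_ARG_STR(&args[1]);

	/* NOTE(review): cmd_authenticate() in this file also refuses
	   unsecured connections when ssl_required is set; this path tests
	   only disable_plaintext_auth. Confirm ssl_required is enforced for
	   LOGIN elsewhere. */
	if (!client->common.secured && disable_plaintext_auth) {
		if (verbose_auth) {
			client_syslog(&client->common, "Login failed: "
				      "Plaintext authentication disabled");
		}
		/* The password has already crossed the wire by the time the
		   command is parsed, so the attempt is recorded and counted
		   and the client is told about the exposure. */
		client->common.auth_tried_disabled_plaintext = TRUE;
		client->common.auth_attempts++;
		client_send_line(client,
			"* BAD [ALERT] Plaintext authentication not allowed "
			"without SSL/TLS, but your client did it anyway. "
			"If anyone was listening, the password was exposed.");
		client_send_tagline(client, "NO ["IMAP_RESP_CODE_CLIENTBUG"] "
				    AUTH_PLAINTEXT_DISABLED_MSG);
		return 1;
	}

	/* authorization ID \0 authentication ID \0 pass
	   (the authorization ID is left empty). The buffer is sized for the
	   whole message up front so that it does not have to grow while the
	   password is being appended; a reallocation could move the data and
	   leave a copy that the wipe below does not reach. */
	user_len = strlen(user);
	pass_len = strlen(pass);
	plain_login = buffer_create_dynamic(pool_datastack_create(),
					    user_len + pass_len + 2);
	buffer_append_c(plain_login, '\0');
	buffer_append(plain_login, user, user_len);
	buffer_append_c(plain_login, '\0');
	buffer_append(plain_login, pass, pass_len);

	base64 = buffer_create_dynamic(pool_datastack_create(),
				MAX_BASE64_ENCODED_SIZE(plain_login->used));
	base64_encode(plain_login->data, plain_login->used, base64);

	/* The raw credentials are not read again after encoding, so clear
	   them instead of leaving them in data stack memory. */
	plain_data = buffer_get_modifiable_data(plain_login, &plain_size);
	safe_memset(plain_data, 0, plain_size);

	/* NOTE(review): base64 still holds the encoded password, and the
	   parsed arguments still hold it in clear; whether
	   client_auth_begin() copies or clears its input is not visible
	   from this function. */
	return client_auth_begin(client, "PLAIN", str_c(base64));
}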