Mercurial > dovecot > original-hg > dovecot-1.2
changeset 8632:5a4fcfde3e91 HEAD
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Thu, 15 Jan 2009 15:52:44 -0500 |
parents | eb63b1a888e5 |
children | 7e4c1d8b2a1a |
files | dovecot-example.conf src/imap-login/client-authenticate.c src/login-common/common.h src/login-common/main.c src/master/listener.c src/master/login-process.c src/master/master-settings-defs.c src/master/master-settings.c src/master/master-settings.h src/master/ssl-init.c src/pop3-login/client-authenticate.c |
diffstat | 11 files changed, 50 insertions(+), 17 deletions(-) [+] |
line wrap: on
line diff
--- a/dovecot-example.conf Thu Jan 15 15:47:12 2009 -0500 +++ b/dovecot-example.conf Thu Jan 15 15:52:44 2009 -0500 @@ -84,8 +84,8 @@ # setting if not specified. #ssl_listen = -# Disable SSL/TLS support. <doc/wiki/SSL> -#ssl_disable = no +# SSL/TLS support: yes, no, required. <doc/wiki/SSL> +#ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but
--- a/src/imap-login/client-authenticate.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/imap-login/client-authenticate.c Thu Jan 15 15:52:44 2009 -0500 @@ -347,6 +347,18 @@ init_resp = IMAP_ARG_STR(&args[1]); } + if (!client->common.secured && ssl_required) { + if (verbose_auth) { + client_syslog(&client->common, "Login failed: " + "SSL required for authentication"); + } + client->common.auth_attempts++; + client_send_tagline(client, + "NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] " + "Authentication not allowed until SSL/TLS is enabled."); + return 1; + } + mech_name = IMAP_ARG_STR(&args[0]); if (*mech_name == '\0') return -1;
--- a/src/login-common/common.h Thu Jan 15 15:47:12 2009 -0500 +++ b/src/login-common/common.h Thu Jan 15 15:52:44 2009 -0500 @@ -15,7 +15,7 @@ extern bool disable_plaintext_auth, process_per_connection; extern bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug; -extern bool ssl_require_client_cert; +extern bool ssl_required, ssl_require_client_cert; extern const char *greeting, *log_format; extern const char *const *log_format_elements; extern const char *capability_string;
--- a/src/login-common/main.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/login-common/main.c Thu Jan 15 15:52:44 2009 -0500 @@ -21,7 +21,7 @@ bool disable_plaintext_auth, process_per_connection; bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug; -bool ssl_require_client_cert; +bool ssl_required, ssl_require_client_cert; const char *greeting, *log_format; const char *const *log_format_elements; const char *trusted_networks; @@ -315,13 +315,15 @@ lib_signals_set_handler(SIGTERM, TRUE, sig_die, NULL); lib_signals_ignore(SIGPIPE, TRUE); - disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL; process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL; verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL; verbose_ssl = getenv("VERBOSE_SSL") != NULL; verbose_auth = getenv("VERBOSE_AUTH") != NULL; auth_debug = getenv("AUTH_DEBUG") != NULL; + ssl_required = getenv("SSL_REQUIRED") != NULL; ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL; + disable_plaintext_auth = ssl_required || + getenv("DISABLE_PLAINTEXT_AUTH") != NULL; greeting = getenv("GREETING"); if (greeting == NULL)
--- a/src/master/listener.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/master/listener.c Thu Jan 15 15:52:44 2009 -0500 @@ -217,14 +217,14 @@ nonssl_listen = TRUE; } else if (strcasecmp(*proto, "imaps") == 0) { if (set->protocol == MAIL_PROTOCOL_IMAP && - !set->ssl_disable) + strcmp(set->ssl, "no") != 0) ssl_listen = TRUE; } else if (strcasecmp(*proto, "pop3") == 0) { if (set->protocol == MAIL_PROTOCOL_POP3) nonssl_listen = TRUE; } else if (strcasecmp(*proto, "pop3s") == 0) { if (set->protocol == MAIL_PROTOCOL_POP3 && - !set->ssl_disable) + strcmp(set->ssl, "no") != 0) ssl_listen = TRUE; } }
--- a/src/master/login-process.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/master/login-process.c Thu Jan 15 15:52:44 2009 -0500 @@ -549,7 +549,7 @@ env_put("DOVECOT_MASTER=1"); - if (!set->ssl_disable) { + if (strcmp(set->ssl, "no") != 0) { const char *ssl_key_password; ssl_key_password = *set->ssl_key_password != '\0' ? @@ -559,6 +559,8 @@ env_put(t_strconcat("SSL_CA_FILE=", set->ssl_ca_file, NULL)); } + if (strcmp(set->ssl, "required") == 0) + env_put("SSL_REQUIRED=1"); env_put(t_strconcat("SSL_CERT_FILE=", set->ssl_cert_file, NULL)); env_put(t_strconcat("SSL_KEY_FILE=",
--- a/src/master/master-settings-defs.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/master/master-settings-defs.c Thu Jan 15 15:52:44 2009 -0500 @@ -20,7 +20,7 @@ DEF_STR(listen), DEF_STR(ssl_listen), - DEF_BOOL(ssl_disable), + DEF_STR(ssl), DEF_STR(ssl_ca_file), DEF_STR(ssl_cert_file), DEF_STR(ssl_key_file),
--- a/src/master/master-settings.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/master/master-settings.c Thu Jan 15 15:52:44 2009 -0500 @@ -182,7 +182,7 @@ MEMBER(listen) "*", MEMBER(ssl_listen) "", - MEMBER(ssl_disable) FALSE, + MEMBER(ssl) "yes", MEMBER(ssl_ca_file) "", MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem", MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem", @@ -846,8 +846,14 @@ return FALSE; } + if (strcmp(set->ssl, "no") != 0 && + strcmp(set->ssl, "yes") != 0 && + strcmp(set->ssl, "required") != 0) { + i_error("ssl setting: Invalid value: %s", set->ssl); + return FALSE; + } #ifdef HAVE_SSL - if (!set->ssl_disable) { + if (strcmp(set->ssl, "no") != 0) { if (*set->ssl_ca_file != '\0' && access(set->ssl_ca_file, R_OK) < 0) { i_fatal("Can't use SSL CA file %s: %m", @@ -867,16 +873,16 @@ } } #else - if (!set->ssl_disable) { - i_error("SSL support not compiled in but ssl_disable=no"); + if (strcmp(set->ssl, "no") != 0) { + i_error("SSL support not compiled in but ssl=%s", set->ssl); return FALSE; } #endif - if (set->ssl_disable && set->disable_plaintext_auth && + if (strcmp(set->ssl, "no") == 0 && set->disable_plaintext_auth && strncmp(set->listen, "127.", 4) != 0 && !settings_have_nonplaintext_auths(set)) { i_warning("There is no way to login to this server: " - "disable_plaintext_auth=yes, ssl_disable=yes, " + "disable_plaintext_auth=yes, ssl=no, " "no non-plaintext auth mechanisms."); }
--- a/src/master/master-settings.h Thu Jan 15 15:47:12 2009 -0500 +++ b/src/master/master-settings.h Thu Jan 15 15:52:44 2009 -0500 @@ -34,7 +34,7 @@ const char *listen; const char *ssl_listen; - bool ssl_disable; + const char *ssl; const char *ssl_ca_file; const char *ssl_cert_file; const char *ssl_key_file;
--- a/src/master/ssl-init.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/master/ssl-init.c Thu Jan 15 15:52:44 2009 -0500 @@ -86,7 +86,7 @@ struct stat st, st2; time_t regen_time; - if (set->ssl_disable) + if (strcmp(set->ssl, "no") == 0) return TRUE; path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL);
--- a/src/pop3-login/client-authenticate.c Thu Jan 15 15:47:12 2009 -0500 +++ b/src/pop3-login/client-authenticate.c Thu Jan 15 15:52:44 2009 -0500 @@ -270,6 +270,17 @@ const struct auth_mech_desc *mech; const char *mech_name, *p; + if (!client->common.secured && ssl_required) { + if (verbose_auth) { + client_syslog(&client->common, "Login failed: " + "SSL required for authentication"); + } + client->common.auth_attempts++; + client_send_line(client, "-ERR Authentication not allowed " + "until SSL/TLS is enabled."); + return TRUE; + } + if (*args == '\0') { /* Old-style SASL discovery, used by MS Outlook */ unsigned int i, count;