changeset 8632:5a4fcfde3e91 HEAD

Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
author Timo Sirainen <tss@iki.fi>
date Thu, 15 Jan 2009 15:52:44 -0500
parents eb63b1a888e5
children 7e4c1d8b2a1a
files dovecot-example.conf src/imap-login/client-authenticate.c src/login-common/common.h src/login-common/main.c src/master/listener.c src/master/login-process.c src/master/master-settings-defs.c src/master/master-settings.c src/master/master-settings.h src/master/ssl-init.c src/pop3-login/client-authenticate.c
diffstat 11 files changed, 50 insertions(+), 17 deletions(-) [+]
--- a/dovecot-example.conf	Thu Jan 15 15:47:12 2009 -0500
+++ b/dovecot-example.conf	Thu Jan 15 15:52:44 2009 -0500
@@ -84,8 +84,8 @@
 # setting if not specified.
 #ssl_listen =
 
-# Disable SSL/TLS support. <doc/wiki/SSL>
-#ssl_disable = no
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL>
+#ssl = yes
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
--- a/src/imap-login/client-authenticate.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/imap-login/client-authenticate.c	Thu Jan 15 15:52:44 2009 -0500
@@ -347,6 +347,18 @@
 		init_resp = IMAP_ARG_STR(&args[1]);
 	}
 
+	if (!client->common.secured && ssl_required) {
+		if (verbose_auth) {
+			client_syslog(&client->common, "Login failed: "
+				      "SSL required for authentication");
+		}
+		client->common.auth_attempts++;
+		client_send_tagline(client,
+			"NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] "
+			"Authentication not allowed until SSL/TLS is enabled.");
+		return 1;
+	}
+
 	mech_name = IMAP_ARG_STR(&args[0]);
 	if (*mech_name == '\0')
 		return -1;
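Review bot: The added guard keys on `client->common.secured`, not on whether TLS was actually negotiated. Where that flag is set is outside this hunk, so if it is also raised for peers the server treats as trusted (local addresses or the trusted-networks list), `ssl=required` would not enforce TLS for them; that should be confirmed or documented. The rejection is logged only under `verbose_auth`, so by default cleartext authentication attempts against an ssl=required server leave no log trace. A comment above the block would record the intent, e.g. `/* ssl=required: refuse every mechanism, not only plaintext ones, until the connection is secured */`. The enclosing function starts and ends outside the hunk.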
--- a/src/login-common/common.h	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/login-common/common.h	Thu Jan 15 15:52:44 2009 -0500
@@ -15,7 +15,7 @@
 
 extern bool disable_plaintext_auth, process_per_connection;
 extern bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-extern bool ssl_require_client_cert;
+extern bool ssl_required, ssl_require_client_cert;
 extern const char *greeting, *log_format;
 extern const char *const *log_format_elements;
 extern const char *capability_string;
--- a/src/login-common/main.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/login-common/main.c	Thu Jan 15 15:52:44 2009 -0500
@@ -21,7 +21,7 @@
 
 bool disable_plaintext_auth, process_per_connection;
 bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-bool ssl_require_client_cert;
+bool ssl_required, ssl_require_client_cert;
 const char *greeting, *log_format;
 const char *const *log_format_elements;
 const char *trusted_networks;
@@ -315,13 +315,15 @@
         lib_signals_set_handler(SIGTERM, TRUE, sig_die, NULL);
         lib_signals_ignore(SIGPIPE, TRUE);
 
-	disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
 	process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
 	verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
         verbose_ssl = getenv("VERBOSE_SSL") != NULL;
         verbose_auth = getenv("VERBOSE_AUTH") != NULL;
         auth_debug = getenv("AUTH_DEBUG") != NULL;
+	ssl_required = getenv("SSL_REQUIRED") != NULL;
 	ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+	disable_plaintext_auth = ssl_required ||
+		getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
 
 	greeting = getenv("GREETING");
 	if (greeting == NULL)
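Review bot: Nothing marks that `disable_plaintext_auth` must now be assigned after `ssl_required`, so a later tidy-up of this getenv() list could silently drop the implication. A comment on the new assignment would pin it, e.g. `/* ssl=required implies disable_plaintext_auth; must follow ssl_required */`. Only the login process applies this override: `set->disable_plaintext_auth` on the master side keeps its configured value, so any other consumer of that setting (none is visible here) would not see it forced on. The function continues outside the hunk.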
--- a/src/master/listener.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/listener.c	Thu Jan 15 15:52:44 2009 -0500
@@ -217,14 +217,14 @@
 				nonssl_listen = TRUE;
 		} else if (strcasecmp(*proto, "imaps") == 0) {
 			if (set->protocol == MAIL_PROTOCOL_IMAP &&
-			    !set->ssl_disable)
+			    strcmp(set->ssl, "no") != 0)
 				ssl_listen = TRUE;
 		} else if (strcasecmp(*proto, "pop3") == 0) {
 			if (set->protocol == MAIL_PROTOCOL_POP3)
 				nonssl_listen = TRUE;
 		} else if (strcasecmp(*proto, "pop3s") == 0) {
 			if (set->protocol == MAIL_PROTOCOL_POP3 &&
-			    !set->ssl_disable)
+			    strcmp(set->ssl, "no") != 0)
 				ssl_listen = TRUE;
 		}
 	}
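Review bot: The meaning of the ssl setting is now spread across raw string comparisons: `strcmp(set->ssl, "no") != 0` appears twice here and again in src/master/login-process.c, src/master/master-settings.c and src/master/ssl-init.c, with `strcmp(set->ssl, "required") == 0` in login-process.c. Every site treats any value other than "no" as enabled, so correctness depends on the validation in master-settings.c having run first. Parsing the string once during settings verification into an enum or a pair of booleans would make that dependency explicit and remove the repeated literals.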
--- a/src/master/login-process.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/login-process.c	Thu Jan 15 15:52:44 2009 -0500
@@ -549,7 +549,7 @@
 
 	env_put("DOVECOT_MASTER=1");
 
-	if (!set->ssl_disable) {
+	if (strcmp(set->ssl, "no") != 0) {
 		const char *ssl_key_password;
 
 		ssl_key_password = *set->ssl_key_password != '\0' ?
@@ -559,6 +559,8 @@
 			env_put(t_strconcat("SSL_CA_FILE=",
 					    set->ssl_ca_file, NULL));
 		}
+		if (strcmp(set->ssl, "required") == 0)
+			env_put("SSL_REQUIRED=1");
 		env_put(t_strconcat("SSL_CERT_FILE=",
 				    set->ssl_cert_file, NULL));
 		env_put(t_strconcat("SSL_KEY_FILE=",
--- a/src/master/master-settings-defs.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings-defs.c	Thu Jan 15 15:52:44 2009 -0500
@@ -20,7 +20,7 @@
 	DEF_STR(listen),
 	DEF_STR(ssl_listen),
 
-	DEF_BOOL(ssl_disable),
+	DEF_STR(ssl),
 	DEF_STR(ssl_ca_file),
 	DEF_STR(ssl_cert_file),
 	DEF_STR(ssl_key_file),
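Review bot: Dropping `DEF_BOOL(ssl_disable)` leaves configurations that still set `ssl_disable` without a migration path, as no alias is visible in this changeset. How the parser treats an unknown key is not shown here, but it would presumably either refuse to start or ignore the line, and in the second case `ssl` silently takes its default of "yes". Either accept the old name for a release, mapping `ssl_disable=yes` to `ssl=no` with a deprecation warning, or call out the rename in the upgrade notes.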
--- a/src/master/master-settings.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings.c	Thu Jan 15 15:52:44 2009 -0500
@@ -182,7 +182,7 @@
 	MEMBER(listen) "*",
 	MEMBER(ssl_listen) "",
 
-	MEMBER(ssl_disable) FALSE,
+	MEMBER(ssl) "yes",
 	MEMBER(ssl_ca_file) "",
 	MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
 	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
@@ -846,8 +846,14 @@
 		return FALSE;
 	}
 
+	if (strcmp(set->ssl, "no") != 0 &&
+	    strcmp(set->ssl, "yes") != 0 &&
+	    strcmp(set->ssl, "required") != 0) {
+		i_error("ssl setting: Invalid value: %s", set->ssl);
+		return FALSE;
+	}
 #ifdef HAVE_SSL
-	if (!set->ssl_disable) {
+	if (strcmp(set->ssl, "no") != 0) {
 		if (*set->ssl_ca_file != '\0' &&
 		    access(set->ssl_ca_file, R_OK) < 0) {
 			i_fatal("Can't use SSL CA file %s: %m",
@@ -867,16 +873,16 @@
 		}
 	}
 #else
-	if (!set->ssl_disable) {
-		i_error("SSL support not compiled in but ssl_disable=no");
+	if (strcmp(set->ssl, "no") != 0) {
+		i_error("SSL support not compiled in but ssl=%s", set->ssl);
 		return FALSE;
 	}
 #endif
-	if (set->ssl_disable && set->disable_plaintext_auth &&
+	if (strcmp(set->ssl, "no") == 0 && set->disable_plaintext_auth &&
 	    strncmp(set->listen, "127.", 4) != 0 &&
 	    !settings_have_nonplaintext_auths(set)) {
 		i_warning("There is no way to login to this server: "
-			  "disable_plaintext_auth=yes, ssl_disable=yes, "
+			  "disable_plaintext_auth=yes, ssl=no, "
 			  "no non-plaintext auth mechanisms.");
 	}
 
--- a/src/master/master-settings.h	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings.h	Thu Jan 15 15:52:44 2009 -0500
@@ -34,7 +34,7 @@
 	const char *listen;
 	const char *ssl_listen;
 
-	bool ssl_disable;
+	const char *ssl;
 	const char *ssl_ca_file;
 	const char *ssl_cert_file;
 	const char *ssl_key_file;
--- a/src/master/ssl-init.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/ssl-init.c	Thu Jan 15 15:52:44 2009 -0500
@@ -86,7 +86,7 @@
 	struct stat st, st2;
 	time_t regen_time;
 
-	if (set->ssl_disable)
+	if (strcmp(set->ssl, "no") == 0)
 		return TRUE;
 
 	path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL);
--- a/src/pop3-login/client-authenticate.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/pop3-login/client-authenticate.c	Thu Jan 15 15:52:44 2009 -0500
@@ -270,6 +270,17 @@
 	const struct auth_mech_desc *mech;
 	const char *mech_name, *p;
 
+	if (!client->common.secured && ssl_required) {
+		if (verbose_auth) {
+			client_syslog(&client->common, "Login failed: "
+				      "SSL required for authentication");
+		}
+		client->common.auth_attempts++;
+		client_send_line(client, "-ERR Authentication not allowed "
+				 "until SSL/TLS is enabled.");
+		return TRUE;
+	}
+
 	if (*args == '\0') {
 		/* Old-style SASL discovery, used by MS Outlook */
 		unsigned int i, count;
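Review bot: The new check sits above the `*args == '\0'` branch, so a bare AUTH used for old-style SASL discovery (the Outlook case in the context lines) is now answered with `-ERR` and counted in `auth_attempts`, although no credentials were offered. If discovery should remain available before TLS is started, move the guard below that branch; if it is refused on purpose, a comment saying so would make the intent clear. The block also duplicates the one in src/imap-login/client-authenticate.c apart from the reply call, so a shared login-common helper for the log line and counter would keep the two from drifting. The function body continues outside the hunk.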