dovecot-1.2: Renamed "ssl_disable" setting to "ssl". Added suppo...

dovecot at dovecot.org dovecot at dovecot.org
Thu Jan 15 22:52:48 EET 2009 

details:   http://hg.dovecot.org/dovecot-1.2/rev/5a4fcfde3e91
changeset: 8632:5a4fcfde3e91
user:      Timo Sirainen <tss at iki.fi>
date:      Thu Jan 15 15:52:44 2009 -0500
description:
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.

diffstat:

11 files changed, 50 insertions(+), 17 deletions(-)
dovecot-example.conf                 |    4 ++--
src/imap-login/client-authenticate.c |   12 ++++++++++++
src/login-common/common.h            |    2 +-
src/login-common/main.c              |    6 ++++--
src/master/listener.c                |    4 ++--
src/master/login-process.c           |    4 +++-
src/master/master-settings-defs.c    |    2 +-
src/master/master-settings.c         |   18 ++++++++++++------
src/master/master-settings.h         |    2 +-
src/master/ssl-init.c                |    2 +-
src/pop3-login/client-authenticate.c |   11 +++++++++++

diffs (224 lines):

diff -r eb63b1a888e5 -r 5a4fcfde3e91 dovecot-example.conf
--- a/dovecot-example.conf	Thu Jan 15 15:47:12 2009 -0500
+++ b/dovecot-example.conf	Thu Jan 15 15:52:44 2009 -0500
@@ -84,8 +84,8 @@
 # setting if not specified.
 #ssl_listen =
 
-# Disable SSL/TLS support. <doc/wiki/SSL>
-#ssl_disable = no
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL>
+#ssl = yes
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/imap-login/client-authenticate.c	Thu Jan 15 15:52:44 2009 -0500
@@ -347,6 +347,18 @@ int cmd_authenticate(struct imap_client 
 		init_resp = IMAP_ARG_STR(&args[1]);
 	}
 
+	if (!client->common.secured && ssl_required) {
+		if (verbose_auth) {
+			client_syslog(&client->common, "Login failed: "
+				      "SSL required for authentication");
+		}
+		client->common.auth_attempts++;
+		client_send_tagline(client,
+			"NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] "
+			"Authentication not allowed until SSL/TLS is enabled.");
+		return 1;
+	}
+
 	mech_name = IMAP_ARG_STR(&args[0]);
 	if (*mech_name == '\0')
 		return -1;
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/login-common/common.h
--- a/src/login-common/common.h	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/login-common/common.h	Thu Jan 15 15:52:44 2009 -0500
@@ -15,7 +15,7 @@ extern const char *login_protocol;
 
 extern bool disable_plaintext_auth, process_per_connection;
 extern bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-extern bool ssl_require_client_cert;
+extern bool ssl_required, ssl_require_client_cert;
 extern const char *greeting, *log_format;
 extern const char *const *log_format_elements;
 extern const char *capability_string;
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/login-common/main.c
--- a/src/login-common/main.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/login-common/main.c	Thu Jan 15 15:52:44 2009 -0500
@@ -21,7 +21,7 @@
 
 bool disable_plaintext_auth, process_per_connection;
 bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-bool ssl_require_client_cert;
+bool ssl_required, ssl_require_client_cert;
 const char *greeting, *log_format;
 const char *const *log_format_elements;
 const char *trusted_networks;
@@ -315,13 +315,15 @@ static void main_init(void)
         lib_signals_set_handler(SIGTERM, TRUE, sig_die, NULL);
         lib_signals_ignore(SIGPIPE, TRUE);
 
-	disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
 	process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
 	verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
         verbose_ssl = getenv("VERBOSE_SSL") != NULL;
         verbose_auth = getenv("VERBOSE_AUTH") != NULL;
         auth_debug = getenv("AUTH_DEBUG") != NULL;
+	ssl_required = getenv("SSL_REQUIRED") != NULL;
 	ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+	disable_plaintext_auth = ssl_required ||
+		getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
 
 	greeting = getenv("GREETING");
 	if (greeting == NULL)
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/listener.c
--- a/src/master/listener.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/listener.c	Thu Jan 15 15:52:44 2009 -0500
@@ -217,14 +217,14 @@ static void listen_parse_and_close_unnee
 				nonssl_listen = TRUE;
 		} else if (strcasecmp(*proto, "imaps") == 0) {
 			if (set->protocol == MAIL_PROTOCOL_IMAP &&
-			    !set->ssl_disable)
+			    strcmp(set->ssl, "no") != 0)
 				ssl_listen = TRUE;
 		} else if (strcasecmp(*proto, "pop3") == 0) {
 			if (set->protocol == MAIL_PROTOCOL_POP3)
 				nonssl_listen = TRUE;
 		} else if (strcasecmp(*proto, "pop3s") == 0) {
 			if (set->protocol == MAIL_PROTOCOL_POP3 &&
-			    !set->ssl_disable)
+			    strcmp(set->ssl, "no") != 0)
 				ssl_listen = TRUE;
 		}
 	}
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/login-process.c
--- a/src/master/login-process.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/login-process.c	Thu Jan 15 15:52:44 2009 -0500
@@ -549,7 +549,7 @@ static void login_process_init_env(struc
 
 	env_put("DOVECOT_MASTER=1");
 
-	if (!set->ssl_disable) {
+	if (strcmp(set->ssl, "no") != 0) {
 		const char *ssl_key_password;
 
 		ssl_key_password = *set->ssl_key_password != '\0' ?
@@ -559,6 +559,8 @@ static void login_process_init_env(struc
 			env_put(t_strconcat("SSL_CA_FILE=",
 					    set->ssl_ca_file, NULL));
 		}
+		if (strcmp(set->ssl, "required") == 0)
+			env_put("SSL_REQUIRED=1");
 		env_put(t_strconcat("SSL_CERT_FILE=",
 				    set->ssl_cert_file, NULL));
 		env_put(t_strconcat("SSL_KEY_FILE=",
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/master-settings-defs.c
--- a/src/master/master-settings-defs.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings-defs.c	Thu Jan 15 15:52:44 2009 -0500
@@ -20,7 +20,7 @@ static struct setting_def setting_defs[]
 	DEF_STR(listen),
 	DEF_STR(ssl_listen),
 
-	DEF_BOOL(ssl_disable),
+	DEF_STR(ssl),
 	DEF_STR(ssl_ca_file),
 	DEF_STR(ssl_cert_file),
 	DEF_STR(ssl_key_file),
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/master-settings.c
--- a/src/master/master-settings.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings.c	Thu Jan 15 15:52:44 2009 -0500
@@ -182,7 +182,7 @@ struct settings default_settings = {
 	MEMBER(listen) "*",
 	MEMBER(ssl_listen) "",
 
-	MEMBER(ssl_disable) FALSE,
+	MEMBER(ssl) "yes",
 	MEMBER(ssl_ca_file) "",
 	MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
 	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
@@ -846,8 +846,14 @@ static bool settings_verify(struct setti
 		return FALSE;
 	}
 
+	if (strcmp(set->ssl, "no") != 0 &&
+	    strcmp(set->ssl, "yes") != 0 &&
+	    strcmp(set->ssl, "required") != 0) {
+		i_error("ssl setting: Invalid value: %s", set->ssl);
+		return FALSE;
+	}
 #ifdef HAVE_SSL
-	if (!set->ssl_disable) {
+	if (strcmp(set->ssl, "no") != 0) {
 		if (*set->ssl_ca_file != '\0' &&
 		    access(set->ssl_ca_file, R_OK) < 0) {
 			i_fatal("Can't use SSL CA file %s: %m",
@@ -867,16 +873,16 @@ static bool settings_verify(struct setti
 		}
 	}
 #else
-	if (!set->ssl_disable) {
-		i_error("SSL support not compiled in but ssl_disable=no");
+	if (strcmp(set->ssl, "no") != 0) {
+		i_error("SSL support not compiled in but ssl=%s", set->ssl);
 		return FALSE;
 	}
 #endif
-	if (set->ssl_disable && set->disable_plaintext_auth &&
+	if (strcmp(set->ssl, "no") == 0 && set->disable_plaintext_auth &&
 	    strncmp(set->listen, "127.", 4) != 0 &&
 	    !settings_have_nonplaintext_auths(set)) {
 		i_warning("There is no way to login to this server: "
-			  "disable_plaintext_auth=yes, ssl_disable=yes, "
+			  "disable_plaintext_auth=yes, ssl=no, "
 			  "no non-plaintext auth mechanisms.");
 	}
 
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/master-settings.h
--- a/src/master/master-settings.h	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings.h	Thu Jan 15 15:52:44 2009 -0500
@@ -34,7 +34,7 @@ struct settings {
 	const char *listen;
 	const char *ssl_listen;
 
-	bool ssl_disable;
+	const char *ssl;
 	const char *ssl_ca_file;
 	const char *ssl_cert_file;
 	const char *ssl_key_file;
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/ssl-init.c
--- a/src/master/ssl-init.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/ssl-init.c	Thu Jan 15 15:52:44 2009 -0500
@@ -86,7 +86,7 @@ static bool check_parameters_file_set(st
 	struct stat st, st2;
 	time_t regen_time;
 
-	if (set->ssl_disable)
+	if (strcmp(set->ssl, "no") == 0)
 		return TRUE;
 
 	path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL);
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c	Thu Jan 15 15:47:12 2009 -0500
+++ b/src/pop3-login/client-authenticate.c	Thu Jan 15 15:52:44 2009 -0500
@@ -270,6 +270,17 @@ bool cmd_auth(struct pop3_client *client
 	const struct auth_mech_desc *mech;
 	const char *mech_name, *p;
 
+	if (!client->common.secured && ssl_required) {
+		if (verbose_auth) {
+			client_syslog(&client->common, "Login failed: "
+				      "SSL required for authentication");
+		}
+		client->common.auth_attempts++;
+		client_send_line(client, "-ERR Authentication not allowed "
+				 "until SSL/TLS is enabled.");
+		return TRUE;
+	}
+
 	if (*args == '\0') {
 		/* Old-style SASL discovery, used by MS Outlook */
 		unsigned int i, count;

More information about the dovecot-cvs mailing list