dovecot-1.2: Renamed "ssl_disable" setting to "ssl". Added suppo...
dovecot at dovecot.org
dovecot at dovecot.org
Thu Jan 15 22:52:48 EET 2009
details: http://hg.dovecot.org/dovecot-1.2/rev/5a4fcfde3e91
changeset: 8632:5a4fcfde3e91
user: Timo Sirainen <tss at iki.fi>
date: Thu Jan 15 15:52:44 2009 -0500
description:
Renamed "ssl_disable" setting to "ssl". Added support for ssl=required.
diffstat:
11 files changed, 50 insertions(+), 17 deletions(-)
dovecot-example.conf | 4 ++--
src/imap-login/client-authenticate.c | 12 ++++++++++++
src/login-common/common.h | 2 +-
src/login-common/main.c | 6 ++++--
src/master/listener.c | 4 ++--
src/master/login-process.c | 4 +++-
src/master/master-settings-defs.c | 2 +-
src/master/master-settings.c | 18 ++++++++++++------
src/master/master-settings.h | 2 +-
src/master/ssl-init.c | 2 +-
src/pop3-login/client-authenticate.c | 11 +++++++++++
diffs (224 lines):
diff -r eb63b1a888e5 -r 5a4fcfde3e91 dovecot-example.conf
--- a/dovecot-example.conf Thu Jan 15 15:47:12 2009 -0500
+++ b/dovecot-example.conf Thu Jan 15 15:52:44 2009 -0500
@@ -84,8 +84,8 @@
# setting if not specified.
#ssl_listen =
-# Disable SSL/TLS support. <doc/wiki/SSL>
-#ssl_disable = no
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL>
+#ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/imap-login/client-authenticate.c
--- a/src/imap-login/client-authenticate.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/imap-login/client-authenticate.c Thu Jan 15 15:52:44 2009 -0500
@@ -347,6 +347,18 @@ int cmd_authenticate(struct imap_client
init_resp = IMAP_ARG_STR(&args[1]);
}
+ if (!client->common.secured && ssl_required) {
+ if (verbose_auth) {
+ client_syslog(&client->common, "Login failed: "
+ "SSL required for authentication");
+ }
+ client->common.auth_attempts++;
+ client_send_tagline(client,
+ "NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] "
+ "Authentication not allowed until SSL/TLS is enabled.");
+ return 1;
+ }
+
mech_name = IMAP_ARG_STR(&args[0]);
if (*mech_name == '\0')
return -1;
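Review bot: Only the AUTHENTICATE path is guarded by the new `!client->common.secured && ssl_required` check; the LOGIN command is presumably covered because src/login-common/main.c in this changeset sets disable_plaintext_auth whenever ssl_required is set, and that is worth confirming against cmd_login, since otherwise ssl=required would not block credentials sent on an unsecured connection. The same block, differing only in the response line and the return value, is added to cmd_auth in src/pop3-login/client-authenticate.c; a helper in login-common (where ssl_required is now declared) that does the verbose_auth logging and the auth_attempts increment and returns whether authentication must be refused would keep the two in step. cmd_authenticate starts outside the hunk.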
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/login-common/common.h
--- a/src/login-common/common.h Thu Jan 15 15:47:12 2009 -0500
+++ b/src/login-common/common.h Thu Jan 15 15:52:44 2009 -0500
@@ -15,7 +15,7 @@ extern const char *login_protocol;
extern bool disable_plaintext_auth, process_per_connection;
extern bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-extern bool ssl_require_client_cert;
+extern bool ssl_required, ssl_require_client_cert;
extern const char *greeting, *log_format;
extern const char *const *log_format_elements;
extern const char *capability_string;
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/login-common/main.c
--- a/src/login-common/main.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/login-common/main.c Thu Jan 15 15:52:44 2009 -0500
@@ -21,7 +21,7 @@
bool disable_plaintext_auth, process_per_connection;
bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-bool ssl_require_client_cert;
+bool ssl_required, ssl_require_client_cert;
const char *greeting, *log_format;
const char *const *log_format_elements;
const char *trusted_networks;
@@ -315,13 +315,15 @@ static void main_init(void)
lib_signals_set_handler(SIGTERM, TRUE, sig_die, NULL);
lib_signals_ignore(SIGPIPE, TRUE);
- disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
verbose_ssl = getenv("VERBOSE_SSL") != NULL;
verbose_auth = getenv("VERBOSE_AUTH") != NULL;
auth_debug = getenv("AUTH_DEBUG") != NULL;
+ ssl_required = getenv("SSL_REQUIRED") != NULL;
ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+ disable_plaintext_auth = ssl_required ||
+ getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
greeting = getenv("GREETING");
if (greeting == NULL)
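Review bot: `disable_plaintext_auth = ssl_required || getenv("DISABLE_PLAINTEXT_AUTH") != NULL;` makes ssl=required imply disable_plaintext_auth, which is presumably what refuses plaintext mechanisms on unsecured connections, yet neither this line nor the new dovecot-example.conf text mentions the coupling. A one-line comment here, `/* ssl=required implies disable_plaintext_auth: no plaintext mechanisms until the connection is secured */`, plus a matching sentence in the example config comment would document it. Moving the assignment below the ssl_required line is required for this to work, so that ordering should not be "tidied" later. main_init starts and ends outside the hunk.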
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/listener.c
--- a/src/master/listener.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/listener.c Thu Jan 15 15:52:44 2009 -0500
@@ -217,14 +217,14 @@ static void listen_parse_and_close_unnee
nonssl_listen = TRUE;
} else if (strcasecmp(*proto, "imaps") == 0) {
if (set->protocol == MAIL_PROTOCOL_IMAP &&
- !set->ssl_disable)
+ strcmp(set->ssl, "no") != 0)
ssl_listen = TRUE;
} else if (strcasecmp(*proto, "pop3") == 0) {
if (set->protocol == MAIL_PROTOCOL_POP3)
nonssl_listen = TRUE;
} else if (strcasecmp(*proto, "pop3s") == 0) {
if (set->protocol == MAIL_PROTOCOL_POP3 &&
- !set->ssl_disable)
+ strcmp(set->ssl, "no") != 0)
ssl_listen = TRUE;
}
}
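Review bot: The setting is compared as a raw string at both `strcmp(set->ssl, "no") != 0` sites in this hunk, and the same comparison is repeated in src/master/login-process.c, src/master/master-settings.c and src/master/ssl-init.c, with `strcmp(set->ssl, "required") == 0` in login-process.c deciding whether SSL_REQUIRED reaches the login processes at all. Because settings_verify now rejects anything but the three exact spellings the sites agree today, but a later relaxation (say accepting `ssl = Required`) applied to the validation only would pass settings_verify yet leave SSL_REQUIRED unset. Parsing the value once in settings_verify into an enum field, or a small `static inline bool ssl_enabled(const struct settings *set)` helper in master-settings.h used by all four files, would keep the check in one place. The enclosing function starts outside the hunk.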
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/login-process.c
--- a/src/master/login-process.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/login-process.c Thu Jan 15 15:52:44 2009 -0500
@@ -549,7 +549,7 @@ static void login_process_init_env(struc
env_put("DOVECOT_MASTER=1");
- if (!set->ssl_disable) {
+ if (strcmp(set->ssl, "no") != 0) {
const char *ssl_key_password;
ssl_key_password = *set->ssl_key_password != '\0' ?
@@ -559,6 +559,8 @@ static void login_process_init_env(struc
env_put(t_strconcat("SSL_CA_FILE=",
set->ssl_ca_file, NULL));
}
+ if (strcmp(set->ssl, "required") == 0)
+ env_put("SSL_REQUIRED=1");
env_put(t_strconcat("SSL_CERT_FILE=",
set->ssl_cert_file, NULL));
env_put(t_strconcat("SSL_KEY_FILE=",
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/master-settings-defs.c
--- a/src/master/master-settings-defs.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings-defs.c Thu Jan 15 15:52:44 2009 -0500
@@ -20,7 +20,7 @@ static struct setting_def setting_defs[]
DEF_STR(listen),
DEF_STR(ssl_listen),
- DEF_BOOL(ssl_disable),
+ DEF_STR(ssl),
DEF_STR(ssl_ca_file),
DEF_STR(ssl_cert_file),
DEF_STR(ssl_key_file),
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/master-settings.c
--- a/src/master/master-settings.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings.c Thu Jan 15 15:52:44 2009 -0500
@@ -182,7 +182,7 @@ struct settings default_settings = {
MEMBER(listen) "*",
MEMBER(ssl_listen) "",
- MEMBER(ssl_disable) FALSE,
+ MEMBER(ssl) "yes",
MEMBER(ssl_ca_file) "",
MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
@@ -846,8 +846,14 @@ static bool settings_verify(struct setti
return FALSE;
}
+ if (strcmp(set->ssl, "no") != 0 &&
+ strcmp(set->ssl, "yes") != 0 &&
+ strcmp(set->ssl, "required") != 0) {
+ i_error("ssl setting: Invalid value: %s", set->ssl);
+ return FALSE;
+ }
#ifdef HAVE_SSL
- if (!set->ssl_disable) {
+ if (strcmp(set->ssl, "no") != 0) {
if (*set->ssl_ca_file != '\0' &&
access(set->ssl_ca_file, R_OK) < 0) {
i_fatal("Can't use SSL CA file %s: %m",
@@ -867,16 +873,16 @@ static bool settings_verify(struct setti
}
}
#else
- if (!set->ssl_disable) {
- i_error("SSL support not compiled in but ssl_disable=no");
+ if (strcmp(set->ssl, "no") != 0) {
+ i_error("SSL support not compiled in but ssl=%s", set->ssl);
return FALSE;
}
#endif
- if (set->ssl_disable && set->disable_plaintext_auth &&
+ if (strcmp(set->ssl, "no") == 0 && set->disable_plaintext_auth &&
strncmp(set->listen, "127.", 4) != 0 &&
!settings_have_nonplaintext_auths(set)) {
i_warning("There is no way to login to this server: "
- "disable_plaintext_auth=yes, ssl_disable=yes, "
+ "disable_plaintext_auth=yes, ssl=no, "
"no non-plaintext auth mechanisms.");
}
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/master-settings.h
--- a/src/master/master-settings.h Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/master-settings.h Thu Jan 15 15:52:44 2009 -0500
@@ -34,7 +34,7 @@ struct settings {
const char *listen;
const char *ssl_listen;
- bool ssl_disable;
+ const char *ssl;
const char *ssl_ca_file;
const char *ssl_cert_file;
const char *ssl_key_file;
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/master/ssl-init.c
--- a/src/master/ssl-init.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/master/ssl-init.c Thu Jan 15 15:52:44 2009 -0500
@@ -86,7 +86,7 @@ static bool check_parameters_file_set(st
struct stat st, st2;
time_t regen_time;
- if (set->ssl_disable)
+ if (strcmp(set->ssl, "no") == 0)
return TRUE;
path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL);
diff -r eb63b1a888e5 -r 5a4fcfde3e91 src/pop3-login/client-authenticate.c
--- a/src/pop3-login/client-authenticate.c Thu Jan 15 15:47:12 2009 -0500
+++ b/src/pop3-login/client-authenticate.c Thu Jan 15 15:52:44 2009 -0500
@@ -270,6 +270,17 @@ bool cmd_auth(struct pop3_client *client
const struct auth_mech_desc *mech;
const char *mech_name, *p;
+ if (!client->common.secured && ssl_required) {
+ if (verbose_auth) {
+ client_syslog(&client->common, "Login failed: "
+ "SSL required for authentication");
+ }
+ client->common.auth_attempts++;
+ client_send_line(client, "-ERR Authentication not allowed "
+ "until SSL/TLS is enabled.");
+ return TRUE;
+ }
+
if (*args == '\0') {
/* Old-style SASL discovery, used by MS Outlook */
unsigned int i, count;
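Review bot: The guard runs before the `*args == '\0'` branch below, so with ssl=required an unsecured client receives `-ERR` even for the old-style mechanism discovery that the existing comment says MS Outlook uses, instead of a (possibly empty) mechanism list; if that is intended, a comment such as `/* with ssl=required, refuse AUTH entirely before STLS, including bare AUTH discovery */` would record the decision. The block otherwise mirrors the one added to cmd_authenticate in src/imap-login/client-authenticate.c and is a candidate for a shared login-common helper. cmd_auth continues outside the hunk.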