dovecot-2.2: lmtp: Added support for STARTTLS command.

dovecot at dovecot.org dovecot at dovecot.org
Wed Oct 29 16:59:03 UTC 2014


details:   http://hg.dovecot.org/dovecot-2.2/rev/297192cfbd37
changeset: 18041:297192cfbd37
user:      Timo Sirainen <tss at iki.fi>
date:      Wed Oct 29 09:58:01 2014 -0700
description:
lmtp: Added support for STARTTLS command.

diffstat:

 src/lmtp/Makefile.am |   1 +
 src/lmtp/client.c    |  17 +++++++++++++++++
 src/lmtp/client.h    |   1 +
 src/lmtp/commands.c  |  33 +++++++++++++++++++++++++++++++++
 src/lmtp/commands.h  |   1 +
 src/lmtp/main.c      |   5 +++--
 6 files changed, 56 insertions(+), 2 deletions(-)

diffs (161 lines):

diff -r 0393f550fd82 -r 297192cfbd37 src/lmtp/Makefile.am
--- a/src/lmtp/Makefile.am	Tue Oct 28 17:15:31 2014 -0700
+++ b/src/lmtp/Makefile.am	Wed Oct 29 09:58:01 2014 -0700
@@ -11,6 +11,7 @@
 	-I$(top_srcdir)/src/lib-index \
 	-I$(top_srcdir)/src/lib-master \
 	-I$(top_srcdir)/src/lib-lda \
+	-I$(top_srcdir)/src/lib-ssl-iostream \
 	-I$(top_srcdir)/src/lib-storage \
 	-I$(top_srcdir)/src/lib-storage/index \
 	-I$(top_srcdir)/src/lib-storage/index/raw
diff -r 0393f550fd82 -r 297192cfbd37 src/lmtp/client.c
--- a/src/lmtp/client.c	Tue Oct 28 17:15:31 2014 -0700
+++ b/src/lmtp/client.c	Wed Oct 29 09:58:01 2014 -0700
@@ -12,7 +12,9 @@
 #include "var-expand.h"
 #include "settings-parser.h"
 #include "master-service.h"
+#include "master-service-ssl.h"
 #include "master-service-settings.h"
+#include "iostream-ssl.h"
 #include "mail-namespace.h"
 #include "mail-storage.h"
 #include "mail-storage-service.h"
@@ -69,6 +71,9 @@
 
 	if (strcmp(cmd, "LHLO") == 0)
 		return cmd_lhlo(client, args);
+	if (strcmp(cmd, "STARTTLS") == 0 &&
+	    master_service_ssl_is_enabled(master_service))
+		return cmd_starttls(client);
 	if (strcmp(cmd, "MAIL") == 0)
 		return cmd_mail(client, args);
 	if (strcmp(cmd, "RCPT") == 0)
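Review bot: The new STARTTLS branch drops `args`, so `STARTTLS anything` is accepted, whereas RFC 3207 §4 requires a `501 5.5.4 Syntax error (no parameters allowed)` reply; gate the call on `*args == '\0'` (assuming the caller normalizes a missing argument to an empty string, which is not visible here) and reply 501 otherwise. The branch is also reachable in every session state, including after MAIL/RCPT with a transaction in progress, and no other command here is refused before TLS, so if the deployment expects TLS to be mandatory nothing enforces it — whether such a policy exists for this service cannot be seen from the hunk. The enclosing dispatch function starts and ends outside the hunk.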
@@ -274,6 +279,8 @@
 		io_remove(&client->io);
 	if (client->to_idle != NULL)
 		timeout_remove(&client->to_idle);
+	if (client->ssl_iostream != NULL)
+		ssl_iostream_destroy(&client->ssl_iostream);
 	i_stream_destroy(&client->input);
 	o_stream_destroy(&client->output);
 
@@ -290,6 +297,16 @@
 
 static const char *client_get_disconnect_reason(struct client *client)
 {
+	const char *err;
+
+	if (client->ssl_iostream != NULL &&
+	    !ssl_iostream_is_handshaked(client->ssl_iostream)) {
+		err = ssl_iostream_get_last_error(client->ssl_iostream);
+		if (err != NULL) {
+			return t_strdup_printf("TLS handshaking failed: %s",
+					       err);
+		}
+	}
 	errno = client->input->stream_errno != 0 ?
 		client->input->stream_errno :
 		client->output->stream_errno;
diff -r 0393f550fd82 -r 297192cfbd37 src/lmtp/client.h
--- a/src/lmtp/client.h	Tue Oct 28 17:15:31 2014 -0700
+++ b/src/lmtp/client.h	Wed Oct 29 09:58:01 2014 -0700
@@ -48,6 +48,7 @@
 	struct io *io;
 	struct istream *input;
 	struct ostream *output;
+	struct ssl_iostream *ssl_iostream;
 
 	struct timeout *to_idle;
 	time_t last_input;
diff -r 0393f550fd82 -r 297192cfbd37 src/lmtp/commands.c
--- a/src/lmtp/commands.c	Tue Oct 28 17:15:31 2014 -0700
+++ b/src/lmtp/commands.c	Wed Oct 29 09:58:01 2014 -0700
@@ -15,6 +15,8 @@
 #include "restrict-access.h"
 #include "settings-parser.h"
 #include "master-service.h"
+#include "master-service-ssl.h"
+#include "iostream-ssl.h"
 #include "rfc822-parser.h"
 #include "message-date.h"
 #include "auth-master.h"
@@ -70,6 +72,9 @@
 
 	client_state_reset(client);
 	client_send_line(client, "250-%s", client->my_domain);
+	if (master_service_ssl_is_enabled(master_service) &&
+	    client->ssl_iostream == NULL)
+		client_send_line(client, "250-STARTTLS");
 	if (client_is_trusted(client))
 		client_send_line(client, "250-XCLIENT ADDR PORT TTL TIMEOUT");
 	client_send_line(client, "250-8BITMIME");
@@ -82,6 +87,34 @@
 	return 0;
 }
 
+int cmd_starttls(struct client *client)
+{
+	struct ostream *plain_output = client->output;
+	const char *error;
+
+	if (client->ssl_iostream != NULL) {
+		o_stream_nsend_str(client->output,
+				   "443 5.5.1 TLS is already active.\r\n");
+		return 0;
+	}
+
+	if (master_service_ssl_init(master_service,
+				    &client->input, &client->output,
+				    &client->ssl_iostream, &error) < 0) {
+		i_error("TLS initialization failed: %s", error);
+		o_stream_nsend_str(client->output,
+			"454 4.7.0 Internal error, TLS not available.\r\n");
+		return 0;
+	}
+	o_stream_nsend_str(plain_output,
+			   "220 2.0.0 Begin TLS negotiation now.\r\n");
+	if (ssl_iostream_handshake(client->ssl_iostream) < 0) {
+		client_destroy(client, NULL, NULL);
+		return -1;
+	}
+	return 0;
+}
+
 static int parse_address(const char *str, const char **address_r,
 			 const char **rest_r)
 {
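Review bot: After `master_service_ssl_init` succeeds, cmd_starttls leaves the session state untouched, so whatever the client established in plaintext (the LHLO argument, any XCLIENT override, a MAIL/RCPT transaction in progress) carries over into the TLS session, while RFC 3207 §4.2 requires the server to return to the initial state and discard that knowledge. Add `client_state_reset(client);` directly after the init call (before the `220` line is written) and make sure the LHLO/XCLIENT fields it may not cover are cleared as well — what client_state_reset actually resets is not visible in this hunk. Also confirm that plaintext bytes the client pipelined after `STARTTLS\r\n`, already buffered in the old `client->input` at the time of the swap, are never replayed as commands on the TLS side (the classic STARTTLS command-injection); whether master_service_ssl_init discards that buffer cannot be determined here. Finally, `443 5.5.1` pairs a transient 4yz reply with a permanent 5.x.x enhanced code; the conventional bad-sequence reply is `503 5.5.1 TLS is already active.`.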
diff -r 0393f550fd82 -r 297192cfbd37 src/lmtp/commands.h
--- a/src/lmtp/commands.h	Tue Oct 28 17:15:31 2014 -0700
+++ b/src/lmtp/commands.h	Wed Oct 29 09:58:01 2014 -0700
@@ -4,6 +4,7 @@
 struct client;
 
 int cmd_lhlo(struct client *client, const char *args);
+int cmd_starttls(struct client *client);
 int cmd_mail(struct client *client, const char *args);
 int cmd_rcpt(struct client *client, const char *args);
 int cmd_quit(struct client *client, const char *args);
diff -r 0393f550fd82 -r 297192cfbd37 src/lmtp/main.c
--- a/src/lmtp/main.c	Tue Oct 28 17:15:31 2014 -0700
+++ b/src/lmtp/main.c	Wed Oct 29 09:58:01 2014 -0700
@@ -78,7 +78,8 @@
 		&lmtp_setting_parser_info,
 		NULL
 	};
-	enum master_service_flags service_flags = 0;
+	enum master_service_flags service_flags =
+		MASTER_SERVICE_FLAG_USE_SSL_SETTINGS;
 	enum mail_storage_service_flags storage_service_flags =
 		MAIL_STORAGE_SERVICE_FLAG_DISALLOW_ROOT |
 		MAIL_STORAGE_SERVICE_FLAG_USERDB_LOOKUP |
@@ -91,7 +92,7 @@
 		service_flags |= MASTER_SERVICE_FLAG_STANDALONE |
 			MASTER_SERVICE_FLAG_STD_CLIENT;
 	} else {
-		service_flags |= MASTER_SERVICE_FLAG_KEEP_CONFIG_OPEN;
+		service_flags |= MASTER_SERVICE_FLAG_KEEP_CONFIG_OPEN  ;
 	}
 
 	master_service = master_service_init("lmtp", service_flags,
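Review bot: The only change on the `MASTER_SERVICE_FLAG_KEEP_CONFIG_OPEN` line is two spaces inserted before the semicolon, which looks like an accidental edit rather than part of the STARTTLS work; restore `service_flags |= MASTER_SERVICE_FLAG_KEEP_CONFIG_OPEN;` so the hunk carries no whitespace-only noise. The enclosing main() starts and ends outside the hunk.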

