imap/pop3 proxy: If passdb returns proxy_not_trusted, don't send ID/XCLIENT
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 16 Sep 2016 06:53:06 +0000 (09:53 +0300)
committerGitLab <gitlab@git.dovecot.net>
Tue, 1 Nov 2016 17:09:14 +0000 (19:09 +0200)
This allows using Dovecot proxying feature towards less trusted servers.

src/imap-login/imap-proxy.c
src/login-common/client-common-auth.c
src/login-common/client-common.h
src/pop3-login/pop3-proxy.c

index 4f49fd9248ecd1cb8b237bbb8a2d8f88f27c687f..1cdce494ff93dcb882b9f7969898364373830fda 100644 (file)
@@ -168,7 +168,8 @@ static int proxy_input_banner(struct imap_client *client,
                i_free(client->proxy_backend_capability);
                client->proxy_backend_capability =
                        i_strdup(t_strcut(line + 5 + 12, ']'));
-               if (str_array_icase_find(capabilities, "ID")) {
+               if (str_array_icase_find(capabilities, "ID") &&
+                   !client->common.proxy_not_trusted) {
                        proxy_write_id(client, str);
                        if (client->common.proxy_nopipelining) {
                                /* write login or starttls after I OK */
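Review bot: The new `!client->common.proxy_not_trusted` term in the capability check at the top of the hunk has no comment saying what it withholds, so a reader sees a trust flag bolted onto a capability test without knowing why. Judging by the matching XCLIENT change in pop3-proxy.c, `proxy_write_id` presumably forwards the original client's address and session to the backend, which is exactly what a backend the passdb did not mark as trusted should not receive; suggest `/* ID hands the backend the original client's connection details; skip it when the passdb marked this backend proxy_not_trusted */` above the `if`. proxy_input_banner's body continues outside the hunk, so I cannot see the no-ID path that an untrusted backend now takes; it already served backends lacking the ID capability, but it is worth confirming that its nopipelining handling still issues the login without waiting for an ID reply.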
index 30a1a6e5d2a7a4c3fac69083c65cdfb943c03a2d..bd7631ba343c9a2c46e471b9e56ab52c467a8e50 100644 (file)
@@ -154,6 +154,8 @@ static void client_auth_parse_args(struct client *client, bool success,
                        reply_r->proxy_mech = value;
                else if (strcmp(key, "proxy_nopipelining") == 0)
                        reply_r->proxy_nopipelining = TRUE;
+               else if (strcmp(key, "proxy_not_trusted") == 0)
+                       reply_r->proxy_not_trusted = TRUE;
                else if (strcmp(key, "master") == 0)
                        reply_r->master_user = value;
                else if (strcmp(key, "ssl") == 0) {
@@ -415,6 +417,7 @@ static int proxy_start(struct client *client,
        client->proxy_master_user = i_strdup(reply->master_user);
        client->proxy_password = i_strdup(reply->password);
        client->proxy_nopipelining = reply->proxy_nopipelining;
+       client->proxy_not_trusted = reply->proxy_not_trusted;
 
        /* disable input until authentication is finished */
        if (client->io != NULL)
index 864af1c5989671cccd1b3fdd949b549ad62923f8..5cf00567ea55a1fd56a38ee3cefe6f9622efb16c 100644 (file)
@@ -70,6 +70,7 @@ struct client_auth_reply {
 
        bool proxy:1;
        bool proxy_nopipelining:1;
+       bool proxy_not_trusted:1;
        bool temp:1;
        bool nologin:1;
        bool authz_failure:1;
@@ -176,6 +177,7 @@ struct client {
        bool auth_process_comm_fail:1;
        bool proxy_auth_failed:1;
        bool proxy_nopipelining:1;
+       bool proxy_not_trusted:1;
        bool auth_waiting:1;
        bool auth_user_disabled:1;
        bool auth_pass_expired:1;
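Review bot: Both new bitfields are added without a comment, and unlike `proxy_nopipelining` the name alone does not say what consequence the flag has; in this file the only place to learn that is the imap/pop3 proxy code. Suggest `/* passdb returned proxy_not_trusted: don't forward the client's connection details (ID / XCLIENT) to the backend */` on the `struct client` field in the second hunk, and a shorter `/* see struct client */` on the `struct client_auth_reply` field in the first. Both structs start and end outside their hunks.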
index dd4d0b49b129d3d3a10c574318ce9f56c2b33546..e1cceb087ca5bdce9a8c312430bba7374f913e20 100644 (file)
@@ -30,7 +30,8 @@ static int proxy_send_login(struct pop3_client *client, struct ostream *output)
        string_t *str;
 
        i_assert(client->common.proxy_ttl > 1);
-       if (client->proxy_xclient) {
+       if (client->proxy_xclient &&
+           !client->common.proxy_not_trusted) {
                /* remote supports XCLIENT, send it */
                o_stream_nsend_str(output, t_strdup_printf(
                        "XCLIENT ADDR=%s PORT=%u SESSION=%s TTL=%u\r\n",
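Review bot: The comment `/* remote supports XCLIENT, send it */` inside the guard is now incomplete, because the branch is also skipped for a backend flagged `proxy_not_trusted` even when it advertises XCLIENT, and the lines that follow show exactly what is being withheld: the client's ADDR, PORT and SESSION. Suggest `/* remote supports XCLIENT and the passdb trusts it with the client's connection details, send it */`. proxy_send_login continues past the hunk, so the fallback for the untrusted case is not visible here.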