From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 8 Aug 2025 09:12:51 +0000 (+0300)
Subject: login-common: If proxying fails due to remote having invalid SSL cert, don't reconnect
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c459ce614233ec6ad6e229f75430e9753f39970;p=thirdparty%2Fdovecot%2Fcore.git

login-common: If proxying fails due to remote having invalid SSL cert, don't reconnect

Consistently use LOGIN_PROXY_FAILURE_TYPE_INTERNAL_CONFIG type regardless of
whether the failure happens in ssl_iostream_handshake() or later.
---

diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 3d9d6530bd..ec110e81d9 100644
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -353,9 +353,14 @@ static void proxy_input(struct client *client)
 			client_proxy_get_state(client), duration,
 			line == NULL ? "" : t_strdup_printf(
 				" - BUG: line not read: %s", line));
+
+		enum login_proxy_failure_type type =
+			login_proxy_failed_because_invalid_cert(client->login_proxy) ?
+			LOGIN_PROXY_FAILURE_TYPE_INTERNAL_CONFIG :
+			LOGIN_PROXY_FAILURE_TYPE_CONNECT;
 		login_proxy_failed(client->login_proxy,
 				   login_proxy_get_event(client->login_proxy),
-				   LOGIN_PROXY_FAILURE_TYPE_CONNECT, reason);
+				   type, reason);
 		return;
 	}
 
diff --git a/src/login-common/login-proxy.c b/src/login-common/login-proxy.c
index cf2af358ca..01561fedcb 100644
--- a/src/login-common/login-proxy.c
+++ b/src/login-common/login-proxy.c
@@ -1320,8 +1320,12 @@ int login_proxy_starttls(struct login_proxy *proxy)
 		const char *reason = t_strdup_printf(
 			"Failed to start SSL handshake: %s",
 			ssl_iostream_get_last_error(proxy->server_ssl_iostream));
-		login_proxy_failed(proxy, proxy->event,
-				   LOGIN_PROXY_FAILURE_TYPE_INTERNAL, reason);
+
+		enum login_proxy_failure_type type =
+			login_proxy_failed_because_invalid_cert(proxy) ?
+			LOGIN_PROXY_FAILURE_TYPE_INTERNAL_CONFIG :
+			LOGIN_PROXY_FAILURE_TYPE_INTERNAL;
+		login_proxy_failed(proxy, proxy->event, type, reason);
 		return -1;
 	}
 	proxy_rawlog_init(proxy);
@@ -1333,6 +1337,17 @@ int login_proxy_starttls(struct login_proxy *proxy)
 	return 0;
 }
 
+bool login_proxy_failed_because_invalid_cert(struct login_proxy *proxy)
+{
+	if (proxy->server_ssl_iostream == NULL)
+		return FALSE;
+
+	enum ssl_iostream_state state =
+		ssl_iostream_get_state(proxy->server_ssl_iostream);
+	return state == SSL_IOSTREAM_STATE_INVALID_CERT ||
+		state == SSL_IOSTREAM_STATE_NAME_MISMATCH;
+}
+
 void login_proxy_multiplex_input_start(struct login_proxy *proxy)
 {
 	struct istream *input = i_stream_create_multiplex(proxy->server_input,
diff --git a/src/login-common/login-proxy.h b/src/login-common/login-proxy.h
index 7ce6a04838..0064b81258 100644
--- a/src/login-common/login-proxy.h
+++ b/src/login-common/login-proxy.h
@@ -116,6 +116,8 @@ void login_proxy_detach(struct login_proxy *proxy);
 
 /* STARTTLS command was issued. */
 int login_proxy_starttls(struct login_proxy *proxy);
+/* Returns TRUE if proxying failed because of invalid SSL certificate. */
+bool login_proxy_failed_because_invalid_cert(struct login_proxy *proxy);
 /* MULTIPLEX input was started. */
 void login_proxy_multiplex_input_start(struct login_proxy *proxy);