#ssl_parameters_regenerate = 24
# Disable LOGIN command and all other plaintext authentications unless
-# SSL/TLS is used (LOGINDISABLED capability)
-#disable_plaintext_auth = no
+# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
+# IPv6 ::1 addresses are considered secure, this setting has no effect if
+# you connect from those addresses.
+#disable_plaintext_auth = yes
# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
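Review bot: The new comment says 127.*.*.* and ::1 peers are considered secure, but it does not say what that implies in practice: anything that reaches the login process from loopback gets the exemption, including a local proxy or TLS terminator that accepts plaintext from the network and relays over 127.0.0.1, so with the new default of `yes` an operator may wrongly assume plaintext logins are refused everywhere. Suggested addition after the existing note: `# Connections relayed by a local proxy on those addresses are exempted too, so make sure such proxies only accept encrypted connections themselves.` The client_create changes elsewhere in this commit match only a literal IPv4 "127." prefix or the IPv6 string "::1", so an IPv4-mapped ::ffff:127.0.0.1 peer on an IPv6 socket is not exempted; that is the safe direction, but the comment's "127.*.*.*" claim does not hold for it.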
#include "auth-common.h"
#include "master.h"
-const char *client_authenticate_get_capabilities(int tls)
+const char *client_authenticate_get_capabilities(int secured)
{
static enum auth_mech cached_auth_mechs = 0;
static char *cached_capability = NULL;
for (i = 0; i < AUTH_MECH_COUNT; i++) {
if ((auth_mechs & auth_mech_desc[i].mech) &&
auth_mech_desc[i].name != NULL &&
- (tls || !auth_mech_desc[i].plaintext ||
+ (secured || !auth_mech_desc[i].plaintext ||
!disable_plaintext_auth)) {
str_append_c(str, ' ');
str_append(str, "AUTH=");
user = IMAP_ARG_STR(&args[0]);
pass = IMAP_ARG_STR(&args[1]);
- if (!client->tls && disable_plaintext_auth) {
+ if (!client->secured && disable_plaintext_auth) {
client_send_line(client,
"* BAD [ALERT] Plaintext authentication is disabled, "
- "but your client sent password in plaintext anyway."
+ "but your client sent password in plaintext anyway. "
"If anyone was listening, the password was exposed.");
client_send_tagline(client,
"NO Plaintext authentication disabled.");
return TRUE;
}
- if (!client->tls && mech->plaintext && disable_plaintext_auth) {
+ if (!client->secured && mech->plaintext && disable_plaintext_auth) {
client_send_tagline(client,
"NO Plaintext authentication disabled.");
return TRUE;
#ifndef __CLIENT_AUTHENTICATE_H
#define __CLIENT_AUTHENTICATE_H
-const char *client_authenticate_get_capabilities(int tls);
+const char *client_authenticate_get_capabilities(int secured);
int cmd_login(struct imap_client *client, struct imap_arg *args);
int cmd_authenticate(struct imap_client *client, struct imap_arg *args);
{
const char *capability, *auths;
- auths = client_authenticate_get_capabilities(client->tls);
+ auths = client_authenticate_get_capabilities(client->secured);
capability = t_strconcat("* CAPABILITY " CAPABILITY_STRING,
(ssl_initialized && !client->tls) ?
" STARTTLS" : "",
- disable_plaintext_auth && !client->tls ?
+ disable_plaintext_auth && !client->secured ?
" LOGINDISABLED" : "", auths, NULL);
client_send_line(client, capability);
client_send_tagline(client, "OK Capability completed.");
fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
if (fd_ssl != -1) {
client->tls = TRUE;
+ client->secured = TRUE;
client_set_title(client);
/* we skipped it already, so don't ignore next command */
struct client *client_create(int fd, struct ip_addr *ip, int ssl)
{
struct imap_client *client;
+ const char *addr;
if (max_logging_users > CLIENT_DESTROY_OLDEST_COUNT &&
hash_size(clients) >= max_logging_users) {
client->refcount = 1;
client->tls = ssl;
+ addr = net_ip2addr(ip);
+ client->secured = ssl ||
+ (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) ||
+ (IPADDR_IS_V6(ip) && strcmp(addr, "::1") == 0);
+
client->common.ip = *ip;
client->common.fd = fd;
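Review bot: The new loopback test dereferences `addr` without a NULL check; if net_ip2addr() can return NULL for an address it cannot format (not visible here), strncmp()/strcmp() would crash the login process on that connection, so guard it: `client->secured = ssl || (addr != NULL && ((IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) || (IPADDR_IS_V6(ip) && strcmp(addr, "::1") == 0)));`. Matching on the formatted string is also more fragile than testing the address bytes (the 127/8 prefix for IPv4, the all-zeros-then-one address for IPv6), and an IPv4-mapped `::ffff:127.0.0.1` peer on a dual-stack socket is classified as IPv6 and never matches, so it stays unsecured — fail closed, but inconsistent with the config comment that says 127.*.*.* is considered secure. Trusting loopback at all means any local process, including a proxy relaying plaintext from the network, inherits the exemption; a comment on the assignment should say so: `/* loopback peers are trusted as if TLS were on; a local proxy forwarding plaintext defeats this */`. client_create begins outside this hunk.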
buffer_t *plain_login;
unsigned int tls:1;
+ unsigned int secured:1;
unsigned int cmd_finished:1;
unsigned int skip_line:1;
unsigned int input_blocked:1;
MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
MEMBER(ssl_parameters_file) "ssl-parameters.dat",
MEMBER(ssl_parameters_regenerate) 24,
- MEMBER(disable_plaintext_auth) FALSE,
+ MEMBER(disable_plaintext_auth) TRUE,
MEMBER(verbose_ssl) FALSE,
/* login */
for (i = 0; i < AUTH_MECH_COUNT; i++) {
if ((auth_mechs & auth_mech_desc[i].mech) &&
auth_mech_desc[i].name != NULL &&
- (client->tls || !auth_mech_desc[i].plaintext ||
+ (client->secured || !auth_mech_desc[i].plaintext ||
!disable_plaintext_auth)) {
str_append_c(str, ' ');
str_append(str, auth_mech_desc[i].name);
int cmd_user(struct pop3_client *client, const char *args)
{
- if (!client->tls && disable_plaintext_auth) {
+ if (!client->secured && disable_plaintext_auth) {
client_send_line(client,
"-ERR Plaintext authentication disabled.");
return TRUE;
return TRUE;
}
- if (!client->tls && mech->plaintext && disable_plaintext_auth) {
+ if (!client->secured && mech->plaintext && disable_plaintext_auth) {
client_send_line(client,
"-ERR Plaintext authentication disabled.");
return TRUE;
fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
if (fd_ssl != -1) {
client->tls = TRUE;
+ client->secured = TRUE;
client_set_title(client);
client->common.fd = fd_ssl;
struct client *client_create(int fd, struct ip_addr *ip, int ssl)
{
struct pop3_client *client;
+ const char *addr;
if (max_logging_users > CLIENT_DESTROY_OLDEST_COUNT &&
hash_size(clients) >= max_logging_users) {
client->refcount = 1;
client->tls = ssl;
+ addr = net_ip2addr(ip);
+ client->secured = ssl ||
+ (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) ||
+ (IPADDR_IS_V6(ip) && strcmp(addr, "::1") == 0);
+
client->common.ip = *ip;
client->common.fd = fd;
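Review bot: These new lines are a verbatim second copy of the loopback-trust logic in the IMAP login daemon, and the two will drift the first time one is fixed — for example when a NULL result from net_ip2addr() or IPv4-mapped loopback handling is addressed in one place only. Both daemons already use `struct ip_addr`, net_ip2addr() and the IPADDR_IS_V4/V6 macros, so the decision belongs in one shared helper; the version below also refuses to dereference a NULL `addr`, which the current lines would do if net_ip2addr() can fail (not visible here). The three-line expression then becomes `client->secured = client_is_secured(ip, ssl);`. client_create begins outside this hunk.
```c
/* True when the connection needs no TLS to count as secured: TLS is
 * already on, or the peer is the IPv4 (127/8) or IPv6 (::1) loopback.
 * Loopback peers include local proxies, which inherit the exemption. */
static int client_is_secured(struct ip_addr *ip, int ssl)
{
	const char *addr;

	if (ssl)
		return TRUE;

	addr = net_ip2addr(ip);
	if (addr == NULL)
		return FALSE;	/* unformattable address: fail closed */

	if (IPADDR_IS_V4(ip))
		return strncmp(addr, "127.", 4) == 0;
	return IPADDR_IS_V6(ip) && strcmp(addr, "::1") == 0;
}

/* … unchanged: client_create up to the refcount/tls assignments … */
	client->tls = ssl;
	client->secured = client_is_secured(ip, ssl);
```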
client->common.io = io_add(fd, IO_READ, client_input, client);
buffer_t *plain_login;
unsigned int tls:1;
+ unsigned int secured:1;
unsigned int input_blocked:1;
unsigned int destroyed:1;
};