/* haproxy connections are always coming from
haproxy_trusted_networks, so we consider them secured. */
client->connection_secured = TRUE;
+ /* Assume that the connection is also TLS secured if client
+ terminated TLS connections on haproxy. If haproxy isn't
+ running on localhost, the haproxy-Dovecot connection isn't
+ TLS secured. However, that's most likely an intentional
+ configuration and we should just consider the connection
+ TLS secured anyway. */
+ client->connection_tls_secured = conn->haproxy.ssl;
client->haproxy_terminated_tls = conn->haproxy.ssl;
client->end_client_tls_secured = conn->haproxy.ssl;
client->local_name = conn->haproxy.hostname;
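Review bot: After the new assignment at line 10, `connection_tls_secured` is TRUE for a HAProxy-terminated session even though `client->ssl_iostream` stays NULL and, as the added comment itself concedes, the HAProxy-to-Dovecot hop may be plaintext; the comment should state that invariant explicitly so later code does not read the flag as proof of a local TLS session. Suggest extending the comment block above line 10 with `Note: connection_tls_secured no longer implies ssl_iostream != NULL; code that needs the local TLS session must check ssl_iostream (as the fd-passing and client-cert checks do), and haproxy_terminated_tls tells the two cases apart.` The same clarification belongs on the `connection_tls_secured` field comment in the header hunk (lines 33-34), which currently only says that either side may have terminated TLS. The function enclosing this hunk begins before line 1.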
void client_cmd_starttls(struct client *client)
{
- if (client->connection_tls_secured || client->haproxy_terminated_tls) {
+ if (client->connection_tls_secured) {
client->v.notify_starttls(client, FALSE, "TLS is already active.");
return;
}
{
int fds[2];
- if (!client->connection_tls_secured) {
+ if (client->ssl_iostream == NULL) {
/* Plaintext connection - We can send the fd directly to
the post-login process without any proxying. */
*fd_r = client->fd;
bool input_blocked:1;
bool login_success:1;
bool no_extra_disconnect_reason:1;
- /* Client/proxy connection is using TLS. Dovecot has terminated the
- TLS connection (not haproxy). */
+ /* Client/proxy connection is using TLS. Either Dovecot or HAProxy
+ has terminated the TLS connection. */
bool connection_tls_secured:1;
/* connection_tls_secured=TRUE was started via STARTTLS command. */
bool connection_used_starttls:1;
if (client->ssl_iostream != NULL &&
ssl_iostream_has_valid_client_cert(client->ssl_iostream))
auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT;
- if (client->connection_tls_secured || client->haproxy_terminated_tls)
+ if (client->connection_tls_secured)
auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED_TLS;
if (client->connection_secured)
auth_flags |= AUTH_REQUEST_FLAG_CONN_SECURED;