*-login: Don't advertise/allow STARTTLS if haproxy already terminated TLS

diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index 62bf410ab79c6f5db89e1b8fc0831e58a26ec6e7..38794e08219d197521dc7bafda5d12bcaa690d1b 100644 (file)
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -112,7 +112,8 @@ static const char *get_capability(struct client *client)
                        str_append(cap_str, " LITERAL+");
        }
 
-       if (client_is_tls_enabled(client) && !client->connection_tls_secured)
+       if (client_is_tls_enabled(client) && !client->connection_tls_secured &&
+           !client->haproxy_terminated_tls)
                str_append(cap_str, " STARTTLS");
        if (is_login_cmd_disabled(client))
                str_append(cap_str, " LOGINDISABLED");

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 33de97c4cb71a54beba54bca401616f2b85d6ab0..d95c37bf6dd38327f845a014c7d4e36b1db33e41 100644 (file)
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -637,7 +637,7 @@ static int client_output_starttls(struct client *client)
 
 void client_cmd_starttls(struct client *client)
 {
-       if (client->connection_tls_secured) {
+       if (client->connection_tls_secured || client->haproxy_terminated_tls) {
                client->v.notify_starttls(client, FALSE, "TLS is already active.");
                return;
        }

diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index 0ba12b36849125083121cf0049aa0f6e46b926d8..64cf662ab397c75e566dcd34f8b4ea07d300fa04 100644 (file)
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
@@ -32,7 +32,8 @@ bool cmd_capa(struct pop3_client *client, const char *args ATTR_UNUSED)
        str_append(str, capability_string);
 
        if (client_is_tls_enabled(&client->common) &&
-           !client->common.connection_tls_secured)
+           !client->common.connection_tls_secured &&
+           !client->common.haproxy_terminated_tls)
                str_append(str, "STLS\r\n");
        if (client->common.set->auth_allow_cleartext ||
            client->common.connection_secured)

diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c
index a2f6b9e7fe12fa4335c39f38f290c735ba714f22..5fd1f4874cd1e8beead78f793b8e09ee93f1ca76 100644 (file)
--- a/src/submission-login/client-authenticate.c
+++ b/src/submission-login/client-authenticate.c
@@ -81,7 +81,8 @@ static void cmd_helo_reply(struct submission_client *subm_client,
                }
 
                if (client_is_tls_enabled(client) &&
-                   !client->connection_tls_secured)
+                   !client->connection_tls_secured &&
+                   !client->haproxy_terminated_tls)
                        smtp_server_reply_ehlo_add(reply, "STARTTLS");
                if (!exotic_backend ||
                    (backend_caps & SMTP_CAPABILITY_PIPELINING) != 0)