From: Stephan Bosch Date: Mon, 12 Aug 2019 20:10:24 +0000 (+0200) Subject: login-common: Deny anonymous login by default. X-Git-Tag: 2.3.9~315 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a6726b88e37eb028464d7f114b1d42a611fcfe7;p=thirdparty%2Fdovecot%2Fcore.git login-common: Deny anonymous login by default. Only services that explicitly enable anonymous logins will permit them. Plugins can also mask anonymous logins by dropping the anonymous reply flag in the sasl_check_login() client vfunc.
---
diff --git a/src/imap-login/client-authenticate.c b/src/imap-login/client-authenticate.c
index 2e7f73d3f3..c8c3db288f 100644
--- a/src/imap-login/client-authenticate.c
+++ b/src/imap-login/client-authenticate.c
@@ -105,6 +105,7 @@ void imap_client_auth_result(struct client *client,
 IMAP_RESP_CODE_EXPIRED, text);
 break;
 case CLIENT_AUTH_RESULT_LOGIN_DISABLED:
+ case CLIENT_AUTH_RESULT_ANONYMOUS_DENIED:
 client_send_reply_code(client, IMAP_CMD_REPLY_NO,
 IMAP_RESP_CODE_CONTACTADMIN, text);
 break;
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index a05584ba2e..2c3cd0d50b 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -564,7 +564,8 @@ static const struct login_binary imap_login_binary = {
 .init = imap_login_init,
 .deinit = imap_login_deinit,
- .sasl_support_final_reply = FALSE
+ .sasl_support_final_reply = FALSE,
+ .anonymous_login_acceptable = TRUE,
 };
 int main(int argc, char *argv[])
diff --git a/src/imap-urlauth/imap-urlauth-login.c b/src/imap-urlauth/imap-urlauth-login.c
index 9a627dabd5..fcde9aaf7a 100644
--- a/src/imap-urlauth/imap-urlauth-login.c
+++ b/src/imap-urlauth/imap-urlauth-login.c
@@ -181,6 +181,8 @@ static const struct login_binary imap_urlauth_login_binary = {
 .preinit = imap_urlauth_login_preinit,
 .init = imap_urlauth_login_init,
 .deinit = imap_urlauth_login_deinit,
+
+ .anonymous_login_acceptable = TRUE,
 };
 int main(int argc, char *argv[])
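Review bot: The new `.anonymous_login_acceptable = TRUE` initializer in imap_login_binary opts the service in without saying why anonymous logins are acceptable here, and the same applies to imap_urlauth_login_binary in the next hunk, to pop3_login_binary and to submission_login_binary later in the patch. This field is the only thing standing between an auth reply flagged anonymous and a granted login, so each opt-in should carry a short comment such as `/* logins the auth service flags as anonymous are accepted by this service */`, and submission's explicit `FALSE` a matching `/* anonymous logins are refused (also the default) */`. With designated initializers an omitted field is zero, so binaries that do not set it deny by default; that is the property the commit relies on and it is worth stating next to at least one opt-in.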
diff --git a/src/lib-auth/auth-client-interface.h b/src/lib-auth/auth-client-interface.h
index 7ac2216915..cdccbee38b 100644
--- a/src/lib-auth/auth-client-interface.h
+++ b/src/lib-auth/auth-client-interface.h
@@ -36,5 +36,6 @@ enum mech_security_flags {
 /* not actually returned from auth service */
 #define AUTH_CLIENT_FAIL_CODE_MECH_INVALID "auth_mech_invalid"
 #define AUTH_CLIENT_FAIL_CODE_MECH_SSL_REQUIRED "auth_mech_ssl_required"
+#define AUTH_CLIENT_FAIL_CODE_ANONYMOUS_DENIED "anonymous_denied"
 #endif
diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 8b87134f04..a51c4a2e87 100644
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -43,6 +43,8 @@ static const struct client_auth_fail_code_id client_auth_fail_codes[] = {
 CLIENT_AUTH_FAIL_CODE_MECH_INVALID },
 { AUTH_CLIENT_FAIL_CODE_MECH_SSL_REQUIRED,
 CLIENT_AUTH_FAIL_CODE_MECH_SSL_REQUIRED },
+ { AUTH_CLIENT_FAIL_CODE_ANONYMOUS_DENIED,
+ CLIENT_AUTH_FAIL_CODE_ANONYMOUS_DENIED },
 { NULL, CLIENT_AUTH_FAIL_CODE_NONE }
 };
@@ -549,6 +551,9 @@ client_auth_handle_reply(struct client *client,
 case CLIENT_AUTH_FAIL_CODE_MECH_SSL_REQUIRED:
 result = CLIENT_AUTH_RESULT_MECH_SSL_REQUIRED;
 break;
+ case CLIENT_AUTH_FAIL_CODE_ANONYMOUS_DENIED:
+ result = CLIENT_AUTH_RESULT_ANONYMOUS_DENIED;
+ break;
 case CLIENT_AUTH_FAIL_CODE_LOGIN_DISABLED:
 result = CLIENT_AUTH_RESULT_LOGIN_DISABLED;
 if (reason == NULL)
diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h
index bf44f6e4a9..08f7ebcc20 100644
--- a/src/login-common/client-common.h
+++ b/src/login-common/client-common.h
@@ -56,6 +56,7 @@ enum client_auth_fail_code {
 CLIENT_AUTH_FAIL_CODE_LOGIN_DISABLED,
 CLIENT_AUTH_FAIL_CODE_MECH_INVALID,
 CLIENT_AUTH_FAIL_CODE_MECH_SSL_REQUIRED,
+ CLIENT_AUTH_FAIL_CODE_ANONYMOUS_DENIED,
 };
 enum client_auth_result {
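Review bot: The new fail code string `"anonymous_denied"` breaks the naming of its two neighbours in the same "not actually returned from auth service" group, which both carry the `auth_` prefix (`"auth_mech_invalid"`, `"auth_mech_ssl_required"`). If nothing logs or matches the string yet, `#define AUTH_CLIENT_FAIL_CODE_ANONYMOUS_DENIED "auth_anonymous_denied"` keeps the locally generated codes recognisable as a family; if the string is already consumed elsewhere, a one-line comment noting the deliberate deviation would do. Whether anything outside this patch depends on the exact string is not visible here.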
@@ -72,7 +73,8 @@ enum client_auth_result {
 CLIENT_AUTH_RESULT_INVALID_BASE64,
 CLIENT_AUTH_RESULT_LOGIN_DISABLED,
 CLIENT_AUTH_RESULT_MECH_INVALID,
- CLIENT_AUTH_RESULT_MECH_SSL_REQUIRED
+ CLIENT_AUTH_RESULT_MECH_SSL_REQUIRED,
+ CLIENT_AUTH_RESULT_ANONYMOUS_DENIED
 };
 struct client_auth_reply {
diff --git a/src/login-common/login-common.h b/src/login-common/login-common.h
index 7974a79b37..23935dd43b 100644
--- a/src/login-common/login-common.h
+++ b/src/login-common/login-common.h
@@ -35,7 +35,8 @@ struct login_binary {
 void (*init)(void);
 void (*deinit)(void);
- bool sasl_support_final_reply;
+ bool sasl_support_final_reply:1;
+ bool anonymous_login_acceptable:1;
 };
 struct login_module_register {
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index dde238f1d7..7eedbfc1a9 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -37,7 +37,8 @@ sasl_server_filter_mech(struct client *client, struct auth_mech_desc *mech)
 if (client->v.sasl_filter_mech != NULL &&
 !client->v.sasl_filter_mech(client, mech))
 return FALSE;
- return TRUE;
+ return ((mech->flags & MECH_SEC_ANONYMOUS) == 0 ||
+ login_binary->anonymous_login_acceptable);
 }
 const struct auth_mech_desc *
@@ -278,6 +279,13 @@ sasl_server_check_login(struct client *client)
 if (client->v.sasl_check_login != NULL &&
 !client->v.sasl_check_login(client))
 return FALSE;
+ if (client->auth_anonymous &&
+ !login_binary->anonymous_login_acceptable) {
+ sasl_server_auth_failed(client,
+ "Anonymous login denied",
+ AUTH_CLIENT_FAIL_CODE_ANONYMOUS_DENIED);
+ return FALSE;
+ }
 return TRUE;
 }
diff --git a/src/pop3-login/client.c b/src/pop3-login/client.c
index ab8d33d774..3e9cc1bfb8 100644
--- a/src/pop3-login/client.c
+++ b/src/pop3-login/client.c
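Review bot: The new `anonymous_login_acceptable` bit-field in struct login_binary has no comment, yet it is the switch that decides whether an auth reply flagged anonymous turns into a granted login, and a reader of the header cannot tell its default or where it is enforced. Add above the field `/* accept logins the auth service flags as anonymous; stays FALSE (deny) in every binary that does not set it, enforced in sasl_server_check_login() */`. The change of `sasl_support_final_reply` from `bool` to `bool :1` looks behaviour-neutral for initializers and reads; it would still be worth one sentence in the commit description, since nothing in the hunk explains why the width changed.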
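Review bot: The new return expression in sasl_server_filter_mech encodes a policy — mechanisms carrying MECH_SEC_ANONYMOUS are withheld unless the binary opted in — but reads like an incidental boolean tail with no comment. Because this filter only governs which mechanisms are offered, while the denial itself happens separately in sasl_server_check_login, the two-layer design should be spelled out: `/* never offer anonymous mechanisms to a service that would refuse the login anyway; the refusal itself is enforced in sasl_server_check_login() */`. sasl_server_filter_mech's signature is visible only in the hunk header, so its opening lines lie outside the hunk.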
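Review bot: The new anonymous check in sasl_server_check_login sits after the `client->v.sasl_check_login` vfunc, and the commit description relies on exactly that order so a plugin can clear the anonymous flag before the check runs, but nothing in the code records that the order is load-bearing; a later reorder would silently break the plugin hook. Add above the new `if`: `/* keep after the vfunc: a plugin may clear auth_anonymous in sasl_check_login() to let the login through */`. Where `client->auth_anonymous` is set from the auth reply is outside this hunk, so I could not confirm that it is reset between authentication attempts on the same connection; if it is not, a flag left over from an earlier reply could influence a later decision, which is worth a quick check.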
@@ -344,7 +344,8 @@ static const struct login_binary pop3_login_binary = {
 .init = pop3_login_init,
 .deinit = pop3_login_deinit,
- .sasl_support_final_reply = FALSE
+ .sasl_support_final_reply = FALSE,
+ .anonymous_login_acceptable = TRUE,
 };
 int main(int argc, char *argv[])
diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c
index 6b70701a1a..3b2680a520 100644
--- a/src/submission-login/client-authenticate.c
+++ b/src/submission-login/client-authenticate.c
@@ -177,6 +177,7 @@ void submission_client_auth_result(struct client *client,
 smtp_server_reply(cmd, 504, "5.5.4", "%s", text);
 break;
 case CLIENT_AUTH_RESULT_LOGIN_DISABLED:
+ case CLIENT_AUTH_RESULT_ANONYMOUS_DENIED:
 /* RFC5248, Section 2.4:
 525 X.7.13 User Account Disabled
diff --git a/src/submission-login/client.c b/src/submission-login/client.c
index 62e19cc369..6921a4386d 100644
--- a/src/submission-login/client.c
+++ b/src/submission-login/client.c
@@ -306,7 +306,8 @@ static const struct login_binary submission_login_binary = {
 .init = submission_login_init,
 .deinit = submission_login_deinit,
- .sasl_support_final_reply = FALSE
+ .sasl_support_final_reply = FALSE,
+ .anonymous_login_acceptable = FALSE,
 };
 int main(int argc, char *argv[])
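Review bot: Folding CLIENT_AUTH_RESULT_ANONYMOUS_DENIED into the CLIENT_AUTH_RESULT_LOGIN_DISABLED branch of submission_client_auth_result presumably answers the client with the 525 X.7.13 "User Account Disabled" reply that the context comment documents; the reply call itself is below the hunk, outside my view. That status describes a disabled account rather than a refused anonymous login, so client-side logs will point operators at the wrong cause, and the `text` argument is the only hint of what actually happened. If a dedicated reply is not wanted, at least widen the comment, e.g. `/* also used when this service refuses an anonymous login */`, so the reuse is visibly deliberate. submission_client_auth_result continues beyond the hunk.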