From: Timo Sirainen
Date: Fri, 4 Nov 2022 23:10:57 +0000 (+0200)
Subject: login-common: ssl=required now requires TLS also for trusted connections
X-Git-Tag: 2.4.0~3408
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e31981b3f9b1253c31d58216017f150b5c0f709;p=thirdparty%2Fdovecot%2Fcore.git

login-common: ssl=required now requires TLS also for trusted connections
---

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 5d2991726a..fc837a4999 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -233,9 +233,14 @@ client_alloc(int fd, pool_t pool,
 client->end_client_tls_secured = conn->haproxy.ssl;
 client->local_name = conn->haproxy.hostname;
 client->client_cert_common_name = conn->haproxy.cert_common_name;
- } else {
- client->connection_secured = client->connection_trusted ||
- net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+ } else if (net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip)) {
+ /* localhost connections are always secured */
+ client->connection_secured = TRUE;
+ } else if (client->connection_trusted &&
+ strcmp(client->ssl_set->ssl, "required") != 0) {
+ /* Connections from login_trusted_networks are assumed to be
+ secured, except if ssl=required. */
+ client->connection_secured = TRUE;
 }
 client->proxy_ttl = LOGIN_PROXY_TTL;