From: Timo Sirainen
Date: Mon, 14 Nov 2022 15:07:52 +0000 (+0200)
Subject: login-common: ssl=required now requires TLS also for non-TLS/localhost haproxy connec...
X-Git-Tag: 2.4.0~3407
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b0cc3d84ab929556624a4783416310d9bfed300;p=thirdparty%2Fdovecot%2Fcore.git

login-common: ssl=required now requires TLS also for non-TLS/localhost haproxy connections
---

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index fc837a4999..48e7daf0d7 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -218,8 +218,13 @@ client_alloc(int fd, pool_t pool,
 if (conn->haproxied) {
 /* haproxy connections are always coming from
- haproxy_trusted_networks, so we consider them secured. */
- client->connection_secured = TRUE;
+ haproxy_trusted_networks, so we consider them secured.
+ However, ssl=required implies that the client connection is
+ expected to be secured either via TLS or because the client
+ is coming from localhost. */
+ client->connection_secured = conn->haproxy.ssl ||
+ net_ip_compare(&conn->remote_ip, &conn->local_ip) ||
+ strcmp(client->ssl_set->ssl, "required") != 0;
 /* Assume that the connection is also TLS secured if client
 terminated TLS connections on haproxy. If haproxy isn't
 running on localhost, the haproxy-Dovecot connection isn't