From: Timo Sirainen Date: Thu, 3 Nov 2022 17:12:46 +0000 (+0200) Subject: *-login: Don't advertise/allow STARTTLS if haproxy already terminated TLS X-Git-Tag: 2.4.0~3421 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e450d27f3f06b76fbe8e8163acbce1cf7b66b60;p=thirdparty%2Fdovecot%2Fcore.git *-login: Don't advertise/allow STARTTLS if haproxy already terminated TLS
---
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index 62bf410ab7..38794e0821 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -112,7 +112,8 @@ static const char *get_capability(struct client *client)
 str_append(cap_str, " LITERAL+");
 }
- if (client_is_tls_enabled(client) && !client->connection_tls_secured)
+ if (client_is_tls_enabled(client) && !client->connection_tls_secured &&
+ !client->haproxy_terminated_tls)
 str_append(cap_str, " STARTTLS");
 if (is_login_cmd_disabled(client))
 str_append(cap_str, " LOGINDISABLED");
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 33de97c4cb..d95c37bf6d 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -637,7 +637,7 @@ static int client_output_starttls(struct client *client)
 void client_cmd_starttls(struct client *client)
 {
- if (client->connection_tls_secured) {
+ if (client->connection_tls_secured || client->haproxy_terminated_tls) {
 client->v.notify_starttls(client, FALSE, "TLS is already active.");
 return;
 }
diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index 0ba12b3684..64cf662ab3 100644
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
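Review bot: The three-term predicate `client_is_tls_enabled(client) && !client->connection_tls_secured && !client->haproxy_terminated_tls` is now spelled out by hand in get_capability here and again in pop3's cmd_capa and submission's cmd_helo_reply, while client_cmd_starttls in login-common tests the last two flags in a fourth place; a single helper in login-common, e.g. `static inline bool client_can_starttls(const struct client *client)` returning that expression (the name is a proposal), would keep the capability advertisement and the command guard from drifting apart the next time another "already encrypted" source is added. That helper would also be the natural home for a comment explaining that `haproxy_terminated_tls` means the client-facing link is encrypted even though this socket is plaintext, which is why STARTTLS must neither be offered nor accepted. The flag is presumably populated from the PROXY protocol header, so its trustworthiness rests on that header only being honoured from trusted proxy addresses; that check is outside this commit and worth confirming where the flag is set. get_capability's body continues outside the hunk.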
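Review bot: The guard now refuses STARTTLS when `client->haproxy_terminated_tls` is set, but nothing at the guard records why a connection that is not TLS on this socket is answered with "TLS is already active."; a one-line comment such as `/* haproxy terminated TLS in front of us: the client side is already encrypted, so a second handshake on this plaintext hop must be refused */` would make the reply intelligible to the next reader. The reply text itself is fine, since it describes what the client observes rather than the state of this socket. client_cmd_starttls continues outside the hunk.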
@@ -32,7 +32,8 @@ bool cmd_capa(struct pop3_client *client, const char *args ATTR_UNUSED)
 str_append(str, capability_string);
 if (client_is_tls_enabled(&client->common) &&
- !client->common.connection_tls_secured)
+ !client->common.connection_tls_secured &&
+ !client->common.haproxy_terminated_tls)
 str_append(str, "STLS\r\n");
 if (client->common.set->auth_allow_cleartext || client->common.connection_secured)
diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c
index a2f6b9e7fe..5fd1f4874c 100644
--- a/src/submission-login/client-authenticate.c
+++ b/src/submission-login/client-authenticate.c
@@ -81,7 +81,8 @@ static void cmd_helo_reply(struct submission_client *subm_client,
 }
 if (client_is_tls_enabled(client) &&
- !client->connection_tls_secured)
+ !client->connection_tls_secured &&
+ !client->haproxy_terminated_tls)
 smtp_server_reply_ehlo_add(reply, "STARTTLS");
 if (!exotic_backend || (backend_caps & SMTP_CAPABILITY_PIPELINING) != 0)
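Review bot: The cleartext-auth branch right after the STLS line still keys on `client->common.connection_secured`, while STLS now additionally keys on `client->common.haproxy_terminated_tls`; if `connection_secured` is not already set whenever haproxy terminated TLS (that assignment is not visible here), a client behind haproxy would be offered neither STLS nor whatever that branch advertises, so this is worth confirming against the code that sets both flags. If `connection_secured` does cover the haproxy case, a short comment on the STLS condition saying so, e.g. `/* no STLS when haproxy terminated TLS; connection_secured already reflects that hop */`, would save the next reader the lookup. cmd_capa's body continues outside the hunk.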