From: Aki Tuomi Date: Thu, 20 Oct 2022 11:02:09 +0000 (+0300) Subject: login-common: Check that ssl=required is not used with auth_allow_cleartext=yes X-Git-Tag: 2.4.0~3405 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5d1b7683d1c74f578cd3d98acb0a66de53b550c;p=thirdparty%2Fdovecot%2Fcore.git login-common: Check that ssl=required is not used with auth_allow_cleartext=yes --- diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c index 285cf3f195..6e003b74b1 100644 --- a/src/login-common/client-common-auth.c +++ b/src/login-common/client-common-auth.c @@ -1060,8 +1060,10 @@ bool client_check_plaintext_auth(struct client *client, bool pass_sent) { bool ssl_required = (strcmp(client->ssl_set->ssl, "required") == 0); - if (client->connection_secured || - (client->set->auth_allow_cleartext && !ssl_required)) + i_assert(!ssl_required || !client->set->auth_allow_cleartext); + + if (client->set->auth_allow_cleartext || + client->connection_secured) return TRUE; e_info(client->event_auth, "Login failed: " diff --git a/src/login-common/login-settings.c b/src/login-common/login-settings.c index cd5bea4dd1..b24f32c3f2 100644 --- a/src/login-common/login-settings.c +++ b/src/login-common/login-settings.c @@ -42,6 +42,8 @@ static const struct setting_define login_setting_defines[] = { DEF(BOOL, auth_debug), DEF(BOOL, verbose_proctitle), + DEF(ENUM, ssl), + DEF(UINT, mail_max_userip_connections), SETTING_DEFINE_LIST_END @@ -70,6 +72,8 @@ static const struct login_settings login_default_settings = { .auth_debug = FALSE, .verbose_proctitle = FALSE, + .ssl = "yes:no:required", + .mail_max_userip_connections = 10 }; @@ -97,13 +101,18 @@ static struct master_service_settings_cache *set_cache; /* */ static bool login_settings_check(void *_set, pool_t pool, - const char **error_r ATTR_UNUSED) + const char **error_r) { struct login_settings *set = _set; set->log_format_elements_split = p_strsplit(pool, set->login_log_format_elements, " "); + if (strcmp(set->ssl, "required") == 0 && set->auth_allow_cleartext) { + *error_r = "auth_allow_cleartext=yes has no effect with ssl=required"; + return FALSE; + } + return TRUE; } /* */ diff --git a/src/login-common/login-settings.h b/src/login-common/login-settings.h index 027065ead9..66711411b2 100644 --- a/src/login-common/login-settings.h +++ b/src/login-common/login-settings.h @@ -18,6 +18,7 @@ struct login_settings { unsigned int login_proxy_max_disconnect_delay; const char *login_proxy_rawlog_dir; const char *login_auth_socket_path; + const char *ssl; /* for settings check */ bool auth_ssl_require_client_cert; bool auth_ssl_username_from_cert;