From: Aki Tuomi
Date: Fri, 15 Jul 2022 05:47:28 +0000 (+0300)
Subject: login-common: Send BAD alert about cleartext login attempt with AUTHENTICATE too
X-Git-Tag: 2.4.0~3743
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bcec461b00da729ee5145c5ecf1f8b201e87f113;p=thirdparty%2Fdovecot%2Fcore.git

login-common: Send BAD alert about cleartext login attempt with AUTHENTICATE too
---

diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 711b6ed195..bfb0b7cc12 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -521,6 +521,10 @@ void sasl_server_auth_begin(struct client *client, const char *mech_name,
 if (!client->secured && !client->set->auth_allow_cleartext &&
 (mech->flags & MECH_SEC_PLAINTEXT) != 0) {
+ client_notify_status(client, TRUE,
+ "cleartext authentication not allowed "
+ "without SSL/TLS, but your client did it anyway. "
+ "If anyone was listening, the password was exposed.");
 sasl_server_auth_failed(client,
 "Cleartext authentication disabled.",
 AUTH_CLIENT_FAIL_CODE_MECH_SSL_REQUIRED);
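Review bot: The alert's last sentence, `"If anyone was listening, the password was exposed."`, claims more than sasl_server_auth_begin can know at this point: the cleartext check runs before any SASL exchange, so unless the client attached an initial response to the AUTHENTICATE command (the parameter that would carry it, if any, is outside this hunk), no credentials have crossed the wire and the server refuses before they would. The LOGIN-command alert this mirrors (per the subject line) is accurate because the password is part of that command, whereas here it only holds for a mechanism used with an initial response. Either soften it to `"If anyone was listening, the password may have been exposed."` or send the stronger wording only when an initial response was actually present. The enclosing function starts before the hunk (its signature is only visible in the @@ context) and its body continues past the last line shown.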