From: Timo Sirainen Date: Fri, 4 Nov 2022 21:00:58 +0000 (+0200) Subject: lmtp: Forward end_client_tls_secured state through proxies X-Git-Tag: 2.4.0~3411 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fec9db45591818d2c29f97687822c551202dd9b0;p=thirdparty%2Fdovecot%2Fcore.git lmtp: Forward end_client_tls_secured state through proxies
---
diff --git a/src/lmtp/lmtp-client.c b/src/lmtp/lmtp-client.c
index 95e13a8679..985f59df50 100644
--- a/src/lmtp/lmtp-client.c
+++ b/src/lmtp/lmtp-client.c
@@ -347,6 +347,12 @@ client_connection_proxy_data_updated(void *context,
 client->remote_ip = data->source_ip;
 client->remote_port = data->source_port;
+ if (data->client_transport != NULL) {
+ client->end_client_tls_secured = TRUE;
+ client->end_client_tls_secured =
+ str_begins_with(data->client_transport,
+ CLIENT_TRANSPORT_TLS);
+ }
 if (clients_count == 1) refresh_proctitle();
diff --git a/src/lmtp/lmtp-client.h b/src/lmtp/lmtp-client.h
index 9442f21b2d..43e592c7a7 100644
--- a/src/lmtp/lmtp-client.h
+++ b/src/lmtp/lmtp-client.h
@@ -98,6 +98,8 @@ struct client {
 bool disconnected:1;
 bool destroyed:1;
+ bool end_client_tls_secured:1;
+ bool end_client_tls_secured_set:1;
 };
 struct lmtp_module_register {
diff --git a/src/lmtp/lmtp-local.c b/src/lmtp/lmtp-local.c
index a39b63e82c..35f16e3ae7 100644
--- a/src/lmtp/lmtp-local.c
+++ b/src/lmtp/lmtp-local.c
@@ -306,6 +306,8 @@ int lmtp_local_rcpt(struct client *client,
 input.remote_port = client->remote_port;
 input.session_id = lrcpt->session_id;
 input.conn_ssl_secured =
+ client->end_client_tls_secured_set ?
+ client->end_client_tls_secured :
 smtp_server_connection_is_ssl_secured(client->conn);
 input.forward_fields = lrcpt->forward_fields;
 input.event_parent = rcpt->event;
diff --git a/src/lmtp/lmtp-proxy.c b/src/lmtp/lmtp-proxy.c
index 11e218e8f4..76276848dd 100644
--- a/src/lmtp/lmtp-proxy.c
+++ b/src/lmtp/lmtp-proxy.c
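Review bot: In client_connection_proxy_data_updated() (lmtp-client.c) the first added assignment writes `client->end_client_tls_secured = TRUE;` and the very next statement overwrites the same field, so `end_client_tls_secured_set` is not assigned in any hunk shown here. Both readers added by this commit, lmtp_local_rcpt() and lmtp_proxy_init(), test `end_client_tls_secured_set` first, so unless it is set somewhere outside this diff the forwarded value is ignored and each hop keeps reporting its own connection's TLS state instead of the end client's. The first line should presumably read `client->end_client_tls_secured_set = TRUE;`. The function's signature and closing brace are outside the hunk.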
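Review bot: In lmtp_local_rcpt() (lmtp-local.c) `input.conn_ssl_secured` can now come from a string the connecting peer supplied in proxy data rather than from this connection's own TLS state, and nothing in the visible hunks limits which peers may supply it. That is sound only if proxy data is accepted from trusted proxies alone; that check is not part of this diff, so it is worth confirming and recording at the assignment, e.g. `/* Prefer the end client's TLS state forwarded by a trusted proxy over this hop's own connection state. */`. lmtp_local_rcpt() starts and ends outside the hunk.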
@@ -125,6 +125,12 @@ lmtp_proxy_init(struct client *client,
 &lmtp_set.proxy_data);
 lmtp_set.proxy_data.source_ip = client->remote_ip;
 lmtp_set.proxy_data.source_port = client->remote_port;
+ bool end_client_tls_secured =
+ client->end_client_tls_secured_set ?
+ client->end_client_tls_secured :
+ smtp_server_connection_is_ssl_secured(client->conn);
+ lmtp_set.proxy_data.client_transport = end_client_tls_secured ?
+ CLIENT_TRANSPORT_TLS : CLIENT_TRANSPORT_INSECURE;
 /* This initial session_id is used only locally by lib-smtp. Each LMTP proxy connection gets a more specific updated session_id. */
 lmtp_set.proxy_data.session = trans->id;
diff --git a/src/lmtp/lmtp-proxy.h b/src/lmtp/lmtp-proxy.h
index 5ef71c4c7d..e0e8e9cf60 100644
--- a/src/lmtp/lmtp-proxy.h
+++ b/src/lmtp/lmtp-proxy.h
@@ -10,6 +10,9 @@
 #define LMTP_PROXY_DEFAULT_TTL 5
 #define LMTP_PROXY_DEFAULT_PORT 24
+#define CLIENT_TRANSPORT_TLS "TLS"
+#define CLIENT_TRANSPORT_INSECURE "insecure"
+
 struct smtp_server_cmd_ctx;
 struct smtp_server_cmd_rcpt;
 struct lmtp_proxy;
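Review bot: The selection `end_client_tls_secured_set ? end_client_tls_secured : smtp_server_connection_is_ssl_secured(client->conn)` in lmtp_proxy_init() (lmtp-proxy.c) is the same expression the commit adds to lmtp_local_rcpt() in lmtp-local.c, so the fallback rule for a security-relevant flag lives in two places that can drift apart. A single accessor kept with the other client functions would hold the rule in one spot and give it a place to be documented; both call sites then reduce to one call. The function name below is only a suggestion, and lmtp_proxy_init() continues outside the hunk.

```c
/* End client's TLS state: the value forwarded in proxy data when one was
   received, otherwise the state of this connection. */
bool client_is_end_client_tls_secured(struct client *client)
{
	if (client->end_client_tls_secured_set)
		return client->end_client_tls_secured;
	return smtp_server_connection_is_ssl_secured(client->conn);
}

/* … unchanged: source_ip / source_port assignments in lmtp_proxy_init() … */
	lmtp_set.proxy_data.client_transport =
		client_is_end_client_tls_secured(client) ?
		CLIENT_TRANSPORT_TLS : CLIENT_TRANSPORT_INSECURE;
```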
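Review bot: `CLIENT_TRANSPORT_TLS` and `CLIENT_TRANSPORT_INSECURE` are added to lmtp-proxy.h without a comment, yet the receiving side in lmtp-client.c compares with `str_begins_with()`, so any forwarded value that merely starts with "TLS" is treated as secured and every other value as not secured. If the prefix match is intentional (for example to allow a suffix after "TLS"), say so on the defines, e.g. `/* client_transport values sent in proxy data; receivers match CLIENT_TRANSPORT_TLS as a prefix */`. If it is not intentional, an exact comparison would be the stricter choice.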