From 9b0cc3d84ab929556624a4783416310d9bfed300 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Mon, 14 Nov 2022 17:07:52 +0200
Subject: [PATCH] login-common: ssl=required now requires TLS also for
 non-TLS/localhost haproxy connections

---
 src/login-common/client-common.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index fc837a4999..48e7daf0d7 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -218,8 +218,13 @@ client_alloc(int fd, pool_t pool,
 
 	if (conn->haproxied) {
 		/* haproxy connections are always coming from
-		   haproxy_trusted_networks, so we consider them secured. */
-		client->connection_secured = TRUE;
+		   haproxy_trusted_networks, so we consider them secured.
+		   However, ssl=required implies that the client connection is
+		   expected to be secured either via TLS or because the client
+		   is coming from localhost.  */
+		client->connection_secured = conn->haproxy.ssl ||
+			net_ip_compare(&conn->remote_ip, &conn->local_ip) ||
+			strcmp(client->ssl_set->ssl, "required") != 0;
 		/* Assume that the connection is also TLS secured if client
 		   terminated TLS connections on haproxy. If haproxy isn't
 		   running on localhost, the haproxy-Dovecot connection isn't
-- 
2.47.3