From a5d1b7683d1c74f578cd3d98acb0a66de53b550c Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Thu, 20 Oct 2022 14:02:09 +0300
Subject: [PATCH] login-common: Check that ssl=required is not used with
 auth_allow_cleartext=yes

---
 src/login-common/client-common-auth.c |  6 ++++--
 src/login-common/login-settings.c     | 11 ++++++++++-
 src/login-common/login-settings.h     |  1 +
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 285cf3f195..6e003b74b1 100644
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -1060,8 +1060,10 @@ bool client_check_plaintext_auth(struct client *client, bool pass_sent)
 {
 	bool ssl_required = (strcmp(client->ssl_set->ssl, "required") == 0);
 
-	if (client->connection_secured ||
-	    (client->set->auth_allow_cleartext && !ssl_required))
+	i_assert(!ssl_required || !client->set->auth_allow_cleartext);
+
+	if (client->set->auth_allow_cleartext ||
+	    client->connection_secured)
 		return TRUE;
 
 	e_info(client->event_auth, "Login failed: "
diff --git a/src/login-common/login-settings.c b/src/login-common/login-settings.c
index cd5bea4dd1..b24f32c3f2 100644
--- a/src/login-common/login-settings.c
+++ b/src/login-common/login-settings.c
@@ -42,6 +42,8 @@ static const struct setting_define login_setting_defines[] = {
 	DEF(BOOL, auth_debug),
 	DEF(BOOL, verbose_proctitle),
 
+	DEF(ENUM, ssl),
+
 	DEF(UINT, mail_max_userip_connections),
 
 	SETTING_DEFINE_LIST_END
@@ -70,6 +72,8 @@ static const struct login_settings login_default_settings = {
 	.auth_debug = FALSE,
 	.verbose_proctitle = FALSE,
 
+	.ssl = "yes:no:required",
+
 	.mail_max_userip_connections = 10
 };
 
@@ -97,13 +101,18 @@ static struct master_service_settings_cache *set_cache;
 
 /* <settings checks> */
 static bool login_settings_check(void *_set, pool_t pool,
-				 const char **error_r ATTR_UNUSED)
+				 const char **error_r)
 {
 	struct login_settings *set = _set;
 
 	set->log_format_elements_split =
 		p_strsplit(pool, set->login_log_format_elements, " ");
 
+	if (strcmp(set->ssl, "required") == 0 && set->auth_allow_cleartext) {
+		*error_r = "auth_allow_cleartext=yes has no effect with ssl=required";
+		return FALSE;
+	}
+
 	return TRUE;
 }
 /* </settings checks> */
diff --git a/src/login-common/login-settings.h b/src/login-common/login-settings.h
index 027065ead9..66711411b2 100644
--- a/src/login-common/login-settings.h
+++ b/src/login-common/login-settings.h
@@ -18,6 +18,7 @@ struct login_settings {
 	unsigned int login_proxy_max_disconnect_delay;
 	const char *login_proxy_rawlog_dir;
 	const char *login_auth_socket_path;
+	const char *ssl; /* for settings check */
 
 	bool auth_ssl_require_client_cert;
 	bool auth_ssl_username_from_cert;
-- 
2.47.3