# setting if not specified.
#ssl_listen =
-# Disable SSL/TLS support. <doc/wiki/SSL>
-#ssl_disable = no
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL>
+#ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
init_resp = IMAP_ARG_STR(&args[1]);
}
+ if (!client->common.secured && ssl_required) {
+ if (verbose_auth) {
+ client_syslog(&client->common, "Login failed: "
+ "SSL required for authentication");
+ }
+ client->common.auth_attempts++;
+ client_send_tagline(client,
+ "NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] "
+ "Authentication not allowed until SSL/TLS is enabled.");
+ return 1;
+ }
+
mech_name = IMAP_ARG_STR(&args[0]);
if (*mech_name == '\0')
return -1;
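Review bot: The new guard only covers AUTHENTICATE; the LOGIN command in this file is not in the hunk, and its protection under ssl=required rests on the separate change in login-common/main.c that forces disable_plaintext_auth when SSL_REQUIRED is set. That coupling is invisible here and will bite whoever later edits one side without the other, so I would document it above the check: `/* ssl=required: LOGIN and plaintext SASL mechanisms are already refused via disable_plaintext_auth (forced in main.c); this refuses every remaining mechanism until STARTTLS has been issued. */`. Counting the refusal in auth_attempts is reasonable against probing, but it means a client that never issues STARTTLS gets disconnected after the usual attempt limit, which is worth a word in the same comment. cmd_authenticate begins and ends outside the hunk.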
extern bool disable_plaintext_auth, process_per_connection;
extern bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-extern bool ssl_require_client_cert;
+extern bool ssl_required, ssl_require_client_cert;
extern const char *greeting, *log_format;
extern const char *const *log_format_elements;
extern const char *capability_string;
bool disable_plaintext_auth, process_per_connection;
bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
-bool ssl_require_client_cert;
+bool ssl_required, ssl_require_client_cert;
const char *greeting, *log_format;
const char *const *log_format_elements;
const char *trusted_networks;
lib_signals_set_handler(SIGTERM, TRUE, sig_die, NULL);
lib_signals_ignore(SIGPIPE, TRUE);
- disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
verbose_ssl = getenv("VERBOSE_SSL") != NULL;
verbose_auth = getenv("VERBOSE_AUTH") != NULL;
auth_debug = getenv("AUTH_DEBUG") != NULL;
+ ssl_required = getenv("SSL_REQUIRED") != NULL;
ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+ disable_plaintext_auth = ssl_required ||
+ getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
greeting = getenv("GREETING");
if (greeting == NULL)
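Review bot: The reason disable_plaintext_auth is now derived from ssl_required is not stated, and it is the piece that makes the imap-login/pop3-login AUTHENTICATE guards sufficient, since LOGIN and USER/PASS never reach those guards. I would add a comment on the new assignment: `/* ssl=required implies no plaintext auth: LOGIN, USER/PASS and PLAIN-style mechanisms are refused by the existing disable_plaintext_auth path, the SSL_REQUIRED check in cmd_authenticate handles the rest */`. Note also that, like the other flags here, SSL_REQUIRED is tested by presence only, so the master must take care never to export it empty; that matches the file's convention and needs no code change. The enclosing main() continues outside the hunk.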
nonssl_listen = TRUE;
} else if (strcasecmp(*proto, "imaps") == 0) {
if (set->protocol == MAIL_PROTOCOL_IMAP &&
- !set->ssl_disable)
+ strcmp(set->ssl, "no") != 0)
ssl_listen = TRUE;
} else if (strcasecmp(*proto, "pop3") == 0) {
if (set->protocol == MAIL_PROTOCOL_POP3)
nonssl_listen = TRUE;
} else if (strcasecmp(*proto, "pop3s") == 0) {
if (set->protocol == MAIL_PROTOCOL_POP3 &&
- !set->ssl_disable)
+ strcmp(set->ssl, "no") != 0)
ssl_listen = TRUE;
}
}
env_put("DOVECOT_MASTER=1");
- if (!set->ssl_disable) {
+ if (strcmp(set->ssl, "no") != 0) {
const char *ssl_key_password;
ssl_key_password = *set->ssl_key_password != '\0' ?
env_put(t_strconcat("SSL_CA_FILE=",
set->ssl_ca_file, NULL));
}
+ if (strcmp(set->ssl, "required") == 0)
+ env_put("SSL_REQUIRED=1");
env_put(t_strconcat("SSL_CERT_FILE=",
set->ssl_cert_file, NULL));
env_put(t_strconcat("SSL_KEY_FILE=",
DEF_STR(listen),
DEF_STR(ssl_listen),
- DEF_BOOL(ssl_disable),
+ DEF_STR(ssl),
DEF_STR(ssl_ca_file),
DEF_STR(ssl_cert_file),
DEF_STR(ssl_key_file),
MEMBER(listen) "*",
MEMBER(ssl_listen) "",
- MEMBER(ssl_disable) FALSE,
+ MEMBER(ssl) "yes",
MEMBER(ssl_ca_file) "",
MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
return FALSE;
}
+ if (strcmp(set->ssl, "no") != 0 &&
+ strcmp(set->ssl, "yes") != 0 &&
+ strcmp(set->ssl, "required") != 0) {
+ i_error("ssl setting: Invalid value: %s", set->ssl);
+ return FALSE;
+ }
#ifdef HAVE_SSL
- if (!set->ssl_disable) {
+ if (strcmp(set->ssl, "no") != 0) {
if (*set->ssl_ca_file != '\0' &&
access(set->ssl_ca_file, R_OK) < 0) {
i_fatal("Can't use SSL CA file %s: %m",
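Review bot: The validation at the top of the hunk uses strcmp, so `ssl = Yes` or `ssl = NO` is rejected as "Invalid value" even though the old boolean setting presumably accepted mixed case; that is acceptable, and it must stay strcmp as long as every other consumer (listener.c, ssl-init.c, the env export) compares with strcmp too, but the error should then tell the admin what is accepted. I would change the message to `i_error("ssl setting: Invalid value: %s (expected yes, no or required)", set->ssl);`. Since the removed ssl_disable setting is gone entirely, existing configs carrying it will fail to parse elsewhere; a migration hint in the error text or in the example config would help, but that is outside this hunk. The enclosing verification function starts before and ends after the hunk.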
}
}
#else
- if (!set->ssl_disable) {
- i_error("SSL support not compiled in but ssl_disable=no");
+ if (strcmp(set->ssl, "no") != 0) {
+ i_error("SSL support not compiled in but ssl=%s", set->ssl);
return FALSE;
}
#endif
- if (set->ssl_disable && set->disable_plaintext_auth &&
+ if (strcmp(set->ssl, "no") == 0 && set->disable_plaintext_auth &&
strncmp(set->listen, "127.", 4) != 0 &&
!settings_have_nonplaintext_auths(set)) {
i_warning("There is no way to login to this server: "
- "disable_plaintext_auth=yes, ssl_disable=yes, "
+ "disable_plaintext_auth=yes, ssl=no, "
"no non-plaintext auth mechanisms.");
}
const char *listen;
const char *ssl_listen;
- bool ssl_disable;
+ const char *ssl;
const char *ssl_ca_file;
const char *ssl_cert_file;
const char *ssl_key_file;
struct stat st, st2;
time_t regen_time;
- if (set->ssl_disable)
+ if (strcmp(set->ssl, "no") == 0)
return TRUE;
path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL);
const struct auth_mech_desc *mech;
const char *mech_name, *p;
+ if (!client->common.secured && ssl_required) {
+ if (verbose_auth) {
+ client_syslog(&client->common, "Login failed: "
+ "SSL required for authentication");
+ }
+ client->common.auth_attempts++;
+ client_send_line(client, "-ERR Authentication not allowed "
+ "until SSL/TLS is enabled.");
+ return TRUE;
+ }
+
if (*args == '\0') {
/* Old-style SASL discovery, used by MS Outlook */
unsigned int i, count;
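Review bot: The new guard runs before the `*args == '\0'` branch on the lines that follow it, so a non-TLS client sending a bare `AUTH` to list mechanisms (the old-style SASL discovery the comment attributes to MS Outlook) now receives `-ERR Authentication not allowed until SSL/TLS is enabled.` and has auth_attempts incremented, instead of the mechanism list. That differs from the IMAP side, where discovery is via CAPABILITY and is untouched, and it may stop such clients from ever reaching STARTTLS. If discovery before STARTTLS should still work, change the condition to `if (!client->common.secured && ssl_required && *args != '\0') {`; if blocking it is intended, say so in a comment above the check. cmd_auth starts and ends outside the hunk.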