From: Timo Sirainen Date: Thu, 15 Jan 2009 20:52:44 +0000 (-0500) Subject: Renamed "ssl_disable" setting to "ssl". Added support for ssl=required. X-Git-Tag: 1.2.beta1~111 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f4a00030e7536266abbc52a882475bbc96decc3c;p=thirdparty%2Fdovecot%2Fcore.git Renamed "ssl_disable" setting to "ssl". Added support for ssl=required. --HG-- branch : HEAD --- diff --git a/dovecot-example.conf b/dovecot-example.conf index 17ab57db63..bae624e1ad 100644 --- a/dovecot-example.conf +++ b/dovecot-example.conf @@ -84,8 +84,8 @@ # setting if not specified. #ssl_listen = -# Disable SSL/TLS support. -#ssl_disable = no +# SSL/TLS support: yes, no, required. +#ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but diff --git a/src/imap-login/client-authenticate.c b/src/imap-login/client-authenticate.c index c4b079a1ea..4a27d08588 100644 --- a/src/imap-login/client-authenticate.c +++ b/src/imap-login/client-authenticate.c @@ -347,6 +347,18 @@ int cmd_authenticate(struct imap_client *client, const struct imap_arg *args) init_resp = IMAP_ARG_STR(&args[1]); } + if (!client->common.secured && ssl_required) { + if (verbose_auth) { + client_syslog(&client->common, "Login failed: " + "SSL required for authentication"); + } + client->common.auth_attempts++; + client_send_tagline(client, + "NO ["IMAP_RESP_CODE_PRIVACYREQUIRED"] " + "Authentication not allowed until SSL/TLS is enabled."); + return 1; + } + mech_name = IMAP_ARG_STR(&args[0]); if (*mech_name == '\0') return -1; diff --git a/src/login-common/common.h b/src/login-common/common.h index efb8c13ef9..c55509d8a2 100644 --- a/src/login-common/common.h +++ b/src/login-common/common.h 
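Review bot: The new guard in cmd_authenticate refuses every mechanism on an unsecured connection once ssl_required is set, but nothing in this commit changes what the pre-STARTTLS capability response advertises; if capability_string is still derived from disable_plaintext_auth alone (not visible here), non-plaintext mechanisms stay advertised and are then refused with PRIVACYREQUIRED, so it is worth confirming that AUTH= entries are withheld when ssl_required. The same block is repeated almost verbatim in pop3-login's cmd_auth later in this diff; a login-common helper such as `bool client_auth_ssl_required(struct client *client)` holding the secured/ssl_required test, the verbose_auth syslog and the `auth_attempts++` would leave only the protocol-specific response line in each caller. A short comment on the guard, e.g. `/* ssl=required: no authentication of any kind before STARTTLS */`, would also make the intent visible without reading main.c. cmd_authenticate starts and ends outside the hunk.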
@@ -15,7 +15,7 @@ extern const char *login_protocol; extern bool disable_plaintext_auth, process_per_connection; extern bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug; -extern bool ssl_require_client_cert; +extern bool ssl_required, ssl_require_client_cert; extern const char *greeting, *log_format; extern const char *const *log_format_elements; extern const char *capability_string; diff --git a/src/login-common/main.c b/src/login-common/main.c index 7bfe419b1e..40ff0d5fd1 100644 --- a/src/login-common/main.c +++ b/src/login-common/main.c @@ -21,7 +21,7 @@ bool disable_plaintext_auth, process_per_connection; bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug; -bool ssl_require_client_cert; +bool ssl_required, ssl_require_client_cert; const char *greeting, *log_format; const char *const *log_format_elements; const char *trusted_networks; @@ -315,13 +315,15 @@ static void main_init(void) lib_signals_set_handler(SIGTERM, TRUE, sig_die, NULL); lib_signals_ignore(SIGPIPE, TRUE); - disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL; process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL; verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL; verbose_ssl = getenv("VERBOSE_SSL") != NULL; verbose_auth = getenv("VERBOSE_AUTH") != NULL; auth_debug = getenv("AUTH_DEBUG") != NULL; + ssl_required = getenv("SSL_REQUIRED") != NULL; ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL; + disable_plaintext_auth = ssl_required || + getenv("DISABLE_PLAINTEXT_AUTH") != NULL; greeting = getenv("GREETING"); if (greeting == NULL) diff --git a/src/master/listener.c b/src/master/listener.c index 53f4d976f6..747df9b94f 100644 --- a/src/master/listener.c +++ b/src/master/listener.c 
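Review bot: The assignment `disable_plaintext_auth = ssl_required || getenv("DISABLE_PLAINTEXT_AUTH") != NULL;` in main_init couples two settings without saying why, and deserves a comment such as `/* ssl=required implies disable_plaintext_auth so plaintext mechanisms are withheld before TLS is up */` (the reason is inferred from the rest of the diff; adjust if wrong). A reader of this file alone also cannot see that disable_plaintext_auth only withholds plaintext mechanisms while ssl_required, checked in the imap/pop3 login clients, rejects all of them, so the comment should point at those checks. main_init starts and ends outside the hunk.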
@@ -217,14 +217,14 @@ static void listen_parse_and_close_unneeded(struct settings *set) nonssl_listen = TRUE; } else if (strcasecmp(*proto, "imaps") == 0) { if (set->protocol == MAIL_PROTOCOL_IMAP && - !set->ssl_disable) + strcmp(set->ssl, "no") != 0) ssl_listen = TRUE; } else if (strcasecmp(*proto, "pop3") == 0) { if (set->protocol == MAIL_PROTOCOL_POP3) nonssl_listen = TRUE; } else if (strcasecmp(*proto, "pop3s") == 0) { if (set->protocol == MAIL_PROTOCOL_POP3 && - !set->ssl_disable) + strcmp(set->ssl, "no") != 0) ssl_listen = TRUE; } } diff --git a/src/master/login-process.c b/src/master/login-process.c index cb6de9ce02..c6e88f1fac 100644 --- a/src/master/login-process.c +++ b/src/master/login-process.c @@ -549,7 +549,7 @@ static void login_process_init_env(struct login_group *group, pid_t pid) env_put("DOVECOT_MASTER=1"); - if (!set->ssl_disable) { + if (strcmp(set->ssl, "no") != 0) { const char *ssl_key_password; ssl_key_password = *set->ssl_key_password != '\0' ? @@ -559,6 +559,8 @@ static void login_process_init_env(struct login_group *group, pid_t pid) env_put(t_strconcat("SSL_CA_FILE=", set->ssl_ca_file, NULL)); } + if (strcmp(set->ssl, "required") == 0) + env_put("SSL_REQUIRED=1"); env_put(t_strconcat("SSL_CERT_FILE=", set->ssl_cert_file, NULL)); env_put(t_strconcat("SSL_KEY_FILE=", diff --git a/src/master/master-settings-defs.c b/src/master/master-settings-defs.c index 1e5e3a4f49..b29e68282c 100644 --- a/src/master/master-settings-defs.c +++ b/src/master/master-settings-defs.c @@ -20,7 +20,7 @@ static struct setting_def setting_defs[] = { DEF_STR(listen), DEF_STR(ssl_listen), - DEF_BOOL(ssl_disable), + DEF_STR(ssl), DEF_STR(ssl_ca_file), DEF_STR(ssl_cert_file), DEF_STR(ssl_key_file), diff --git a/src/master/master-settings.c b/src/master/master-settings.c index ef43623093..d335fdedd1 100644 --- a/src/master/master-settings.c +++ b/src/master/master-settings.c 
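Review bot: `strcmp(set->ssl, "no") != 0` is now the definition of "SSL enabled" and is written out twice in listen_parse_and_close_unneeded and again in login-process.c, master-settings.c and ssl-init.c (as `== 0` in the last two); parsing the string once in settings_verify into a field such as an `enum ssl_mode { SSL_MODE_NO, SSL_MODE_YES, SSL_MODE_REQUIRED }` and reading that field at the other sites would keep all six consistent. That also matters because these comparisons are case-sensitive while the ssl_disable boolean they replace went through the generic boolean parser; if that parser accepted mixed-case values (not visible here), a config saying `ssl = No` is now rejected by settings_verify rather than being treated as before. listen_parse_and_close_unneeded starts and ends outside the hunk.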
@@ -182,7 +182,7 @@ struct settings default_settings = { MEMBER(listen) "*", MEMBER(ssl_listen) "", - MEMBER(ssl_disable) FALSE, + MEMBER(ssl) "yes", MEMBER(ssl_ca_file) "", MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem", MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem", @@ -846,8 +846,14 @@ static bool settings_verify(struct settings *set) return FALSE; } + if (strcmp(set->ssl, "no") != 0 && + strcmp(set->ssl, "yes") != 0 && + strcmp(set->ssl, "required") != 0) { + i_error("ssl setting: Invalid value: %s", set->ssl); + return FALSE; + } #ifdef HAVE_SSL - if (!set->ssl_disable) { + if (strcmp(set->ssl, "no") != 0) { if (*set->ssl_ca_file != '\0' && access(set->ssl_ca_file, R_OK) < 0) { i_fatal("Can't use SSL CA file %s: %m", @@ -867,16 +873,16 @@ static bool settings_verify(struct settings *set) } } #else - if (!set->ssl_disable) { - i_error("SSL support not compiled in but ssl_disable=no"); + if (strcmp(set->ssl, "no") != 0) { + i_error("SSL support not compiled in but ssl=%s", set->ssl); return FALSE; } #endif - if (set->ssl_disable && set->disable_plaintext_auth && + if (strcmp(set->ssl, "no") == 0 && set->disable_plaintext_auth && strncmp(set->listen, "127.", 4) != 0 && !settings_have_nonplaintext_auths(set)) { i_warning("There is no way to login to this server: " - "disable_plaintext_auth=yes, ssl_disable=yes, " + "disable_plaintext_auth=yes, ssl=no, " "no non-plaintext auth mechanisms."); } diff --git a/src/master/master-settings.h b/src/master/master-settings.h index 17fdba39e6..882a7abf35 100644 --- a/src/master/master-settings.h +++ b/src/master/master-settings.h @@ -34,7 +34,7 @@ struct settings { const char *listen; const char *ssl_listen; - bool ssl_disable; + const char *ssl; const char *ssl_ca_file; const char *ssl_cert_file; const char *ssl_key_file; diff --git a/src/master/ssl-init.c b/src/master/ssl-init.c index 8f3a7e4358..53e8eed293 100644 --- a/src/master/ssl-init.c +++ b/src/master/ssl-init.c 
@@ -86,7 +86,7 @@ static bool check_parameters_file_set(struct settings *set) struct stat st, st2; time_t regen_time; - if (set->ssl_disable) + if (strcmp(set->ssl, "no") == 0) return TRUE; path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL); diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c index da5efac2fc..0d28740514 100644 --- a/src/pop3-login/client-authenticate.c +++ b/src/pop3-login/client-authenticate.c @@ -270,6 +270,17 @@ bool cmd_auth(struct pop3_client *client, const char *args) const struct auth_mech_desc *mech; const char *mech_name, *p; + if (!client->common.secured && ssl_required) { + if (verbose_auth) { + client_syslog(&client->common, "Login failed: " + "SSL required for authentication"); + } + client->common.auth_attempts++; + client_send_line(client, "-ERR Authentication not allowed " + "until SSL/TLS is enabled."); + return TRUE; + } + if (*args == '\0') { /* Old-style SASL discovery, used by MS Outlook */ unsigned int i, count;
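Review bot: The guard in cmd_auth sits above the `*args == '\0'` branch, so a bare AUTH used for mechanism discovery (the existing comment names MS Outlook) is now answered with -ERR and counted in auth_attempts before STLS even though no credentials were offered; if the intent is only to block actual authentication, moving the check below the discovery branch, or answering discovery with an empty list, avoids turning a harmless probe into what presumably feeds the failed-attempt limit. Either way a one-line comment stating which behaviour is intended would help, e.g. `/* ssl=required: refuse AUTH, including mechanism discovery, until STLS */`. cmd_auth starts and ends outside the hunk.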