Sending SSL/TLS state to Dovecot auth

From: Timo Sirainen (no email)
Date: Mon Feb 23 2009 - 14:18:01 EST


    In some setups it's useful for authentication handling to know if the
    connection is SSL/TLS secured. The patch below should tell this to
    Dovecot. It compiles, but other than that I haven't yet tested it.

    In any case, it looks like sending the SSL/TLS state requires an additional
    parameter to xsasl_server_create(). Wietse, how do you think the API
    should be changed to support this functionality? I guess the choices
    are:

     - int tls parameter as in the patch
     - a more generic int flags bitmask
     - secprops-like string
     - replace all the existing parameters with a pointer to struct
    xsasl_parameters so more stuff can easily be added to it later.

    I guess I'd prefer the last one, especially because other people also
    want to tell the local/remote IP addresses to SASL.

    diff -ru postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c
    --- postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c 2007-10-05 18:56:34.000000000 -0400
    +++ postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c 2009-02-23 13:59:28.000000000 -0500
    @@ -151,6 +151,7 @@
                                        const char *sasl_opts_val)
     {
         const char *mechanism_list;
    + int tls;
     
         /*
          * Initialize SASL-specific state variables. Use long-lived storage for
    @@ -169,11 +170,16 @@
          */
     #define SMTPD_SASL_SERVICE "smtp"
     
    +#ifdef USE_TLS
    + tls = state->tls_context != 0;
    +#else
    + tls = 0;
    +#endif
         if ((state->sasl_server =
              xsasl_server_create(smtpd_sasl_impl, state->client,
                                  SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
                                  var_smtpd_sasl_realm : (char *) 0,
    - sasl_opts_val)) == 0)
    + sasl_opts_val, tls)) == 0)
             msg_fatal("SASL per-connection initialization failed");
     
         /*
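Review bot: `tls = state->tls_context != 0;` is evaluated once, when the SASL server object is created, so the value later sent to Dovecot is a snapshot and is only accurate if this activation is re-run after a STARTTLS handshake; whether the SASL server object survives STARTTLS cannot be seen from this hunk. A false positive is the case worth guarding against, since the receiving side presumably treats "secured" as a policy input (for example whether plaintext mechanisms may be offered). A comment at the assignment would make the contract explicit: `/* Snapshot of the TLS state; the SASL server must be re-created after STARTTLS for this to stay accurate. */`. The `#ifdef`/`#else` pair could also be shortened by declaring `int tls = 0;` in the previous hunk and keeping only the `#ifdef USE_TLS` assignment here. The enclosing function begins before and continues after this hunk.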
    diff -ru postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c
    --- postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c 2007-05-25 12:42:17.000000000 -0400
    +++ postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c 2009-02-23 14:03:21.000000000 -0500
    @@ -157,7 +157,8 @@
                                                            VSTREAM *,
                                                            const char *,
                                                            const char *,
    - const char *);
    + const char *,
    + int);
     static void xsasl_cyrus_server_free(XSASL_SERVER *);
     static int xsasl_cyrus_server_first(XSASL_SERVER *, const char *,
                                                 const char *, VSTRING *);
    @@ -262,7 +263,8 @@
                                                            VSTREAM *stream,
                                                            const char *service,
                                                            const char *realm,
    - const char *sec_props)
    + const char *sec_props,
    + int unused_tls)
     {
         const char *myname = "xsasl_cyrus_server_create";
         char *server_address;
    diff -ru postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c
    --- postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c 2008-03-16 19:09:04.000000000 -0400
    +++ postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c 2009-02-23 14:02:49.000000000 -0500
    @@ -160,6 +160,7 @@
         char *username; /* authenticated user */
         VSTRING *sasl_line;
         unsigned int sec_props; /* Postfix mechanism filter */
    + int tls; /* TLS enabled in this session */
         char *mechanism_list; /* filtered mechanism list */
         ARGV *mechanism_argv; /* ditto */
     } XSASL_DOVECOT_SERVER;
    @@ -172,7 +173,8 @@
                                                              VSTREAM *,
                                                              const char *,
                                                              const char *,
    - const char *);
    + const char *,
    + int);
     static void xsasl_dovecot_server_free(XSASL_SERVER *);
     static int xsasl_dovecot_server_first(XSASL_SERVER *, const char *,
                                                   const char *, VSTRING *);
    @@ -382,7 +384,8 @@
                                                          VSTREAM *unused_stream,
                                                              const char *service,
                                                              const char *realm,
    - const char *sec_props)
    + const char *sec_props,
    + int tls)
     {
         const char *myname = "xsasl_dovecot_server_create";
         XSASL_DOVECOT_SERVER *server;
    @@ -409,6 +412,7 @@
         server->last_request_id = 0;
         server->mechanism_list = 0;
         server->mechanism_argv = 0;
    + server->tls = tls;
         server->sec_props =
             name_mask_opt(myname, xsasl_dovecot_conf_sec_props,
                           sec_props, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
    @@ -608,6 +612,8 @@
                             "AUTH\t%u\t%s\tservice=%s\tnologin",
                             server->last_request_id, sasl_method,
                             server->service);
    + if (server->tls)
    + vstream_fputs("\tsecured", server->impl->sasl_stream);
             if (init_response) {
     
                 /*
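Review bot: The added `if (server->tls)` guards an unbraced single statement wedged between a multi-line vstream_fprintf() and the `if (init_response)` block, and this is exactly the spot where further request parameters will be appended later, so brace it now: `if (server->tls) {` / `    vstream_fputs("\tsecured", server->impl->sasl_stream);` / `}`. A one-line comment naming the protocol field would also help readers who do not know the Dovecot auth protocol, e.g. `/* Dovecot auth "secured" parameter: the client connection is TLS-protected */`. The vstream_fprintf() call that this extends begins before the hunk, and the enclosing function continues after it.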
    diff -ru postfix-2.5.6/src/xsasl/xsasl.h postfix-2.5.6-dovecot/src/xsasl/xsasl.h
    --- postfix-2.5.6/src/xsasl/xsasl.h 2005-12-19 16:34:20.000000000 -0500
    +++ postfix-2.5.6-dovecot/src/xsasl/xsasl.h 2009-02-23 13:58:00.000000000 -0500
    @@ -45,15 +45,15 @@
       * own private data.
       */
     typedef struct XSASL_SERVER_IMPL {
    - XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const char *, const char *, const char *);
    + XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const char *, const char *, const char *, int);
         void (*done) (struct XSASL_SERVER_IMPL *);
     } XSASL_SERVER_IMPL;
     
     extern XSASL_SERVER_IMPL *xsasl_server_init(const char *, const char *);
     extern ARGV *xsasl_server_types(void);
     
    -#define xsasl_server_create(impl, stream, service, realm, sec_props) \
    - (impl)->create((impl), (stream), (service), (realm), (sec_props))
    +#define xsasl_server_create(impl, stream, service, realm, sec_props, tls) \
    + (impl)->create((impl), (stream), (service), (realm), (sec_props), (tls))
     #define xsasl_server_done(impl) (impl)->done((impl));
     
      /*
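Review bot: The new trailing `int` on the `create` member (and the matching `tls` argument of the `xsasl_server_create` macro) carries no comment saying what its values mean, and a bare `int` lets every implementation accept any value without a hint of the intended boolean contract. Add a comment above the typedef such as `/* create(): the final int argument is non-zero when the client connection is TLS-protected */`, or place the same note on the macro. The comment block above `XSASL_SERVER_IMPL` begins before this hunk. The struct-of-parameters alternative raised in the message would remove the need to touch every implementation when further session attributes are added, which is the same extensibility concern this untyped `int` raises.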












