[PATCH] require STARTTLS before AUTH

only allows AUTH after STARTTLS when compiled with TLS and TLS_BEFORE_AUTH defined auth-after-tls-only
author: manuel <manuel@mausz.at> 2013-02-04 02:56:32 +0100
committer: manuel <manuel@mausz.at> 2013-02-04 02:56:32 +0100
commit: 47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4 (patch)
tree: e66eb4c7875cad52a7eb12724ebcb311182cec9b
parent: fd404641357a4a3bc0a55cb31deb3d4bad4ec2ee (diff)
download: qmail-47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4.tar.gz
qmail-47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4.tar.bz2
qmail-47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4.zip
1 files changed, 22 insertions, 4 deletions
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 4466168..c8ee61b 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -151,6 +151,7 @@ void err_authmail() { out("503 no auth during mail transaction (#5.5.0)\r\n"); }
 int err_noauth() { out("504 auth type unimplemented (#5.5.1)\r\n"); return -1; }
 int err_authabrt() { out("501 auth exchange canceled (#5.0.0)\r\n"); return -1; }
 int err_input() { out("501 malformed auth input (#5.5.4)\r\n"); return -1; }
+int err_wantstarttls() { out("530 Must issue a STARTTLS command first (#5.7.0)\r\n"); return -1; };
 void err_authfail() { out("535 authentication failed (#5.7.1)\r\n"); }
 stralloc greeting = {0};
@@ -508,6 +509,13 @@ void smtp_helo(arg) char *arg;
  seenmail = 0; dohelo(arg);
  if (bhelook) flagbarfbhelo = bmcheck(BMCHECK_BHELO);
 }
+void smtp_authout() {
+#ifdef CRAM_MD5
+  out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n");
+#else
+  out("250-AUTH LOGIN PLAIN\r\n");
+#endif
+}
 /* ESMTP extensions are published here */
 void smtp_ehlo(arg) char *arg;
 {
@@ -522,12 +530,12 @@ void smtp_ehlo(arg) char *arg;
    out("\r\n250-STARTTLS");
 #endif
  out("\r\n250-PIPELINING\r\n250-8BITMIME\r\n");
-  out("250-SIZE "); out(size); out("\r\n");
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
-#ifdef CRAM_MD5
+  if(ssl) smtp_authout();
-  out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
 #else
-  out("250 AUTH LOGIN PLAIN\r\n");
+  smtp_authout();
 #endif
+  out("250 SIZE "); out(size); out("\r\n");
  seenmail = 0; dohelo(arg);
  if (bhelook) flagbarfbhelo = bmcheck(BMCHECK_BHELO);
 }
@@ -826,6 +834,9 @@ int auth_login(arg) char *arg;
 {
  int r;
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+  if (!ssl) return err_wantstarttls();
+#endif
  if (*arg) {
    if (r = b64decode(arg,str_len(arg),&user) == 1) return err_input();
  }
@@ -850,6 +861,9 @@ int auth_plain(arg) char *arg;
 {
  int r, id = 0;
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+  if (!ssl) return err_wantstarttls();
+#endif
  if (*arg) {
    if (r = b64decode(arg,str_len(arg),&resp) == 1) return err_input();
  }
@@ -876,6 +890,10 @@ int auth_cram()
  int i, r;
  char *s;
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+  if (!ssl) return err_wantstarttls();
+#endif
  s = unique;                                           /* generate challenge */
  s += fmt_uint(s,getpid());
  *s++ = '.';
author	manuel <manuel@mausz.at>	2013-02-04 02:56:32 +0100
committer	manuel <manuel@mausz.at>	2013-02-04 02:56:32 +0100
commit	47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4 (patch)
tree	e66eb4c7875cad52a7eb12724ebcb311182cec9b
parent	fd404641357a4a3bc0a55cb31deb3d4bad4ec2ee (diff)
download	qmail-47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4.tar.gz qmail-47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4.tar.bz2 qmail-47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4.zip