From 47ec2c1bec6a5d9d2d204ee0757b58b7f94c45d4 Mon Sep 17 00:00:00 2001
From: manuel
Date: Mon, 4 Feb 2013 02:56:32 +0100
Subject: [PATCH] require STARTTLS before AUTH only allows AUTH after STARTTLS when compiled with TLS and TLS_BEFORE_AUTH defined auth-after-tls-only
---
 qmail-smtpd.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 4466168..c8ee61b 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -151,6 +151,7 @@ void err_authmail() { out("503 no auth during mail transaction (#5.5.0)\r\n"); }
 int err_noauth() { out("504 auth type unimplemented (#5.5.1)\r\n"); return -1; }
 int err_authabrt() { out("501 auth exchange canceled (#5.0.0)\r\n"); return -1; }
 int err_input() { out("501 malformed auth input (#5.5.4)\r\n"); return -1; }
+int err_wantstarttls() { out("530 Must issue a STARTTLS command first (#5.7.0)\r\n"); return -1; };
 void err_authfail() { out("535 authentication failed (#5.7.1)\r\n"); }
 stralloc greeting = {0};
@@ -508,6 +509,13 @@ void smtp_helo(arg) char *arg;
 seenmail = 0; dohelo(arg);
 if (bhelook) flagbarfbhelo = bmcheck(BMCHECK_BHELO);
 }
+void smtp_authout() {
+#ifdef CRAM_MD5
+ out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n");
+#else
+ out("250-AUTH LOGIN PLAIN\r\n");
+#endif
+}
 /* ESMTP extensions are published here */
 void smtp_ehlo(arg) char *arg;
 {
@@ -522,12 +530,12 @@ void smtp_ehlo(arg) char *arg;
 out("\r\n250-STARTTLS");
 #endif
 out("\r\n250-PIPELINING\r\n250-8BITMIME\r\n");
- out("250-SIZE "); out(size); out("\r\n");
-#ifdef CRAM_MD5
- out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+ if(ssl) smtp_authout();
 #else
- out("250 AUTH LOGIN PLAIN\r\n");
+ smtp_authout();
 #endif
+ out("250 SIZE "); out(size); out("\r\n");
 seenmail = 0; dohelo(arg);
 if (bhelook) flagbarfbhelo = bmcheck(BMCHECK_BHELO);
 }
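Review bot: The added `err_wantstarttls()` definition in the first hunk ends in `};`, and that trailing semicolon is an empty declaration at file scope which none of the neighbouring one-line helpers carry; strict ISO C modes warn about it. Close the line with a plain `}` so it reads `int err_wantstarttls() { out("530 Must issue a STARTTLS command first (#5.7.0)\r\n"); return -1; }` like `err_input()` above it.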
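Review bot: `smtp_authout()` in the second hunk has no comment stating the one thing a caller must know, namely that it always writes a continuation line (`250-`) and so can never be the last line of the EHLO reply. I would add `/* Advertise AUTH mechanisms as an EHLO continuation line ("250-"); the caller must still send the final "250 " line. */` above it. Since this is now the only place the mechanism list is spelled out, the comment could also say that LOGIN and PLAIN carry the password in cleartext, which is why the caller gates the call on TLS.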
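Review bot: The guard `#if defined(TLS) && defined(TLS_BEFORE_AUTH)` in smtp_ehlo (repeated in auth_login, auth_plain and auth_cram) falls through to the unconditional `smtp_authout();` branch when TLS_BEFORE_AUTH is defined but TLS is not, so a mis-set build quietly advertises and accepts AUTH on cleartext sessions. A fail-closed build check near the top of the file would catch that: `#if defined(TLS_BEFORE_AUTH) && !defined(TLS)`, `#error "TLS_BEFORE_AUTH requires TLS"`, `#endif`. The `if(ssl)` test also assumes `ssl` becomes non-NULL only once the handshake has completed; its declaration and assignment are outside this diff, so that is worth confirming.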
@@ -826,6 +834,9 @@ int auth_login(arg) char *arg;
 {
 int r;
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+ if (!ssl) return err_wantstarttls();
+#endif
 if (*arg) {
 if (r = b64decode(arg,str_len(arg),&user) == 1) return err_input();
 }
@@ -850,6 +861,9 @@ int auth_plain(arg) char *arg;
 {
 int r, id = 0;
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+ if (!ssl) return err_wantstarttls();
+#endif
 if (*arg) {
 if (r = b64decode(arg,str_len(arg),&resp) == 1) return err_input();
 }
@@ -876,6 +890,10 @@ int auth_cram()
 int i, r;
 char *s;
+#if defined(TLS) && defined(TLS_BEFORE_AUTH)
+ if (!ssl) return err_wantstarttls();
+#endif
+
 s = unique; /* generate challenge */
 s += fmt_uint(s,getpid());
 *s++ = '.';
-- 
cgit v1.2.3
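Review bot: The same three-line guard is pasted into auth_login, auth_plain and auth_cram, so the policy holds only as long as every mechanism handler remembers to carry it. Enforcing it once in the AUTH command dispatcher (not shown in this diff), before the mechanism is looked up, would make any handler added later fail closed by default, and the per-handler copies could then go. If the copies stay, a one-line comment such as `/* policy: no AUTH on a cleartext session */` above each makes the intent easy to grep for. The handler bodies continue outside these hunks.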
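Review bot: In auth_plain the check correctly runs before `b64decode`, but the rejection cannot protect an initial response: a client that puts its credentials on the AUTH command line has already sent them in cleartext by the time the 530 goes out. That limit deserves a comment here, and in auth_login, which also accepts an initial argument, for example `/* server-side only: clients must themselves refuse to send AUTH before STARTTLS */`. Withholding AUTH from the plaintext EHLO reply, as the smtp_ehlo hunk does, is what keeps well-behaved clients from trying.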