authorSergey Poznyakoff <gray@gnu.org.ua>2019-08-29 14:40:30 +0300
committerSergey Poznyakoff <gray@gnu.org.ua>2019-08-29 15:09:27 +0300
commitddfa689bff19d877170add6fed3381f3d5b79a8e (patch)
tree9e2f3a0f53569afc9a67ee92bc3b885ec39e76cb
parent113e144dedbebb5bc659eadc7f329450bb374606 (diff)
downloadmailutils-ddfa689bff19d877170add6fed3381f3d5b79a8e.tar.gz
mailutils-ddfa689bff19d877170add6fed3381f3d5b79a8e.tar.bz2
pop3d: implement TLS in inetd mode
New global configuration statement "tls-mode" configures the TLS for use in inetd mode. The certificate and key files are configured by the global "tls" compound statement. Example configuration (pop3s server): mode inetd; tls-mode connection; tls { ssl-key-file /etc/ssl/key.pem; ssl-certificate-file /etc/ssl/cert.pem; } In daemon mode, global "tls-mode" sets the type of TLS encryption to use in all server blocks that lack the "tls-mode" statement. * pop3d/cmd.c (global_tls_mode) (global_conf_status): New globals. (stls_server_check): New function. (stls_preflight): Use stls_server_check. * pop3d/pop3d.c (pop3d_cfg_param): New global statement: tls-mode (main): Set up TLS connection in inetd mode, if requested. * pop3d/pop3d.h (global_tls_mode): New global. (stls_server_check): New proto. * NEWS: Document changes. * doc/texinfo/programs/pop3d.texi: Likewise.
-rw-r--r--NEWS20
-rw-r--r--doc/texinfo/programs/pop3d.texi33
-rw-r--r--pop3d/cmd.c98
-rw-r--r--pop3d/pop3d.c31
-rw-r--r--pop3d/pop3d.h2
5 files changed, 142 insertions, 42 deletions
diff --git a/NEWS b/NEWS
index 6b16f1706..251f5a80b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,2 +1,2 @@
-GNU mailutils NEWS -- history of user-visible changes. 2019-06-21
+GNU mailutils NEWS -- history of user-visible changes. 2019-08-29
Copyright (C) 2002-2019 Free Software Foundation, Inc.
@@ -8,2 +8,20 @@ Version 3.7.90 (git)
+* Use of TLS in pop3d run from inetd
+
+New global configuration statement "tls-mode" configures the TLS for
+use in inetd mode.
+
+The certificate and key files are configured by the global "tls"
+compound statement.
+
+Example configuration (pop3s server):
+
+ mode inetd;
+ tls-mode connection;
+ tls {
+ ssl-key-file /etc/ssl/key.pem;
+ ssl-certificate-file /etc/ssl/cert.pem;
+ }
+
+
Version 3.7 - 2019-06-21
diff --git a/doc/texinfo/programs/pop3d.texi b/doc/texinfo/programs/pop3d.texi
index 93ace2fff..b508bf534 100644
--- a/doc/texinfo/programs/pop3d.texi
+++ b/doc/texinfo/programs/pop3d.texi
@@ -215,2 +215,30 @@ The following configuration file statements affect the behavior of
+@deffn {Pop3d Conf} tls-mode @var{mode}
+Configure the use of TLS encryption for inetd mode.
+
+In daemon mode, this statement sets the type of TLS encryption to
+use in all server blocks that lack the @code{tls-mode} statement
+(@pxref{Server Statement}).
+
+Allowed values for @var{mode} are:
+
+@table @asis
+@item no
+TLS is not used. The @command{STLS} command won't be available even if
+the TLS configuration is otherwise complete.
+
+@item ondemand
+TLS is initiated when the user issues the appropriate command.
+This is the default when TLS is configured.
+
+@item required
+Same as above, but the use of TLS is mandatory. The authentication
+state is entered only after TLS negotiation has succeeded.
+
+@item connection
+TLS is always forced when the connection is established (POP3S
+protocol).
+@end table
+@end deffn
+
@deffn {Pop3d Conf} undelete @var{bool}
@@ -229,7 +257,2 @@ for a detailed description.
-@deffn {Pop3d Conf} tls-required @var{bool}
-Always require @code{STLS} command before entering authentication
-phase.
-@end deffn
-
@deffn {Pop3d Conf} login-delay @var{duration}
diff --git a/pop3d/cmd.c b/pop3d/cmd.c
index 5ca7b7b86..1ed73c237 100644
--- a/pop3d/cmd.c
+++ b/pop3d/cmd.c
@@ -19,2 +19,4 @@
struct mu_tls_config global_tls_conf;
+int global_tls_mode;
+int global_conf_status = -1;
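Review bot: `global_conf_status` is given external linkage on the second added line, yet the pop3d.h hunk of this commit exports only `global_tls_mode`, and nothing on this page reads it outside cmd.c; `static int global_conf_status = -1;` keeps it file-local. The -1 initial value is a "not computed yet" sentinel, filled in lazily in the MU_TLS_CONFIG_NULL branch of stls_server_check further down in this file, which is easy to misread as an error code without a comment. A one-liner such as `/* Result of checking global_tls_conf; -1 until stls_server_check computes it. */` above the definition would make that clear.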
@@ -51,24 +53,6 @@ pop3d_find_command (const char *name)
int
-stls_preflight (mu_m_server_t msrv)
+stls_server_check (struct pop3d_srv_config *cfg, char const *srvid)
{
- mu_list_t srvlist;
- mu_iterator_t itr;
- int errors = 0;
- int tls_ok = mu_init_tls_libs ();
- int tls_requested = 0;
- int global_conf_status = 0;
+ int result;
- if (global_tls_conf.cert_file)
- global_conf_status = mu_tls_config_check (&global_tls_conf, 1);
- else
- global_conf_status = MU_TLS_CONFIG_NULL;
-
- mu_m_server_get_srvlist (msrv, &srvlist);
- mu_list_get_iterator (srvlist, &itr);
- for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr))
- {
- mu_ip_server_t ipsrv;
- struct pop3d_srv_config *cfg;
- mu_iterator_current (itr, (void**) &ipsrv);
- cfg = mu_ip_server_get_data (ipsrv);
switch (cfg->tls_mode)
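Review bot: stls_server_check is a new function with no header comment, and its contract is not obvious from the signature: it rewrites cfg->tls_mode when that is tls_unspecified, may replace cfg->tls_conf with the global tls settings, and returns MU_TLS_CONFIG_NULL when TLS is not used for this server, MU_TLS_CONFIG_OK when the configuration is usable, MU_TLS_CONFIG_FAIL when no certificate is set, or otherwise whatever mu_tls_config_check returned. A comment above `int` stating these return values, the in-place modification of cfg, and that srvid is only used in diagnostics would make the call sites in stls_preflight and main readable. The function body continues past this hunk.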
@@ -76,12 +60,15 @@ stls_preflight (mu_m_server_t msrv)
case tls_unspecified:
- if (cfg->tls_conf.cert_file)
- {
+ if (global_tls_mode != tls_unspecified)
+ cfg->tls_mode = global_tls_mode;
+ else if (cfg->tls_conf.cert_file)
cfg->tls_mode = tls_ondemand;
- break;
- }
else
+ {
cfg->tls_mode = tls_no;
- /* fall through */
+ return MU_TLS_CONFIG_NULL;
+ }
+ break;
+
case tls_no:
- continue;
+ return MU_TLS_CONFIG_NULL;
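Review bot: When cfg->tls_mode is tls_unspecified and the global tls-mode is `no`, `cfg->tls_mode = global_tls_mode;` is followed by `break`, so the function goes on to the mu_tls_config_check call instead of returning MU_TLS_CONFIG_NULL as the explicit `case tls_no:` two lines below does. As far as the later hunks show, such a server block then has the global certificate copied into cfg->tls_conf and is reported MU_TLS_CONFIG_OK (or diagnosed as a configuration error if the global tls block is incomplete), which contradicts the documented meaning of `no`. Checking the inherited value before breaking closes the gap: `cfg->tls_mode = global_tls_mode; if (cfg->tls_mode == tls_no) return MU_TLS_CONFIG_NULL;`. The enclosing switch and function continue outside this hunk.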
@@ -91,3 +78,4 @@ stls_preflight (mu_m_server_t msrv)
- switch (mu_tls_config_check (&cfg->tls_conf, 1))
+ result = mu_tls_config_check (&cfg->tls_conf, 1);
+ switch (result)
{
@@ -96,5 +84,4 @@ stls_preflight (mu_m_server_t msrv)
{
- mu_error (_("server %s: no certificate set"),
- mu_ip_server_addrstr (ipsrv));
- errors = 1;
+ mu_error (_("server %s: no certificate set"), srvid);
+ result = MU_TLS_CONFIG_FAIL;
}
@@ -103,2 +90,10 @@ stls_preflight (mu_m_server_t msrv)
case MU_TLS_CONFIG_NULL:
+ if (global_conf_status == -1)
+ {
+ if (global_tls_conf.cert_file)
+ global_conf_status = mu_tls_config_check (&global_tls_conf, 1);
+ else
+ global_conf_status = MU_TLS_CONFIG_NULL;
+ }
+
if (global_conf_status != MU_TLS_CONFIG_NULL)
@@ -106,2 +101,3 @@ stls_preflight (mu_m_server_t msrv)
cfg->tls_conf = global_tls_conf;
+ result = MU_TLS_CONFIG_OK;
}
@@ -109,5 +105,4 @@ stls_preflight (mu_m_server_t msrv)
{
- mu_error (_("server %s: no certificate set"),
- mu_ip_server_addrstr (ipsrv));
- errors = 1;
+ mu_error (_("server %s: no certificate set"), srvid);
+ result = MU_TLS_CONFIG_FAIL;
}
@@ -116,4 +111,34 @@ stls_preflight (mu_m_server_t msrv)
default:
- mu_error (_("server %s: TLS configuration failed"),
- mu_ip_server_addrstr (ipsrv));
+ mu_error (_("server %s: TLS configuration failed"), srvid);
+ }
+ return result;
+}
+
+int
+stls_preflight (mu_m_server_t msrv)
+{
+ mu_list_t srvlist;
+ mu_iterator_t itr;
+ int errors = 0;
+ int tls_ok = mu_init_tls_libs ();
+ int tls_requested = 0;
+
+ mu_m_server_get_srvlist (msrv, &srvlist);
+ mu_list_get_iterator (srvlist, &itr);
+ for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr))
+ {
+ mu_ip_server_t ipsrv;
+ struct pop3d_srv_config *cfg;
+ mu_iterator_current (itr, (void**) &ipsrv);
+ cfg = mu_ip_server_get_data (ipsrv);
+
+ switch (stls_server_check (cfg, mu_ip_server_addrstr (ipsrv)))
+ {
+ case MU_TLS_CONFIG_NULL:
+ continue;
+
+ case MU_TLS_CONFIG_OK:
+ break;
+
+ default:
errors = 1;
@@ -125,2 +150,5 @@ stls_preflight (mu_m_server_t msrv)
+ if (global_tls_mode == tls_unspecified)
+ global_tls_mode = tls_no;
+
if (tls_requested && !tls_ok)
diff --git a/pop3d/pop3d.c b/pop3d/pop3d.c
index a993b9dc2..f400f2b26 100644
--- a/pop3d/pop3d.c
+++ b/pop3d/pop3d.c
@@ -233,2 +233,8 @@ static struct mu_cfg_param pop3d_cfg_param[] = {
{ "tls", mu_cfg_section, &global_tls_conf },
+ { "tls-mode", mu_cfg_callback,
+ &global_tls_mode, 0, cb_tls,
+ N_("Kind of TLS encryption to use for the inetd server"
+ " and all server blocks that lack the tls-mode statement."),
+ /* TRANSLATORS: words to the right of : are keywords - do not translate */
+ N_("arg: false|true|ondemand|stls|requred|connection") },
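Review bot: The argument help string on the last added line misspells `required` as `requred`; it is a user-visible N_() string that reaches translators and the configuration help output, so it should read `N_("arg: false|true|ondemand|stls|required|connection")`. The keyword list also differs from the texi text added in this commit, which documents only no, ondemand, required and connection; if cb_tls accepts false/true/stls as aliases the texi should say so, otherwise the help string should list the same four values.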
@@ -532,3 +538,26 @@ main (int argc, char **argv)
memset (&cfg, 0, sizeof cfg);
- cfg.tls_mode = tls_no;
+
+ switch (stls_server_check (&cfg, "<inetd>"))
+ {
+ case MU_TLS_CONFIG_OK:
+ if (mu_init_tls_libs ())
+ status = EX_OK;
+ else
+ {
+ mu_error (_("TLS is not configured, but requested in the "
+ "configuration"));
+ exit (EX_CONFIG);
+ }
+ break;
+
+ case MU_TLS_CONFIG_NULL:
+ break;
+
+ case MU_TLS_CONFIG_UNSAFE:
+ exit (EX_CONFIG);
+
+ default:
+ exit (EX_UNAVAILABLE);
+ }
+
/* Make sure we are in the root directory. */
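Review bot: The removed `cfg.tls_mode = tls_no;` has no replacement, so the inetd path now relies on the preceding memset leaving cfg.tls_mode equal to tls_unspecified, i.e. on tls_unspecified being the enumerator with value 0; an explicit `cfg.tls_mode = tls_unspecified;` before the stls_server_check call states that intent and survives a reordering of the enum. In the MU_TLS_CONFIG_OK branch the diagnostic `TLS is not configured, but requested in the configuration` is emitted when mu_init_tls_libs() fails, which is a missing-TLS-support condition rather than a configuration one; `TLS support is not available, but tls-mode requests it` describes it more accurately. Nothing in this hunk starts the TLS session for the connection mode, so presumably that happens later in main, outside the hunk; main continues beyond this hunk.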
diff --git a/pop3d/pop3d.h b/pop3d/pop3d.h
index c040a02bd..efd115644 100644
--- a/pop3d/pop3d.h
+++ b/pop3d/pop3d.h
@@ -250,2 +250,3 @@ extern int apop_database_owner_set;
extern struct mu_tls_config global_tls_conf;
+extern int global_tls_mode;
@@ -293,2 +294,3 @@ extern int pop3d_stls (char *, struct pop3d_session *);
int stls_preflight (mu_m_server_t msrv);
+int stls_server_check (struct pop3d_srv_config *cfg, char const *srvid);
