author | Sergey Poznyakoff <gray@gnu.org.ua> | 2019-08-29 14:40:30 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2019-08-29 15:09:27 +0300 |
commit | ddfa689bff19d877170add6fed3381f3d5b79a8e (patch) | |
tree | 9e2f3a0f53569afc9a67ee92bc3b885ec39e76cb | |
parent | 113e144dedbebb5bc659eadc7f329450bb374606 (diff) | |
download | mailutils-ddfa689bff19d877170add6fed3381f3d5b79a8e.tar.gz mailutils-ddfa689bff19d877170add6fed3381f3d5b79a8e.tar.bz2 |
pop3d: implement TLS in inetd mode
New global configuration statement "tls-mode" configures the use of TLS
in inetd mode.
The certificate and key files are configured by the global "tls"
compound statement.
Example configuration (pop3s server):
mode inetd;
tls-mode connection;
tls {
ssl-key-file /etc/ssl/key.pem;
ssl-certificate-file /etc/ssl/cert.pem;
}
In daemon mode, global "tls-mode" sets the type of TLS encryption to
use in all server blocks that lack the "tls-mode" statement.
* pop3d/cmd.c (global_tls_mode)
(global_conf_status): New globals.
(stls_server_check): New function.
(stls_preflight): Use stls_server_check.
* pop3d/pop3d.c (pop3d_cfg_param): New global statement: tls-mode
(main): Set up TLS connection in inetd mode, if requested.
* pop3d/pop3d.h (global_tls_mode): New global.
(stls_server_check): New proto.
* NEWS: Document changes.
* doc/texinfo/programs/pop3d.texi: Likewise.
-rw-r--r-- | NEWS | 20 | ||||
-rw-r--r-- | doc/texinfo/programs/pop3d.texi | 33 | ||||
-rw-r--r-- | pop3d/cmd.c | 116 | ||||
-rw-r--r-- | pop3d/pop3d.c | 31 | ||||
-rw-r--r-- | pop3d/pop3d.h | 2 |
5 files changed, 151 insertions, 51 deletions
@@ -1,10 +1,28 @@ | |||
1 | GNU mailutils NEWS -- history of user-visible changes. 2019-06-21 | 1 | GNU mailutils NEWS -- history of user-visible changes. 2019-08-29 |
2 | Copyright (C) 2002-2019 Free Software Foundation, Inc. | 2 | Copyright (C) 2002-2019 Free Software Foundation, Inc. |
3 | See the end of file for copying conditions. | 3 | See the end of file for copying conditions. |
4 | 4 | ||
5 | Please send mailutils bug reports to <bug-mailutils@gnu.org>. | 5 | Please send mailutils bug reports to <bug-mailutils@gnu.org>. |
6 | 6 | ||
7 | Version 3.7.90 (git) | 7 | Version 3.7.90 (git) |
8 | |||
9 | * Use of TLS in pop3d run from inetd | ||
10 | |||
11 | New global configuration statement "tls-mode" configures the TLS for | ||
12 | use in inetd mode. | ||
13 | |||
14 | The certificate and key files are configured by the global "tls" | ||
15 | compound statement. | ||
16 | |||
17 | Example configuration (pop3s server): | ||
18 | |||
19 | mode inetd; | ||
20 | tls-mode connection; | ||
21 | tls { | ||
22 | ssl-key-file /etc/ssl/key.pem; | ||
23 | ssl-certificate-file /etc/ssl/cert.pem; | ||
24 | } | ||
25 | |||
8 | 26 | ||
9 | Version 3.7 - 2019-06-21 | 27 | Version 3.7 - 2019-06-21 |
10 | 28 | ||
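--- a/doc/texinfo/programs/pop3d.texi
+++ b/doc/texinfo/programs/pop3d.texi
@@ -213,6 +213,34 @@ The following configuration file statements affect the behavior of
 @item tcp-wrappers @tab @xref{tcp-wrappers statement}.
 @end multitable
 
+@deffn {Pop3d Conf} tls-mode @var{mode}
+Configure the use of TLS encryption for inetd mode.
+
+In daemon mode, this statement sets the type of TLS encryption to
+use in all server blocks that lack the @code{tls-mode} statement
+(@pxref{Server Statement}).
+
+Allowed values for @var{mode} are:
+
+@table @asis
+@item no
+TLS is not used. The @command{STLS} command won't be available even if
+the TLS configuration is otherwise complete.
+
+@item ondemand
+TLS is initiated when the user issues the appropriate command.
+This is the default when TLS is configured.
+
+@item required
+Same as above, but the use of TLS is mandatory. The authentication
+state is entered only after TLS negotiation has succeeded.
+
+@item connection
+TLS is always forced when the connection is established (POP3S
+protocol).
+@end table
+@end deffn
+
 @deffn {Pop3d Conf} undelete @var{bool}
 On startup, clear deletion marks from all the messages.
 @end deffn
@@ -227,11 +255,6 @@ Delete expired messages upon closing the mailbox. @xref{Auto-expire},
 for a detailed description.
 @end deffn
 
-@deffn {Pop3d Conf} tls-required @var{bool}
-Always require @code{STLS} command before entering authentication
-phase.
-@end deffn
-
 @deffn {Pop3d Conf} login-delay @var{duration}
 Set the minimal allowed delay between two successive logins.
 @xref{Login delay}, for more information.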
diff --git a/pop3d/cmd.c b/pop3d/cmd.c index 5ca7b7b86..1ed73c237 100644 --- a/pop3d/cmd.c +++ b/pop3d/cmd.c | |||
@@ -17,6 +17,8 @@ | |||
17 | #include "pop3d.h" | 17 | #include "pop3d.h" |
18 | 18 | ||
19 | struct mu_tls_config global_tls_conf; | 19 | struct mu_tls_config global_tls_conf; |
20 | int global_tls_mode; | ||
21 | int global_conf_status = -1; | ||
20 | 22 | ||
21 | static struct pop3d_command command_table[] = { | 23 | static struct pop3d_command command_table[] = { |
22 | { "STLS", pop3d_stls }, | 24 | { "STLS", pop3d_stls }, |
@@ -49,6 +51,70 @@ pop3d_find_command (const char *name) | |||
49 | } | 51 | } |
50 | 52 | ||
51 | int | 53 | int |
54 | stls_server_check (struct pop3d_srv_config *cfg, char const *srvid) | ||
55 | { | ||
56 | int result; | ||
57 | |||
58 | switch (cfg->tls_mode) | ||
59 | { | ||
60 | case tls_unspecified: | ||
61 | if (global_tls_mode != tls_unspecified) | ||
62 | cfg->tls_mode = global_tls_mode; | ||
63 | else if (cfg->tls_conf.cert_file) | ||
64 | cfg->tls_mode = tls_ondemand; | ||
65 | else | ||
66 | { | ||
67 | cfg->tls_mode = tls_no; | ||
68 | return MU_TLS_CONFIG_NULL; | ||
69 | } | ||
70 | break; | ||
71 | |||
72 | case tls_no: | ||
73 | return MU_TLS_CONFIG_NULL; | ||
74 | |||
75 | default: | ||
76 | break; | ||
77 | } | ||
78 | |||
79 | result = mu_tls_config_check (&cfg->tls_conf, 1); | ||
80 | switch (result) | ||
81 | { | ||
82 | case MU_TLS_CONFIG_OK: | ||
83 | if (!cfg->tls_conf.cert_file) | ||
84 | { | ||
85 | mu_error (_("server %s: no certificate set"), srvid); | ||
86 | result = MU_TLS_CONFIG_FAIL; | ||
87 | } | ||
88 | break; | ||
89 | |||
90 | case MU_TLS_CONFIG_NULL: | ||
91 | if (global_conf_status == -1) | ||
92 | { | ||
93 | if (global_tls_conf.cert_file) | ||
94 | global_conf_status = mu_tls_config_check (&global_tls_conf, 1); | ||
95 | else | ||
96 | global_conf_status = MU_TLS_CONFIG_NULL; | ||
97 | } | ||
98 | |||
99 | if (global_conf_status != MU_TLS_CONFIG_NULL) | ||
100 | { | ||
101 | cfg->tls_conf = global_tls_conf; | ||
102 | result = MU_TLS_CONFIG_OK; | ||
103 | } | ||
104 | else | ||
105 | { | ||
106 | mu_error (_("server %s: no certificate set"), srvid); | ||
107 | result = MU_TLS_CONFIG_FAIL; | ||
108 | } | ||
109 | break; | ||
110 | |||
111 | default: | ||
112 | mu_error (_("server %s: TLS configuration failed"), srvid); | ||
113 | } | ||
114 | return result; | ||
115 | } | ||
116 | |||
117 | int | ||
52 | stls_preflight (mu_m_server_t msrv) | 118 | stls_preflight (mu_m_server_t msrv) |
53 | { | 119 | { |
54 | mu_list_t srvlist; | 120 | mu_list_t srvlist; |
@@ -56,13 +122,7 @@ stls_preflight (mu_m_server_t msrv) | |||
56 | int errors = 0; | 122 | int errors = 0; |
57 | int tls_ok = mu_init_tls_libs (); | 123 | int tls_ok = mu_init_tls_libs (); |
58 | int tls_requested = 0; | 124 | int tls_requested = 0; |
59 | int global_conf_status = 0; | ||
60 | 125 | ||
61 | if (global_tls_conf.cert_file) | ||
62 | global_conf_status = mu_tls_config_check (&global_tls_conf, 1); | ||
63 | else | ||
64 | global_conf_status = MU_TLS_CONFIG_NULL; | ||
65 | |||
66 | mu_m_server_get_srvlist (msrv, &srvlist); | 126 | mu_m_server_get_srvlist (msrv, &srvlist); |
67 | mu_list_get_iterator (srvlist, &itr); | 127 | mu_list_get_iterator (srvlist, &itr); |
68 | for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr)) | 128 | for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr)) |
@@ -71,51 +131,16 @@ stls_preflight (mu_m_server_t msrv) | |||
71 | struct pop3d_srv_config *cfg; | 131 | struct pop3d_srv_config *cfg; |
72 | mu_iterator_current (itr, (void**) &ipsrv); | 132 | mu_iterator_current (itr, (void**) &ipsrv); |
73 | cfg = mu_ip_server_get_data (ipsrv); | 133 | cfg = mu_ip_server_get_data (ipsrv); |
74 | switch (cfg->tls_mode) | 134 | |
135 | switch (stls_server_check (cfg, mu_ip_server_addrstr (ipsrv))) | ||
75 | { | 136 | { |
76 | case tls_unspecified: | 137 | case MU_TLS_CONFIG_NULL: |
77 | if (cfg->tls_conf.cert_file) | ||
78 | { | ||
79 | cfg->tls_mode = tls_ondemand; | ||
80 | break; | ||
81 | } | ||
82 | else | ||
83 | cfg->tls_mode = tls_no; | ||
84 | /* fall through */ | ||
85 | case tls_no: | ||
86 | continue; | 138 | continue; |
87 | |||
88 | default: | ||
89 | break; | ||
90 | } | ||
91 | 139 | ||
92 | switch (mu_tls_config_check (&cfg->tls_conf, 1)) | ||
93 | { | ||
94 | case MU_TLS_CONFIG_OK: | 140 | case MU_TLS_CONFIG_OK: |
95 | if (!cfg->tls_conf.cert_file) | ||
96 | { | ||
97 | mu_error (_("server %s: no certificate set"), | ||
98 | mu_ip_server_addrstr (ipsrv)); | ||
99 | errors = 1; | ||
100 | } | ||
101 | break; | ||
102 | |||
103 | case |