authorSergey Poznyakoff <gray@gnu.org.ua>2019-08-29 14:40:30 +0300
committerSergey Poznyakoff <gray@gnu.org.ua>2019-08-29 15:09:27 +0300
commitddfa689bff19d877170add6fed3381f3d5b79a8e (patch)
tree9e2f3a0f53569afc9a67ee92bc3b885ec39e76cb
parent113e144dedbebb5bc659eadc7f329450bb374606 (diff)
downloadmailutils-ddfa689bff19d877170add6fed3381f3d5b79a8e.tar.gz
mailutils-ddfa689bff19d877170add6fed3381f3d5b79a8e.tar.bz2
pop3d: implement TLS in inetd mode
New global configuration statement "tls-mode" configures the TLS for use in inetd mode. The certificate and key files are configured by the global "tls" compound statement. Example configuration (pop3s server): mode inetd; tls-mode connection; tls { ssl-key-file /etc/ssl/key.pem; ssl-certificate-file /etc/ssl/cert.pem; } In daemon mode, global "tls-mode" sets the type of TLS encryption to use in all server blocks that lack the "tls-mode" statement. * pop3d/cmd.c (global_tls_mode) (global_conf_status): New globals. (stls_server_check): New function. (stls_preflight): Use stls_server_check. * pop3d/pop3d.c (pop3d_cfg_param): New global statement: tls-mode (main): Set up TLS connection in inetd mode, if requested. * pop3d/pop3d.h (global_tls_mode): New global. (stls_server_check): New proto. * NEWS: Document changes. * doc/texinfo/programs/pop3d.texi: Likewise.
-rw-r--r--NEWS20
-rw-r--r--doc/texinfo/programs/pop3d.texi33
-rw-r--r--pop3d/cmd.c116
-rw-r--r--pop3d/pop3d.c31
-rw-r--r--pop3d/pop3d.h2
5 files changed, 151 insertions, 51 deletions
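diff --git a/NEWS b/NEWS
index 6b16f1706..251f5a80b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,28 @@
-GNU mailutils NEWS -- history of user-visible changes. 2019-06-21
+GNU mailutils NEWS -- history of user-visible changes. 2019-08-29
 Copyright (C) 2002-2019 Free Software Foundation, Inc.
 See the end of file for copying conditions.
 
 Please send mailutils bug reports to <bug-mailutils@gnu.org>.
 
 Version 3.7.90 (git)
+
+* Use of TLS in pop3d run from inetd
+
+New global configuration statement "tls-mode" configures the TLS for
+use in inetd mode.
+
+The certificate and key files are configured by the global "tls"
+compound statement.
+
+Example configuration (pop3s server):
+
+ mode inetd;
+ tls-mode connection;
+ tls {
+ ssl-key-file /etc/ssl/key.pem;
+ ssl-certificate-file /etc/ssl/cert.pem;
+ }
+
 
 Version 3.7 - 2019-06-21
 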
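diff --git a/doc/texinfo/programs/pop3d.texi b/doc/texinfo/programs/pop3d.texi
index 93ace2fff..b508bf534 100644
--- a/doc/texinfo/programs/pop3d.texi
+++ b/doc/texinfo/programs/pop3d.texi
@@ -213,6 +213,34 @@ The following configuration file statements affect the behavior of
 @item tcp-wrappers @tab @xref{tcp-wrappers statement}.
 @end multitable
 
+@deffn {Pop3d Conf} tls-mode @var{mode}
+Configure the use of TLS encryption for inetd mode.
+
+In daemon mode, this statement sets the type of TLS encryption to
+use in all server blocks that lack the @code{tls-mode} statement
+(@pxref{Server Statement}).
+
+Allowed values for @var{mode} are:
+
+@table @asis
+@item no
+TLS is not used. The @command{STLS} command won't be available even if
+the TLS configuration is otherwise complete.
+
+@item ondemand
+TLS is initiated when the user issues the appropriate command.
+This is the default when TLS is configured.
+
+@item required
+Same as above, but the use of TLS is mandatory. The authentication
+state is entered only after TLS negotiation has succeeded.
+
+@item connection
+TLS is always forced when the connection is established (POP3S
+protocol).
+@end table
+@end deffn
+
 @deffn {Pop3d Conf} undelete @var{bool}
 On startup, clear deletion marks from all the messages.
 @end deffn
@@ -227,11 +255,6 @@ Delete expired messages upon closing the mailbox. @xref{Auto-expire},
 for a detailed description.
 @end deffn
 
-@deffn {Pop3d Conf} tls-required @var{bool}
-Always require @code{STLS} command before entering authentication
-phase.
-@end deffn
-
 @deffn {Pop3d Conf} login-delay @var{duration}
 Set the minimal allowed delay between two successive logins.
 @xref{Login delay}, for more information.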
diff --git a/pop3d/cmd.c b/pop3d/cmd.c
index 5ca7b7b86..1ed73c237 100644
--- a/pop3d/cmd.c
+++ b/pop3d/cmd.c
@@ -17,6 +17,8 @@
17#include "pop3d.h" 17#include "pop3d.h"
18 18
19struct mu_tls_config global_tls_conf; 19struct mu_tls_config global_tls_conf;
20int global_tls_mode;
21int global_conf_status = -1;
20 22
21static struct pop3d_command command_table[] = { 23static struct pop3d_command command_table[] = {
22 { "STLS", pop3d_stls }, 24 { "STLS", pop3d_stls },
@@ -49,6 +51,70 @@ pop3d_find_command (const char *name)
49} 51}
50 52
51int 53int
54stls_server_check (struct pop3d_srv_config *cfg, char const *srvid)
55{
56 int result;
57
58 switch (cfg->tls_mode)
59 {
60 case tls_unspecified:
61 if (global_tls_mode != tls_unspecified)
62 cfg->tls_mode = global_tls_mode;
63 else if (cfg->tls_conf.cert_file)
64 cfg->tls_mode = tls_ondemand;
65 else
66 {
67 cfg->tls_mode = tls_no;
68 return MU_TLS_CONFIG_NULL;
69 }
70 break;
71
72 case tls_no:
73 return MU_TLS_CONFIG_NULL;
74
75 default:
76 break;
77 }
78
79 result = mu_tls_config_check (&cfg->tls_conf, 1);
80 switch (result)
81 {
82 case MU_TLS_CONFIG_OK:
83 if (!cfg->tls_conf.cert_file)
84 {
85 mu_error (_("server %s: no certificate set"), srvid);
86 result = MU_TLS_CONFIG_FAIL;
87 }
88 break;
89
90 case MU_TLS_CONFIG_NULL:
91 if (global_conf_status == -1)
92 {
93 if (global_tls_conf.cert_file)
94 global_conf_status = mu_tls_config_check (&global_tls_conf, 1);
95 else
96 global_conf_status = MU_TLS_CONFIG_NULL;
97 }
98
99 if (global_conf_status != MU_TLS_CONFIG_NULL)
100 {
101 cfg->tls_conf = global_tls_conf;
102 result = MU_TLS_CONFIG_OK;
103 }
104 else
105 {
106 mu_error (_("server %s: no certificate set"), srvid);
107 result = MU_TLS_CONFIG_FAIL;
108 }
109 break;
110
111 default:
112 mu_error (_("server %s: TLS configuration failed"), srvid);
113 }
114 return result;
115}
116
117int
52stls_preflight (mu_m_server_t msrv) 118stls_preflight (mu_m_server_t msrv)
53{ 119{
54 mu_list_t srvlist; 120 mu_list_t srvlist;
@@ -56,13 +122,7 @@ stls_preflight (mu_m_server_t msrv)
56 int errors = 0; 122 int errors = 0;
57 int tls_ok = mu_init_tls_libs (); 123 int tls_ok = mu_init_tls_libs ();
58 int tls_requested = 0; 124 int tls_requested = 0;
59 int global_conf_status = 0;
60 125
61 if (global_tls_conf.cert_file)
62 global_conf_status = mu_tls_config_check (&global_tls_conf, 1);
63 else
64 global_conf_status = MU_TLS_CONFIG_NULL;
65
66 mu_m_server_get_srvlist (msrv, &srvlist); 126 mu_m_server_get_srvlist (msrv, &srvlist);
67 mu_list_get_iterator (srvlist, &itr); 127 mu_list_get_iterator (srvlist, &itr);
68 for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr)) 128 for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr))
@@ -71,51 +131,16 @@ stls_preflight (mu_m_server_t msrv)
71 struct pop3d_srv_config *cfg; 131 struct pop3d_srv_config *cfg;
72 mu_iterator_current (itr, (void**) &ipsrv); 132 mu_iterator_current (itr, (void**) &ipsrv);
73 cfg = mu_ip_server_get_data (ipsrv); 133 cfg = mu_ip_server_get_data (ipsrv);
74 switch (cfg->tls_mode) 134
135 switch (stls_server_check (cfg, mu_ip_server_addrstr (ipsrv)))
75 { 136 {
76 case tls_unspecified: 137 case MU_TLS_CONFIG_NULL:
77 if (cfg->tls_conf.cert_file)
78 {
79 cfg->tls_mode = tls_ondemand;
80 break;
81 }
82 else
83 cfg->tls_mode = tls_no;
84 /* fall through */
85 case tls_no:
86 continue; 138 continue;
87
88 default:
89 break;
90 }
91 139
92 switch (mu_tls_config_check (&cfg->tls_conf, 1))
93 {
94 case MU_TLS_CONFIG_OK: 140 case MU_TLS_CONFIG_OK:
95 if (!cfg->tls_conf.cert_file)
96 {
97 mu_error (_("server %s: no certificate set"),
98 mu_ip_server_addrstr (ipsrv));
99 errors = 1;
100 }
101 break;
102
103 case