develooper Front page | perl.qpsmtpd | Postings from June 2006

[PATCH] Require TLS/SSL before offering AUTH

From: Robin H. Johnson
Date: June 19, 2006 23:50
Subject: [PATCH] Require TLS/SSL before offering AUTH
Message ID: 20060620065004.GB11711@curie-int.vc.shawcable.net
This patch adds a new configuration option 'tls_before_auth', that when set,
does not offer AUTH until the connection has been secured. This helps to
prevent password disclosures with SASL LOGIN/PLAIN mechanisms.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

Index: README
===================================================================
--- README	(revision 642)
+++ README	(working copy)
@@ -176,6 +176,11 @@ smtpd uses during the data transactions.
 will default to use $ENV{HOME}/tmp/. This directory should be set with
 a mode of 700 and owned by the smtpd user.
 
+=item tls_before_auth
+
+If this file contains anything except a 0 on the first line, then AUTH will not
+be offered unless TLS/SSL are in place, either with STARTTLS, or SMTP-SSL on
+port 465.
 
 =item everything (?) that qmail-smtpd supports. 
 
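Review bot: the README wording ("anything except a 0 on the first line") does not match what the code tests. In lib/Qpsmtpd/SMTP.pm the first line is only checked for Perl truth, so an empty or blank first line and the string "0" disable the option, while "00" or "false" enable it. Either document that the value is evaluated as a Perl boolean (recommend a literal 1) or make the code compare against "0" explicitly. It would also help the admin to state here what a plaintext client gets when it sends AUTH anyway, i.e. the 503 "SSL/TLS required before AUTH" reply added in the auth() hunk.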
Index: lib/Qpsmtpd/SMTP.pm
===================================================================
--- lib/Qpsmtpd/SMTP.pm	(revision 642)
+++ lib/Qpsmtpd/SMTP.pm	(working copy)
@@ -219,7 +219,9 @@ HOOK: foreach my $hook ( keys %{$self->{
         }
     }
 
-    if ( %auth_mechanisms ) {
+    # Check if we should only offer AUTH after TLS is completed
+    my $tls_before_auth = ($self->config('tls_before_auth') ? ($self->config('tls_before_auth'))[0] && $self->transaction->notes('tls_enabled') : 0); 
+    if ( %auth_mechanisms && !$tls_before_auth) {
         push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms));    
         $self->{_commands}->{'auth'} = "";
     }
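Review bot: the condition is inverted. $tls_before_auth is true only when the option is set and tls_enabled is already set, so `!$tls_before_auth` suppresses AUTH exactly on connections that have completed STARTTLS and still advertises it on plaintext connections, the opposite of the stated intent. The TLS note should be negated: `($self->config('tls_before_auth'))[0] && !$self->transaction->notes('tls_enabled')`. As a style point, $self->config('tls_before_auth') is called twice in the one expression (and again in auth()); fetching it once into a lexical, e.g. `my ($tls_before_auth) = $self->config('tls_before_auth');`, removes the ternary and the duplicated call.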
@@ -248,6 +250,9 @@ sub auth {
         and $self->{_auth} == OK );
     return $self->respond( 503, "AUTH not defined for HELO" )
       if ( $self->connection->hello eq "helo" );
+    return $self->respond( 503, "SSL/TLS required before AUTH" )
+      if ( ($self->config('tls_before_auth'))[0] 
+      	and $self->transaction->notes('tls_enabled') );
 
     return $self->{_auth} = Qpsmtpd::Auth::SASL( $self, $arg, @stuff );
 }
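Review bot: same inversion as in the capabilities hunk: the 503 "SSL/TLS required before AUTH" is returned when tls_enabled is set, i.e. to the clients that did secure the connection, while plaintext clients fall through to Qpsmtpd::Auth::SASL. The test should read `and !$self->transaction->notes('tls_enabled')`. Keeping this check in auth() rather than relying only on AUTH not being advertised is the right call, since a client can send AUTH regardless of what the EHLO response listed. Minor: the `if ( ($self->config('tls_before_auth'))[0]` line has trailing whitespace and its continuation line mixes a tab with spaces.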

-- 
Robin Hugh Johnson
E-Mail     : robbat2@orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85