global: start relying on ssl_iostream_destroy(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - ssl_iostream_destroy(&E); - } + ssl_iostream_destroy(&E);

global: start relying on iostream_proxy_unref(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - iostream_proxy_unref(&E); - } + iostream_proxy_unref(&E);

global: start relying on str_free(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - str_free(&E); - } + str_free(&E);

*-login: Fix clients linked list corruption with SSL connections This could have resulted in infinite loops or some of the clients being skipped for some operations.

Updated copyright notices to include the year 2018.

login-common: Indicate TLS encryption if haproxy says it was

*-login: Avoid unnecessary "OK Waiting for authentication process to respond" These happened with SSL connections when the process was starting up. The ssl-istream was triggering the IO callback, which was thinking that the client was sending a command. If this happened early on before auth process connection was finished, this caused several unnecessary notifications to the client.

login-common: Added flag to client that indicates whether connection is secured using SSL specifically.

login-common: Added client_disconnect(), which allows explicitly disconnecting the client before it is destroyed. This is sometimes needed to make sure the SSL layer is closed properly before destroying the underlying connection.

login-common: Added support for login services that handle their own input io.

global: Use t_buffer_create sed -i -e 's/buffer_create_dynamic(pool_datastack_create(), */t_buffer_create(/g'

*-login: Close SSL connections cleanly Don't close the socket before SSL "close notify" is sent.

login-common: Stop using ssl-proxy entirely

login-common: Use lib-ssl-iostream for incoming SSL/TLS connections

login-common: Change process title to show different connection types Separate pre-login connections, proxy connections and post-login TLS proxies.

login-common: Destroy all fd proxies at deinit.

login-common: Implement post-login proxying and use it with SSL connections Note: This temporarily breaks the SSL connections a bit. If post-login process disconnects the client, it's not noticed by the login process. Client connections are noticed by the post-login though.

login-common: client_alloc() - remove unnecessary ssl parameter

login-common: Extract SSL/TLS initialization into client_init_ssl()

login-common: Split client_create() to client_alloc() and client_init() client_unref() can be used to free an allocated client that hasn't been fully created.

login-proxy: Move client fd closing to client_unref()

login-common: Move code in client_destroy_internal_failure() to its only caller No need to have a function that has only a single caller.

login-common: Avoid using client_destroy_success() when mail_max_userip_connections is reached This was currently the only way how data != NULL here. This change destroys ssl_proxy on client_destroy() instead of client_unref(), but that doesn't make much of a practical difference. This new behavior is a bit more correct though.

login-common: client_unref() - always set client pointer to NULL This is the common coding practise elsewhere as well.

login-common: Remove unnecessary client_ref/unref from STARTTLS handling There used to be code between them that could have destroyed the connection, but that was removed long time ago.

global: start relying on [io]_stream_close(NULL) being a no-op Cleanup performed with the following semantic patch (and a bit of hand-editing): @@ expression E; @@ - if (E != NULL) { - i_stream_close(E); - } + i_stream_close(E); @@ expression E; @@ - if (E != NULL) { - o_stream_close(E); - } + o_stream_close(E);

login-common: Use HAproxy provided proxy.ssl information If the connection is proxied via system that can terminate ssl for us, such as HAproxy, use that information only.

global: start relying on pool_unref(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - pool_unref(&E); - } + pool_unref(&E);

global: start relying on [io]_stream_unref(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - i_stream_unref(&E); - } + i_stream_unref(&E); @@ expression E; @@ - if (E != NULL) { - o_stream_unref(&E); - } + o_stream_unref(&E);

global: start relying on timeout_remove(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - timeout_remove(&E); - } + timeout_remove(&E);

global: start relying on io_remove{,_closed}(NULL) being a no-op Cleanup performed with the following semantic patch: @@ expression E; @@ - if (E != NULL) { - io_remove(&E); - } + io_remove(&E); @@ expression E; @@ - if (E != NULL) { - io_remove_closed(&E); - } + io_remove_closed(&E);

*-login: Add client_vfuncs.free() that is called when client refcount=0 This can be useful for plugins that want to run something after proxying ends. Use an empty default function so plugins can call super.free() without having to check if it's NULL.

*-login: Require client_vfuncs.send_raw_data() to be set This removes backwards compatibility for managesieve-login.

*-login: Add client_vfuncs.send_raw_data() This allows login plugins to hook into seeing all the data that is sent to the imap/pop3 client.

*-login: Minor logging cleanup if client is disconnected before sending banner. Avoid unnecessarily adding "(no auth attempts in 0 secs)" when the reason string already makes it clear that the user didn't even have a chance to authenticate. This kind of disconnection currently happens only with some plugins.

imap-login: Move forward_fields updating code to login-common This allows using the new client_add_forward_field() in e.g. plugins.

login-common: Add preproxy pool preproxy pool can be used to do allocations that are released once proxying starts.

*-login: Change API for how login_plugins hook into client allocation. The previous API worked badly when there were more than one plugin. The current behavior works similarly to how mail_plugins work.

*-login: Add client.proxy_get_state() for providing human-readable proxy state If not implemented, it defaults to the old method of returning proxy_state number.

Updated copyright notices to include the year 2017.

global: Change string position/length from unsigned int to size_t Mainly to avoid truncating >4GB strings, which might potentially cause some security holes. Normally there are other limits, which prevent such excessive strings from being created in the first place. I'm sure this didn't find everything. Maybe everything could be found with compiler warnings. -Wconversion kind of does it, but it gives way too many unnecessary warnings. These were mainly found with: grep " = strlen" egrep "unsigned int.*(size|len)"

lib: API change - var_expand_func_table.func() can now return error. None of the existing functions were changed to return errors (yet).

lib: API change - var_expand*() now returns error string. This allows callers to fail properly if the format string is invalid.

auth,login-common: Added result code for invalid base64-encoded response data.

login-common: Added result codes for mechanism-related failures.

login-common: Added result code for a nologin code from the auth service.

auth: Added a code= field to the auth FAIL response that replaces the "authz", "temp", "pass_expired", and "user_disabled" fields.

global: Try to initialize var_expand_tab[] directly. This avoids accidents with the array numbering being wrong.

global: Use i_strchr_to_next() wherever useful.

login-common: Include local_name in login_var_expand_table This way it can be used in login_log_format

lib: remove autoclose parameter from [io]_stream_create_fd Use [io]_stream_create_fd_autoclose() for autoclose.

Remove t_malloc in favour of t_malloc_no0 Using either t_malloc_no0 or t_malloc0 makes it clear whether the allocated memory is zeroed or not.

Require IPv6 to build

*-login: Allow plugins to hook into client allocation and add module-specific contexts to client.

global: freshen copyright git ls-files | xargs perl -p -i -e 's/(\d+)-201[0-5]/$1-2016/g;s/ (201[0-5]) Dovecot/ $1-2016 Dovecot/'

*-login: Session ID generator wasn't encoding remote port number correctly to it. The upper 8bits of the port number were always written as 0. This could have lead to duplicate session ID strings in some rare cases. Found by Coverity.

Remove now-unnecessary direct stdlib.h #includes.

*-login: Added %{passdb:*} fields to login_log_format_elements

login_log_format_elements: Added %{listener} variable to expand to the listener socket name.

lmtp, *-login: Use ip/port values from struct master_service_connection instead of from the socket. This way, a proxy protocol like HAProxy can transparently override these addresses with what is seen by the proxy.

global: freshen copyright Robomatically: git ls-files | xargs perl -p -i -e 's/(\d+)-201[0-4]/$1-2015/g;s/ (201[0-4]) Dovecot/ $1-2015 Dovecot/' Happy 2015 everyone! Signed-off-by: Phil Carmody <phil@dovecot.fi>

login-common: Fixed potential crash at client disconnect. Broken by recent change

*-login: Flush SSL output when logging out. The BYE and LOGOUT replies weren't being sent when they were sent from imap-login process (before logging in).

treewide sparse cleanup - make single-unit-only data static Helps keep the global namespace clean. Not all the things suggested by sparse have been moved. All DOVECOT_ABI_VERSION strings, and anything replicated in all-settings.c by src/config/settings-get.pl has been left untouched. Some of the latter could be moved, but the script would need to be modified to replicate the 'static' (it outputs 'extern').

*-login: SSL connections didn't get closed when the client got destroyed.

Updated copyright notices to include year 2014.

*-login: Fix to previous commit: Default auth_user to original_user

auth, login, mail: Added %{auth_user}, %{auth_username} and %{auth_domain} They expand to the SASL authentication ID. So if master user login is done, it expands to the master user. If username changes during authentication, it expands to the original username. Otherwise %{user} and %{auth_user} are equal.

*-login: Added %{orig_user}, %{orig_username} and %{orig_domain} variables. The original username is what the client sent to server before any translations.

lib-sasl: Use dsasl_ prefix so we don't conflict with Cyrus SASL library.

imap/pop3-login: Use libsasl for authenticating to remote IMAP/POP3 server. Also passdb lookup can return "proxy_mech" extra field to specify which SASL mechanism to use.

auth: Added real_[lr]ip, real_[lr]port variables. The unreal ones differ when a trusted proxy overrides them.

Oops :) Update copyrights to 2013 without breaking all .c files.