02c335c23bf5fa225a467c19f2c063fb0dc7b8c3Timo Sirainen/* Copyright (c) 2005-2009 Dovecot authors, see the included COPYING file */
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen#include "lib.h"
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen#include "settings-parser.h"
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen#include "master-service-settings.h"
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen#include "login-settings.h"
c5f932968281763df360b9c97cef60f5f80d5e3dTimo Sirainen
bdd36cfdba3ff66d25570a9ff568d69e1eb543cfTimo Sirainen#include <stddef.h>
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen#include <unistd.h>
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen
/* Defined below; declared here because login_setting_parser_info refers
   to it as its check_func. */
static bool login_settings_check(void *_set, pool_t pool, const char **error_r);

/* One setting_define entry. The configuration key is the stringized
   struct member name and its storage is located with offsetof() inside
   struct login_settings, so the table below stays in sync with the
   struct by construction. */
#undef DEF
#define DEF(type, name) \
	{ type, #name, offsetof(struct login_settings, name), NULL }
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen
/* Every configuration key the login process understands, with its type.
   The key name is the struct member name (see DEF). The SSL entries are
   only validated by ssl_settings_check() when ssl is not "no". */
static struct setting_define login_setting_defines[] = {
	/* login process behaviour and logging */
	DEF(SET_BOOL, login_chroot),
	DEF(SET_STR, login_trusted_networks),
	DEF(SET_STR, login_greeting),
	DEF(SET_STR, login_log_format_elements),
	DEF(SET_STR, login_log_format),

	DEF(SET_BOOL, login_process_per_connection),
	DEF(SET_STR, capability_string),

	/* TLS: mode, key material and client-certificate handling */
	DEF(SET_ENUM, ssl),
	DEF(SET_STR, ssl_ca_file),
	DEF(SET_STR, ssl_cert_file),
	DEF(SET_STR, ssl_key_file),
	DEF(SET_STR, ssl_key_password),
	DEF(SET_STR, ssl_parameters_file),
	DEF(SET_STR, ssl_cipher_list),
	DEF(SET_STR, ssl_cert_username_field),
	DEF(SET_BOOL, ssl_verify_client_cert),
	DEF(SET_BOOL, ssl_require_client_cert),
	DEF(SET_BOOL, ssl_username_from_cert),
	DEF(SET_BOOL, verbose_ssl),

	/* authentication policy and debug output */
	DEF(SET_BOOL, disable_plaintext_auth),
	DEF(SET_BOOL, verbose_auth),
	DEF(SET_BOOL, auth_debug),
	DEF(SET_BOOL, verbose_proctitle),

	/* connection limits; login_max_connections is range-checked in
	   login_settings_check() */
	DEF(SET_UINT, login_max_connections),
	DEF(SET_UINT, mail_max_userip_connections),

	SETTING_DEFINE_LIST_END
};
091a2dea9d89734a7c1225eed511b3851693a757Timo Sirainen
/* Built-in defaults used for every key the configuration leaves unset.
   login_chroot and disable_plaintext_auth default to TRUE; the client
   certificate flags default to off. */
static struct login_settings login_default_settings = {
	MEMBER(login_chroot) TRUE,
	MEMBER(login_trusted_networks) "",
	MEMBER(login_greeting) PACKAGE" ready.",
	/* split on spaces by login_settings_check() into
	   log_format_elements_split */
	MEMBER(login_log_format_elements) "user=<%u> method=%m rip=%r lip=%l %c",
	MEMBER(login_log_format) "%$: %s",

	MEMBER(login_process_per_connection) TRUE,
	MEMBER(capability_string) NULL,

	/* SET_ENUM: "yes", "no" and "required" are exactly the values
	   login_settings_check() accepts; which one applies when the key
	   is unset is decided by the settings parser — presumably the first
	   listed, confirm in settings-parser.h */
	MEMBER(ssl) "yes:no:required",
	MEMBER(ssl_ca_file) "",
	MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
	/* a secret, but stored like any other SET_STR value */
	MEMBER(ssl_key_password) "",
	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
	/* NOTE(review): this cipher string excludes only LOW and SSLv2;
	   check it against what the deployed TLS library considers weak */
	MEMBER(ssl_cipher_list) "ALL:!LOW:!SSLv2",
	MEMBER(ssl_cert_username_field) "commonName",
	/* ssl_verify_client_cert is forced on by login_settings_check()
	   whenever ssl_require_client_cert or ssl_username_from_cert is set */
	MEMBER(ssl_verify_client_cert) FALSE,
	MEMBER(ssl_require_client_cert) FALSE,
	MEMBER(ssl_username_from_cert) FALSE,
	MEMBER(verbose_ssl) FALSE,

	/* also forced to TRUE by login_settings_check() when ssl=required */
	MEMBER(disable_plaintext_auth) TRUE,
	MEMBER(verbose_auth) FALSE,
	MEMBER(auth_debug) FALSE,
	MEMBER(verbose_proctitle) FALSE,

	MEMBER(login_max_connections) 256,
	MEMBER(mail_max_userip_connections) 10
};
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen
/* Parser description handed to master_service_settings_read() by
   login_settings_read(): the key table, the defaults, and the check
   function that runs once the configuration has been parsed. */
struct setting_parser_info login_setting_parser_info = {
	MEMBER(defines) login_setting_defines,
	MEMBER(defaults) &login_default_settings,

	MEMBER(parent) NULL,
	MEMBER(dynamic_parsers) NULL,

	/* (size_t)-1 presumably means "no such field" — see settings-parser.h */
	MEMBER(parent_offset) (size_t)-1,
	MEMBER(type_offset) (size_t)-1,
	MEMBER(struct_size) sizeof(struct login_settings),
	/* may reject the configuration and also normalizes dependent flags */
	MEMBER(check_func) login_settings_check
};
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen/* <settings checks> */
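/* Validate the SSL-related settings. login_settings_check() calls this
   only when ssl is "yes" or "required", after it has already forced
   ssl_verify_client_cert on for ssl_require_client_cert and
   ssl_username_from_cert, so the CA-file requirement below covers those
   cases as well.

   _set: the struct login_settings being checked.
   error_r: on failure set to a message (a string literal or a
   t_strdup_printf() string).
   Returns TRUE when the settings are usable, FALSE otherwise. */
static bool ssl_settings_check(void *_set, const char **error_r)
{
	struct login_settings *set = _set;

#ifndef HAVE_SSL
	/* ssl != no was requested but this binary has no SSL code: refuse
	   the configuration instead of silently serving without TLS */
	*error_r = t_strdup_printf("SSL support not compiled in but ssl=%s",
				   set->ssl);
	return FALSE;
#else
	if (*set->ssl_cert_file == '\0') {
		*error_r = "ssl_cert_file not set";
		return FALSE;
	}
	if (*set->ssl_key_file == '\0') {
		*error_r = "ssl_key_file not set";
		return FALSE;
	}
	/* verifying client certificates needs a CA to verify against */
	if (set->ssl_verify_client_cert && *set->ssl_ca_file == '\0') {
		*error_r = "ssl_verify_client_cert set, but ssl_ca_file not";
		return FALSE;
	}

#ifndef CONFIG_BINARY
	/* Early, best-effort readability probe so a missing or unreadable
	   file is reported at startup together with the setting's name.
	   access() tests the real uid and the file can still change before
	   it is actually opened, so the code that loads these files must
	   handle its own errors; this is a diagnostic, not access control. */
	if (access(set->ssl_cert_file, R_OK) < 0) {
		*error_r = t_strdup_printf("ssl_cert_file: access(%s) failed: %m",
					   set->ssl_cert_file);
		return FALSE;
	}
	if (access(set->ssl_key_file, R_OK) < 0) {
		*error_r = t_strdup_printf("ssl_key_file: access(%s) failed: %m",
					   set->ssl_key_file);
		return FALSE;
	}
	/* the CA file is optional unless client certificates are verified
	   (checked above), so probe it only when one is configured */
	if (*set->ssl_ca_file != '\0' && access(set->ssl_ca_file, R_OK) < 0) {
		*error_r = t_strdup_printf("ssl_ca_file: access(%s) failed: %m",
					   set->ssl_ca_file);
		return FALSE;
	}
#endif
	return TRUE;
#endif
}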
d48e40d6c77d673ad402d96571198d1cce4da225Timo Sirainen
/* Post-parse check for struct login_settings, installed as check_func in
   login_setting_parser_info. Besides validating, it normalizes dependent
   settings: the log format elements are pre-split, asking for a client
   certificate is switched on whenever one is required or used as the
   username, and ssl=required also disables plaintext authentication.

   _set: the struct login_settings that was parsed.
   pool: unused.
   error_r: on failure set to a message (literal or t_strdup_printf()).
   Returns TRUE when the configuration is acceptable, FALSE otherwise. */
static bool login_settings_check(void *_set, pool_t pool ATTR_UNUSED,
				 const char **error_r)
{
	struct login_settings *set = _set;
	bool ssl_required;

	set->log_format_elements_split =
		t_strsplit(set->login_log_format_elements, " ");

	/* a certificate can only be required or used for the username if
	   the client is asked for one in the first place */
	if (set->ssl_require_client_cert || set->ssl_username_from_cert)
		set->ssl_verify_client_cert = TRUE;

	if (set->login_max_connections < 1) {
		*error_r = "login_max_connections must be at least 1";
		return FALSE;
	}

	/* ssl: "no" skips the SSL checks entirely; "yes" and "required"
	   both need usable key material */
	if (strcmp(set->ssl, "no") == 0)
		return TRUE;
	if (strcmp(set->ssl, "yes") == 0) {
		ssl_required = FALSE;
	} else if (strcmp(set->ssl, "required") == 0) {
		ssl_required = TRUE;
	} else {
		*error_r = t_strdup_printf("Unknown ssl setting value: %s",
					   set->ssl);
		return FALSE;
	}

	if (!ssl_settings_check(set, error_r))
		return FALSE;
	/* mandatory TLS implies that credentials never travel in the clear */
	if (ssl_required)
		set->disable_plaintext_auth = TRUE;
	return TRUE;
}
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen/* </settings checks> */
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen
/* Read the login settings for SERVICE through the master service settings
   machinery. A configuration that cannot be read or that fails
   login_settings_check() is fatal: the process exits via i_fatal() rather
   than running with a partial configuration.

   Returns the parsed struct login_settings; it is owned by the master
   service settings, not by the caller. */
struct login_settings *login_settings_read(struct master_service *service)
{
	static const struct setting_parser_info *set_roots[] = {
		&login_setting_parser_info,
		NULL
	};
	const char *error = NULL;
	void **sets;
	int ret;

	ret = master_service_settings_read(service, set_roots, NULL, FALSE,
					   &error);
	if (ret < 0)
		i_fatal("Error reading configuration: %s", error);

	/* set_roots lists a single root, so the first returned settings
	   struct is ours */
	sets = master_service_settings_get_others(service);
	return sets[0];
}
96f89d51e8315f644f46804a9f0fc4f685ac48bfTimo Sirainen