main.c revision bcb4e51a409d94ae670de96afb8483a4f7855294
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#define AUTH_CLIENT_IDLE_TIMEOUT_MSECS (1000*60)
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainenstruct login_module_register login_module_register;
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenconst struct login_settings *global_login_settings;
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenconst struct master_service_ssl_settings *global_ssl_settings;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenunsigned int login_source_ips_idx, login_source_ips_count;
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenstatic const char *post_login_socket;
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenstatic void login_access_lookup_next(struct login_access_lookup *lookup);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenstatic bool get_first_client(struct client **client_r)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen client = login_proxies_get_first_detached_client();
8e7da21696c9f8a6d5e601243fb6172ec85d47b2Timo Sirainen if (!global_login_settings->verbose_proctitle)
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen /* clients_get_count() includes all the clients being served.
024815ea2ffdda9ea79919f18e865663977f73eaTimo Sirainen Inside that there are 3 groups:
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen 1. pre-login clients
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainen 2. post-login clients being proxied to remote hosts
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen 3. post-login clients being proxied to post-login processes
7797aa2479e99aeb71057b7a2584b2cb72e4d3f8Timo Sirainen Currently the post-login proxying is done only for SSL/TLS
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen connections, so we're assuming that they're the same. */
1175f27441385a7011629f295f42708f9a3a4ffcTimo Sirainen /* no clients */
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainen } else if (clients_get_count() > 1 || !get_first_client(&client)) {
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainen str_printfa(str, "[%u pre-login", clients_get_count() -
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainen /* show detached proxies only if they exist, so
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainen non-proxy servers don't unnecessarily show them. */
6a19e109ee8c5a6f688da83a86a7f6abeb71abddTimo Sirainen /* show post-login proxies only if they exist, so
6a19e109ee8c5a6f688da83a86a7f6abeb71abddTimo Sirainen proxy-only servers don't unnecessarily show them. */
6a19e109ee8c5a6f688da83a86a7f6abeb71abddTimo Sirainenstatic void auth_client_idle_timeout(struct auth_client *auth_client)
6a19e109ee8c5a6f688da83a86a7f6abeb71abddTimo Sirainen auth_client_disconnect(auth_client, "idle disconnect");
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainen if (clients == NULL && auth_client_to == NULL) {
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainen auth_client_to = timeout_add(AUTH_CLIENT_IDLE_TIMEOUT_MSECS,
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainenstatic void login_die(void)
c27f03fa8fd2ef4acd1db814fae7d90e0eb9d3aeTimo Sirainen /* we don't have auth client, and we might never get one */
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainenclient_connected_finish(const struct master_service_connection *conn)
519e0a461271843833a2b42626ad93f6e7ddc497Timo Sirainen const struct master_service_ssl_settings *ssl_set;
519e0a461271843833a2b42626ad93f6e7ddc497Timo Sirainen pool = pool_alloconly_create("login client", 8*1024);
519e0a461271843833a2b42626ad93f6e7ddc497Timo Sirainen set = login_settings_read(pool, &conn->local_ip,
519e0a461271843833a2b42626ad93f6e7ddc497Timo Sirainen &conn->remote_ip, NULL, &ssl_set, &other_sets);
519e0a461271843833a2b42626ad93f6e7ddc497Timo Sirainen client = client_alloc(conn->fd, pool, conn, set, ssl_set);
519e0a461271843833a2b42626ad93f6e7ddc497Timo Sirainen master_service_client_connection_destroyed(master_service);
367c05967091a2cbfce59b7f274f55b1a0f9e8c9Timo Sirainenstatic void login_access_lookup_free(struct login_access_lookup *lookup)
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainen master_service_client_connection_destroyed(master_service);
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen p_strsplit_free(default_pool, lookup->sockets);
1175f27441385a7011629f295f42708f9a3a4ffcTimo Sirainenstatic void login_access_callback(bool success, void *context)
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainenstatic void login_access_lookup_next(struct login_access_lookup *lookup)
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen /* last one */
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen lookup->access = access_lookup(*lookup->next_socket, lookup->conn.fd,
1175f27441385a7011629f295f42708f9a3a4ffcTimo Sirainenstatic void client_input_error(struct login_access_lookup *lookup)
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen i_info("access(%s): Client disconnected during lookup (rip=%s)",
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen /* actual input. stop listening until lookup is done. */
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainenstatic void client_connected(struct master_service_connection *conn)
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen master_service_client_connection_accept(conn);
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen /* log the connection's IP address in case we crash. it's of
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen course possible that another earlier client causes the
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen crash, but this is better than nothing. */
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen /* make sure we're connected (or attempting to connect) to auth */
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen /* no access checks */
7797aa2479e99aeb71057b7a2584b2cb72e4d3f8Timo Sirainen lookup = i_new(struct login_access_lookup, 1);
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainen lookup->io = io_add(conn->fd, IO_READ, client_input_error, lookup);
7797aa2479e99aeb71057b7a2584b2cb72e4d3f8Timo Sirainen lookup->sockets = p_strsplit_spaces(default_pool, access_sockets, " ");
1b3bb8d39686ed24730cbc31cc9a33dc62c8c6c3Timo Sirainenstatic void auth_connect_notify(struct auth_client *client ATTR_UNUSED,
7797aa2479e99aeb71057b7a2584b2cb72e4d3f8Timo Sirainen /* auth disconnected without having ever succeeded, so the
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen auth process is probably misconfigured. no point in
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainen keeping the client connections hanging. */
1b3bb8d39686ed24730cbc31cc9a33dc62c8c6c3Timo Sirainen clients_destroy_all_reason("Disconnected: Auth process broken");
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen /* we got disconnected from anvil. we can't reconnect to it since we're
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen chrooted, so just die after we've finished handling the current
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen connections. */
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen master_service_stop_new_connections(master_service);
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainen anvil = anvil_client_init("anvil", anvil_reconnect_callback, 0);
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainenstatic const struct ip_addr *
5a07b37a9df398b5189c14872a600384208ab74bTimo Sirainenparse_login_source_ips(const char *ips_str, unsigned int *count_r)
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen const char *const *tmp;
b79ec51bdeef6ef950eb5e890e65cc0491cf5fe9Timo Sirainen unsigned int i, tmp_ips_count;
b79ec51bdeef6ef950eb5e890e65cc0491cf5fe9Timo Sirainen /* try binding to the IP immediately. if it doesn't
b79ec51bdeef6ef950eb5e890e65cc0491cf5fe9Timo Sirainen work, skip it. (this allows using the same config file for
b79ec51bdeef6ef950eb5e890e65cc0491cf5fe9Timo Sirainen all the servers.) */
64541374b58e4c702b1926e87df421d180ffa006Timo Sirainen for (tmp = t_strsplit_spaces(ips_str, ", "); *tmp != NULL; tmp++) {
64541374b58e4c702b1926e87df421d180ffa006Timo Sirainen ret = net_gethostbyname(*tmp, &tmp_ips, &tmp_ips_count);
64541374b58e4c702b1926e87df421d180ffa006Timo Sirainen i_error("login_source_ips: net_gethostbyname(%s) failed: %s",
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen for (i = 0; i < tmp_ips_count; i++) {
bbf796c17f02538058d7559bfe96d677e5b55015Timo Sirainen if (skip_nonworking && net_try_bind(&tmp_ips[i]) < 0)
8e7da21696c9f8a6d5e601243fb6172ec85d47b2Timo Sirainenstatic void login_load_modules(void)
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen if (global_login_settings->login_plugins[0] == '\0')
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen mod_set.binary_name = login_binary->process_name;
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen modules = module_dir_load(global_login_settings->login_plugin_dir,
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenstatic void login_ssl_init(void)
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen if (strcmp(global_ssl_settings->ssl, "no") == 0)
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen master_service_ssl_settings_to_iostream_set(global_ssl_settings,
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen MASTER_SERVICE_SSL_SETTINGS_TYPE_SERVER, &ssl_set);
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen if (io_stream_ssl_global_init(&ssl_set, &error) < 0)
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen i_fatal("Failed to initialize SSL library: %s", error);
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenstatic void main_preinit(void)
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen unsigned int max_fds;
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen /* Initialize SSL proxy so it can read certificate and private
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen /* set the number of fds we want to use. it may get increased or
287ba82a8da3eaa473b5735d4eeac2fb4c5d8117Timo Sirainen decreased. leave a couple of extra fds for auth sockets and such.
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen worst case each connection can use:
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen - 1 for client
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen - 1 for login proxy
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen - 2 for client-side ssl proxy
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen - 2 for server-side ssl proxy (with login proxy)
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen However, login process nowadays supports plugins, there are rawlogs
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen and so on. Don't enforce the fd limit anymore, but use this value
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen for optimizing the ioloop's fd table size.
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen master_service_get_socket_count(master_service) +
6a04c5112961c5f4fb2d2f25192b3dc424d62ad0Timo Sirainen master_service_get_client_limit(master_service)*6;
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen io_loop_set_max_fd_count(current_ioloop, max_fds);
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen i_assert(strcmp(global_ssl_settings->ssl, "no") == 0 ||
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen if (global_login_settings->mail_max_userip_connections > 0)
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen /* read the login_source_ips before chrooting so it can access
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen login_source_ips = parse_login_source_ips(global_login_settings->login_source_ips,
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen /* randomize the initial index in case service_count=1
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen (although in that case it's unlikely this setting is
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen even used..) */
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen login_source_ips_idx = i_rand_limit(login_source_ips_count);
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen initial_service_count = master_service_get_service_count(master_service);
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen if (restrict_access_get_current_chroot() == NULL) {
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen i_error("access(%s, wx) failed: %m - disabling rawlog",
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenstatic void main_init(const char *login_socket)
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen /* make sure we can't fork() */
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen master_service_set_avail_overflow_callback(master_service,
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen master_service_set_die_callback(master_service, login_die);
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen auth_client = auth_client_init(login_socket, (unsigned int)getpid(),
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen auth_client_set_connect_notify(auth_client, auth_connect_notify, NULL);
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen master_auth = master_auth_init(master_service, post_login_socket);
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainen login_proxy_init(global_login_settings->login_proxy_notify_path);
bb10ebcf076c959c752f583746d83805d7686df8Timo Sirainenstatic void main_deinit(void)
16c89b1260c9d07c01c83a9219424d3727069b2eTimo Sirainen array_foreach_modifiable(&global_alt_usernames, strp)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenint login_binary_run(const struct login_binary *binary,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen login_socket = binary->default_login_socket != NULL ?
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen binary->default_login_socket : LOGIN_DEFAULT_SOCKET;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen master_service = master_service_init(login_binary->process_name,
1b3bb8d39686ed24730cbc31cc9a33dc62c8c6c3Timo Sirainen master_service_init_log(master_service, t_strconcat(
b2105c78f0fd58281317e6d777ded860f33153a3Timo Sirainen while ((c = master_getopt(master_service)) > 0) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen set_pool = pool_alloconly_create("global login settings", 4096);
d482b35af87f5fd872bad007da0475813a401a49Timo Sirainen login_settings_read(set_pool, NULL, NULL, NULL,