pop3-proxy.c revision 5f5870385cff47efd2f58e7892f251cf13761528
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen/* Copyright (c) 2004-2012 Dovecot authors, see the included COPYING file */
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "login-common.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "ioloop.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "istream.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "ostream.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "base64.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "safe-memset.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "str.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "str-sanitize.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "client.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen#include "pop3-proxy.h"
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainenstatic void proxy_free_password(struct client *client)
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen{
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen if (client->proxy_password == NULL)
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen return;
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen safe_memset(client->proxy_password, 0, strlen(client->proxy_password));
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen i_free_and_null(client->proxy_password);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen}
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainenstatic void get_plain_auth(struct client *client, string_t *dest)
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen{
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen string_t *str;
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str = t_str_new(128);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, client->proxy_user);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append_c(str, '\0');
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, client->proxy_master_user);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append_c(str, '\0');
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, client->proxy_password);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen base64_encode(str_data(str), str_len(str), dest);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen}
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainenstatic void proxy_send_login(struct pop3_client *client, struct ostream *output)
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen{
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen string_t *str;
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str = t_str_new(128);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen if (client->common.proxy_master_user == NULL) {
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen /* send USER command */
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, "USER ");
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, client->common.proxy_user);
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, "\r\n");
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen } else {
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen /* master user login - use AUTH PLAIN. */
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen str_append(str, "AUTH PLAIN\r\n");
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen }
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen (void)o_stream_send(output, str_data(str), str_len(str));
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen client->common.proxy_state = POP3_PROXY_LOGIN1;
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen}
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen
int pop3_proxy_parse_line(struct client *client, const char *line)
{
struct pop3_client *pop3_client = (struct pop3_client *)client;
struct ostream *output;
enum login_proxy_ssl_flags ssl_flags;
string_t *str;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
switch (client->proxy_state) {
case POP3_PROXY_BANNER:
/* this is a banner */
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote returned invalid banner: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
ssl_flags = login_proxy_get_ssl_flags(client->login_proxy);
if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0) {
proxy_send_login(pop3_client, output);
} else {
(void)o_stream_send_str(output, "STLS\r\n");
client->proxy_state = POP3_PROXY_STARTTLS;
}
return 0;
case POP3_PROXY_STARTTLS:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote STLS failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
proxy_send_login(pop3_client, output);
return 1;
case POP3_PROXY_LOGIN1:
str = t_str_new(128);
if (client->proxy_master_user == NULL) {
if (strncmp(line, "+OK", 3) != 0)
break;
/* USER successful, send PASS */
str_append(str, "PASS ");
str_append(str, client->proxy_password);
str_append(str, "\r\n");
} else {
if (*line != '+')
break;
/* AUTH successful, send the authentication data */
get_plain_auth(client, str);
str_append(str, "\r\n");
}
(void)o_stream_send(output, str_data(str), str_len(str));
proxy_free_password(client);
client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN2:
if (strncmp(line, "+OK", 3) != 0)
break;
/* Login successful. Send this line to client. */
line = t_strconcat(line, "\r\n", NULL);
(void)o_stream_send_str(client->output, line);
client_proxy_finish_destroy_client(client);
return 1;
}
/* Login failed. Pass through the error message to client.
If the backend server isn't Dovecot, the error message may
be different from Dovecot's "user doesn't exist" error. This
would allow an attacker to find out what users exist in the
system.
The optimal way to handle this would be to replace the
backend's "password failed" error message with Dovecot's
AUTH_FAILED_MSG, but this would require a new setting and
the sysadmin to actually bother setting it properly.
So for now we'll just forward the error message. This
shouldn't be a real problem since of course everyone will
be using only Dovecot as their backend :) */
if (strncmp(line, "-ERR ", 5) != 0) {
client_send_line(client, CLIENT_CMD_REPLY_AUTH_FAILED,
AUTH_FAILED_MSG);
} else {
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
}
if (client->set->auth_verbose) {
if (strncmp(line, "-ERR ", 5) == 0)
line += 5;
client_proxy_log_failure(client, line);
}
client->proxy_auth_failed = TRUE;
client_proxy_failed(client, FALSE);
return -1;
}
void pop3_proxy_reset(struct client *client)
{
client->proxy_state = POP3_PROXY_BANNER;
}