src/pop3-login/pop3-proxy.c

	pop3-proxy.c revision 67ac9e1493601933d3d4eb2d30893e0d84d2a5b5
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen/* Copyright (c) 2004-2017 Dovecot authors, see the included COPYING file */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "login-common.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "ioloop.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "istream.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "ostream.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "base64.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "safe-memset.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "str.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "str-sanitize.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "strescape.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "dsasl-client.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "client.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen#include "pop3-proxy.h"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenstatic const char *pop3_proxy_state_names[POP3_PROXY_STATE_COUNT] = {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    "banner", "starttls", "xclient", "login1", "login2"
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen};
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenstatic void proxy_free_password(struct client *client)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen{
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (client->proxy_password == NULL)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    safe_memset(client->proxy_password, 0, strlen(client->proxy_password));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    i_free_and_null(client->proxy_password);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenstatic int proxy_send_login(struct pop3_client *client, struct ostream *output)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen{
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    struct dsasl_client_settings sasl_set;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    const unsigned char *sasl_output;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    size_t len;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    const char *mech_name, *error;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    string_t *str = t_str_new(128);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    i_assert(client->common.proxy_ttl > 1);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (client->proxy_xclient &&
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        !client->common.proxy_not_trusted) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        string_t *fwd = t_str_new(128);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                for(const char *const *ptr = client->common.auth_passdb_args;*ptr != NULL; ptr++) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                        if (strncasecmp(*ptr, "forward_", 8) == 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                                if (str_len(fwd) > 0)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                                        str_append_c(fwd, '\t');
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                                str_append_tabescaped(fwd, (*ptr)+8);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        str_printfa(str, "XCLIENT ADDR=%s PORT=%u SESSION=%s TTL=%u",
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                net_ip2addr(&client->common.ip),
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                client->common.remote_port,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                client_get_session_id(&client->common),
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                client->common.proxy_ttl - 1);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (str_len(fwd) > 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            str_append(str, " FORWARD=");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            base64_encode(str_data(fwd), str_len(fwd), str);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        str_append(str, "\r\n");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        /* remote supports XCLIENT, send it */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        o_stream_nsend(output, str_data(str), str_len(str));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client->proxy_state = POP3_PROXY_XCLIENT;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    } else {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client->proxy_state = POP3_PROXY_LOGIN1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    str_truncate(str, 0);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (client->common.proxy_mech == NULL) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        /* send USER command */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        str_append(str, "USER ");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        str_append(str, client->common.proxy_user);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        str_append(str, "\r\n");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        o_stream_nsend(output, str_data(str), str_len(str));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    i_assert(client->common.proxy_sasl_client == NULL);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    i_zero(&sasl_set);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    sasl_set.authid = client->common.proxy_master_user != NULL ?
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client->common.proxy_master_user : client->common.proxy_user;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    sasl_set.authzid = client->common.proxy_user;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    sasl_set.password = client->common.proxy_password;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    client->common.proxy_sasl_client =
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        dsasl_client_new(client->common.proxy_mech, &sasl_set);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    str_printfa(str, "AUTH %s ", mech_name);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (dsasl_client_output(client->common.proxy_sasl_client,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                &sasl_output, &len, &error) < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_log_err(&client->common, t_strdup_printf(
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            "proxy: SASL mechanism %s init failed: %s",
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            mech_name, error));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (len == 0)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        str_append_c(str, '=');
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    else
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        base64_encode(sasl_output, len, str);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    str_append(str, "\r\n");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    o_stream_nsend(output, str_data(str), str_len(str));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    proxy_free_password(&client->common);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (client->proxy_state != POP3_PROXY_XCLIENT)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client->proxy_state = POP3_PROXY_LOGIN2;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenstatic int
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenpop3_proxy_continue_sasl_auth(struct client *client, struct ostream *output,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                  const char *line)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen{
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    string_t *str;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    const unsigned char *data;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    size_t data_len;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    const char *error;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    int ret;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    str = t_str_new(128);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (base64_decode(line, strlen(line), NULL, str) < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_log_err(client, "proxy: Server sent invalid base64 data in AUTH response");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    ret = dsasl_client_input(client->proxy_sasl_client,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                 str_data(str), str_len(str), &error);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (ret == 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        ret = dsasl_client_output(client->proxy_sasl_client,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                      &data, &data_len, &error);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (ret < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_log_err(client, t_strdup_printf(
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            "proxy: Server sent invalid authentication data: %s",
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            error));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    i_assert(ret == 0);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    str_truncate(str, 0);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    base64_encode(data, data_len, str);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    str_append(str, "\r\n");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    o_stream_nsend(output, str_data(str), str_len(str));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenint pop3_proxy_parse_line(struct client *client, const char *line)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen{
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    struct pop3_client *pop3_client = (struct pop3_client *)client;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    struct ostream *output;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    enum login_proxy_ssl_flags ssl_flags;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    i_assert(!client->destroyed);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    output = login_proxy_get_ostream(client->login_proxy);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    switch (pop3_client->proxy_state) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    case POP3_PROXY_BANNER:
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        /* this is a banner */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "+OK", 3) != 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_log_err(client, t_strdup_printf(
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                "proxy: Remote returned invalid banner: %s",
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                str_sanitize(line, 160)));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        pop3_client->proxy_xclient =
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            strncmp(line+3, " [XCLIENT]", 10) == 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        ssl_flags = login_proxy_get_ssl_flags(client->login_proxy);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            if (proxy_send_login(pop3_client, output) < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        } else {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            o_stream_nsend_str(output, "STLS\r\n");
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            pop3_client->proxy_state = POP3_PROXY_STARTTLS;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    case POP3_PROXY_STARTTLS:
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "+OK", 3) != 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_log_err(client, t_strdup_printf(
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                "proxy: Remote STLS failed: %s",
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                str_sanitize(line, 160)));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (login_proxy_starttls(client->login_proxy) < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        /* i/ostreams changed. */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        output = login_proxy_get_ostream(client->login_proxy);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (proxy_send_login(pop3_client, output) < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return 1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    case POP3_PROXY_XCLIENT:
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "+OK", 3) != 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_log_err(client, t_strdup_printf(
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                "proxy: Remote XCLIENT failed: %s",
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                str_sanitize(line, 160)));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        pop3_client->proxy_state = client->proxy_sasl_client == NULL ?
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            POP3_PROXY_LOGIN1 : POP3_PROXY_LOGIN2;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    case POP3_PROXY_LOGIN1:
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        i_assert(client->proxy_sasl_client == NULL);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "+OK", 3) != 0)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            break;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        /* USER successful, send PASS */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        o_stream_nsend_str(output, t_strdup_printf(
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            "PASS %s\r\n", client->proxy_password));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        proxy_free_password(client);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        pop3_client->proxy_state = POP3_PROXY_LOGIN2;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    case POP3_PROXY_LOGIN2:
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "+ ", 2) == 0 &&
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            client->proxy_sasl_client != NULL) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            /* continue SASL authentication */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            if (pop3_proxy_continue_sasl_auth(client, output,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                              line+2) < 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                client_proxy_failed(client, TRUE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            return 0;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "+OK", 3) != 0)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            break;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        /* Login successful. Send this line to client. */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        line = t_strconcat(line, "\r\n", NULL);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        o_stream_nsend_str(client->output, line);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_proxy_finish_destroy_client(client);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        return 1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    case POP3_PROXY_STATE_COUNT:
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        i_unreached();
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    /* Login failed. Pass through the error message to client.
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       If the backend server isn't Dovecot, the error message may
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       be different from Dovecot's "user doesn't exist" error. This
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       would allow an attacker to find out what users exist in the
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       system.
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       The optimal way to handle this would be to replace the
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       backend's "password failed" error message with Dovecot's
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       AUTH_FAILED_MSG, but this would require a new setting and
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       the sysadmin to actually bother setting it properly.
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       So for now we'll just forward the error message. This
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       shouldn't be a real problem since of course everyone will
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen       be using only Dovecot as their backend :) */
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (strncmp(line, "-ERR ", 5) != 0) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_send_reply(client, POP3_CMD_REPLY_ERROR,
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen                  AUTH_FAILED_MSG);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    } else {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_send_raw(client, t_strconcat(line, "\r\n", NULL));
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    if (client->set->auth_verbose) {
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        if (strncmp(line, "-ERR ", 5) == 0)
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen            line += 5;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen        client_proxy_log_failure(client, line);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    }
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    client->proxy_auth_failed = TRUE;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    client_proxy_failed(client, FALSE);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    return -1;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainenvoid pop3_proxy_reset(struct client *client)
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen{
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen    struct pop3_client *pop3_client = (struct pop3_client *)client;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    pop3_client->proxy_state = POP3_PROXY_BANNER;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainenvoid pop3_proxy_error(struct client *client, const char *text)
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen{
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    client_send_reply(client, POP3_CMD_REPLY_ERROR, text);
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainenconst char *pop3_proxy_get_state(struct client *client)
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen{
d646a63462a696824b1facd73e00732d4ac0f3dcTimo Sirainen    struct pop3_client *pop3_client = (struct pop3_client *)client;
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen    return pop3_proxy_state_names[pop3_client->proxy_state];
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen}
5fb3f13537dffd15a31e997da133a721c0728af8Timo Sirainen