On Sat, 22 Aug 2009 10:48:42 -0400 Alex <alex...@gmail.com> wrote: > See attached diff.
Of course, it would help if I actually attached the diff. :p -- Alex
diff -ur work/postfix-2.7-20090712/src/smtpd/smtpd_sasl_glue.c work.modified/postfix-2.7-20090712/src/smtpd/smtpd_sasl_glue.c
--- work/postfix-2.7-20090712/src/smtpd/smtpd_sasl_glue.c	2009-04-18 19:38:23.000000000 -0400
+++ work.modified/postfix-2.7-20090712/src/smtpd/smtpd_sasl_glue.c	2009-08-22 10:20:50.000000000 -0400
@@ -165,7 +165,7 @@
 {
     const char *mechanism_list;
     XSASL_SERVER_CREATE_ARGS create_args;
-    int tls_flag;
+    int tls_flag, tls_valid;
 
     /*
      * Sanity check.
@@ -191,8 +191,10 @@
 #define SMTPD_SASL_SERVICE "smtp"
 #ifdef USE_TLS
     tls_flag = state->tls_context != 0;
+    tls_valid = TLS_CERT_IS_TRUSTED(state->tls_context);
 #else
     tls_flag = 0;
+    tls_valid = 0;
 #endif
 #define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
 #define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)
@@ -206,7 +208,8 @@
                              service = SMTPD_SASL_SERVICE,
                              user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
                              security_options = sasl_opts_val,
-                             tls_flag = tls_flag)) == 0)
+                             tls_flag = tls_flag,
+                             tls_valid = tls_valid)) == 0)
         msg_fatal("SASL per-connection initialization failed");
 
     /*
diff -ur work/postfix-2.7-20090712/src/xsasl/xsasl.h work.modified/postfix-2.7-20090712/src/xsasl/xsasl.h
--- work/postfix-2.7-20090712/src/xsasl/xsasl.h	2009-04-18 19:39:16.000000000 -0400
+++ work.modified/postfix-2.7-20090712/src/xsasl/xsasl.h	2009-08-22 10:20:50.000000000 -0400
@@ -52,6 +52,7 @@
     const char *user_realm;
     const char *security_options;
     int tls_flag;
+    int tls_valid;
 } XSASL_SERVER_CREATE_ARGS;
 
 typedef struct XSASL_SERVER_IMPL {
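Review bot: In the USE_TLS branch of the second hunk, `tls_valid = TLS_CERT_IS_TRUSTED(state->tls_context);` is evaluated on every connection, including plaintext ones where `state->tls_context` is a null pointer; the line above it only survives that case because it tests the pointer (`state->tls_context != 0`) rather than dereferencing it. If TLS_CERT_IS_TRUSTED reads a field of its argument, as the peer-status macros in tls.h do, smtpd will crash on the first SASL session that is not wrapped in TLS. Gate the check on the session actually being TLS, which also normalises the stored value to 0/1 the way tls_flag is: `tls_valid = tls_flag && TLS_CERT_IS_TRUSTED(state->tls_context);`. Because this value is later forwarded to the SASL backend as an assertion that the client certificate was verified, it must only ever be derived from smtpd's own verification result and never default to non-zero; the enclosing function continues outside the hunk.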
@@ -64,9 +65,9 @@ #define xsasl_server_create(impl, args) \ (impl)->create((impl), (args)) -#define XSASL_SERVER_CREATE(impl, args, a1, a2, a3, a4, a5, a6, a7) \ +#define XSASL_SERVER_CREATE(impl, args, a1, a2, a3, a4, a5, a6, a7, a8) \ xsasl_server_create((impl), (((args)->a1), ((args)->a2), ((args)->a3), \ - ((args)->a4), ((args)->a5), ((args)->a6), ((args)->a7), (args))) + ((args)->a4), ((args)->a5), ((args)->a6), ((args)->a7), ((args)->a8), (args))) #define xsasl_server_done(impl) (impl)->done((impl)); /* diff -ur work/postfix-2.7-20090712/src/xsasl/xsasl_dovecot_server.c work.modified/postfix-2.7-20090712/src/xsasl/xsasl_dovecot_server.c --- work/postfix-2.7-20090712/src/xsasl/xsasl_dovecot_server.c 2009-05-19 14:02:35.000000000 -0400 +++ work.modified/postfix-2.7-20090712/src/xsasl/xsasl_dovecot_server.c 2009-08-22 10:20:50.000000000 -0400 @@ -162,6 +162,7 @@ VSTRING *sasl_line; unsigned int sec_props; /* Postfix mechanism filter */ int tls_flag; /* TLS enabled in this session */ + int tls_valid; /* Client presented valid certificate */ char *mechanism_list; /* filtered mechanism list */ ARGV *mechanism_argv; /* ditto */ char *client_addr; /* remote IP address */ @@ -432,6 +433,7 @@ server->mechanism_list = 0; server->mechanism_argv = 0; server->tls_flag = args->tls_flag; + server->tls_valid = args->tls_valid; server->sec_props = name_mask_opt(myname, xsasl_dovecot_conf_sec_props, args->security_options, @@ -654,6 +656,8 @@ if (server->tls_flag) /* XXX Encapsulate for logging. */ vstream_fputs("\tsecured", server->impl->sasl_stream); + if (server->tls_valid) + vstream_fputs("\tvalid-client-cert", server->impl->sasl_stream); if (init_response) { /*
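Review bot: The comment on the new struct field in the xsasl_dovecot_server.c hunk, `/* Client presented valid certificate */`, understates what the flag asserts: its value comes from TLS_CERT_IS_TRUSTED on the smtpd side, i.e. the client certificate chain verified against the CAs smtpd is configured to trust, not merely that a certificate was presented. Since the last hunk forwards it to Dovecot as `valid-client-cert`, which Dovecot may treat as satisfying its own client-certificate requirement, the comment should make the trust semantics explicit, e.g. `int tls_valid; /* Client cert verified against smtpd's trusted CAs */`. The struct is only partly visible here; its definition starts before this hunk.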