In some setups it's useful for authentication handling to know if the connection is SSL/TLS secured. The patch below should tell this to Dovecot. It compiles, but other than that I haven't yet tested it.
In any case, it looks like passing the SSL/TLS state down to the backend requires an additional
parameter to xsasl_server_create(). Wietse, how do you think the API
should be changed to support this? The choices I see
are:
- int tls parameter as in the patch
- a more generic int flags bitmask
- secprops-like string
- replace all the existing parameters with a pointer to struct
xsasl_parameters so more stuff can easily be added to it later.
I'd prefer the last one, especially because other people have also
asked to pass the local/remote IP addresses to the SASL backend.
diff -ru postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c
postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c
--- postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c 2007-10-05 18:56:34.000000000
-0400
+++ postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c 2009-02-23
13:59:28.000000000 -0500
@@ -151,6 +151,7 @@
const char *sasl_opts_val)
{
const char *mechanism_list;
+ int tls;
/*
* Initialize SASL-specific state variables. Use long-lived storage for
@@ -169,11 +170,16 @@
*/
#define SMTPD_SASL_SERVICE "smtp"
+#ifdef USE_TLS
+ tls = state->tls_context != 0;
+#else
+ tls = 0;
+#endif
if ((state->sasl_server =
xsasl_server_create(smtpd_sasl_impl, state->client,
SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
var_smtpd_sasl_realm : (char *) 0,
- sasl_opts_val)) == 0)
+ sasl_opts_val, tls)) == 0)
msg_fatal("SASL per-connection initialization failed");
/*
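Review bot: `tls = state->tls_context != 0;` samples the TLS state once, at the moment the SASL server object is created, so the value is only right if this activation code runs again after a successful STARTTLS; if it runs only at connection setup, the backend is told the session is unsecured even after the upgrade. Postfix does, as far as I recall, re-activate SASL from smtpd_start_tls() to apply the TLS-specific SASL options, in which case the one-shot sample is fine, but that dependency is invisible here and deserves a comment: `/* Sampled at activation time: the caller must re-activate SASL after a TLS handshake. */`. Note also that a non-null tls_context only says a TLS session exists; since the hint lets the auth backend relax its plaintext-mechanism policy, state explicitly that the flag is independent of cipher strength, or derive it from the session's cipher bits once the API can carry them. The enclosing function's signature is cut off above this hunk and its body continues below it.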
diff -ru postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c
postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c
--- postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c 2007-05-25
12:42:17.000000000 -0400
+++ postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c 2009-02-23
14:03:21.000000000 -0500
@@ -157,7 +157,8 @@
VSTREAM *,
const char *,
const char *,
- const char *);
+ const char *,
+ int);
static void xsasl_cyrus_server_free(XSASL_SERVER *);
static int xsasl_cyrus_server_first(XSASL_SERVER *, const char *,
const char *, VSTRING *);
@@ -262,7 +263,8 @@
VSTREAM *stream,
const char *service,
const char *realm,
- const char *sec_props)
+ const char *sec_props,
+ int unused_tls)
{
const char *myname = "xsasl_cyrus_server_create";
char *server_address;
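Review bot: The Cyrus backend silently discards the new argument as `unused_tls`, so the two backends now attach different policy meaning to the same parameter: for Dovecot it relaxes the plaintext-mechanism check, for Cyrus it does nothing, and nothing in the code says that is deliberate. If parity is wanted later, Cyrus SASL's counterpart is the SASL_SSF_EXTERNAL property set with sasl_setprop() on the connection, which takes an encryption strength rather than a boolean, another argument for the struct or bitmask API you are weighing instead of a bare int. At minimum, annotate the parameter: `int unused_tls /* Cyrus mechanism policy is driven by sec_props, not by TLS state */`. The function body continues beyond this hunk.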
diff -ru postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c
postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c
--- postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c 2008-03-16
19:09:04.000000000 -0400
+++ postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c 2009-02-23
14:02:49.000000000 -0500
@@ -160,6 +160,7 @@
char *username; /* authenticated user */
VSTRING *sasl_line;
unsigned int sec_props; /* Postfix mechanism filter */
+ int tls; /* TLS enabled in this session */
char *mechanism_list; /* filtered mechanism list */
ARGV *mechanism_argv; /* ditto */
} XSASL_DOVECOT_SERVER;
@@ -172,7 +173,8 @@
VSTREAM *,
const char *,
const char *,
- const char *);
+ const char *,
+ int);
static void xsasl_dovecot_server_free(XSASL_SERVER *);
static int xsasl_dovecot_server_first(XSASL_SERVER *, const char *,
const char *, VSTRING *);
@@ -382,7 +384,8 @@
VSTREAM *unused_stream,
const char *service,
const char *realm,
- const char *sec_props)
+ const char *sec_props,
+ int tls)
{
const char *myname = "xsasl_dovecot_server_create";
XSASL_DOVECOT_SERVER *server;
@@ -409,6 +412,7 @@
server->last_request_id = 0;
server->mechanism_list = 0;
server->mechanism_argv = 0;
+ server->tls = tls;
server->sec_props =
name_mask_opt(myname, xsasl_dovecot_conf_sec_props,
sec_props, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
@@ -608,6 +612,8 @@
"AUTH\t%u\t%s\tservice=%s\tnologin",
server->last_request_id, sasl_method,
server->service);
+ if (server->tls)
+ vstream_fputs("\tsecured", server->impl->sasl_stream);
if (init_response) {
/*
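Review bot: The `\tsecured` token appended here is a policy signal, not just information: in the Dovecot auth protocol it tells the auth server the client connection is already protected, which is what allows plaintext mechanisms such as PLAIN and LOGIN that Dovecot would otherwise refuse when plaintext auth is disabled, so a false positive here downgrades the client's authentication security. That consequence should be stated next to the write, e.g. `/* "secured": the client connection is TLS-protected; the auth server may then permit plaintext mechanisms it otherwise rejects. */`. The unchecked `vstream_fputs()` return matches the surrounding vstream_fprintf style and presumably surfaces at flush time, so that part is fine; I would only confirm that `server->tls` reflects the client's current TLS state rather than a value captured before STARTTLS. The enclosing function starts before this hunk and its body continues after it.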
diff -ru postfix-2.5.6/src/xsasl/xsasl.h postfix-2.5.6-dovecot/src/xsasl/xsasl.h
--- postfix-2.5.6/src/xsasl/xsasl.h 2005-12-19 16:34:20.000000000 -0500
+++ postfix-2.5.6-dovecot/src/xsasl/xsasl.h 2009-02-23 13:58:00.000000000
-0500
@@ -45,15 +45,15 @@
* own private data.
*/
typedef struct XSASL_SERVER_IMPL {
- XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const char
*, const char *, const char *);
+ XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const char
*, const char *, const char *, int);
void (*done) (struct XSASL_SERVER_IMPL *);
} XSASL_SERVER_IMPL;
extern XSASL_SERVER_IMPL *xsasl_server_init(const char *, const char *);
extern ARGV *xsasl_server_types(void);
-#define xsasl_server_create(impl, stream, service, realm, sec_props) \
- (impl)->create((impl), (stream), (service), (realm), (sec_props))
+#define xsasl_server_create(impl, stream, service, realm, sec_props, tls) \
+ (impl)->create((impl), (stream), (service), (realm), (sec_props), (tls))
#define xsasl_server_done(impl) (impl)->done((impl));
/*
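Review bot: The new trailing `int` in the XSASL_SERVER_IMPL create() pointer and in the xsasl_server_create() macro is undocumented, and as a positional integer it is easy to confuse with a flags word by anyone writing a third backend against this header. A one-line comment above the typedef would settle it: `/* create(): the final int is non-zero when the client connection is TLS-protected. */`. On the API question you raise, a flags bitmask or a pointer to an xsasl_parameters struct extends without touching every backend's prototype again, which matters because the IP-address and cipher-strength information you mention will not fit in a boolean.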
