From b5b1107ff044f916147495548dfb7bce1c7951ce Mon Sep 17 00:00:00 2001 From: John Denker Date: Fri, 1 Jan 2016 18:58:24 -0800 Subject: allow authentication over STARTTLS (not just SMTPS) --- qmail-smtpd.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/qmail-smtpd.c b/qmail-smtpd.c index 103d4b5..aaf65e8 100644 --- a/qmail-smtpd.c +++ b/qmail-smtpd.c @@ -39,6 +39,15 @@ int timeout = 1200; const char *protocol = "SMTP"; +/* + There is an inconsistency in the design that we have to work around. + When using stunnel to implement SMTPS, the password checker is runtime + configurable, since stunnel passes it to us as a cmdline argument. + However, STARTTLS has no idea how stunnel is configured (if it exists + at all), so we have to use a compiled-in pwchecker. + */ +char *pwchecker[] = {"/var/qmail/rbin/checkpassword", "-", 0}; + #ifdef TLS #include #include "tls.h" @@ -323,7 +332,7 @@ void smtp_ehlo(arg) char *arg; out("250-AUTH LOGIN PLAIN\r\n"); out("250-AUTH=LOGIN PLAIN\r\n"); #endif - } + } /* else auth not available; channel lacks privacy */ out("250-PIPELINING\r\n"); out("250 8BITMIME\r\n"); /* last one has a space, not a dash */ seenmail = 0; dohelo(arg); @@ -683,7 +692,7 @@ char *arg; if (!hostname || !childargs) { - out("503 auth not available (#5.3.3)\r\n"); + out("503 auth not available; channel lacks privacy (#5.3.3)\r\n"); return; } if (authd) { err_authd(); return; } @@ -940,6 +949,11 @@ void tls_init() ssl_free(myssl); tls_out("connection failed", err); die_read(); } ssl = myssl; +/* The following are a kludgey way of indicating that the channel is + sufficiently private to allow the sending of passwords: + */ + if (!hostname) hostname = "0"; + if (!childargs) childargs = pwchecker; /* populate the protocol string, used in Received */ if (!stralloc_copys(&proto, "ESMTPS (") -- cgit v1.2.3