static void imap_postcapability(struct backend *s)
{
if (CAPA(s, CAPA_SASL_IR)) {
/* server supports initial response in AUTHENTICATE command */
s->prot->u.std.sasl_cmd.maxlen = USHRT_MAX;
}
}
/* Match the response code to an expected return code defined in rock.
*
* Rock must be a zero-terminated string up to length 3 (excluding the
* NUL byte). Matching is performed by string matching the SMTP return
* code to the expected code, stopping at the zero byte.
*
* E.g. return code "250", "251" both would match a "2" or "25" rock.
*
* Also see Daniel Bernstein's site https://cr.yp.to/smtp/request.html:
* "I recommend that clients avoid looking past the first digit of the
* code, either 2, 3, 4, or 5. The other two digits and the text are
* primarily for human consumption. (Exception: See EHLO.)"
*
* Return IMAP_PROTOCOL_ERROR on mismatch, 0 on success.
*/
static int expect_code_cb(smtpclient_t *sm, void *rock)
{
size_t i;
const char *code = rock;
smtp_resp_t *resp = &sm->resp;
for (i = 0; i < 3 && code[i]; i++) {
if (code[i] != resp->code[i]) {
const char *text = buf_cstring(&resp->text);
syslog(LOG_ERR, "smtpclient: unexpected response: code=%c%c%c text=%s",
resp->code[0], resp->code[1], resp->code[2], text);
/* Try to glean specific error from response */
if (CAPA(sm->backend, SMTPCLIENT_CAPA_STATUS)) {
if (text[2] == '1' && text[4] >= '1' && text[4] <= '3')
return IMAP_MAILBOX_NONEXISTENT;
else if (text[2] == '3' && text[4] == '4')
return IMAP_MESSAGE_TOO_LARGE;
else if (text[2] == '5' && text[4] == '3')
return IMAP_MAILBOX_DISABLED;
else if (text[2] == '3' && text[4] == '0')
return IMAP_REMOTE_DENIED;
}
else {
switch (atoi(resp->code)) {
case 421:
case 451:
case 554:
return IMAP_REMOTE_DENIED;
case 450:
case 550:
return IMAP_MAILBOX_DISABLED;
case 452:
case 552:
return IMAP_MESSAGE_TOO_LARGE;
case 553:
return IMAP_MAILBOX_NONEXISTENT;
}
}
return IMAP_PROTOCOL_ERROR;
}
}
return 0;
}
static void replica_connect(const char *channel)
{
int wait;
struct protoent *proto;
sasl_callback_t *cb;
int timeout;
const char *port, *auth_status = NULL;
cb = mysasl_callbacks(NULL,
get_config(channel, "sync_authname"),
get_config(channel, "sync_realm"),
get_config(channel, "sync_password"));
/* get the right port */
port = get_config(channel, "sync_port");
if (port) {
imap_csync_protocol.service = port;
csync_protocol.service = port;
}
for (wait = 15;; wait *= 2) {
sync_backend = backend_connect(sync_backend, servername,
&imap_csync_protocol, "", cb, &auth_status,
(verbose > 1 ? fileno(stderr) : -1));
if (sync_backend) {
if (sync_backend->capability & CAPA_REPLICATION) {
/* attach our IMAP tag buffer to our protstreams as userdata */
sync_backend->in->userdata = sync_backend->out->userdata = &tagbuf;
break;
}
else {
backend_disconnect(sync_backend);
sync_backend = NULL;
}
}
sync_backend = backend_connect(sync_backend, servername,
&csync_protocol, "", cb, NULL,
(verbose > 1 ? fileno(stderr) : -1));
if (sync_backend || auth_status || connect_once || wait > 1000) break;
fprintf(stderr,
"Can not connect to server '%s', retrying in %d seconds\n",
servername, wait);
sleep(wait);
}
free_callbacks(cb);
cb = NULL;
if (!sync_backend) {
fprintf(stderr, "Can not connect to server '%s'\n",
servername);
syslog(LOG_ERR, "Can not connect to server '%s'", servername);
_exit(1);
}
/* Disable Nagle's Algorithm => increase throughput
*
* http://en.wikipedia.org/wiki/Nagle's_algorithm
*/
if (servername[0] != '/') {
if (sync_backend->sock >= 0 && (proto = getprotobyname("tcp")) != NULL) {
int on = 1;
if (setsockopt(sync_backend->sock, proto->p_proto, TCP_NODELAY,
(void *) &on, sizeof(on)) != 0) {
syslog(LOG_ERR, "unable to setsocketopt(TCP_NODELAY): %m");
}
/* turn on TCP keepalive if set */
if (config_getswitch(IMAPOPT_TCP_KEEPALIVE)) {
int r;
int optval = 1;
socklen_t optlen = sizeof(optval);
struct protoent *proto = getprotobyname("TCP");
r = setsockopt(sync_backend->sock, SOL_SOCKET, SO_KEEPALIVE, &optval, optlen);
if (r < 0) {
syslog(LOG_ERR, "unable to setsocketopt(SO_KEEPALIVE): %m");
}
#ifdef TCP_KEEPCNT
optval = config_getint(IMAPOPT_TCP_KEEPALIVE_CNT);
if (optval) {
r = setsockopt(sync_backend->sock, proto->p_proto, TCP_KEEPCNT, &optval, optlen);
if (r < 0) {
syslog(LOG_ERR, "unable to setsocketopt(TCP_KEEPCNT): %m");
}
}
#endif
#ifdef TCP_KEEPIDLE
optval = config_getint(IMAPOPT_TCP_KEEPALIVE_IDLE);
if (optval) {
r = setsockopt(sync_backend->sock, proto->p_proto, TCP_KEEPIDLE, &optval, optlen);
if (r < 0) {
syslog(LOG_ERR, "unable to setsocketopt(TCP_KEEPIDLE): %m");
}
}
#endif
#ifdef TCP_KEEPINTVL
optval = config_getint(IMAPOPT_TCP_KEEPALIVE_INTVL);
if (optval) {
r = setsockopt(sync_backend->sock, proto->p_proto, TCP_KEEPINTVL, &optval, optlen);
if (r < 0) {
syslog(LOG_ERR, "unable to setsocketopt(TCP_KEEPINTVL): %m");
}
}
#endif
}
} else {
syslog(LOG_ERR, "unable to getprotobyname(\"tcp\"): %m");
}
}
#ifdef HAVE_ZLIB
/* Does the backend support compression? */
if (CAPA(sync_backend, CAPA_COMPRESS)) {
prot_printf(sync_backend->out, "%s\r\n",
sync_backend->prot->u.std.compress_cmd.cmd);
prot_flush(sync_backend->out);
if (sync_parse_response("COMPRESS", sync_backend->in, NULL)) {
if (do_compress) fatal("Failed to enable compression, aborting", EC_SOFTWARE);
syslog(LOG_NOTICE, "Failed to enable compression, continuing uncompressed");
}
else {
prot_setcompress(sync_backend->in);
prot_setcompress(sync_backend->out);
}
}
else if (do_compress) fatal("Backend does not support compression, aborting", EC_SOFTWARE);
#endif
/* links to sockets */
sync_in = sync_backend->in;
sync_out = sync_backend->out;
if (verbose > 1) {
prot_setlog(sync_in, fileno(stderr));
prot_setlog(sync_out, fileno(stderr));
}
/* Set inactivity timer */
timeout = config_getint(IMAPOPT_SYNC_TIMEOUT);
if (timeout < 3) timeout = 3;
prot_settimeout(sync_in, timeout);
/* Force use of LITERAL+ so we don't need two way communications */
prot_setisclient(sync_in, 1);
prot_setisclient(sync_out, 1);
}
static void proxy_part_filldata(partlist_t *part_list, int idx)
{
char mytag[128];
struct backend *be;
partitem_t *item = &part_list->items[idx];
item->id = 0;
item->available = 0;
item->total = 0;
item->quota = 0.;
syslog(LOG_DEBUG, "checking free space on server '%s'", item->value);
/* connect to server */
be = proxy_findserver(item->value, &imap_protocol,
proxy_userid, &backend_cached,
&backend_current, &backend_inbox, imapd_in);
if (be) {
uint64_t server_available = 0;
uint64_t server_total = 0;
const char *annot =
(part_list->mode == PART_SELECT_MODE_FREESPACE_MOST) ?
"freespace/total" : "freespace/percent/most";
struct buf cmd = BUF_INITIALIZER;
int c;
/* fetch annotation from remote */
proxy_gentag(mytag, sizeof(mytag));
if (CAPA(be, CAPA_METADATA)) {
buf_printf(&cmd, "METADATA \"\" (\"/shared" IMAP_ANNOT_NS "%s\"",
annot);
}
else {
buf_printf(&cmd, "ANNOTATION \"\" \"" IMAP_ANNOT_NS "%s\" "
"(\"value.shared\"", annot);
}
prot_printf(be->out, "%s GET%s)\r\n", mytag, buf_cstring(&cmd));
prot_flush(be->out);
for (/* each annotation response */;;) {
/* read a line */
c = prot_getc(be->in);
if (c != '*') break;
c = prot_getc(be->in);
if (c != ' ') { /* protocol error */ c = EOF; break; }
c = chomp(be->in, buf_cstring(&cmd));
if (c == ' ') c = prot_getc(be->in);
if ((c == EOF) || (c != '\"')) {
/* we don't care about this response */
eatline(be->in, c);
continue;
}
/* read available */
c = getuint64(be->in, &server_available);
if (c != ';') { c = EOF; break; }
/* read total */
c = getuint64(be->in, &server_total);
if (c != '\"') { c = EOF; break; }
eatline(be->in, c); /* we don't care about the rest of the line */
}
buf_free(&cmd);
if (c != EOF) {
prot_ungetc(c, be->in);
/* we should be looking at the tag now */
eatline(be->in, c);
}
if (c == EOF) {
/* uh oh, we're not happy */
fatal("Lost connection to backend", EC_UNAVAILABLE);
}
/* unique id */
item->id = idx;
item->available = server_available;
item->total = server_total;
}
}
struct backend *backend_connect(struct backend *ret_backend, const char *server,
struct protocol_t *prot, const char *userid,
sasl_callback_t *cb, const char **auth_status)
{
/* need to (re)establish connection to server or create one */
int sock = -1;
int r;
int err = -1;
int ask = 1; /* should we explicitly ask for capabilities? */
struct addrinfo hints, *res0 = NULL, *res;
struct sockaddr_un sunsock;
char buf[2048];
struct sigaction action;
struct backend *ret;
char rsessionid[MAX_SESSIONID_SIZE];
if (!ret_backend) {
ret = xzmalloc(sizeof(struct backend));
strlcpy(ret->hostname, server, sizeof(ret->hostname));
ret->timeout = NULL;
}
else
ret = ret_backend;
if (server[0] == '/') { /* unix socket */
res0 = &hints;
memset(res0, 0, sizeof(struct addrinfo));
res0->ai_family = PF_UNIX;
res0->ai_socktype = SOCK_STREAM;
res0->ai_addr = (struct sockaddr *) &sunsock;
res0->ai_addrlen = sizeof(sunsock.sun_family) + strlen(server) + 1;
#ifdef SIN6_LEN
res0->ai_addrlen += sizeof(sunsock.sun_len);
sunsock.sun_len = res0->ai_addrlen;
#endif
sunsock.sun_family = AF_UNIX;
strlcpy(sunsock.sun_path, server, sizeof(sunsock.sun_path));
/* XXX set that we are preauthed */
/* change hostname to 'config_servername' */
strlcpy(ret->hostname, config_servername, sizeof(ret->hostname));
}
else { /* inet socket */
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
err = getaddrinfo(server, prot->service, &hints, &res0);
if (err) {
syslog(LOG_ERR, "getaddrinfo(%s) failed: %s",
server, gai_strerror(err));
goto error;
}
}
/* Setup timeout */
timedout = 0;
action.sa_flags = 0;
action.sa_handler = timed_out;
sigemptyset(&action.sa_mask);
if(sigaction(SIGALRM, &action, NULL) < 0)
{
syslog(LOG_ERR, "Setting timeout in backend_connect failed: sigaction: %m");
/* continue anyway */
}
for (res = res0; res; res = res->ai_next) {
sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (sock < 0)
continue;
alarm(config_getint(IMAPOPT_CLIENT_TIMEOUT));
if (connect(sock, res->ai_addr, res->ai_addrlen) >= 0)
break;
if(errno == EINTR && timedout == 1)
errno = ETIMEDOUT;
close(sock);
sock = -1;
}
/* Remove timeout code */
alarm(0);
signal(SIGALRM, SIG_IGN);
if (sock < 0) {
if (res0 != &hints)
freeaddrinfo(res0);
syslog(LOG_ERR, "connect(%s) failed: %m", server);
goto error;
}
memcpy(&ret->addr, res->ai_addr, res->ai_addrlen);
if (res0 != &hints)
freeaddrinfo(res0);
ret->in = prot_new(sock, 0);
ret->out = prot_new(sock, 1);
ret->sock = sock;
prot_setflushonread(ret->in, ret->out);
ret->prot = prot;
/* use literal+ to send literals */
prot_setisclient(ret->in, 1);
prot_setisclient(ret->out, 1);
if (prot->banner.auto_capa) {
/* try to get the capabilities from the banner */
r = ask_capability(ret, /*dobanner*/1, AUTO_CAPA_BANNER);
if (r) {
/* found capabilities in banner -> don't ask */
ask = 0;
}
}
else {
do { /* read the initial greeting */
if (!prot_fgets(buf, sizeof(buf), ret->in)) {
syslog(LOG_ERR,
"backend_connect(): couldn't read initial greeting: %s",
ret->in->error ? ret->in->error : "(null)");
goto error;
}
} while (strncasecmp(buf, prot->banner.resp,
strlen(prot->banner.resp)));
strncpy(ret->banner, buf, 2048);
}
if (ask) {
/* get the capabilities */
ask_capability(ret, /*dobanner*/0, AUTO_CAPA_NO);
}
/* now need to authenticate to backend server,
unless we're doing LMTP/CSYNC on a UNIX socket (deliver/sync_client) */
if ((server[0] != '/') ||
(strcmp(prot->sasl_service, "lmtp") &&
strcmp(prot->sasl_service, "csync"))) {
char *old_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
const char *my_status;
if ((r = backend_authenticate(ret, userid, cb, &my_status))) {
syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
sasl_errstring(r, NULL, NULL));
free(old_mechlist);
goto error;
}
else {
const void *ssf;
sasl_getprop(ret->saslconn, SASL_SSF, &ssf);
if (*((sasl_ssf_t *) ssf)) {
/* if we have a SASL security layer, compare SASL mech lists
before/after AUTH to check for a MITM attack */
char *new_mechlist;
int auto_capa = (prot->sasl_cmd.auto_capa == AUTO_CAPA_AUTH_SSF);
if (!strcmp(prot->service, "sieve")) {
/* XXX Hack to handle ManageSieve servers.
* No way to tell from protocol if server will
* automatically send capabilities, so we treat it
* as optional.
*/
char ch;
/* wait and probe for possible auto-capability response */
usleep(250000);
prot_NONBLOCK(ret->in);
if ((ch = prot_getc(ret->in)) != EOF) {
prot_ungetc(ch, ret->in);
} else {
auto_capa = AUTO_CAPA_AUTH_NO;
}
prot_BLOCK(ret->in);
}
ask_capability(ret, /*dobanner*/0, auto_capa);
new_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
if (new_mechlist &&
old_mechlist &&
strcmp(new_mechlist, old_mechlist)) {
syslog(LOG_ERR, "possible MITM attack:"
"list of available SASL mechanisms changed");
free(new_mechlist);
free(old_mechlist);
goto error;
}
free(new_mechlist);
}
else if (prot->sasl_cmd.auto_capa == AUTO_CAPA_AUTH_OK) {
/* try to get the capabilities from the AUTH success response */
forget_capabilities(ret);
parse_capability(ret, my_status);
post_parse_capability(ret);
}
if (!(strcmp(prot->service, "imap") &&
(strcmp(prot->service, "pop3")))) {
parse_sessionid(my_status, rsessionid);
syslog(LOG_NOTICE, "proxy %s sessionid=<%s> remote=<%s>", userid, session_id(), rsessionid);
}
}
if (auth_status) *auth_status = my_status;
free(old_mechlist);
}
/* start compression if requested and both client/server support it */
if (config_getswitch(IMAPOPT_PROXY_COMPRESS) && ret &&
CAPA(ret, CAPA_COMPRESS) &&
prot->compress_cmd.cmd &&
do_compress(ret, &prot->compress_cmd)) {
syslog(LOG_ERR, "couldn't enable compression on backend server");
goto error;
}
return ret;
error:
forget_capabilities(ret);
if (ret->in) {
prot_free(ret->in);
ret->in = NULL;
}
if (ret->out) {
prot_free(ret->out);
ret->out = NULL;
}
if (sock >= 0)
close(sock);
if (ret->saslconn) {
sasl_dispose(&ret->saslconn);
ret->saslconn = NULL;
}
if (!ret_backend)
free(ret);
return NULL;
}
static int backend_authenticate(struct backend *s, const char *userid,
sasl_callback_t *cb, const char **status)
{
struct protocol_t *prot = s->prot;
int r;
char *mechlist;
sasl_security_properties_t secprops =
{ 0, 0xFF, PROT_BUFSIZE, 0, NULL, NULL }; /* default secprops */
struct sockaddr_storage saddr_l, saddr_r;
char remoteip[60], localip[60];
socklen_t addrsize;
int local_cb = 0;
char buf[2048], optstr[128], *p;
const char *mech_conf, *pass;
/* set the IP addresses */
addrsize=sizeof(struct sockaddr_storage);
if (getpeername(s->sock, (struct sockaddr *)&saddr_r, &addrsize) != 0)
return SASL_FAIL;
if(iptostring((struct sockaddr *)&saddr_r, addrsize, remoteip, 60) != 0)
return SASL_FAIL;
addrsize=sizeof(struct sockaddr_storage);
if (getsockname(s->sock, (struct sockaddr *)&saddr_l, &addrsize)!=0)
return SASL_FAIL;
if(iptostring((struct sockaddr *)&saddr_l, addrsize, localip, 60) != 0)
return SASL_FAIL;
if (!cb) {
local_cb = 1;
strlcpy(optstr, s->hostname, sizeof(optstr));
p = strchr(optstr, '.');
if (p) *p = '\0';
strlcat(optstr, "_password", sizeof(optstr));
pass = config_getoverflowstring(optstr, NULL);
if(!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD);
cb = mysasl_callbacks(userid,
config_getstring(IMAPOPT_PROXY_AUTHNAME),
config_getstring(IMAPOPT_PROXY_REALM),
pass);
}
/* Require proxying if we have an "interesting" userid (authzid) */
r = sasl_client_new(prot->sasl_service, s->hostname, localip, remoteip, cb,
(userid && *userid ? SASL_NEED_PROXY : 0) |
(prot->sasl_cmd.parse_success ? SASL_SUCCESS_DATA : 0),
&s->saslconn);
if (r != SASL_OK)
goto out;
r = sasl_setprop(s->saslconn, SASL_SEC_PROPS, &secprops);
if (r != SASL_OK)
goto out;
/* Get SASL mechanism list. We can force a particular
mechanism using a <shorthost>_mechs option */
strcpy(buf, s->hostname);
p = strchr(buf, '.');
if (p) *p = '\0';
strcat(buf, "_mechs");
mech_conf = config_getoverflowstring(buf, NULL);
if (!mech_conf) {
mech_conf = config_getstring(IMAPOPT_FORCE_SASL_CLIENT_MECH);
}
mechlist = backend_get_cap_params(s, CAPA_AUTH);
do {
/* If we have a mech_conf, use it */
if (mech_conf && mechlist) {
char *conf = xstrdup(mech_conf);
char *newmechlist = intersect_mechlists( conf, mechlist );
if ( newmechlist == NULL ) {
syslog( LOG_INFO, "%s did not offer %s", s->hostname,
mech_conf );
}
free(conf);
free(mechlist);
mechlist = newmechlist;
}
if (mechlist) {
/* we now do the actual SASL exchange */
saslclient(s->saslconn, &prot->sasl_cmd, mechlist,
s->in, s->out, &r, status);
/* garbage collect */
free(mechlist);
mechlist = NULL;
}
else r = SASL_NOMECH;
/* If we don't have a usable mech, do TLS and try again */
} while (r == SASL_NOMECH &&
CAPA(s, CAPA_STARTTLS) &&
do_starttls(s) != -1 &&
(mechlist = backend_get_cap_params(s, CAPA_AUTH)));
if (r == SASL_OK) {
prot_setsasl(s->in, s->saslconn);
prot_setsasl(s->out, s->saslconn);
}
if (mechlist) free(mechlist);
out:
/* r == SASL_OK on success */
if (local_cb) free_callbacks(cb);
return r;
}
static void replica_connect(const char *channel)
{
int wait;
sasl_callback_t *cb;
int timeout;
const char *port, *auth_status = NULL;
cb = mysasl_callbacks(NULL,
get_config(channel, "sync_authname"),
get_config(channel, "sync_realm"),
get_config(channel, "sync_password"));
/* get the right port */
port = get_config(channel, "sync_port");
if (port) {
imap_csync_protocol.service = port;
csync_protocol.service = port;
}
for (wait = 15;; wait *= 2) {
sync_backend = backend_connect(sync_backend, servername,
&imap_csync_protocol, "", cb, &auth_status,
(verbose > 1 ? fileno(stderr) : -1));
if (sync_backend) {
if (sync_backend->capability & CAPA_REPLICATION) {
/* attach our IMAP tag buffer to our protstreams as userdata */
sync_backend->in->userdata = sync_backend->out->userdata = &tagbuf;
break;
}
else {
backend_disconnect(sync_backend);
sync_backend = NULL;
}
}
sync_backend = backend_connect(sync_backend, servername,
&csync_protocol, "", cb, NULL,
(verbose > 1 ? fileno(stderr) : -1));
if (sync_backend || auth_status || connect_once || wait > 1000) break;
fprintf(stderr,
"Can not connect to server '%s', retrying in %d seconds\n",
servername, wait);
sleep(wait);
}
free_callbacks(cb);
cb = NULL;
if (!sync_backend) {
fprintf(stderr, "Can not connect to server '%s'\n",
servername);
syslog(LOG_ERR, "Can not connect to server '%s'", servername);
_exit(1);
}
if (servername[0] != '/' && sync_backend->sock >= 0) {
tcp_disable_nagle(sync_backend->sock);
tcp_enable_keepalive(sync_backend->sock);
}
#ifdef HAVE_ZLIB
/* Does the backend support compression? */
if (CAPA(sync_backend, CAPA_COMPRESS)) {
prot_printf(sync_backend->out, "%s\r\n",
sync_backend->prot->u.std.compress_cmd.cmd);
prot_flush(sync_backend->out);
if (sync_parse_response("COMPRESS", sync_backend->in, NULL)) {
if (do_compress) fatal("Failed to enable compression, aborting", EC_SOFTWARE);
syslog(LOG_NOTICE, "Failed to enable compression, continuing uncompressed");
}
else {
prot_setcompress(sync_backend->in);
prot_setcompress(sync_backend->out);
}
}
else if (do_compress) fatal("Backend does not support compression, aborting", EC_SOFTWARE);
#endif
/* links to sockets */
sync_in = sync_backend->in;
sync_out = sync_backend->out;
if (verbose > 1) {
prot_setlog(sync_in, fileno(stderr));
prot_setlog(sync_out, fileno(stderr));
}
/* Set inactivity timer */
timeout = config_getint(IMAPOPT_SYNC_TIMEOUT);
if (timeout < 3) timeout = 3;
prot_settimeout(sync_in, timeout);
/* Force use of LITERAL+ so we don't need two way communications */
prot_setisclient(sync_in, 1);
prot_setisclient(sync_out, 1);
}
static int backend_login(struct backend *ret, const char *userid,
sasl_callback_t *cb, const char **auth_status,
int noauth)
{
int r = 0;
int ask = 1; /* should we explicitly ask for capabilities? */
char buf[2048];
struct protocol_t *prot = ret->prot;
if (prot->type != TYPE_STD) return -1;
if (prot->u.std.banner.auto_capa) {
/* try to get the capabilities from the banner */
r = ask_capability(ret, /*dobanner*/1, AUTO_CAPA_BANNER);
if (r) {
/* found capabilities in banner -> don't ask */
ask = 0;
}
}
else {
do { /* read the initial greeting */
if (!prot_fgets(buf, sizeof(buf), ret->in)) {
syslog(LOG_ERR,
"backend_login(): couldn't read initial greeting: %s",
ret->in->error ? ret->in->error : "(null)");
return -1;
}
} while (strncasecmp(buf, prot->u.std.banner.resp,
strlen(prot->u.std.banner.resp)));
xstrncpy(ret->banner, buf, 2048);
}
if (ask) {
/* get the capabilities */
ask_capability(ret, /*dobanner*/0, AUTO_CAPA_NO);
}
/* now need to authenticate to backend server,
unless we're doing LMTP/CSYNC on a UNIX socket (deliver/sync_client) */
if (!noauth) {
char *old_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
const char *my_status;
if ((r = backend_authenticate(ret, userid, cb, &my_status))) {
syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
sasl_errstring(r, NULL, NULL));
free(old_mechlist);
return -1;
}
else {
const void *ssf;
sasl_getprop(ret->saslconn, SASL_SSF, &ssf);
if (*((sasl_ssf_t *) ssf)) {
/* if we have a SASL security layer, compare SASL mech lists
before/after AUTH to check for a MITM attack */
char *new_mechlist;
int auto_capa = (prot->u.std.sasl_cmd.auto_capa == AUTO_CAPA_AUTH_SSF);
if (!strcmp(prot->service, "sieve")) {
/* XXX Hack to handle ManageSieve servers.
* No way to tell from protocol if server will
* automatically send capabilities, so we treat it
* as optional.
*/
char ch;
/* wait and probe for possible auto-capability response */
usleep(250000);
prot_NONBLOCK(ret->in);
if ((ch = prot_getc(ret->in)) != EOF) {
prot_ungetc(ch, ret->in);
} else {
auto_capa = AUTO_CAPA_AUTH_NO;
}
prot_BLOCK(ret->in);
}
ask_capability(ret, /*dobanner*/0, auto_capa);
new_mechlist = backend_get_cap_params(ret, CAPA_AUTH);
if (new_mechlist &&
old_mechlist &&
strcmp(new_mechlist, old_mechlist)) {
syslog(LOG_ERR, "possible MITM attack:"
"list of available SASL mechanisms changed");
if (new_mechlist) free(new_mechlist);
if (old_mechlist) free(old_mechlist);
return -1;
}
free(new_mechlist);
}
else if (prot->u.std.sasl_cmd.auto_capa == AUTO_CAPA_AUTH_OK) {
/* try to get the capabilities from the AUTH success response */
forget_capabilities(ret);
parse_capability(ret, my_status);
post_parse_capability(ret);
}
if (!(strcmp(prot->service, "imap") &&
(strcmp(prot->service, "pop3")))) {
char rsessionid[MAX_SESSIONID_SIZE];
parse_sessionid(my_status, rsessionid);
syslog(LOG_NOTICE, "auditlog: proxy %s sessionid=<%s> remote=<%s>", userid, session_id(), rsessionid);
}
}
if (auth_status) *auth_status = my_status;
free(old_mechlist);
}
/* start compression if requested and both client/server support it */
if (config_getswitch(IMAPOPT_PROXY_COMPRESS) &&
CAPA(ret, CAPA_COMPRESS) &&
prot->u.std.compress_cmd.cmd) {
r = do_compress(ret, &prot->u.std.compress_cmd);
if (r) {
syslog(LOG_NOTICE, "couldn't enable compression on backend server: %s", error_message(r));
r = 0; /* not a fail-level error */
}
}
return 0;
}
static struct backend *restore_connect(const char *servername,
struct buf *tagbuf,
const struct restore_options *options)
{
struct backend *backend = NULL;
sasl_callback_t *cb;
int timeout;
const char *auth_status = NULL;
cb = mysasl_callbacks(NULL,
config_getstring(IMAPOPT_RESTORE_AUTHNAME),
config_getstring(IMAPOPT_RESTORE_REALM),
config_getstring(IMAPOPT_RESTORE_PASSWORD));
/* try to connect over IMAP */
backend = backend_connect(backend, servername,
&imap_csync_protocol, "", cb, &auth_status,
(options->verbose > 1 ? fileno(stderr) : -1));
if (backend) {
if (backend->capability & CAPA_REPLICATION) {
/* attach our IMAP tag buffer to our protstreams as userdata */
backend->in->userdata = backend->out->userdata = tagbuf;
}
else {
backend_disconnect(backend);
backend = NULL;
}
}
/* if that didn't work, fall back to csync */
if (!backend) {
backend = backend_connect(backend, servername,
&csync_protocol, "", cb, NULL,
(options->verbose > 1 ? fileno(stderr) : -1));
}
free_callbacks(cb);
cb = NULL;
if (!backend) {
fprintf(stderr, "Can not connect to server '%s'\n", servername);
syslog(LOG_ERR, "Can not connect to server '%s'", servername);
return NULL;
}
if (servername[0] != '/' && backend->sock >= 0) {
tcp_disable_nagle(backend->sock);
tcp_enable_keepalive(backend->sock);
}
#ifdef HAVE_ZLIB
/* Does the backend support compression? */
if (CAPA(backend, CAPA_COMPRESS)) {
prot_printf(backend->out, "%s\r\n",
backend->prot->u.std.compress_cmd.cmd);
prot_flush(backend->out);
if (sync_parse_response("COMPRESS", backend->in, NULL)) {
if (options->require_compression)
fatal("Failed to enable compression, aborting", EX_SOFTWARE);
syslog(LOG_NOTICE, "Failed to enable compression, continuing uncompressed");
}
else {
prot_setcompress(backend->in);
prot_setcompress(backend->out);
}
}
else if (options->require_compression) {
fatal("Backend does not support compression, aborting", EX_SOFTWARE);
}
#endif
if (options->verbose > 1) {
/* XXX did we do this during backend_connect already? */
prot_setlog(backend->in, fileno(stderr));
prot_setlog(backend->out, fileno(stderr));
}
/* Set inactivity timer */
timeout = config_getint(IMAPOPT_SYNC_TIMEOUT);
if (timeout < 3) timeout = 3;
prot_settimeout(backend->in, timeout);
/* Force use of LITERAL+ so we don't need two way communications */
prot_setisclient(backend->in, 1);
prot_setisclient(backend->out, 1);
return backend;
}
