static bool vpopmail_is_disabled(struct auth_request *request,
const struct vqpasswd *vpw)
{
struct passdb_module *_module = request->passdb->passdb;
struct vpopmail_passdb_module *module =
(struct vpopmail_passdb_module *)_module;
if (strcasecmp(request->service, "IMAP") == 0) {
if ((vpw->pw_flags & NO_IMAP) != 0) {
/* IMAP from webmail IP may still be allowed */
if (!net_ip_compare(&module->webmail_ip,
&request->remote_ip))
return TRUE;
}
if ((vpw->pw_flags & NO_WEBMAIL) != 0) {
if (net_ip_compare(&module->webmail_ip,
&request->remote_ip))
return TRUE;
}
}
if ((vpw->pw_flags & NO_POP) != 0 &&
strcasecmp(request->service, "POP3") == 0)
return TRUE;
return FALSE;
}
static int login_proxy_record_cmp(struct login_proxy_record *rec1,
struct login_proxy_record *rec2)
{
if (!net_ip_compare(&rec1->ip, &rec2->ip))
return 1;
return (int)rec1->port - (int)rec2->port;
}
static bool login_host_request_is_self(struct login_host_request *request,
const struct ip_addr *dest_ip)
{
if (!net_ip_compare(dest_ip, &request->local_ip))
return FALSE;
if (request->dest_port != 0 && request->local_port != 0 &&
request->dest_port != request->local_port)
return FALSE;
return TRUE;
}
static void
login_proxy_cmd_kick_director_hash(struct ipc_cmd *cmd, const char *const *args)
{
struct login_proxy *proxy, *next;
struct ip_addr except_ip;
unsigned int hash, proxy_hash, count = 0;
if (args[0] == NULL || str_to_uint(args[0], &hash) < 0) {
ipc_cmd_fail(&cmd, "Invalid parameters");
return;
}
/* optional except_ip parameter specifies that we're not killing the
connections that are proxying to the except_ip backend */
except_ip.family = 0;
if (args[1] != NULL && args[1][0] != '\0' &&
net_addr2ip(args[1], &except_ip) < 0) {
ipc_cmd_fail(&cmd, "Invalid except_ip parameter");
return;
}
for (proxy = login_proxies; proxy != NULL; proxy = next) {
next = proxy->next;
if (director_username_hash(proxy->client, &proxy_hash) &&
proxy_hash == hash &&
!net_ip_compare(&proxy->ip, &except_ip)) {
login_proxy_free_delayed(&proxy, KILLED_BY_DIRECTOR_REASON);
count++;
}
}
for (proxy = login_proxies_pending; proxy != NULL; proxy = next) {
next = proxy->next;
if (director_username_hash(proxy->client, &proxy_hash) &&
proxy_hash == hash &&
!net_ip_compare(&proxy->ip, &except_ip)) {
client_destroy(proxy->client, "Connection kicked");
count++;
}
}
ipc_cmd_success_reply(&cmd, t_strdup_printf("%u", count));
}
struct client *
client_create(int fd, bool ssl, pool_t pool,
const struct login_settings *set,
const struct master_service_ssl_settings *ssl_set,
void **other_sets,
const struct ip_addr *local_ip, const struct ip_addr *remote_ip)
{
struct client *client;
i_assert(fd != -1);
client = login_binary->client_vfuncs->alloc(pool);
client->v = *login_binary->client_vfuncs;
if (client->v.auth_send_challenge == NULL)
client->v.auth_send_challenge = client_auth_send_challenge;
if (client->v.auth_parse_response == NULL)
client->v.auth_parse_response = client_auth_parse_response;
client->created = ioloop_time;
client->refcount = 1;
client->pool = pool;
client->set = set;
client->ssl_set = ssl_set;
client->real_local_ip = client->local_ip = *local_ip;
client->real_remote_ip = client->ip = *remote_ip;
client->fd = fd;
client->tls = ssl;
client->trusted = client_is_trusted(client);
client->secured = ssl || client->trusted ||
net_ip_compare(remote_ip, local_ip);
client->proxy_ttl = LOGIN_PROXY_TTL;
if (last_client == NULL)
last_client = client;
DLLIST_PREPEND(&clients, client);
clients_count++;
client->to_disconnect =
timeout_add(CLIENT_LOGIN_TIMEOUT_MSECS,
client_idle_disconnect_timeout, client);
client_open_streams(client);
client->v.create(client, other_sets);
if (auth_client_is_connected(auth_client))
client_notify_auth_ready(client);
else
client_set_auth_waiting(client);
login_refresh_proctitle();
return client;
}
bool config_filters_equal(const struct config_filter *f1,
const struct config_filter *f2)
{
if (null_strcmp(f1->service, f2->service) != 0)
return FALSE;
if (f1->remote_bits != f2->remote_bits)
return FALSE;
if (!net_ip_compare(&f1->remote_net, &f2->remote_net))
return FALSE;
if (f1->local_bits != f2->local_bits)
return FALSE;
if (!net_ip_compare(&f1->local_net, &f2->local_net))
return FALSE;
if (null_strcmp(f1->local_name, f2->local_name) != 0)
return FALSE;
return TRUE;
}
bool login_proxy_is_ourself(const struct client *client, const char *host,
in_port_t port, const char *destuser)
{
struct ip_addr ip;
if (port != client->local_port)
return FALSE;
if (net_addr2ip(host, &ip) < 0)
return FALSE;
if (!net_ip_compare(&ip, &client->local_ip))
return FALSE;
return strcmp(client->virtual_user, destuser) == 0;
}
static bool
client_proxy_is_ourself(const struct client *client,
const struct lmtp_proxy_rcpt_settings *set)
{
struct ip_addr ip;
if (set->port != client->local_port)
return FALSE;
if (net_addr2ip(set->host, &ip) < 0)
return FALSE;
if (!net_ip_compare(&ip, &client->local_ip))
return FALSE;
return TRUE;
}
static void auth_server_send_new_request(struct auth_server_connection *conn,
struct auth_client_request *request)
{
struct auth_request_info *info = &request->request_info;
string_t *str;
str = t_str_new(512);
str_printfa(str, "AUTH\t%u\t", request->id);
str_append_tabescaped(str, info->mech);
str_append(str, "\tservice=");
str_append_tabescaped(str, info->service);
if ((info->flags & AUTH_REQUEST_FLAG_SUPPORT_FINAL_RESP) != 0)
str_append(str, "\tfinal-resp-ok");
if ((info->flags & AUTH_REQUEST_FLAG_SECURED) != 0)
str_append(str, "\tsecured");
if ((info->flags & AUTH_REQUEST_FLAG_NO_PENALTY) != 0)
str_append(str, "\tno-penalty");
if ((info->flags & AUTH_REQUEST_FLAG_VALID_CLIENT_CERT) != 0)
str_append(str, "\tvalid-client-cert");
if (info->session_id != NULL) {
str_append(str, "\tsession=");
str_append_tabescaped(str, info->session_id);
}
if (info->cert_username != NULL) {
str_append(str, "\tcert_username="******"\tlip=%s", net_ip2addr(&info->local_ip));
if (info->remote_ip.family != 0)
str_printfa(str, "\trip=%s", net_ip2addr(&info->remote_ip));
if (info->local_port != 0)
str_printfa(str, "\tlport=%u", info->local_port);
if (info->remote_port != 0)
str_printfa(str, "\trport=%u", info->remote_port);
/* send the real_* variants only when they differ from the unreal
ones */
if (info->real_local_ip.family != 0 &&
!net_ip_compare(&info->real_local_ip, &info->local_ip)) {
str_printfa(str, "\treal_lip=%s",
net_ip2addr(&info->real_local_ip));
}
if (info->real_remote_ip.family != 0 &&
!net_ip_compare(&info->real_remote_ip, &info->remote_ip)) {
str_printfa(str, "\treal_rip=%s",
net_ip2addr(&info->real_remote_ip));
}
if (info->real_local_port != 0 &&
info->real_local_port != info->local_port)
str_printfa(str, "\treal_lport=%u", info->real_local_port);
if (info->real_remote_port != 0 &&
info->real_remote_port != info->remote_port)
str_printfa(str, "\treal_rport=%u", info->real_remote_port);
if (info->initial_resp_base64 != NULL) {
str_append(str, "\tresp=");
str_append_tabescaped(str, info->initial_resp_base64);
}
str_append_c(str, '\n');
if (o_stream_send(conn->output, str_data(str), str_len(str)) < 0)
i_error("Error sending request to auth server: %m");
}
