void client_proxy_failed(struct client *client, bool send_line)
{
if (send_line) {
client_proxy_error(client, PROXY_FAILURE_MSG);
}
login_proxy_free(&client->login_proxy);
proxy_free_password(client);
i_free_and_null(client->proxy_user);
i_free_and_null(client->proxy_master_user);
/* call this last - it may destroy the client */
client_auth_failed(client);
}
static int proxy_write_login(struct imap_client *client, string_t *str)
{
struct dsasl_client_settings sasl_set;
const unsigned char *output;
unsigned int len;
const char *mech_name, *error;
/* Send CAPABILITY command if we don't know the capabilities yet.
Also as kind of a Dovecot-backend workaround if the client insisted
on sending CAPABILITY command (even though our banner already sent
it), send the (unnecessary) CAPABILITY command to backend as well
to avoid sending the CAPABILITY reply twice (untagged and OK resp
code). */
if (!client->proxy_capability_request_sent &&
(client->proxy_backend_capability == NULL ||
client->client_ignores_capability_resp_code)) {
client->proxy_capability_request_sent = TRUE;
str_append(str, "C CAPABILITY\r\n");
if (client->common.proxy_nopipelining) {
/* authenticate only after receiving C OK reply. */
return 0;
}
}
if (client->common.proxy_mech == NULL) {
/* logging in normally - use LOGIN command */
if (client->proxy_logindisabled &&
login_proxy_get_ssl_flags(client->common.login_proxy) == 0) {
client_log_err(&client->common,
"proxy: Remote advertised LOGINDISABLED and SSL/TLS not enabled");
return -1;
}
str_append(str, "L LOGIN ");
imap_append_string(str, client->common.proxy_user);
str_append_c(str, ' ');
imap_append_string(str, client->common.proxy_password);
str_append(str, "\r\n");
proxy_free_password(&client->common);
return 0;
}
i_assert(client->common.proxy_sasl_client == NULL);
memset(&sasl_set, 0, sizeof(sasl_set));
sasl_set.authid = client->common.proxy_master_user != NULL ?
client->common.proxy_master_user : client->common.proxy_user;
sasl_set.authzid = client->common.proxy_user;
sasl_set.password = client->common.proxy_password;
client->common.proxy_sasl_client =
dsasl_client_new(client->common.proxy_mech, &sasl_set);
mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
str_append(str, "L AUTHENTICATE ");
str_append(str, mech_name);
if (client->proxy_sasl_ir) {
if (dsasl_client_output(client->common.proxy_sasl_client,
&output, &len, &error) < 0) {
client_log_err(&client->common, t_strdup_printf(
"proxy: SASL mechanism %s init failed: %s",
mech_name, error));
return -1;
}
str_append_c(str, ' ');
if (len == 0)
str_append_c(str, '=');
else
base64_encode(output, len, str);
}
str_append(str, "\r\n");
proxy_free_password(&client->common);
return 0;
}
int pop3_proxy_parse_line(struct client *client, const char *line)
{
struct pop3_client *pop3_client = (struct pop3_client *)client;
struct ostream *output;
enum login_proxy_ssl_flags ssl_flags;
string_t *str;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
switch (client->proxy_state) {
case POP3_PROXY_BANNER:
/* this is a banner */
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote returned invalid banner: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
ssl_flags = login_proxy_get_ssl_flags(client->login_proxy);
if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0) {
proxy_send_login(pop3_client, output);
} else {
(void)o_stream_send_str(output, "STLS\r\n");
client->proxy_state = POP3_PROXY_STARTTLS;
}
return 0;
case POP3_PROXY_STARTTLS:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote STLS failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
proxy_send_login(pop3_client, output);
return 1;
case POP3_PROXY_LOGIN1:
str = t_str_new(128);
if (client->proxy_master_user == NULL) {
if (strncmp(line, "+OK", 3) != 0)
break;
/* USER successful, send PASS */
str_append(str, "PASS ");
str_append(str, client->proxy_password);
str_append(str, "\r\n");
} else {
if (*line != '+')
break;
/* AUTH successful, send the authentication data */
get_plain_auth(client, str);
str_append(str, "\r\n");
}
(void)o_stream_send(output, str_data(str), str_len(str));
proxy_free_password(client);
client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN2:
if (strncmp(line, "+OK", 3) != 0)
break;
/* Login successful. Send this line to client. */
line = t_strconcat(line, "\r\n", NULL);
(void)o_stream_send_str(client->output, line);
client_proxy_finish_destroy_client(client);
return 1;
}
/* Login failed. Pass through the error message to client.
If the backend server isn't Dovecot, the error message may
be different from Dovecot's "user doesn't exist" error. This
would allow an attacker to find out what users exist in the
system.
The optimal way to handle this would be to replace the
backend's "password failed" error message with Dovecot's
AUTH_FAILED_MSG, but this would require a new setting and
the sysadmin to actually bother setting it properly.
So for now we'll just forward the error message. This
shouldn't be a real problem since of course everyone will
be using only Dovecot as their backend :) */
if (strncmp(line, "-ERR ", 5) != 0) {
client_send_line(client, CLIENT_CMD_REPLY_AUTH_FAILED,
AUTH_FAILED_MSG);
} else {
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
}
if (client->set->verbose_auth) {
if (strncmp(line, "-ERR ", 5) == 0)
line += 5;
client_proxy_log_failure(client, line);
}
client_proxy_failed(client, FALSE);
return -1;
}
static int proxy_send_login(struct pop3_client *client, struct ostream *output)
{
struct dsasl_client_settings sasl_set;
const unsigned char *sasl_output;
size_t len;
const char *mech_name, *error;
string_t *str = t_str_new(128);
i_assert(client->common.proxy_ttl > 1);
if (client->proxy_xclient &&
!client->common.proxy_not_trusted) {
string_t *fwd = t_str_new(128);
for(const char *const *ptr = client->common.auth_passdb_args;*ptr != NULL; ptr++) {
if (strncasecmp(*ptr, "forward_", 8) == 0) {
if (str_len(fwd) > 0)
str_append_c(fwd, '\t');
str_append_tabescaped(fwd, (*ptr)+8);
}
}
str_printfa(str, "XCLIENT ADDR=%s PORT=%u SESSION=%s TTL=%u",
net_ip2addr(&client->common.ip),
client->common.remote_port,
client_get_session_id(&client->common),
client->common.proxy_ttl - 1);
if (str_len(fwd) > 0) {
str_append(str, " FORWARD=");
base64_encode(str_data(fwd), str_len(fwd), str);
}
str_append(str, "\r\n");
/* remote supports XCLIENT, send it */
o_stream_nsend(output, str_data(str), str_len(str));
client->proxy_state = POP3_PROXY_XCLIENT;
} else {
client->proxy_state = POP3_PROXY_LOGIN1;
}
str_truncate(str, 0);
if (client->common.proxy_mech == NULL) {
/* send USER command */
str_append(str, "USER ");
str_append(str, client->common.proxy_user);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
}
i_assert(client->common.proxy_sasl_client == NULL);
i_zero(&sasl_set);
sasl_set.authid = client->common.proxy_master_user != NULL ?
client->common.proxy_master_user : client->common.proxy_user;
sasl_set.authzid = client->common.proxy_user;
sasl_set.password = client->common.proxy_password;
client->common.proxy_sasl_client =
dsasl_client_new(client->common.proxy_mech, &sasl_set);
mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
str_printfa(str, "AUTH %s ", mech_name);
if (dsasl_client_output(client->common.proxy_sasl_client,
&sasl_output, &len, &error) < 0) {
client_log_err(&client->common, t_strdup_printf(
"proxy: SASL mechanism %s init failed: %s",
mech_name, error));
return -1;
}
if (len == 0)
str_append_c(str, '=');
else
base64_encode(sasl_output, len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
proxy_free_password(&client->common);
if (client->proxy_state != POP3_PROXY_XCLIENT)
client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
}
int pop3_proxy_parse_line(struct client *client, const char *line)
{
struct pop3_client *pop3_client = (struct pop3_client *)client;
struct ostream *output;
enum login_proxy_ssl_flags ssl_flags;
i_assert(!client->destroyed);
output = login_proxy_get_ostream(client->login_proxy);
switch (pop3_client->proxy_state) {
case POP3_PROXY_BANNER:
/* this is a banner */
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote returned invalid banner: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
pop3_client->proxy_xclient =
strncmp(line+3, " [XCLIENT]", 10) == 0;
ssl_flags = login_proxy_get_ssl_flags(client->login_proxy);
if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0) {
if (proxy_send_login(pop3_client, output) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
} else {
o_stream_nsend_str(output, "STLS\r\n");
pop3_client->proxy_state = POP3_PROXY_STARTTLS;
}
return 0;
case POP3_PROXY_STARTTLS:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote STLS failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
if (login_proxy_starttls(client->login_proxy) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
/* i/ostreams changed. */
output = login_proxy_get_ostream(client->login_proxy);
if (proxy_send_login(pop3_client, output) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
return 1;
case POP3_PROXY_XCLIENT:
if (strncmp(line, "+OK", 3) != 0) {
client_log_err(client, t_strdup_printf(
"proxy: Remote XCLIENT failed: %s",
str_sanitize(line, 160)));
client_proxy_failed(client, TRUE);
return -1;
}
pop3_client->proxy_state = client->proxy_sasl_client == NULL ?
POP3_PROXY_LOGIN1 : POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN1:
i_assert(client->proxy_sasl_client == NULL);
if (strncmp(line, "+OK", 3) != 0)
break;
/* USER successful, send PASS */
o_stream_nsend_str(output, t_strdup_printf(
"PASS %s\r\n", client->proxy_password));
proxy_free_password(client);
pop3_client->proxy_state = POP3_PROXY_LOGIN2;
return 0;
case POP3_PROXY_LOGIN2:
if (strncmp(line, "+ ", 2) == 0 &&
client->proxy_sasl_client != NULL) {
/* continue SASL authentication */
if (pop3_proxy_continue_sasl_auth(client, output,
line+2) < 0) {
client_proxy_failed(client, TRUE);
return -1;
}
return 0;
}
if (strncmp(line, "+OK", 3) != 0)
break;
/* Login successful. Send this line to client. */
line = t_strconcat(line, "\r\n", NULL);
o_stream_nsend_str(client->output, line);
client_proxy_finish_destroy_client(client);
return 1;
case POP3_PROXY_STATE_COUNT:
i_unreached();
}
/* Login failed. Pass through the error message to client.
If the backend server isn't Dovecot, the error message may
be different from Dovecot's "user doesn't exist" error. This
would allow an attacker to find out what users exist in the
system.
The optimal way to handle this would be to replace the
backend's "password failed" error message with Dovecot's
AUTH_FAILED_MSG, but this would require a new setting and
the sysadmin to actually bother setting it properly.
So for now we'll just forward the error message. This
shouldn't be a real problem since of course everyone will
be using only Dovecot as their backend :) */
if (strncmp(line, "-ERR ", 5) != 0) {
client_send_reply(client, POP3_CMD_REPLY_ERROR,
AUTH_FAILED_MSG);
} else {
client_send_raw(client, t_strconcat(line, "\r\n", NULL));
}
if (client->set->auth_verbose) {
if (strncmp(line, "-ERR ", 5) == 0)
line += 5;
client_proxy_log_failure(client, line);
}
client->proxy_auth_failed = TRUE;
client_proxy_failed(client, FALSE);
return -1;
}
static int proxy_send_login(struct pop3_client *client, struct ostream *output)
{
struct dsasl_client_settings sasl_set;
const unsigned char *sasl_output;
unsigned int len;
const char *mech_name, *error;
string_t *str;
i_assert(client->common.proxy_ttl > 1);
if (client->proxy_xclient &&
!client->common.proxy_not_trusted) {
/* remote supports XCLIENT, send it */
o_stream_nsend_str(output, t_strdup_printf(
"XCLIENT ADDR=%s PORT=%u SESSION=%s TTL=%u\r\n",
net_ip2addr(&client->common.ip),
client->common.remote_port,
client_get_session_id(&client->common),
client->common.proxy_ttl - 1));
client->common.proxy_state = POP3_PROXY_XCLIENT;
} else {
client->common.proxy_state = POP3_PROXY_LOGIN1;
}
str = t_str_new(128);
if (client->common.proxy_mech == NULL) {
/* send USER command */
str_append(str, "USER ");
str_append(str, client->common.proxy_user);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
return 0;
}
i_assert(client->common.proxy_sasl_client == NULL);
memset(&sasl_set, 0, sizeof(sasl_set));
sasl_set.authid = client->common.proxy_master_user != NULL ?
client->common.proxy_master_user : client->common.proxy_user;
sasl_set.authzid = client->common.proxy_user;
sasl_set.password = client->common.proxy_password;
client->common.proxy_sasl_client =
dsasl_client_new(client->common.proxy_mech, &sasl_set);
mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
str_printfa(str, "AUTH %s ", mech_name);
if (dsasl_client_output(client->common.proxy_sasl_client,
&sasl_output, &len, &error) < 0) {
client_log_err(&client->common, t_strdup_printf(
"proxy: SASL mechanism %s init failed: %s",
mech_name, error));
return -1;
}
if (len == 0)
str_append_c(str, '=');
else
base64_encode(sasl_output, len, str);
str_append(str, "\r\n");
o_stream_nsend(output, str_data(str), str_len(str));
proxy_free_password(&client->common);
if (client->common.proxy_state != POP3_PROXY_XCLIENT)
client->common.proxy_state = POP3_PROXY_LOGIN2;
return 0;
}
