Patch by Robert Scheck <robert@fedoraproject.org> for Zarafa <= 7.1.11 which enhances my earlier
this year implemented "disable_plaintext_auth" feature (new option in Zarafa >= 7.1.10 to disable
all plaintext authentications unless SSL/TLS is used), https://jira.zarafa.com/browse/ZCP-12142
contains the initial implementation and a more verbose feature description.
Given that there are unfortunately still Zarafa systems around using saslauthd without pam_mapi
but rimap instead the "disable_plaintext_auth" feature prevents them from enabling this option as
rimap doesn't support SSL/TLS; https://jira.zarafa.com/browse/ZCP-12473 contains an example report
by a Zarafa customer. Thus this patch adds an exception if the source IPv4 address is "127.0.0.1"
and allows a cleartext authentication even if "disable_plaintext_auth" is enabled. It was a design
decision to check only for 127.0.0.1/32 rather 127.0.0.0/8 because there seem to be systems where
the loopback network except 127.0.0.1/32 is routable?!
Important: The technical implementation of this patch might be not perfect as I am not really a C/
C++ developer. There should be a code review by an experienced C/C++ developer before merging into
Zarafa core.
Proposed to upstream via e-mail on Thu, 16 Oct 2014 00:00:05 +0200, patch was put into the upstream
ticket https://jira.zarafa.com/browse/ZCP-12473.
--- zarafa-7.1.11/gateway/IMAP.cpp 2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost 2014-09-24 01:29:10.000000000 +0200
@@ -757,7 +757,7 @@
if (!lpChannel->UsingSsl() && lpChannel->sslctx())
strCapabilities += " STARTTLS";
|
- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0)
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0)
strCapabilities += " LOGINDISABLED";
else
strCapabilities += " AUTH=PLAIN";
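Review bot: The five-term condition on the `+` line is now repeated verbatim in six places (this hunk, the @@ -923 and @@ -1002 hunks in IMAP.cpp, and all three hunks in POP3.cpp), so any later change to the loopback rule has to be made six times and the capability advertisement can drift from the actual AUTHENTICATE/LOGIN refusal. Factoring the expression into one helper, e.g. a `static bool PlaintextAuthDisallowed(...)` taking `lpChannel` and `plain` and returning the full condition, would keep the six call sites in step. If `GetIPAddress()` returns a `std::string` (the `.c_str()` call suggests so, but the declaration is not in the patch), `lpChannel->GetIPAddress() != "127.0.0.1"` also reads more directly than `strcmp` on `.c_str()`. The enclosing function starts and ends outside the hunk.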
@@ -923,7 +923,7 @@
char *plain = lpConfig->GetSetting("disable_plaintext_auth");
|
// If plaintext authentication was disabled any authentication attempt must be refused very soon
- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure "
"(SSL/TLS) connections.");
if (hr2 != hrSuccess)
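Review bot: The comment kept above the changed `if` still says "any authentication attempt must be refused", but the new condition exempts a peer address of 127.0.0.1, so the comment now contradicts the code it describes; the same applies to the comment in the @@ -1002 hunk. Suggest replacing it with `// disable_plaintext_auth: refuse now unless the peer is 127.0.0.1 (local saslauthd/rimap); note that anything relayed through a local forwarder or proxy also arrives as 127.0.0.1.` The second half matters for operators: the exemption trusts the address, not saslauthd specifically, so a locally terminated tunnel or reverse proxy is inside the exempted set too, which the manual.xml wording does not mention. The enclosing function starts and ends outside the hunk.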
@@ -1002,7 +1002,7 @@
}
|
// If plaintext authentication was disabled any login attempt must be refused very soon
- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
hr2 = HrResponse(RESP_UNTAGGED, "BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client "
"did it anyway. If anyone was listening, the password was exposed.");
if (hr2 != hrSuccess)
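Review bot: The exemption on the `+` line is a textual comparison with "127.0.0.1", so if the gateway is bound to an IPv6 socket and `GetIPAddress()` renders a loopback peer as `::1` or `::ffff:127.0.0.1` (not visible in the patch; it depends on how the channel formats the address), the saslauthd/rimap case this patch targets is still refused. That direction is fail-closed and does not weaken `disable_plaintext_auth`, but it would make the feature silently not work on dual-stack hosts. Worth confirming the address format the channel produces, or stating in a comment that only an IPv4 peer address of exactly 127.0.0.1 is recognised, which is consistent with the /32-only decision in the patch description. The enclosing function starts and ends outside the hunk.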
--- zarafa-7.1.11/gateway/POP3.cpp 2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/gateway/POP3.cpp.plaintext_auth_localhost 2014-09-24 01:30:41.000000000 +0200
@@ -320,7 +320,7 @@
if (!lpChannel->UsingSsl() && lpChannel->sslctx())
strCapabilities += "STLS\r\n";
|
- if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0))
+ if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0))
strCapabilities += "USER\r\n";
}
|
@@ -402,7 +402,7 @@
HRESULT hr = hrSuccess;
char *plain = lpConfig->GetSetting("disable_plaintext_auth");
|
- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections");
lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s with username \"%s\" (tried to use disallowed plaintext auth)",
lpChannel->GetIPAddress().c_str(), strUser.c_str());
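Review bot: Unlike the IMAP.cpp hunks, neither this POP3 check nor the one in the @@ -431 hunk carries any comment explaining why a peer address of 127.0.0.1 bypasses `disable_plaintext_auth`; a reader of this file alone will take the extra `strcmp` for a mistake. Suggest the same one-line comment above both `if` statements: `// disable_plaintext_auth: refuse unless the peer is 127.0.0.1 (local saslauthd/rimap), see doc/manual.xml`. The log call in the refusal branch already records the peer address, but an exempted loopback plaintext login leaves no trace here; if such logins need to be auditable, a debug-level log of the exemption would belong at the same point. The enclosing function starts and ends outside the hunk.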
@@ -431,7 +431,7 @@
HRESULT hr = hrSuccess;
char *plain = lpConfig->GetSetting("disable_plaintext_auth");
|
- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections");
if(szUser.empty())
lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s without username (tried to use disallowed "
--- zarafa-7.1.11/doc/manual.xml 2014-09-03 09:56:28.000000000 +0200
+++ zarafa-7.1.11/doc/manual.xml.plaintext_auth_localhost 2014-10-15 01:22:14.000000000 +0200
@@ -8024,7 +8024,9 @@
<term><option>disable_plaintext_auth</option></term>
<listitem>
<para>Disable all plaintext POP3 and IMAP authentications unless
- SSL/TLS is used. Obviously this requires at least
+ SSL/TLS is used (except for connections originating from
+ <replaceable>127.0.0.1</replaceable> to allow saslauthd with rimap).
+ Obviously enabling this configuration option requires at least
<replaceable>ssl_private_key_file</replaceable> and
<replaceable>ssl_certificate_file</replaceable> to take effect.</para>
<para>Default: <replaceable>no</replaceable></para>