Tree - rpms/zarafa - src.fedoraproject.org

rpms / zarafa

Overview Files Commits Branches Forks Releases
Monitoring status:

Orphaned for:
Take
Bugzilla Assignee:

Fedora:: orphan
EPEL:: robert
Files

Blob Blame History Raw
Patch by Robert Scheck <robert@fedoraproject.org> for Zarafa <= 7.1.11 which enhances my earlier
this year implemented "disable_plaintext_auth" feature (new option in Zarafa >= 7.1.10 to disable
all plaintext authentications unless SSL/TLS is used), https://jira.zarafa.com/browse/ZCP-12142
contains the initial implementation and a more verbose feature description.

Given that there are unfortunately still Zarafa systems around using saslauthd without pam_mapi
but rimap instead the "disable_plaintext_auth" feature prevents them from enabling this option as
rimap doesn't support SSL/TLS; https://jira.zarafa.com/browse/ZCP-12473 contains an example report
by a Zarafa customer. Thus this patch adds an exception if the source IPv4 address is "127.0.0.1"
and allows even if "disable_plaintext_auth" is enabled a cleartext authentication. It was a design
decision to check only for 127.0.0.1/32 rather 127.0.0.0/8 because there seem to be systems where
the loopback network except 127.0.0.1/32 is routable?!

Important: The technical implementation of this patch might be not perfect as I am not really a C/
C++ developer. There should be a code review by an experienced C/C++ developer before merging into
Zarafa core.

Proposed to upstream via e-mail on Thu, 16 Oct 2014 00:00:05 +0200, patch was put into the upstream
ticket https://jira.zarafa.com/browse/ZCP-12473.

--- zarafa-7.1.11/gateway/IMAP.cpp				2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost	2014-09-24 01:29:10.000000000 +0200
@@ -757,7 +757,7 @@
 		if (!lpChannel->UsingSsl() && lpChannel->sslctx())
 			strCapabilities += " STARTTLS";
 
-		if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0)
+		if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0)
 			strCapabilities += " LOGINDISABLED";
 		else
 			strCapabilities += " AUTH=PLAIN";
@@ -923,7 +923,7 @@
 	char *plain = lpConfig->GetSetting("disable_plaintext_auth");
 
 	// If plaintext authentication was disabled any authentication attempt must be refused very soon
-	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
 		hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure "
 							 "(SSL/TLS) connections.");
 		if (hr2 != hrSuccess)
@@ -1002,7 +1002,7 @@
 	}	
 
 	// If plaintext authentication was disabled any login attempt must be refused very soon
-	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
 		hr2 = HrResponse(RESP_UNTAGGED, "BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client "
 						"did it anyway. If anyone was listening, the password was exposed.");
 		if (hr2 != hrSuccess)
--- zarafa-7.1.11/gateway/POP3.cpp				2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/gateway/POP3.cpp.plaintext_auth_localhost	2014-09-24 01:30:41.000000000 +0200
@@ -320,7 +320,7 @@
 		if (!lpChannel->UsingSsl() && lpChannel->sslctx())
 			strCapabilities += "STLS\r\n";
 
-		if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0))
+		if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0))
 			strCapabilities += "USER\r\n";
 	}
 
@@ -402,7 +402,7 @@
 	HRESULT hr = hrSuccess;
 	char *plain = lpConfig->GetSetting("disable_plaintext_auth");
 
-	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
 		hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections");
 		lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s with username \"%s\" (tried to use disallowed plaintext auth)",
 					  lpChannel->GetIPAddress().c_str(), strUser.c_str());
@@ -431,7 +431,7 @@
 	HRESULT hr = hrSuccess;
 	char *plain = lpConfig->GetSetting("disable_plaintext_auth");
 
-	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) {
+	if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) {
 		hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections");
 		if(szUser.empty())
 			lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s without username (tried to use disallowed "
--- zarafa-7.1.11/doc/manual.xml				2014-09-03 09:56:28.000000000 +0200
+++ zarafa-7.1.11/doc/manual.xml.plaintext_auth_localhost	2014-10-15 01:22:14.000000000 +0200
@@ -8024,7 +8024,9 @@
 			<term><option>disable_plaintext_auth</option></term>
 			<listitem>
 			  <para>Disable all plaintext POP3 and IMAP authentications unless
-			  SSL/TLS is used. Obviously this requires at least
+			  SSL/TLS is used (except for connections originating from
+			  <replaceable>127.0.0.1</replaceable> to allow saslauthd with rimap).
+			  Obviously enabling this configuration option requires at least
 			  <replaceable>ssl_private_key_file</replaceable> and
 			  <replaceable>ssl_certificate_file</replaceable> to take effect.</para>
 			  <para>Default: <replaceable>no</replaceable></para>
rpms / zarafa

Source Code

Files
