Marco Aurelio Monteiro wrote:
Hello!

In SMTP.pm around line 204 there is a regular expression that checks what authentication methods should be displayed after an EHLO command. If the registered hook is called "auth" (with nothing after, like auth-plain or auth-login) it displays all authentication methods, considering it a "polymorphous auth provider". In the tls plugin, the last line ("*hook_helo = *hook_data = *hook_rcpt = *hook_mail = *hook_auth = \&bad_ssl_hook;") connects the function bad_ssl_hook to the "auth" hook unconditionally, trying to follow RFC2487 secn 5.1, turning on all authentication methods. It caused some strange behavior when working with other authentication plugins. Patch attached. BTW, we are returning a 550 error after TLS negotiation fails, while RFC2487 suggests a 554 return code. Should I describe this return code at Constants.pm?

Thanks.
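The mechanism-advertising behaviour described in the mail, as an added, stand-alone Perl illustration (not qpsmtpd code and not the SMTP.pm regex itself): the hook-name convention, the regex `^auth(?:-(\S+))?$`, the mechanism list and the `register_hook` / `advertised_auth` helpers are all assumptions modelled on the description above. Scenario 1 registers a bare "auth" hook unconditionally, as the old glob assignment did, and every mechanism is advertised even though only PLAIN has a provider; scenario 2 registers it only when negotiation has failed, so a healthy session advertises just PLAIN.

```perl
#!/usr/bin/perl
# Added illustration, not qpsmtpd code: a toy model of how an EHLO
# responder could derive the AUTH mechanisms to advertise from the names
# of registered hooks. Regex, hook names and mechanism list are assumptions.
use strict;
use warnings;

# Registry: hook name => list of handler names (constructed sample data).
my %hooks;

sub register_hook {
    my ($hook, $handler) = @_;
    push @{ $hooks{$hook} }, $handler;
}

# Assumed convention: "auth-<mech>" provides one mechanism, while a bare
# "auth" hook is a polymorphous provider taken to support every mechanism.
my @all_mechs = qw(PLAIN LOGIN CRAM-MD5);

sub advertised_auth {
    my %seen;
    for my $hook (sort keys %hooks) {
        my ($mech) = $hook =~ /^auth(?:-(\S+))?$/ or next;
        if (defined $mech) {
            $seen{ uc $mech } = 1;          # one specific mechanism
        } else {
            $seen{$_} = 1 for @all_mechs;   # bare "auth" => everything
        }
    }
    return sort keys %seen;
}

# Scenario 1: an auth plugin registers auth-plain, and a tls-style plugin
# registers a bare "auth" hook unconditionally on every connection.
register_hook('auth-plain', 'auth_plain');
register_hook('auth',       'bad_ssl_hook');
print "unconditional tls hook: ", join(' ', advertised_auth()), "\n";

# Scenario 2: the tls-style hook is registered only once STARTTLS has
# actually failed on this connection (constructed: here it succeeded).
%hooks = ();
register_hook('auth-plain', 'auth_plain');
my $ssl_failed = 0;
register_hook('auth', 'bad_ssl_hook') if $ssl_failed;
print "conditional tls hook:   ", join(' ', advertised_auth()), "\n";
```

Run it with `perl`; the first line lists all three mechanisms and the second lists PLAIN alone, which is the difference between the unconditional glob assignment and registering the refusal hook only from the failure branch.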
return ( DENY , "5.5.4 command refused due to lack of security" );

If other auth plugins are confused, doesn't qpsmtpd ignore
them after it receives a DENY from any hook? Would the client
be confused by--"550 5.5.4 command refused...security"?

when I get a plugin working I go back and add detail--

return ( OK , "2.5.2 cannot verify user but will attempt delivery" );

return ( DENYSOFT , "4.7.1 delivery not authorized" );

return ( DENYSOFT , "4.4.3 directory server temporarily unavailable" );

return ( DENY , "5.2.0 User moved permanently " . $msg_id );

-Bob

------------------------------------------------------------------------

--- tls.orig    Wed Aug  3 13:54:10 2005
+++ tls Wed Aug  3 14:34:49 2005
@@ -107,6 +107,11 @@
         # SSL setup failed. Now we must respond to every command with 5XX
         warn("TLS failed: [EMAIL PROTECTED]");
         $transaction->notes('ssl_failed', 1);
+       $self->register_hook('helo', 'bad_ssl_hook');
+       $self->register_hook('data', 'bad_ssl_hook');
+       $self->register_hook('rcpt', 'bad_ssl_hook');
+       $self->register_hook('mail', 'bad_ssl_hook');
+       $self->register_hook('auth', 'bad_ssl_hook');
         return DENY, "TLS Negotiation Failed";
     }
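Review bot: the five `register_hook` calls sit inside the failure branch and run again on every connection whose STARTTLS fails, and nothing in the hunk stops the same handler from being appended a second time if this plugin object outlives a single connection; guard the block with a per-object flag (a plain hash key such as `$self->{bad_ssl_hooks_installed}` would do) or add a comment stating that the hook list is per-connection. While touching this branch, the reply text could carry the enhanced status proposed in the thread, `"5.5.4 command refused due to lack of security"`, and the open question of whether DENY's 550 should be 554 for RFC 2487 applies equally to the `return DENY, "TLS Negotiation Failed";` line here.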
@@ -140,7 +145,5 @@
 # Fulfill RFC 2487 secn 5.1
 sub bad_ssl_hook {
     my ($self, $transaction) = @_;
-    return DENY, "Command refused due to lack of security" if 
$transaction->notes('ssl_failed');
-    return DECLINED;
+    return DENY, "Command refused due to lack of security";
 }
-*hook_helo = *hook_data = *hook_rcpt = *hook_mail = *hook_auth = 
\&bad_ssl_hook;
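Review bot: with the `$transaction->notes('ssl_failed')` condition and the `return DECLINED;` fallthrough removed, `bad_ssl_hook` now denies unconditionally, so its correctness rests entirely on the hook only ever being registered from the failure path; keeping the note check as defence in depth costs one line, prevents a stray registration from refusing commands on a session whose TLS succeeded, and keeps the `# Fulfill RFC 2487 secn 5.1` comment accurate in every case. Dropping the `*hook_helo = ... = \&bad_ssl_hook;` glob assignment is what stops the plugin from looking like a polymorphous `auth` provider, so this hunk is the actual fix for the advertising problem described in the mail and deserves a short comment saying so.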
