[PATCH] Mail: send starttls flag value to auth script

Michael Kliewe info at phpgangsta.de
Thu Jul 31 02:32:16 UTC 2014


Hi Maxim,

this is very interesting to have in nginx, and it's a very easy patch. 
Any chance this gets into nginx? It helps a lot to migrate users to 
encrypted mail connections, allowing some users to still use unencrypted 
connections, and log in the auth script which user already uses 
encrypted connections.

It would be great if you could add it to nginx.

Thanks!
Michael

Am 19.06.2014 um 22:10 schrieb Filipe Da Silva:
> Hi,
>
> I forget to post the reworked version.
>
> Here is it.
>
> Regards,
> Filipe DA SILVA
>
> # HG changeset patch
> # Parent b2b5b1b741290adf60220f44f6e37cd8bd9d3885
> Mail: send a secure connection flag to auth script.
>
> Allow to do logging (if logging takes place in the auth script) and or force
> some users to use STARTTLS while others can use unencrypted connection.
>
> diff -r b2b5b1b74129 src/mail/ngx_mail_auth_http_module.c
> --- a/src/mail/ngx_mail_auth_http_module.c    Fri Mar 07 15:17:38 2014 +0400
> +++ b/src/mail/ngx_mail_auth_http_module.c    Wed Mar 12 15:49:21 2014 +0100
> @@ -1165,6 +1165,9 @@ ngx_mail_auth_http_create_request(ngx_ma
>             + sizeof("Auth-Salt: ") - 1 + s->salt.len
>             + sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len
>                   + sizeof(CRLF) - 1
> +#if (NGX_MAIL_SSL)
> +          + sizeof("Auth-Secured: ") - 1 + 1 + sizeof(CRLF) - 1
> +#endif
>             + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN
>                   + sizeof(CRLF) - 1
>             + sizeof("Client-IP: ") - 1 + s->connection->addr_text.len
> @@ -1219,6 +1222,13 @@ ngx_mail_auth_http_create_request(ngx_ma
>                            cscf->protocol->name.len);
>       *b->last++ = CR; *b->last++ = LF;
>
> +#if (NGX_MAIL_SSL)
> +    b->last = ngx_cpymem(b->last, "Auth-Secured: ",
> +                         sizeof("Auth-Secured: ") - 1);
> +    *b->last++ = s->connection->ssl ? '1' : '0' ;
> +    *b->last++ = CR; *b->last++ = LF;
> +#endif
> +
>       b->last = ngx_sprintf(b->last, "Auth-Login-Attempt: %ui" CRLF,
>                             s->login_attempt);
>
>
>
>
> 2014-03-06 18:03 GMT+01:00 Michael Kliewe <info at phpgangsta.de>:
>> Hi Maxim,
>>
>> On Mar 6, 2014, at 5:27 PM, Maxim Dounin wrote:
>>
>>> Hello!
>>>
>>> On Thu, Mar 06, 2014 at 10:59:29AM +0100, Filipe da Silva wrote:
>>>
>>>> # HG changeset patch
>>>> # User Filipe da Silva <fdasilvayy at gmail.com>
>>>> # Date 1394099468 -3600
>>>> #      Thu Mar 06 10:51:08 2014 +0100
>>>> # Node ID 51fd90f96449c23af0076a19efbfdb1f88702125
>>>> # Parent  24df9fa5868957c1fb9a2d1569271e0958327dad
>>>> Mail: send starttls flag value to auth script.
>>>>
>>>> Allow to do logging (if logging takes place in the auth script) and or force
>>>> some users to use STARTTLS while others can use unencrypted connection.
>>>>
>>> I don't think that it's a good idea to pass STARTTLS into auth
>>> script.  If at all needed, it should be something like a flag "if
>>> SSL is used", not an explicit STARTTLS status.  From auth script
>>> point of view there is no difference if a connection uses SSL on a
>>> dedicated port or encryption was negotiated using STARTLS.
>> yes, it is needed ;-)
>>
>> You are right, that would also be possible, the auth script then can check which port has been used, and then has the information if it has been STARTTLS or SSL. In our case we want to distinguish between STARTTLS and SSL in the auth script.
>>
>> Both solutions are fine I think, so let's take Maxims ;-) (Sorry Filipe for the extra work)
>>
>> Hope this easy patch gets into nginx then, we need it ;-)
>>
>> Thanks!
>> Michael
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>>
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140731/42e7da86/attachment-0001.html>


More information about the nginx-devel mailing list