[PATCH] Mail: send starttls flag value to auth script
Filipe Da Silva
fdasilvayy at gmail.com
Thu Jun 19 20:10:30 UTC 2014
Hi,
I forgot to post the reworked version.
Here it is.
Regards,
Filipe DA SILVA
# HG changeset patch
# Parent b2b5b1b741290adf60220f44f6e37cd8bd9d3885
Mail: send a secure connection flag to auth script.
Allow to do logging (if logging takes place in the auth script) and/or force
some users to use STARTTLS while others can use unencrypted connection.
diff -r b2b5b1b74129 src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c Fri Mar 07 15:17:38 2014 +0400
+++ b/src/mail/ngx_mail_auth_http_module.c Wed Mar 12 15:49:21 2014 +0100
@@ -1165,6 +1165,9 @@ ngx_mail_auth_http_create_request(ngx_ma
+ sizeof("Auth-Salt: ") - 1 + s->salt.len
+ sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len
+ sizeof(CRLF) - 1
+#if (NGX_MAIL_SSL)
+ + sizeof("Auth-Secured: ") - 1 + 1 + sizeof(CRLF) - 1
+#endif
+ sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN
+ sizeof(CRLF) - 1
+ sizeof("Client-IP: ") - 1 + s->connection->addr_text.len
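Review bot: the bare `+ 1` in the added length term `+ sizeof("Auth-Secured: ") - 1 + 1 + sizeof(CRLF) - 1` is an unexplained magic number. It reserves the single '0'/'1' byte that the second hunk writes, but nothing in the code ties the two together. Add a short comment, or size the term from the full literal, for example `sizeof("Auth-Secured: 0" CRLF) - 1`, so that the reserved length and the bytes written stay visibly in step if the value ever becomes longer than one character. An under-reserved length here would let the later write run past the allocated buffer.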
@@ -1219,6 +1222,13 @@ ngx_mail_auth_http_create_request(ngx_ma
cscf->protocol->name.len);
*b->last++ = CR; *b->last++ = LF;
+#if (NGX_MAIL_SSL)
+ b->last = ngx_cpymem(b->last, "Auth-Secured: ",
+ sizeof("Auth-Secured: ") - 1);
+ *b->last++ = s->connection->ssl ? '1' : '0' ;
+ *b->last++ = CR; *b->last++ = LF;
+#endif
+
b->last = ngx_sprintf(b->last, "Auth-Login-Attempt: %ui" CRLF,
s->login_attempt);
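Review bot: the header is written only inside `#if (NGX_MAIL_SSL)`, so a build without mail SSL sends no `Auth-Secured` line at all and the auth script has to handle three states (1, 0, absent) rather than two. Either add an `#else` branch that emits `Auth-Secured: 0` (with the matching length term in the first hunk), or document that a script enforcing encryption for some users must treat a missing header as not secured. The new header and its two values also need a line in the auth protocol documentation. The commit message body still talks about forcing STARTTLS, while `s->connection->ssl ? '1' : '0'` only reports whether the connection is encrypted, so the wording should match the flag. Minor style: drop the space before the semicolon in `*b->last++ = s->connection->ssl ? '1' : '0' ;`.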
2014-03-06 18:03 GMT+01:00 Michael Kliewe <info at phpgangsta.de>:
> Hi Maxim,
>
> On Mar 6, 2014, at 5:27 PM, Maxim Dounin wrote:
>
>> Hello!
>>
>> On Thu, Mar 06, 2014 at 10:59:29AM +0100, Filipe da Silva wrote:
>>
>>> # HG changeset patch
>>> # User Filipe da Silva <fdasilvayy at gmail.com>
>>> # Date 1394099468 -3600
>>> # Thu Mar 06 10:51:08 2014 +0100
>>> # Node ID 51fd90f96449c23af0076a19efbfdb1f88702125
>>> # Parent 24df9fa5868957c1fb9a2d1569271e0958327dad
>>> Mail: send starttls flag value to auth script.
>>>
>>> Allow to do logging (if logging takes place in the auth script) and/or force
>>> some users to use STARTTLS while others can use unencrypted connection.
>>>
>>
>> I don't think that it's a good idea to pass STARTTLS into auth
>> script. If at all needed, it should be something like a flag "if
>> SSL is used", not an explicit STARTTLS status. From auth script
>> point of view there is no difference if a connection uses SSL on a
>> dedicated port or encryption was negotiated using STARTTLS.
>
> yes, it is needed ;-)
>
> You are right, that would also be possible, the auth script then can check which port has been used, and then has the information if it has been STARTTLS or SSL. In our case we want to distinguish between STARTTLS and SSL in the auth script.
>
> Both solutions are fine I think, so let's take Maxim's ;-) (Sorry Filipe for the extra work)
>
> Hope this easy patch gets into nginx then, we need it ;-)
>
> Thanks!
> Michael