[PATCH] Mail: send starttls flag value to auth script

Maxim Dounin mdounin at mdounin.ru
Thu Mar 6 16:27:18 UTC 2014


Hello!

On Thu, Mar 06, 2014 at 10:59:29AM +0100, Filipe da Silva wrote:

> # HG changeset patch
> # User Filipe da Silva <fdasilvayy at gmail.com>
> # Date 1394099468 -3600
> #      Thu Mar 06 10:51:08 2014 +0100
> # Node ID 51fd90f96449c23af0076a19efbfdb1f88702125
> # Parent  24df9fa5868957c1fb9a2d1569271e0958327dad
> Mail: send starttls flag value to auth script.
> 
> Allows logging (if logging takes place in the auth script) and/or forcing
> some users to use STARTTLS while others can use unencrypted connections.
> 
> diff -r 24df9fa58689 -r 51fd90f96449 src/mail/ngx_mail_auth_http_module.c
> --- a/src/mail/ngx_mail_auth_http_module.c	Thu Mar 06 10:51:08 2014 +0100
> +++ b/src/mail/ngx_mail_auth_http_module.c	Thu Mar 06 10:51:08 2014 +0100
> @@ -1165,6 +1165,9 @@ ngx_mail_auth_http_create_request(ngx_ma
>            + sizeof("Auth-Salt: ") - 1 + s->salt.len
>            + sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len
>                  + sizeof(CRLF) - 1
> +#if (NGX_MAIL_SSL)
> +          + sizeof("Auth-STARTTLS: ") - 1 + 1 + sizeof(CRLF) - 1
> +#endif
>            + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN
>                  + sizeof(CRLF) - 1
>            + sizeof("Client-IP: ") - 1 + s->connection->addr_text.len
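
Review bot: The `#if (NGX_MAIL_SSL)` guard around the new size term means an nginx built without SSL support sends no `Auth-STARTTLS` header at all rather than `Auth-STARTTLS: 0`, so the auth_http protocol documentation and the commit message should name the new header and state that its absence means "no STARTTLS", otherwise a script that requires the header will break on non-SSL builds. The bookkeeping itself matches the write in the next hunk (prefix, one character for `'0'`/`'1'`, CRLF), so the buffer size is correct under the same guard.
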
> @@ -1219,6 +1222,13 @@ ngx_mail_auth_http_create_request(ngx_ma
>                           cscf->protocol->name.len);
>      *b->last++ = CR; *b->last++ = LF;
>  
> +#if (NGX_MAIL_SSL)
> +    b->last = ngx_cpymem(b->last, "Auth-STARTTLS: ",
> +                         sizeof("Auth-STARTTLS: ") - 1);
> +    *b->last++ = s->starttls ? '1' : '0' ;
> +    *b->last++ = CR; *b->last++ = LF;
> +#endif
> +
>      b->last = ngx_sprintf(b->last, "Auth-Login-Attempt: %ui" CRLF,
>                            s->login_attempt);
>  
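Review bot: The value written here is `s->starttls`, i.e. whether the STARTTLS command was negotiated on this session, not whether the session is encrypted; a client connected on a dedicated SSL port never issues STARTTLS, so a script that uses this header to "force some users to use STARTTLS" would turn away those already-encrypted logins. If a flag is wanted, emit an "is this connection encrypted" value instead, for example derived from `s->connection->ssl` under a name such as `Auth-SSL`, which also covers the STARTTLS case. Style nit: drop the stray space before the semicolon in `*b->last++ = s->starttls ? '1' : '0' ;`.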

I don't think that it's a good idea to pass STARTTLS into the auth 
script.  If at all needed, it should be something like a flag "if 
SSL is used", not an explicit STARTTLS status.  From the auth script's 
point of view there is no difference if a connection uses SSL on a 
dedicated port or encryption was negotiated using STARTTLS.

-- 
Maxim Dounin
http://nginx.org/
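The policy the commit message describes (forcing some users to use STARTTLS while others may log in unencrypted), sketched from the auth script side. This is an added example, not code from the patch or from nginx: it models an auth_http backend that reads the Auth-User, Auth-Pass and Auth-Protocol request headers nginx sends together with the Auth-STARTTLS header this patch proposes, and answers with the Auth-Status, Auth-Server, Auth-Port and Auth-Wait response headers nginx expects. The user table, backend address and function names are constructed for the example, and it is written as plain functions rather than an HTTP server so the decision logic can be run directly.

```python
import hmac

# Constructed sample data for the example: accounts that may only log in
# over an encrypted session, a credential table, and the backend to hand
# authenticated sessions to. A real auth script would use a proper store.
REQUIRE_TLS = {"alice"}
USERS = {"alice": "s3cret", "bob": "hunter2"}
BACKEND_HOST = "10.0.0.5"
BACKEND_PORTS = {"imap": 143, "pop3": 110, "smtp": 25}


def session_encrypted(headers):
    """Interpret the Auth-STARTTLS header proposed in the patch.

    nginx built without NGX_MAIL_SSL sends no such header at all (the whole
    addition sits under #if (NGX_MAIL_SSL)), so absence must mean "not
    encrypted" rather than an error.  Caveat from the reply above: the
    value reflects whether STARTTLS was negotiated, not whether the session
    is encrypted, so a client on a dedicated SSL port is reported as 0 here.
    """
    return headers.get("Auth-STARTTLS", "0").strip() == "1"


def authorize(headers):
    """Return the response headers for one auth_http request from nginx.

    Auth-Status is "OK" on success or a human-readable error; on success
    Auth-Server/Auth-Port tell nginx where to proxy the session, and
    Auth-Wait asks nginx to delay before the client may retry.
    """
    user = headers.get("Auth-User", "")
    password = headers.get("Auth-Pass", "")
    protocol = headers.get("Auth-Protocol", "")

    if user in REQUIRE_TLS and not session_encrypted(headers):
        # Refuse before looking at the password so a plaintext attempt is
        # rejected regardless of whether the credentials were right.
        return {"Auth-Status": "TLS required for this account",
                "Auth-Wait": "3"}

    expected = USERS.get(user, "")
    # Constant-time comparison so the reject path does not leak how much
    # of the password matched.
    if not expected or not hmac.compare_digest(expected.encode(),
                                               password.encode()):
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

    if protocol not in BACKEND_PORTS:
        return {"Auth-Status": "Unsupported protocol"}

    return {"Auth-Status": "OK",
            "Auth-Server": BACKEND_HOST,
            "Auth-Port": str(BACKEND_PORTS[protocol])}
```

A script built this way rejects alice's plaintext login before the password is checked, lets bob in either way, and treats a missing header (nginx compiled without SSL) as unencrypted; it inherits the flaw the reply points out, since a session on a dedicated SSL port would also be refused for alice unless nginx reported encryption rather than STARTTLS negotiation.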


