[PATCH] Mail: send starttls flag value to auth script
Maxim Dounin
mdounin at mdounin.ru
Thu Mar 6 16:27:18 UTC 2014
Hello!
On Thu, Mar 06, 2014 at 10:59:29AM +0100, Filipe da Silva wrote:
> # HG changeset patch
> # User Filipe da Silva <fdasilvayy at gmail.com>
> # Date 1394099468 -3600
> # Thu Mar 06 10:51:08 2014 +0100
> # Node ID 51fd90f96449c23af0076a19efbfdb1f88702125
> # Parent 24df9fa5868957c1fb9a2d1569271e0958327dad
> Mail: send starttls flag value to auth script.
>
> Allow to do logging (if logging takes place in the auth script) and/or force
> some users to use STARTTLS while others can use unencrypted connection.
>
> diff -r 24df9fa58689 -r 51fd90f96449 src/mail/ngx_mail_auth_http_module.c
> --- a/src/mail/ngx_mail_auth_http_module.c Thu Mar 06 10:51:08 2014 +0100
> +++ b/src/mail/ngx_mail_auth_http_module.c Thu Mar 06 10:51:08 2014 +0100
> @@ -1165,6 +1165,9 @@ ngx_mail_auth_http_create_request(ngx_ma
> + sizeof("Auth-Salt: ") - 1 + s->salt.len
> + sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len
> + sizeof(CRLF) - 1
> +#if (NGX_MAIL_SSL)
> + + sizeof("Auth-STARTTLS: ") - 1 + 1 + sizeof(CRLF) - 1
> +#endif
> + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN
> + sizeof(CRLF) - 1
> + sizeof("Client-IP: ") - 1 + s->connection->addr_text.len
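Review bot: the bare `+ 1` in the added length term `sizeof("Auth-STARTTLS: ") - 1 + 1 + sizeof(CRLF) - 1` is an unexplained constant that has to stay in step with the single '0'/'1' byte written by the second hunk. A short comment saying it reserves one character for the flag value would make that dependency visible, so that a later change to the value format (for example a longer string) is not made without also growing the buffer size computed here. Keeping both the reservation and the write under the same `#if (NGX_MAIL_SSL)` guard is right and should stay that way.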
> @@ -1219,6 +1222,13 @@ ngx_mail_auth_http_create_request(ngx_ma
> cscf->protocol->name.len);
> *b->last++ = CR; *b->last++ = LF;
>
> +#if (NGX_MAIL_SSL)
> + b->last = ngx_cpymem(b->last, "Auth-STARTTLS: ",
> + sizeof("Auth-STARTTLS: ") - 1);
> + *b->last++ = s->starttls ? '1' : '0' ;
> + *b->last++ = CR; *b->last++ = LF;
> +#endif
> +
> b->last = ngx_sprintf(b->last, "Auth-Login-Attempt: %ui" CRLF,
> s->login_attempt);
>
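Review bot: the `#if (NGX_MAIL_SSL)` guard around the new header means the auth script sees three states, "Auth-STARTTLS: 1", "Auth-STARTTLS: 0", and no header at all in builds without NGX_MAIL_SSL, and the patch documents none of them. A script that uses this header to force some users onto encrypted connections has to treat a missing header as "not encrypted", so either emit the header unconditionally with '0' when SSL support is compiled out, or state the absent-header case in the documentation. The value is also taken from `s->starttls` alone, so the change should say what the script receives for a session that is encrypted by other means than STARTTLS. Style: drop the stray space before the semicolon in `*b->last++ = s->starttls ? '1' : '0' ;`.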
I don't think that it's a good idea to pass STARTTLS into auth
script. If at all needed, it should be something like a flag "if
SSL is used", not an explicit STARTTLS status. From auth script
point of view there is no difference if a connection uses SSL on a
dedicated port or encryption was negotiated using STARTTLS.
--
Maxim Dounin
http://nginx.org/