[PATCH] Mail: send starttls flag value to auth script

Filipe Da Silva fdasilvayy at gmail.com
Sat Mar 7 10:34:35 UTC 2015


I think that the halfway solution is this one attached:

- when an SSL connection is active: "Auth-SSL: on" (current code status)
- else when it could have been active (using STARTTLS): "Auth-SSL: off"
- else SSL was disabled: there is nothing to send.

Regards,
Filipe DA SILVA.

2015-03-03 17:28 GMT+01:00 Michael Kliewe <info at phpgangsta.de>:
> Hi Maxim,
>
> On Mar 3, 2015, at 4:50 PM, Maxim Dounin wrote:
>
>> Hello!
>>
>> On Tue, Mar 03, 2015 at 03:14:50PM +0100, Michael Kliewe wrote:
>>
>>> Hi again,
>>>
>>> On Mar 2, 2015, at 3:56 PM, Maxim Dounin wrote:
>>>
>>> I'm sorry, I don't really want to repeat my arguments, but as I
>>> said I don't have control over all nginx servers that are used.
>>> Some will be "older", some will be newer. And I cannot force
>>> "them" to introduce the auth_http_header to just send the nginx
>>> version or capability of sending Auth-SSL header or not...
>>
>> If you can't, then just switch off warnings till the update is
>> complete, as already suggested.
>
> That might take months or years, some are out of my control as I said.
> And we are already sending warnings currently because of the patch from Filipe, which works fine.
> I cannot use your modified patch, I still have to patch Filipe's version manually then.
>
>>
>>> Filipe's patch is working fine since > 6 months, it's either
>>> sending 0 or 1. The 0 is an important information and should not
>>> be dropped.
>>>
>>> Can you tell me the disadvantage of sending "off" in case the
>>> connection is unencrypted? I don't really see the problem at the
>>> moment why you don't add the else branch, you are dropping
>>> information that is needed (and that was there in the original
>>> patch)... It's just 3 lines more code and doesn't hurt anybody,
>>> but provides important information to the auth script.
>>
>> As already explained, the problem is that the header will be added
>> forever for all setups, and it will be waste of resources in all
>> these setups.  It will be waste of resources in your setup as well
>> after the transition period.
>
> But you are already adding the header in case it is an encrypted connection, which currently is >90% of all cases, at least here in Germany. If you call that "waste of resources", you are already doing that for 90% of all IMAP/POP3 connections, I'm just asking to do that for the last 10% that are unencrypted (and will fade away during the next years, as more and more providers disallow unencrypted connections).
> I'm just asking for the last 10% of connections, which are the important ones, if you need that feature.
>
> Otherwise I still have to use the patch from Filipe everywhere, because it allows slow migration and distinction between "encrypted", "unencrypted" and "unknown" in the auth script.
>
> If you want to be as efficient as possible, you should send just "AUTH_SSL: off" in case of an unencrypted connection, and no header at all for an encrypted connection. That would be a lot better, because >90% of all IMAP/POP3 connections are encrypted today.
>
> Michael
# HG changeset patch
# Parent  b3dc82de188c6954b5f761d11900309165e77813
Mail: Modify Auth-SSL header to indicate when SSL is not used
when it could be (STARTTLS enabled).

diff -r b3dc82de188c -r 9aecb997009e src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c	Sat Mar 07 10:54:11 2015 +0100
+++ b/src/mail/ngx_mail_auth_http_module.c	Sat Mar 07 11:04:39 2015 +0100
@@ -1244,7 +1244,7 @@ ngx_mail_auth_http_create_request(ngx_ma
           + sizeof("Auth-SMTP-From: ") - 1 + s->smtp_from.len + sizeof(CRLF) - 1
           + sizeof("Auth-SMTP-To: ") - 1 + s->smtp_to.len + sizeof(CRLF) - 1
 #if (NGX_MAIL_SSL)
-          + sizeof("Auth-SSL: on" CRLF) - 1
+          + sizeof("Auth-SSL: off" CRLF) - 1
           + sizeof("Auth-SSL-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1
           + sizeof("Auth-SSL-Subject: ") - 1 + subject.len + sizeof(CRLF) - 1
           + sizeof("Auth-SSL-Issuer: ") - 1 + issuer.len + sizeof(CRLF) - 1
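Review bot: the sizing change in the `+` line is the right one, because only one of "Auth-SSL: on" and "Auth-SSL: off" is ever written and the reservation must cover the longer literal; `sizeof("Auth-SSL: off" CRLF) - 1` leaves one unused byte when "on" is written, which is harmless. The commit message should mention that this reservation is what keeps the later `ngx_cpymem` of "Auth-SSL: off" within the buffer, so the two hunks are not split apart in a future refactor.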
@@ -1383,7 +1383,12 @@ ngx_mail_auth_http_create_request(ngx_ma
             *b->last++ = CR; *b->last++ = LF;
         }
     }
-
+    else if ( s-> starttls )
+    {
+        /* SSL isn't used when it could be.  */
+        b->last = ngx_cpymem(b->last, "Auth-SSL: off" CRLF,
+                             sizeof("Auth-SSL: off" CRLF) - 1);
+    }
 #endif
 
     if (ahcf->header.len) {
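Review bot: the added `else if ( s-> starttls )` line does not follow nginx's brace and spacing style; it should read `} else if (s->starttls) {` with the `else` on the same line as the closing brace of the preceding block, no spaces inside the parentheses and none after `->`, and the opening brace on the condition line rather than on its own line. The removed blank line (the `-` line) was the separator before `#endif` and should be restored after the new block. The comment would be more useful if it stated what "off" tells the auth script, e.g. `/* STARTTLS offered but not used by the client */`, since distinguishing that case from a missing header (SSL compiled out, or an nginx without this change) is the point of the patch.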


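As an added example of the receiving side the thread argues about (example code, not from the thread, from Filipe's patch or from nginx): a minimal auth_http backend that keeps the three states apart, "on", "off" and no header at all, and applies a policy to them. The backend address, port, the plaintext policy and the warning field are assumptions.

```python
# Added example: an nginx mail auth_http backend that consumes the Auth-SSL
# header as the thread describes it:
#   "on"    -> TLS is active on the client connection
#   "off"   -> STARTTLS was offered (starttls enabled) but not used
#   absent  -> nginx built without SSL, or an nginx without this change
from http.server import BaseHTTPRequestHandler, HTTPServer


def tls_state(headers):
    """Map the Auth-SSL header to 'encrypted', 'unencrypted' or 'unknown'."""
    value = headers.get("Auth-SSL")
    if value is None:
        return "unknown"                       # older nginx: cannot tell
    return "encrypted" if value.strip().lower() == "on" else "unencrypted"


def decide(headers, allow_plaintext=False):
    """Return (Auth-Status value, extra response headers) for nginx.

    Assumed policy: logins over an unencrypted connection are refused unless
    allow_plaintext is set; 'unknown' is accepted but flagged so operators
    can find hosts that still run an nginx without the Auth-SSL header.
    """
    state = tls_state(headers)
    user = headers.get("Auth-User", "")
    if state == "unencrypted" and not allow_plaintext:
        # Any Auth-Status other than "OK" is relayed to the mail client.
        return ("Plaintext login not allowed, use STARTTLS", {"Auth-Wait": "3"})
    if not user:
        return ("Invalid login or password", {"Auth-Wait": "3"})
    # Assumed backend address; nginx needs Auth-Server and Auth-Port on success.
    extra = {"Auth-Server": "127.0.0.1", "Auth-Port": "143"}
    if state == "unknown":
        # Constructed, non-nginx header: nginx ignores it, but it shows up
        # in the backend's own logs/metrics for migration tracking.
        extra["X-Auth-Warning"] = "no Auth-SSL header from nginx"
    return ("OK", extra)


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, extra = decide(self.headers)
        self.send_response(200)
        self.send_header("Auth-Status", status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```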