[tpop3d-discuss] Re: New feature thought / part of TODO / auth_perl_user hook?
Dave Baker
dave at dsb3.com
Thu, 9 Oct 2003 22:05:26 -0400
On Tue, Oct 07, 2003 at 01:56:54PM -0400, Dave Baker wrote:
> In addition to the mention in the TODO (Offer an option to disconnect
> users who fail to issue STLS before USER), this would let tpop3d:
> 1) Allow USER/PASS on some domains, but APOP only on others
> 2) Allow USER/PASS based on source IP (inside/outside a firewall perhaps)
> 3) ...
>
I just scanned the list archive and didn't see this patch already, but
it's so painfully simple I'm surprised no-one's submitted it before.
It seems that apop_only doesn't (shouldn't?) have meaning within a TLS
transaction so as a really quick hit to make tpop3d work for what I need
(I just gained an Outlook user ... it doesn't support APOP, but will do
TLS so that was the final nudge into opening port 995 at the firewall).
As I recall (it may even have been me who requested apop_only in the first
place ...) the only purpose of apop_only is to try to close the network
connection without giving a plain-text client the opportunity for sending
a password over the wire. Depending on how much we trust SSL/TLS that
requirement either disappears completely, or gets greatly obsoleted.
Is this so obvious that I'm wasting my time mentioning it?
Anyway, I'm going to spend a bit more time looking at a generalized
"allow_user" hook since I do still (perhaps) want connections over the
loopback device to be allowed to use USER/PASS, but for the time being I
think this patch will do what I need.
Dave
--- pop3.c.orig 2003-10-09 21:47:12.000000000 -0400
+++ pop3.c 2003-10-09 22:01:39.000000000 -0400
@@ -376,7 +376,7 @@
return do_capa(c);
case USER:
- if (apop_only) {
+ if (apop_only && !c->secured) {
connection_sendresponse(c, 0, _("Sorry, you must use APOP"));
return close_connection;
} else if (!do_user(c, p))
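Review bot: In the USER branch the rejection text still reads "Sorry, you must use APOP", but with the new test `apop_only && !c->secured` a plaintext client has a second acceptable path, namely securing the connection first. Consider rewording the response (for example "Sorry, you must use APOP or STLS") so it matches the policy actually enforced, and update the apop_only documentation to state that USER/PASS is accepted on secured connections. Since the check now depends on c->secured, it is worth confirming that the flag is set only once the TLS handshake has completed.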
@@ -384,7 +384,7 @@
break;
case PASS:
- if (apop_only) {
+ if (apop_only && !c->secured) {
connection_sendresponse(c, 0, _("Sorry, you must use APOP"));
return close_connection;
} else if (!do_pass(c, p))
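Review bot: The PASS branch repeats the same condition `apop_only && !c->secured` and the same response as the USER branch. Factor the test into one small helper or macro that both cases call, so the two checks cannot drift apart if the policy is later extended, such as the source-address-based rule discussed in this thread.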
--
- Dave Baker : dave@dsb3.com : http://dsb3.com/ -
GnuPG: 1024D/D7BCA55D / 09CD D148 57DE 711E 6708 B772 0DD4 51D5 D7BC A55D