[tpop3d-discuss] Re: New feature thought / part of TODO / auth_perl_user hook?

Dave Baker dave at dsb3.com
Thu, 9 Oct 2003 22:05:26 -0400


On Tue, Oct 07, 2003 at 01:56:54PM -0400, Dave Baker wrote:
> In addition to the mention in the TODO (Offer an option to disconnect
> users who fail to issue STLS before USER), this would let tpop3d:
> 1) Allow USER/PASS on some domains, but APOP only on others 
> 2) Allow USER/PASS based on source IP (inside/outside a firewall perhaps)
> 3) ...  
>

I just scanned the list archive and didn't see this patch already, but
it's so painfully simple I'm surprised no-one's submitted it before.

It seems that apop_only doesn't (shouldn't?) have meaning within a TLS
transaction, so as a really quick hit to make tpop3d work for what I need
(I just gained an Outlook user ... it doesn't support APOP, but will do
TLS, so that was the final nudge into opening port 995 at the firewall).

As I recall (it may even have been me who requested apop_only in the first
place ...) the only purpose of apop_only is to try to close the network
connection without giving a plain-text client the opportunity for sending
a password over the wire.  Depending on how much we trust SSL/TLS that
requirement either disappears completely, or gets greatly obsoleted.


Is this so obvious that I'm wasting my time mentioning it?  

Anyway, I'm going to spend a bit more time looking at a generalized
"allow_user" hook since I do still (perhaps) want connections over the
loopback device to be allowed to use USER/PASS, but for the time being I
think this patch will do what I need.



Dave


--- pop3.c.orig 2003-10-09 21:47:12.000000000 -0400
+++ pop3.c      2003-10-09 22:01:39.000000000 -0400
@@ -376,7 +376,7 @@
                 return do_capa(c);
             
             case USER:
-                if (apop_only) {
+                if (apop_only && !c->secured) {
                     connection_sendresponse(c, 0, _("Sorry, you must use APOP"));
                     return close_connection;
                 } else if (!do_user(c, p))
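Review bot: The new condition `if (apop_only && !c->secured)` relies on `c->secured` being set for every connection that is actually protected, which needs confirming for both paths mentioned in this thread: a session upgraded with STLS and a session accepted on the dedicated TLS port (995). If either path leaves `secured` unset, apop_only still rejects USER there; if a path sets it without the handshake having completed, a plaintext USER/PASS slips through the check that apop_only was meant to prevent. Since the rejection message `_("Sorry, you must use APOP")` is now only sent on unsecured connections, it would help the client operator to say that STLS is the other option.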
@@ -384,7 +384,7 @@
                 break;
 
             case PASS:
-                if (apop_only) {
+                if (apop_only && !c->secured) {
                     connection_sendresponse(c, 0, _("Sorry, you must use APOP"));
                     return close_connection;
                 } else if (!do_pass(c, p))
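Review bot: This hunk repeats the exact condition from the USER case, so the two can drift apart if the rule is ever extended (the generalized "allow_user" hook discussed in the mail would be a third copy). Consider evaluating the secured/apop_only decision once, e.g. in a small helper or a local flag computed before the switch, and using it in both the USER and PASS cases, so that a future per-domain or per-source-IP rule only has to be changed in one place. The PASS check is still worth keeping even though USER precedes it, since a client that sends PASS first should get the same refusal rather than a different code path.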



-- 

-    Dave Baker      :      dave@dsb3.com      :      http://dsb3.com/    -
GnuPG:  1024D/D7BCA55D / 09CD D148 57DE 711E 6708  B772 0DD4 51D5 D7BC A55D