From 3bede3fae77775088b8b66e7a26a5e2ee1f61fff Mon Sep 17 00:00:00 2001 From: Ken Hornstein Date: Mon, 27 Feb 2012 20:50:49 -0500 Subject: [PATCH] Add support for -nosasl and -saslmaxssf switches. --- man/post.man | 13 +++++++++++-- man/send.man | 13 +++++++++++-- mts/smtp/smtp.c | 29 ++++++++++++++++------------- mts/smtp/smtp.h | 2 +- uip/post.c | 33 ++++++++++++++++++++++++--------- uip/send.c | 18 ++++++++++++------ uip/whatnowsbr.c | 18 ++++++++++++------ 7 files changed, 87 insertions(+), 39 deletions(-) diff --git a/man/post.man b/man/post.man index 2bff3de..50b0298 100644 --- a/man/post.man +++ b/man/post.man @@ -21,6 +21,9 @@ post \- deliver a message .RB [ \-width .IR columns ] .RB [ \-sasl ] +.RB [ \-nosasl ] +.RB [ \-saslmaxssf +.IR ssf ] .RB [ \-saslmech .IR mechanism ] .RB [ \-user @@ -195,7 +198,9 @@ If .B nmh has been compiled with SASL support, the .B \-sasl -switch will enable +and +.B \-nosasl +switches will enable and disable the use of SASL authentication with the SMTP MTA. Depending on the SASL mechanism used, this may require an additional password prompt from the user (but the @@ -214,7 +219,11 @@ will attempt to negotiate a security layer for session encryption. Encrypted data is labelled with `(sasl-encrypted)' and `(sasl-decrypted)' when viewing the SMTP transaction with the .B \-snoop -switch. +switch. The +.B \-saslmaxssf +switch can be used to select the maximum value of the Security Strength Factor. +This is an integer value and the exact meaning of this value depends on the +underlying SASL mechanism. A value of 0 disables encryption. .PP If .B nmh diff --git a/man/send.man b/man/send.man index d9158c8..87a74eb 100644 --- a/man/send.man +++ b/man/send.man @@ -33,6 +33,9 @@ send \- send a message .RB [ \-port .IR port-name/number ] .RB [ \-sasl ] +.RB [ \-nosasl ] +.RB [ \-saslmaxssf +.IR ssf ] .RB [ \-saslmech .IR mechanism ] .RB [ \-user 
@@ -336,7 +339,9 @@ If .B nmh has been compiled with SASL support, the .B \-sasl -switch will enable +and +.B \-nosasl +switches will enable and disable the use of SASL authentication with the SMTP MTA. Depending on the SASL mechanism used, this may require an additional password prompt from the user (but the @@ -355,7 +360,11 @@ will attempt to negotiate a security layer for session encryption. Encrypted data is labelled with `(encrypted)' and `(decrypted)' when viewing the SMTP transaction with the .B \-snoop -switch. +switch. The +.B \-saslmaxssf +switch can be used to select the maximum value of the Security Strength Factor. +This is an integer value and the exact meaning of this value depends on the +underlying SASL mechanism. A value of 0 disables encryption. .PP If .B nmh diff --git a/mts/smtp/smtp.c b/mts/smtp/smtp.c index faca17a..620dabc 100644 --- a/mts/smtp/smtp.c +++ b/mts/smtp/smtp.c @@ -147,9 +147,9 @@ char *EHLOkeys[MAXEHLO + 1]; * static prototypes */ static int smtp_init (char *, char *, char *, int, int, int, int, int, int, - char *, char *, int); + int, char *, char *, int); static int sendmail_init (char *, char *, int, int, int, int, int, int, - char *, char *); + int, char *, char *); static int rclient (char *, char *); static int sm_ierror (char *fmt, ...); 
@@ -173,26 +173,28 @@ static int sm_fgets(char *, int, FILE *); * Function prototypes needed for SASL */ -static int sm_auth_sasl(char *, char *, char *); +static int sm_auth_sasl(char *, int, char *, char *); #endif /* CYRUS_SASL */ int sm_init (char *client, char *server, char *port, int watch, int verbose, - int debug, int onex, int queued, int sasl, char *saslmech, - char *user, int tls) + int debug, int onex, int queued, int sasl, int saslssf, + char *saslmech, char *user, int tls) { if (sm_mts == MTS_SMTP) return smtp_init (client, server, port, watch, verbose, - debug, onex, queued, sasl, saslmech, user, tls); + debug, onex, queued, sasl, saslssf, saslmech, + user, tls); else return sendmail_init (client, server, watch, verbose, - debug, onex, queued, sasl, saslmech, user); + debug, onex, queued, sasl, saslssf, saslmech, + user); } static int smtp_init (char *client, char *server, char *port, int watch, int verbose, int debug, int onex, int queued, - int sasl, char *saslmech, char *user, int tls) + int sasl, int saslssf, char *saslmech, char *user, int tls) { #ifdef CYRUS_SASL char *server_mechs; @@ -427,7 +429,7 @@ smtp_init (char *client, char *server, char *port, int watch, int verbose, saslmech, server_mechs); } - if (sm_auth_sasl(user, saslmech ? saslmech : server_mechs, + if (sm_auth_sasl(user, saslssf, saslmech ? saslmech : server_mechs, server) != RP_OK) { sm_end(NOTOK); return NOTOK; @@ -449,13 +451,14 @@ send_options: ; int sendmail_init (char *client, char *server, int watch, int verbose, int debug, int onex, int queued, - int sasl, char *saslmech, char *user) + int sasl, int saslssf, char *saslmech, char *user) { #ifdef CYRUS_SASL char *server_mechs; #else /* CYRUS_SASL */ NMH_UNUSED (server); NMH_UNUSED (sasl); + NMH_UNUSED (saslssf); NMH_UNUSED (saslmech); NMH_UNUSED (user); #endif /* CYRUS_SASL */ 
@@ -603,7 +606,7 @@ sendmail_init (char *client, char *server, int watch, int verbose, saslmech, server_mechs); } - if (sm_auth_sasl(user, saslmech ? saslmech : server_mechs, + if (sm_auth_sasl(user, saslssf, saslmech ? saslmech : server_mechs, server) != RP_OK) { sm_end(NOTOK); return NOTOK; @@ -875,7 +878,7 @@ sm_end (int type) * (optionally) negotiated a security layer. */ static int -sm_auth_sasl(char *user, char *mechlist, char *inhost) +sm_auth_sasl(char *user, int saslssf, char *mechlist, char *inhost) { int result, status; unsigned int buflen, outlen; @@ -953,7 +956,7 @@ sm_auth_sasl(char *user, char *mechlist, char *inhost) memset(&secprops, 0, sizeof(secprops)); secprops.maxbufsize = SASL_MAXRECVBUF; - secprops.max_ssf = tls_active ? 0 : UINT_MAX; + secprops.max_ssf = tls_active ? 0 : (saslssf != -1 ? saslssf : UINT_MAX); result = sasl_setprop(conn, SASL_SEC_PROPS, &secprops); diff --git a/mts/smtp/smtp.h b/mts/smtp/smtp.h index c88620e..7de0edc 100644 --- a/mts/smtp/smtp.h +++ b/mts/smtp/smtp.h @@ -22,7 +22,7 @@ struct smtp { * prototypes */ /* int client (); */ -int sm_init (char *, char *, char *, int, int, int, int, int, int, char *, char *, int); +int sm_init (char *, char *, char *, int, int, int, int, int, int, int, char *, char *, int); int sm_winit (int, char *); int sm_wadr (char *, char *, char *); int sm_waend (void); diff --git a/uip/post.c b/uip/post.c index 580d3d1..6ce3280 100644 --- a/uip/post.c +++ b/uip/post.c 
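Review bot: `secprops.max_ssf = tls_active ? 0 : (saslssf != -1 ? saslssf : UINT_MAX);` in hunk @@ -953 feeds a signed `int` into the unsigned `max_ssf` field, and nothing in `sm_auth_sasl` rejects a negative value other than the -1 sentinel, so a caller passing -2 would silently request an unlimited SSF rather than fail; no caller on this page produces such a value today, but `sm_init` is a public entry point. A one-line guard before the assignment would close that, e.g. `if (saslssf < -1) return sm_ierror("invalid SASL maximum SSF %d", saslssf);` (sm_ierror's return convention is outside the hunk; match what the rest of sm_auth_sasl returns on failure). The -1 sentinel is also undocumented: the header comment above hunk @@ -875 should state that `saslssf` is the caller's maximum SSF, -1 meaning no limit, and that it is ignored (forced to 0) once TLS is already active. sm_auth_sasl's body continues beyond hunk @@ -953.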
@@ -131,17 +131,21 @@ static struct swit switches[] = { { "queued", -6 }, #define SASLSW 37 { "sasl", SASLminc(-4) }, -#define SASLMECHSW 38 +#define NOSASLSW 38 + { "nosasl", SASLminc(-6) }, +#define SASLMXSSFSW 39 + { "saslmaxssf", SASLminc(-10) }, +#define SASLMECHSW 40 { "saslmech", SASLminc(-5) }, -#define USERSW 39 +#define USERSW 41 { "user", SASLminc(-4) }, -#define PORTSW 40 +#define PORTSW 42 { "port server port name/number", 4 }, -#define TLSSW 41 +#define TLSSW 43 { "tls", TLSminc(-3) }, -#define FILEPROCSW 42 +#define FILEPROCSW 44 { "fileproc", -4 }, -#define MHLPROCSW 43 +#define MHLPROCSW 45 { "mhlproc", -3 }, { NULL, 0 } }; @@ -239,6 +243,7 @@ static int checksw = 0; /* whom -check */ static int linepos=0; /* putadr()'s position on the line */ static int nameoutput=0; /* putadr() has output header name */ static int sasl=0; /* Use SASL auth for SMTP */ +static int saslssf=-1; /* Our maximum SSF for SASL */ static char *saslmech=NULL; /* Force use of particular SASL mech */ static char *user=NULL; /* Authenticate as this user */ static char *port="smtp"; /* Name of server port for SMTP */ @@ -515,6 +520,16 @@ main (int argc, char **argv) case SASLSW: sasl++; continue; + + case NOSASLSW: + sasl = 0; + continue; + + case SASLMXSSFSW: + if (!(cp = *argp++) || *cp == '-') + adios (NULL, "missing argument to %s", argp[-2]); + saslssf = atoi(cp); + continue; case SASLMECHSW: if (!(saslmech = *argp++) || *saslmech == '-') @@ -1431,8 +1446,8 @@ post (char *file, int bccque, int talk) sigon (); if (rp_isbad (retval = sm_init (clientsw, serversw, port, watch, verbose, - snoop, onex, queued, sasl, saslmech, - user, tls)) + snoop, onex, queued, sasl, saslssf, + saslmech, user, tls)) || rp_isbad (retval = sm_winit (smtpmode, from))) die (NULL, "problem initializing server; %s", rp_string (retval)); 
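Review bot: The comment on the new `static int saslssf=-1;` in hunk @@ -239 does not explain the initial value, and a reader has to follow it through sm_init() into smtp.c to learn that -1 is the "no limit" sentinel. Suggest `static int saslssf=-1; /* Max SSF for SASL security layer; -1 = no limit requested */`.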
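Review bot: `saslssf = atoi(cp);` in hunk @@ -515 accepts any string, so a typo such as `-saslmaxssf 128x` yields 0, which per the man page text in this same patch disables the SASL security layer — the connection is silently weakened instead of the bad argument being reported. atoi also has no defined result for out-of-range input. Parse with strtol and reject anything that is not a non-negative integer that fits an int, as below (needs `<errno.h>` and `<limits.h>` in scope if post.c does not already include them). The enclosing switch in main() starts and ends outside this hunk.
```c
case SASLMXSSFSW:
    if (!(cp = *argp++) || *cp == '-')
        adios (NULL, "missing argument to %s", argp[-2]);
    {
        char *end;
        long ssf;

        errno = 0;
        ssf = strtol (cp, &end, 10);
        if (end == cp || *end != '\0' || errno == ERANGE || ssf < 0 || ssf > INT_MAX)
            adios (NULL, "bad value for %s: %s", argp[-2], cp);
        saslssf = (int) ssf;
    }
    continue;
```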
@@ -1471,7 +1486,7 @@ verify_all_addresses (int talk) if (!whomsw || checksw) if (rp_isbad (retval = sm_init (clientsw, serversw, port, watch, verbose, snoop, 0, queued, sasl, - saslmech, user, tls)) + saslssf, saslmech, user, tls)) || rp_isbad (retval = sm_winit (smtpmode, from))) die (NULL, "problem initializing server; %s", rp_string (retval)); diff --git a/uip/send.c b/uip/send.c index 62bf60a..9e804bc 100644 --- a/uip/send.c +++ b/uip/send.c @@ -102,17 +102,21 @@ static struct swit switches[] = { { "snoop", 5 }, #define SASLSW 37 { "sasl", SASLminc(4) }, -#define SASLMECHSW 38 +#define NOSASLSW 38 + { "nosasl", SASLminc(-6) }, +#define SASLMXSSFSW 39 + { "saslmaxssf", SASLminc(-10) }, +#define SASLMECHSW 40 { "saslmech mechanism", SASLminc(-5) }, -#define USERSW 39 +#define USERSW 41 { "user username", SASLminc(-4) }, -#define ATTACHSW 40 +#define ATTACHSW 42 { "attach", 6 }, -#define ATTACHFORMATSW 41 +#define ATTACHFORMATSW 43 { "attachformat", 7 }, -#define PORTSW 42 +#define PORTSW 44 { "port server-port-name/number" , 4 }, -#define TLSSW 43 +#define TLSSW 45 { "tls", TLSminc(-3) }, { NULL, 0 } }; @@ -278,6 +282,7 @@ main (int argc, char **argv) case SOMLSW: case SNOOPSW: case SASLSW: + case NOSASLSW: case TLSSW: vec[vecp++] = --cp; continue; @@ -288,6 +293,7 @@ main (int argc, char **argv) case CLIESW: case SERVSW: case SASLMECHSW: + case SASLMXSSFSW: case USERSW: case PORTSW: vec[vecp++] = --cp; diff --git a/uip/whatnowsbr.c b/uip/whatnowsbr.c index 36ba346..ac9dc3a 100644 --- a/uip/whatnowsbr.c +++ b/uip/whatnowsbr.c 
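Review bot: In the send.c switch table (hunk @@ -102) the new entries use `SASLminc(-6)` and `SASLminc(-10)`; if a negative minchars value means "omit from -help" here, as it appears to for the neighbouring `-saslmech` and `-user` entries, then `-nosasl` and `-saslmaxssf` are hidden from `send -help` even though send.man in this same patch documents them right next to the visible `-sasl` entry, `SASLminc(4)`. If that is unintended, `{ "nosasl", SASLminc(6) },` and `{ "saslmaxssf", SASLminc(10) },` would list them. whatnowsbr.c's sendswitches keeps every SASL switch hidden, so it is internally consistent as written.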
@@ -1054,17 +1054,21 @@ static struct swit sendswitches[] = { { "nodraftfolder", -3 }, #define SASLSW 36 { "sasl", SASLminc(-4) }, -#define SASLMECHSW 37 +#define NOSASLSW 37 + { "nosasl", SASLminc(-6) }, +#define SASLMXSSFSW 38 + { "saslmaxssf", SASLminc(-10) }, +#define SASLMECHSW 39 { "saslmech", SASLminc(-5) }, -#define USERSW 38 +#define USERSW 40 { "user", SASLminc(-4) }, -#define SNDATTACHSW 39 +#define SNDATTACHSW 41 { "attach file", 6 }, -#define SNDATTACHFORMAT 40 +#define SNDATTACHFORMAT 42 { "attachformat", 7 }, -#define PORTSW 41 +#define PORTSW 43 { "port server-port-name/number", 4 }, -#define TLSSW 42 +#define TLSSW 44 { "tls", TLSminc(-3) }, { NULL, 0 } }; @@ -1227,6 +1231,7 @@ sendit (char *sp, char **arg, char *file, int pushed) case SOMLSW: case SNOOPSW: case SASLSW: + case NOSASLSW: case TLSSW: vec[vecp++] = --cp; continue; @@ -1236,6 +1241,7 @@ sendit (char *sp, char **arg, char *file, int pushed) case WIDTHSW: case CLIESW: case SERVSW: + case SASLMXSSFSW: case SASLMECHSW: case USERSW: case PORTSW: -- 1.7.10.4