File: tls

package info (click to toggle)
qpsmtpd 0.40-3
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 1,024 kB
  • ctags: 393
  • sloc: perl: 6,462; sh: 383; makefile: 54
file content (224 lines) | stat: -rw-r--r-- 6,466 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
 
#!perl -w

=head1 NAME

tls - plugin to support STARTTLS

=head1 SYNOPSIS

# in config/plugins

tls [B<cert_path priv_key_path ca_path>]

=over indentlevel

=item B<cert_path>

Path to the server certificate file. Default: I<ssl/qpsmtpd-server.crt>

=item B<priv_key_path>

Path to the private key file. Default: I<ssl/qpsmtpd-server.key>

=item B<ca_path>

Path to the certificate autority file. Default: I<ssl/qpsmtpd-ca.crt>

=head1 DESCRIPTION

This plugin implements basic TLS support.  It can also be used to support
port 465 (SMTP over SSL), but only with qpsmtpd-forkserver.  In this case,
be sure to load plugins/tls before any other connect plugins and start
qpsmtpd like this:

  qpsmtpd-forkserver --port 25 --port 465

You can also specify multiple --listen-address options as well; see the help
for qpsmtpd-forkserver for more details.

If TLS is successfully negotiated then the C<tls_enabled> field in the
Connection notes is set. If you wish to make TLS mandatory you should check
that field and take appropriate action. Note that you can only do that from
MAIL FROM onwards.

Use the script C<plugins/tls_cert> to automatically generate a self-signed
certificate with the appropriate characteristics.  Otherwise, you should
give absolute pathnames to the certificate, key, and the CA root cert 
used to sign that certificate.

=head1 CIPHERS and COMPATIBILITY

By default, we use only the plugins that openssl considers to be
"high security". If you need to tweak the available ciphers for some
broken client (such as Versamail 3.x), have a look at the available
ciphers at L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>,
and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
"HIGH:MEDIUM")

=cut

use IO::Socket::SSL;# qw(debug1 debug2 debug3 debug4);

sub init {
    my ($self, $qp, $cert, $key, $ca) = @_;
    $cert ||= 'ssl/qpsmtpd-server.crt';
    $key  ||= 'ssl/qpsmtpd-server.key';
    $ca   ||= 'ssl/qpsmtpd-ca.crt';
    unless ( -f $cert && -f $key && -f $ca ) {
        $self->log(LOGERROR, "Cannot locate cert/key!  Run plugins/tls_cert to generate");
        return;
    }
    $self->tls_cert($cert);
    $self->tls_key($key);
    $self->tls_ca($ca);
    $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
    
    $self->log(LOGINFO, "ciphers: $self->tls_ciphers");

    local $^W; # this bit is very noisy...
    my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
        SSL_use_cert => 1,
        SSL_cert_file => $self->tls_cert,
        SSL_key_file => $self->tls_key,
        SSL_ca_file => $self->tls_ca,
        SSL_cipher_list => $self->tls_ciphers,
        SSL_server => 1
    ) or die "Could not create SSL context: $!";
    # now extract the password...
    
    $self->ssl_context($ssl_ctx);
    
    # Check for possible AUTH mechanisms
HOOK: foreach my $hook ( keys %{$qp->{hooks}} ) {
        no strict 'refs';
        if ( $hook =~ m/^auth-?(.+)?$/ ) {
            if ( defined $1 ) {
                my $hooksub = "hook_$hook";
                $hooksub =~ s/\W/_/g;
                *$hooksub = \&bad_ssl_hook;
            }
            else { # at least one polymorphous auth provider
                *hook_auth = \&bad_ssl_hook;
            }
        }
    }
    
}

sub hook_ehlo {
    my ($self, $transaction) = @_;
    return DECLINED unless $self->can_do_tls;
    return DECLINED if $self->connection->notes('tls_enabled');
    return DENY, "Command refused due to lack of security" if $transaction->notes('ssl_failed');
    my $cap = $transaction->notes('capabilities');
    $cap ||= [];
    push @$cap, 'STARTTLS';
    $transaction->notes('tls_enabled', 1);
    $transaction->notes('capabilities', $cap);
    return DECLINED;
}

sub hook_unrecognized_command {
    my ($self, $transaction, $cmd, @args) = @_;
    return DECLINED unless $cmd eq 'starttls';
    return DECLINED unless $transaction->notes('tls_enabled');
    return DENY, "Syntax error (no parameters allowed)" if @args;
    
    # OK, now we setup TLS
    $self->qp->respond (220, "Go ahead with TLS");
    
    unless ( _convert_to_ssl($self) ) {
        # SSL setup failed. Now we must respond to every command with 5XX
        warn("TLS failed: $@\n");
        $transaction->notes('ssl_failed', 1);
        return DENY, "TLS Negotiation Failed";
    }
    
    $self->log(LOGWARN, "TLS setup returning");
    return DONE;
}

sub hook_connect {
    my ($self, $transaction) = @_;

    my $local_port = $self->qp->connection->local_port;
    return DECLINED unless $local_port == 465; # SMTPS
    
    unless ( _convert_to_ssl($self) ) {
	return (DENY_DISCONNECT, "Cannot establish SSL session");
    }
    $self->log(LOGWARN, "Connected via SMTPS");
    return DECLINED;
}

sub _convert_to_ssl {
    my ($self) = @_;

    eval {
        my $tlssocket = IO::Socket::SSL->new_from_fd(
            fileno(STDIN), '+>',
            SSL_use_cert => 1,
            SSL_cert_file => $self->tls_cert,
            SSL_key_file => $self->tls_key,
            SSL_ca_file => $self->tls_ca,
            SSL_cipher_list => $self->tls_ciphers,
            SSL_server => 1,
            SSL_reuse_ctx => $self->ssl_context,
        ) or die "Could not create SSL socket: $!";
    
        # Clone connection object (without data received from client)
        $self->qp->connection($self->connection->clone());
        $self->qp->reset_transaction;
        *STDIN = *STDOUT = $self->connection->notes('tls_socket', $tlssocket);
        $self->connection->notes('tls_enabled', 1);
    };
    if ($@) {
	return 0;
    }
    else {
	return 1;
    }
}

sub can_do_tls {
    my ($self) = @_;
    $self->tls_cert && -r $self->tls_cert;
}

sub tls_cert {
    my $self = shift;
    @_ and $self->{_tls_cert} = shift;
    $self->{_tls_cert};
}

sub tls_key {
    my $self = shift;
    @_ and $self->{_tls_key} = shift;
    $self->{_tls_key};
}

sub tls_ca {
    my $self = shift;
    @_ and $self->{_tls_ca} = shift;
    $self->{_tls_ca};
}

sub tls_ciphers {
    my $self = shift;
    @_ and $self->{_tls_ciphers} = shift;
    $self->{_tls_ciphers};
}

sub ssl_context {
    my $self = shift;
    @_ and $self->{_ssl_ctx} = shift;
    $self->{_ssl_ctx};
}

# Fulfill RFC 2487 secn 5.1
sub bad_ssl_hook {
    my ($self, $transaction) = @_;
    return DENY, "Command refused due to lack of security" if $transaction->notes('ssl_failed');
    return DECLINED;
}
*hook_helo = *hook_data = *hook_rcpt = *hook_mail = \&bad_ssl_hook;