diff --git a/plugins/tls b/plugins/tls
index 8991230..75c6751 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -45,7 +45,7 @@ MAIL FROM onwards.
 Use the script C to automatically generate a self-signed
 certificate with the appropriate characteristics. Otherwise, you should
-give absolute pathnames to the certificate, key, and the CA root cert 
+give absolute pathnames to the certificate, key, and the CA root cert
 used to sign that certificate.
 =head1 CIPHERS and COMPATIBILITY
@@ -63,9 +63,10 @@ use IO::Socket::SSL 0.98;
 sub init {
     my ($self, $qp, $cert, $key, $ca) = @_;
-    $cert ||= 'ssl/qpsmtpd-server.crt';
-    $key ||= 'ssl/qpsmtpd-server.key';
-    $ca ||= 'ssl/qpsmtpd-ca.crt';
+    my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
+    $cert ||= "$dir/qpsmtpd-server.crt";
+    $key ||= "$dir/qpsmtpd-server.key";
+    $ca ||= "$dir/qpsmtpd-ca.crt";
     unless ( -f $cert && -f $key && -f $ca ) {
         $self->log(LOGERROR, "Cannot locate cert/key! Run plugins/tls_cert to generate");
         return;
@@ -74,7 +75,7 @@ sub init {
     $self->tls_key($key);
     $self->tls_ca($ca);
     $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
-    
+
     $self->log(LOGDEBUG, "ciphers: ".$self->tls_ciphers);
     local $^W; # this bit is very noisy...
@@ -87,9 +88,9 @@ sub init {
         SSL_server => 1
     ) or die "Could not create SSL context: $!";
     # now extract the password...
-    
+
     $self->ssl_context($ssl_ctx);
-    
+
     # Check for possible AUTH mechanisms
 HOOK: foreach my $hook ( keys %{$qp->hooks} ) {
         no strict 'refs';
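Review bot: The new default chosen at `my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';` is resolved against the daemon's current working directory at plugin load, so which certificate and private key are served now depends on where qpsmtpd was started from, and the `-f` check a few lines below cannot tell the operator which of the two candidate directories was tried. A comment such as `# default locations are relative to the daemon's working directory; the POD recommends absolute paths` would make that dependency explicit, and the failure message should name the resolved paths, e.g. `$self->log(LOGERROR, "Cannot locate cert/key ($cert, $key, $ca)! Run plugins/tls_cert to generate");`. An explicitly configured absolute path, which the POD hunk above still recommends, is unaffected by this change. init continues past the end of the hunk.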
@@ -120,20 +121,20 @@ sub hook_ehlo {
 sub hook_unrecognized_command {
     my ($self, $transaction, $cmd, @args) = @_;
-    return DECLINED unless $cmd eq 'starttls';
+    return DECLINED unless lc $cmd eq 'starttls';
     return DECLINED unless $transaction->notes('tls_enabled');
     return DENY, "Syntax error (no parameters allowed)" if @args;
-    
+
     # OK, now we setup TLS
     $self->qp->respond (220, "Go ahead with TLS");
-    
+
     unless ( _convert_to_ssl($self) ) {
         # SSL setup failed. Now we must respond to every command with 5XX
         warn("TLS failed: $@\n");
         $transaction->notes('ssl_failed', 1);
         return DENY, "TLS Negotiation Failed";
     }
-    
+
     $self->log(LOGWARN, "TLS setup returning");
     return DONE;
 }
@@ -143,7 +144,7 @@ sub hook_connect {
     my $local_port = $self->qp->connection->local_port;
     return DECLINED unless defined $local_port && $local_port == 465; # SMTPS
-    
+
     unless ( _convert_to_ssl($self) ) {
         return (DENY_DISCONNECT, "Cannot establish SSL session");
     }
@@ -182,7 +183,7 @@ sub _convert_to_ssl {
         SSL_server => 1,
         SSL_reuse_ctx => $self->ssl_context,
     ) or die "Could not create SSL socket: $!";
-    
+
     # Clone connection object (without data received from client)
     $self->qp->connection($self->connection->clone());
     $self->qp->reset_transaction;
@@ -283,18 +284,18 @@ sub upgrade_socket {
             SSL_startHandshake => 0,
             SSL_server => 1,
             SSL_reuse_ctx => $self->{_stashed_plugin}->ssl_context,
-        } 
+        }
         ) or die "Could not upgrade socket to SSL: $!";
         $self->{_ssl_started} = 1;
     }
-    
+
     $self->event_read($self->{_stashed_qp});
 }
 sub event_read {
     my UpgradeClientSSL $self = shift;
     my $qp = shift;
-    
+
     $qp->watch_read( 0 );
     my $sock = $qp->{sock}->accept_SSL;
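Review bot: After the command is case-folded at `return DECLINED unless lc $cmd eq 'starttls';`, the only remaining gate in hook_unrecognized_command is the `tls_enabled` transaction note, and nothing in this hunk rejects a second STARTTLS issued once the session has already been upgraded, which RFC 3207 requires the server to refuse with a 503 rather than re-run the handshake. Presumably hook_ehlo (outside the hunk) sets that note only on a plaintext connection and the `reset_transaction` in `_convert_to_ssl` clears it, but that is worth confirming or guarding directly with a connection-level flag set by `_convert_to_ssl`, since the transaction is recreated after the upgrade. As a point of style, `lc $cmd eq 'starttls'` is correct only because `lc` is a named unary operator binding tighter than `eq`; `lc($cmd) eq 'starttls'` reads unambiguously. The `warn("TLS failed: $@\n")` line is only informative if `_convert_to_ssl` wraps its failure in an eval, which cannot be seen from here.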