tls: added ability to store certs in config/ssl
was hard coded to ./ssl
This commit is contained in:
parent
c58404c3c4
commit
42296b950c
33
plugins/tls
33
plugins/tls
@ -45,7 +45,7 @@ MAIL FROM onwards.
|
|||||||
|
|
||||||
Use the script C<plugins/tls_cert> to automatically generate a self-signed
|
Use the script C<plugins/tls_cert> to automatically generate a self-signed
|
||||||
certificate with the appropriate characteristics. Otherwise, you should
|
certificate with the appropriate characteristics. Otherwise, you should
|
||||||
give absolute pathnames to the certificate, key, and the CA root cert
|
give absolute pathnames to the certificate, key, and the CA root cert
|
||||||
used to sign that certificate.
|
used to sign that certificate.
|
||||||
|
|
||||||
=head1 CIPHERS and COMPATIBILITY
|
=head1 CIPHERS and COMPATIBILITY
|
||||||
@ -63,9 +63,10 @@ use IO::Socket::SSL 0.98;
|
|||||||
|
|
||||||
sub init {
|
sub init {
|
||||||
my ($self, $qp, $cert, $key, $ca) = @_;
|
my ($self, $qp, $cert, $key, $ca) = @_;
|
||||||
$cert ||= 'ssl/qpsmtpd-server.crt';
|
my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
|
||||||
$key ||= 'ssl/qpsmtpd-server.key';
|
$cert ||= "$dir/qpsmtpd-server.crt";
|
||||||
$ca ||= 'ssl/qpsmtpd-ca.crt';
|
$key ||= "$dir/qpsmtpd-server.key";
|
||||||
|
$ca ||= "$dir/qpsmtpd-ca.crt";
|
||||||
unless ( -f $cert && -f $key && -f $ca ) {
|
unless ( -f $cert && -f $key && -f $ca ) {
|
||||||
$self->log(LOGERROR, "Cannot locate cert/key! Run plugins/tls_cert to generate");
|
$self->log(LOGERROR, "Cannot locate cert/key! Run plugins/tls_cert to generate");
|
||||||
return;
|
return;
|
||||||
@ -74,7 +75,7 @@ sub init {
|
|||||||
$self->tls_key($key);
|
$self->tls_key($key);
|
||||||
$self->tls_ca($ca);
|
$self->tls_ca($ca);
|
||||||
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
|
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
|
||||||
|
|
||||||
$self->log(LOGDEBUG, "ciphers: ".$self->tls_ciphers);
|
$self->log(LOGDEBUG, "ciphers: ".$self->tls_ciphers);
|
||||||
|
|
||||||
local $^W; # this bit is very noisy...
|
local $^W; # this bit is very noisy...
|
||||||
@ -87,9 +88,9 @@ sub init {
|
|||||||
SSL_server => 1
|
SSL_server => 1
|
||||||
) or die "Could not create SSL context: $!";
|
) or die "Could not create SSL context: $!";
|
||||||
# now extract the password...
|
# now extract the password...
|
||||||
|
|
||||||
$self->ssl_context($ssl_ctx);
|
$self->ssl_context($ssl_ctx);
|
||||||
|
|
||||||
# Check for possible AUTH mechanisms
|
# Check for possible AUTH mechanisms
|
||||||
HOOK: foreach my $hook ( keys %{$qp->hooks} ) {
|
HOOK: foreach my $hook ( keys %{$qp->hooks} ) {
|
||||||
no strict 'refs';
|
no strict 'refs';
|
||||||
@ -120,20 +121,20 @@ sub hook_ehlo {
|
|||||||
|
|
||||||
sub hook_unrecognized_command {
|
sub hook_unrecognized_command {
|
||||||
my ($self, $transaction, $cmd, @args) = @_;
|
my ($self, $transaction, $cmd, @args) = @_;
|
||||||
return DECLINED unless $cmd eq 'starttls';
|
return DECLINED unless lc $cmd eq 'starttls';
|
||||||
return DECLINED unless $transaction->notes('tls_enabled');
|
return DECLINED unless $transaction->notes('tls_enabled');
|
||||||
return DENY, "Syntax error (no parameters allowed)" if @args;
|
return DENY, "Syntax error (no parameters allowed)" if @args;
|
||||||
|
|
||||||
# OK, now we setup TLS
|
# OK, now we setup TLS
|
||||||
$self->qp->respond (220, "Go ahead with TLS");
|
$self->qp->respond (220, "Go ahead with TLS");
|
||||||
|
|
||||||
unless ( _convert_to_ssl($self) ) {
|
unless ( _convert_to_ssl($self) ) {
|
||||||
# SSL setup failed. Now we must respond to every command with 5XX
|
# SSL setup failed. Now we must respond to every command with 5XX
|
||||||
warn("TLS failed: $@\n");
|
warn("TLS failed: $@\n");
|
||||||
$transaction->notes('ssl_failed', 1);
|
$transaction->notes('ssl_failed', 1);
|
||||||
return DENY, "TLS Negotiation Failed";
|
return DENY, "TLS Negotiation Failed";
|
||||||
}
|
}
|
||||||
|
|
||||||
$self->log(LOGWARN, "TLS setup returning");
|
$self->log(LOGWARN, "TLS setup returning");
|
||||||
return DONE;
|
return DONE;
|
||||||
}
|
}
|
||||||
@ -143,7 +144,7 @@ sub hook_connect {
|
|||||||
|
|
||||||
my $local_port = $self->qp->connection->local_port;
|
my $local_port = $self->qp->connection->local_port;
|
||||||
return DECLINED unless defined $local_port && $local_port == 465; # SMTPS
|
return DECLINED unless defined $local_port && $local_port == 465; # SMTPS
|
||||||
|
|
||||||
unless ( _convert_to_ssl($self) ) {
|
unless ( _convert_to_ssl($self) ) {
|
||||||
return (DENY_DISCONNECT, "Cannot establish SSL session");
|
return (DENY_DISCONNECT, "Cannot establish SSL session");
|
||||||
}
|
}
|
||||||
@ -182,7 +183,7 @@ sub _convert_to_ssl {
|
|||||||
SSL_server => 1,
|
SSL_server => 1,
|
||||||
SSL_reuse_ctx => $self->ssl_context,
|
SSL_reuse_ctx => $self->ssl_context,
|
||||||
) or die "Could not create SSL socket: $!";
|
) or die "Could not create SSL socket: $!";
|
||||||
|
|
||||||
# Clone connection object (without data received from client)
|
# Clone connection object (without data received from client)
|
||||||
$self->qp->connection($self->connection->clone());
|
$self->qp->connection($self->connection->clone());
|
||||||
$self->qp->reset_transaction;
|
$self->qp->reset_transaction;
|
||||||
@ -283,18 +284,18 @@ sub upgrade_socket {
|
|||||||
SSL_startHandshake => 0,
|
SSL_startHandshake => 0,
|
||||||
SSL_server => 1,
|
SSL_server => 1,
|
||||||
SSL_reuse_ctx => $self->{_stashed_plugin}->ssl_context,
|
SSL_reuse_ctx => $self->{_stashed_plugin}->ssl_context,
|
||||||
}
|
}
|
||||||
) or die "Could not upgrade socket to SSL: $!";
|
) or die "Could not upgrade socket to SSL: $!";
|
||||||
$self->{_ssl_started} = 1;
|
$self->{_ssl_started} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$self->event_read($self->{_stashed_qp});
|
$self->event_read($self->{_stashed_qp});
|
||||||
}
|
}
|
||||||
|
|
||||||
sub event_read {
|
sub event_read {
|
||||||
my UpgradeClientSSL $self = shift;
|
my UpgradeClientSSL $self = shift;
|
||||||
my $qp = shift;
|
my $qp = shift;
|
||||||
|
|
||||||
$qp->watch_read( 0 );
|
$qp->watch_read( 0 );
|
||||||
|
|
||||||
my $sock = $qp->{sock}->accept_SSL;
|
my $sock = $qp->{sock}->accept_SSL;
|
||||||
|
Loading…
Reference in New Issue
Block a user