byterazor/qpsmtpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tls: added ability to store certs in config/ssl

Browse Source 
was hard coded to ./ssl
This commit is contained in:
Matt Simerson 2013-04-20 16:27:14 -04:00
parent f03128523c
commit 515188ace5
1 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
plugins/tls
View File

@ -45,7 +45,7 @@ MAIL FROM onwards.
Use the script C<plugins/tls_cert> to automatically generate a self-signed Use the script C<plugins/tls_cert> to automatically generate a self-signed
certificate with the appropriate characteristics. Otherwise, you should certificate with the appropriate characteristics. Otherwise, you should
give absolute pathnames to the certificate, key, and the CA root cert give absolute pathnames to the certificate, key, and the CA root cert
used to sign that certificate. used to sign that certificate.
=head1 CIPHERS and COMPATIBILITY =head1 CIPHERS and COMPATIBILITY
@ -63,9 +63,10 @@ use IO::Socket::SSL 0.98;
sub init { sub init {
my ($self, $qp, $cert, $key, $ca) = @_; my ($self, $qp, $cert, $key, $ca) = @_;
$cert ||= 'ssl/qpsmtpd-server.crt'; my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
$key ||= 'ssl/qpsmtpd-server.key'; $cert ||= "$dir/qpsmtpd-server.crt";
$ca ||= 'ssl/qpsmtpd-ca.crt'; $key ||= "$dir/qpsmtpd-server.key";
$ca ||= "$dir/qpsmtpd-ca.crt";
unless ( -f $cert && -f $key && -f $ca ) { unless ( -f $cert && -f $key && -f $ca ) {
$self->log(LOGERROR, "Cannot locate cert/key! Run plugins/tls_cert to generate"); $self->log(LOGERROR, "Cannot locate cert/key! Run plugins/tls_cert to generate");
return; return;
@ -74,7 +75,7 @@ sub init {
$self->tls_key($key); $self->tls_key($key);
$self->tls_ca($ca); $self->tls_ca($ca);
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH'); $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
$self->log(LOGDEBUG, "ciphers: ".$self->tls_ciphers); $self->log(LOGDEBUG, "ciphers: ".$self->tls_ciphers);
local $^W; # this bit is very noisy... local $^W; # this bit is very noisy...
@ -87,9 +88,9 @@ sub init {
SSL_server => 1 SSL_server => 1
) or die "Could not create SSL context: $!"; ) or die "Could not create SSL context: $!";
# now extract the password... # now extract the password...
$self->ssl_context($ssl_ctx); $self->ssl_context($ssl_ctx);
# Check for possible AUTH mechanisms # Check for possible AUTH mechanisms
HOOK: foreach my $hook ( keys %{$qp->hooks} ) { HOOK: foreach my $hook ( keys %{$qp->hooks} ) {
no strict 'refs'; no strict 'refs';
@ -120,20 +121,20 @@ sub hook_ehlo {
sub hook_unrecognized_command { sub hook_unrecognized_command {
my ($self, $transaction, $cmd, @args) = @_; my ($self, $transaction, $cmd, @args) = @_;
return DECLINED unless $cmd eq 'starttls'; return DECLINED unless lc $cmd eq 'starttls';
return DECLINED unless $transaction->notes('tls_enabled'); return DECLINED unless $transaction->notes('tls_enabled');
return DENY, "Syntax error (no parameters allowed)" if @args; return DENY, "Syntax error (no parameters allowed)" if @args;
# OK, now we setup TLS # OK, now we setup TLS
$self->qp->respond (220, "Go ahead with TLS"); $self->qp->respond (220, "Go ahead with TLS");
unless ( _convert_to_ssl($self) ) { unless ( _convert_to_ssl($self) ) {
# SSL setup failed. Now we must respond to every command with 5XX # SSL setup failed. Now we must respond to every command with 5XX
warn("TLS failed: $@\n"); warn("TLS failed: $@\n");
$transaction->notes('ssl_failed', 1); $transaction->notes('ssl_failed', 1);
return DENY, "TLS Negotiation Failed"; return DENY, "TLS Negotiation Failed";
} }
$self->log(LOGWARN, "TLS setup returning"); $self->log(LOGWARN, "TLS setup returning");
return DONE; return DONE;
} }
@ -143,7 +144,7 @@ sub hook_connect {
my $local_port = $self->qp->connection->local_port; my $local_port = $self->qp->connection->local_port;
return DECLINED unless defined $local_port && $local_port == 465; # SMTPS return DECLINED unless defined $local_port && $local_port == 465; # SMTPS
unless ( _convert_to_ssl($self) ) { unless ( _convert_to_ssl($self) ) {
return (DENY_DISCONNECT, "Cannot establish SSL session"); return (DENY_DISCONNECT, "Cannot establish SSL session");
} }
@ -182,7 +183,7 @@ sub _convert_to_ssl {
SSL_server => 1, SSL_server => 1,
SSL_reuse_ctx => $self->ssl_context, SSL_reuse_ctx => $self->ssl_context,
) or die "Could not create SSL socket: $!"; ) or die "Could not create SSL socket: $!";
# Clone connection object (without data received from client) # Clone connection object (without data received from client)
$self->qp->connection($self->connection->clone()); $self->qp->connection($self->connection->clone());
$self->qp->reset_transaction; $self->qp->reset_transaction;
@ -283,18 +284,18 @@ sub upgrade_socket {
SSL_startHandshake => 0, SSL_startHandshake => 0,
SSL_server => 1, SSL_server => 1,
SSL_reuse_ctx => $self->{_stashed_plugin}->ssl_context, SSL_reuse_ctx => $self->{_stashed_plugin}->ssl_context,
} }
) or die "Could not upgrade socket to SSL: $!"; ) or die "Could not upgrade socket to SSL: $!";
$self->{_ssl_started} = 1; $self->{_ssl_started} = 1;
} }
$self->event_read($self->{_stashed_qp}); $self->event_read($self->{_stashed_qp});
} }
sub event_read { sub event_read {
my UpgradeClientSSL $self = shift; my UpgradeClientSSL $self = shift;
my $qp = shift; my $qp = shift;
$qp->watch_read( 0 ); $qp->watch_read( 0 );
my $sock = $qp->{sock}->accept_SSL; my $sock = $qp->{sock}->accept_SSL;