diff options
| author | Rob N ★ <robn@fastmail.com> | 2016-10-08 18:05:00 +1100 |
|---|---|---|
| committer | Rob N ★ <robn@fastmail.com> | 2016-10-08 18:05:00 +1100 |
| commit | 66c23edf6308867572d5c4b8341e7a3fe7e97864 (patch) | |
| tree | ef7915e431e44d1394d27d3fb70cdcb0d893e467 /src/mail/ngx_mail_imap_handler.c | |
| parent | a747089a1dd63f323111c82000debfd83a5e6719 (diff) | |
| download | nginx-66c23edf6308867572d5c4b8341e7a3fe7e97864.tar.gz nginx-66c23edf6308867572d5c4b8341e7a3fe7e97864.zip | |
Mail: support SASL EXTERNAL (RFC 4422).
This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.
This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.
Diffstat (limited to 'src/mail/ngx_mail_imap_handler.c')
| -rw-r--r-- | src/mail/ngx_mail_imap_handler.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c index 57e2fb77d..1c5445785 100644 --- a/src/mail/ngx_mail_imap_handler.c +++ b/src/mail/ngx_mail_imap_handler.c @@ -222,6 +222,10 @@ ngx_mail_imap_auth_state(ngx_event_t *rev) case ngx_imap_auth_cram_md5: rc = ngx_mail_auth_cram_md5(s, c); break; + + case ngx_imap_auth_external: + rc = ngx_mail_auth_external(s, c, 0); + break; } } else if (rc == NGX_IMAP_NEXT) { @@ -399,6 +403,13 @@ ngx_mail_imap_authenticate(ngx_mail_session_t *s, ngx_connection_t *c) } return NGX_ERROR; + + case NGX_MAIL_AUTH_EXTERNAL: + + ngx_str_set(&s->out, imap_username); + s->mail_state = ngx_imap_auth_external; + + return NGX_OK; } return rc; |