[patch] New option: proxy_passfile

Øyvind Kolbu oyvind.kolbu at usit.uio.no
Mon Jul 28 03:35:52 EDT 2008


Hi

We use cyrus 2.3.12p2 as standalone nodes behind a nginx proxy, and found
that we needed to migrate users from one node to another. The solution was
the options proxy_authname, proxy_password and proxyservers. However we
have our configfiles in CVS and distribute the commit diffs on a
mailinglist, and hence we don't want the cleartext password in the
configfile. The simple attached patch reads the password from a given file.

-- 
Øyvind Kolbu
Postmaster
University of Oslo
-------------- next part --------------
diff -ruN src-2.3.12p2-orig/imap/backend.c src-2.3.12p2/imap/backend.c
--- src-2.3.12p2-orig/imap/backend.c	2008-07-23 16:40:15.000000000 +0200
+++ src-2.3.12p2/imap/backend.c	2008-07-28 08:10:28.000000000 +0200
@@ -165,7 +165,8 @@
 				char **mechlist, const char *userid,
 				sasl_callback_t *cb, const char **status)
 {
-    int r;
+    int r, mustfree;
+    FILE *f;
     sasl_security_properties_t secprops =
 	{ 0, 0xFF, PROT_BUFSIZE, 0, NULL, NULL }; /* default secprops */
     struct sockaddr_storage saddr_l, saddr_r;
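Review bot: `mustfree` is declared without an initializer here, but the third backend.c hunk reads it unconditionally in `if (mustfree)`, and its only assignment is inside the passfile branch of the second hunk. On every other path (a host-specific password, the `proxy_password` fallback, or, apparently, a caller-supplied `cb`) its value is indeterminate, so `free(pass)` can be called on a string owned by the config layer or on a pointer that was never set. Declare it as `int r, mustfree = 0;`. The declaration of `pass` lies outside this hunk; the added `(const char *)` casts suggest it is const-qualified, in which case a separate `char *` for the heap buffer would avoid writing through and freeing a const pointer.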
@@ -181,12 +182,22 @@
 	p = strchr(optstr, '.');
 	if (p) *p = '\0';
 	strlcat(optstr, "_password", sizeof(optstr));
-	pass = config_getoverflowstring(optstr, NULL);
-	if(!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD);
-	cb = mysasl_callbacks(userid, 
-			      config_getstring(IMAPOPT_PROXY_AUTHNAME),
-			      config_getstring(IMAPOPT_PROXY_REALM),
-			      pass);
+	pass = (const char *) config_getoverflowstring(optstr, NULL);
+	if(!pass) {
+	    if ((f = fopen(config_getstring(IMAPOPT_PROXY_PASSFILE), "r"))) {
+		// Arbitary choosen max length for password.
+                pass = xmalloc(256);
+	        fgets(pass, 255, f);
+		mustfree = 1;
+            } else {
+		pass = (const char *) config_getstring(IMAPOPT_PROXY_PASSWORD);
+            }
+
+	}
+        cb = mysasl_callbacks(userid, 
+                              config_getstring(IMAPOPT_PROXY_AUTHNAME),
+                              config_getstring(IMAPOPT_PROXY_REALM),
+                              pass);
     }
 
     /* set the IP addresses */
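Review bot: `fopen(config_getstring(IMAPOPT_PROXY_PASSFILE), "r")` runs even when the option is unset, and the imapopts.c hunk gives it a NULL default, so the common configuration passes NULL to fopen(), which is undefined behaviour. The stream is also never closed, so a descriptor leaks each time this path runs. The fgets() result is not checked, so an empty or unreadable file leaves the xmalloc'd buffer uninitialized. The trailing newline that fgets() keeps becomes part of the password handed to SASL. The sketch below handles those four points; the enclosing block begins outside the hunk, and since the file now holds the credential, the documentation should say it must be readable only by the Cyrus user.

```c
	pass = config_getoverflowstring(optstr, NULL);
	if (!pass) {
	    const char *passfile = config_getstring(IMAPOPT_PROXY_PASSFILE);

	    if (passfile && (f = fopen(passfile, "r"))) {
		char *filepass = xmalloc(256);	/* same arbitrary limit as the patch */

		if (fgets(filepass, 256, f)) {
		    /* drop the line terminator so it is not sent as part of the secret */
		    filepass[strcspn(filepass, "\r\n")] = '\0';
		    pass = filepass;
		    mustfree = 1;
		} else {
		    free(filepass);
		}
		fclose(f);
	    }
	    if (!pass) pass = config_getstring(IMAPOPT_PROXY_PASSWORD);
	}
	/* … unchanged: mysasl_callbacks() call … */
```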
@@ -207,6 +218,10 @@
 			(userid  && *userid ? SASL_NEED_PROXY : 0) |
 			(prot->sasl_cmd.parse_success ? SASL_SUCCESS_DATA : 0),
 			&s->saslconn);
+    
+    if (mustfree)
+	free(pass);
+
     if (r != SASL_OK) {
 	return r;
     }
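Review bot: The buffer released by `free(pass)` still holds the cleartext proxy password, so the secret stays in freed heap memory where a later allocation or a core dump can expose it. Wipe the 256-byte buffer before freeing it, using a zeroing routine the compiler cannot elide, since a plain `memset` immediately before `free` may be optimized away. This check also depends on `mustfree` starting at 0, which the declaration in the first hunk does not guarantee. The function continues outside this hunk.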
diff -ruN src-2.3.12p2-orig/lib/imapoptions src-2.3.12p2/lib/imapoptions
--- src-2.3.12p2-orig/lib/imapoptions	2008-07-23 16:40:15.000000000 +0200
+++ src-2.3.12p2/lib/imapoptions	2008-07-28 08:09:14.000000000 +0200
@@ -770,6 +770,10 @@
 /* The authentication name to use when authenticating to a backend server
    in the Cyrus Murder. */
 
+{ "proxy_passfile", NULL, STRING }
+/* File containing password to use when authenticating to a backend server
+   in the Cyrus Murder. */
+
 { "proxy_password", NULL, STRING }
 /* The default password to use when authenticating to a backend server
    in the Cyrus Murder.  May be overridden on a host-specific basis using
diff -ruN src-2.3.12p2-orig/lib/imapopts.c src-2.3.12p2/lib/imapopts.c
--- src-2.3.12p2-orig/lib/imapopts.c	2008-07-23 16:40:15.000000000 +0200
+++ src-2.3.12p2/lib/imapopts.c	2008-07-28 08:09:14.000000000 +0200
@@ -159,6 +159,7 @@
   { IMAPOPT_POSTSPEC, "postspec", 0, {(void *)(NULL)}, OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },
   { IMAPOPT_POSTUSER, "postuser", 0, {(void *)("")}, OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },
   { IMAPOPT_PROXY_AUTHNAME, "proxy_authname", 0, {(void *)("proxy")}, OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },
+  { IMAPOPT_PROXY_PASSFILE, "proxy_passfile", 0, {(void *)(NULL)}, OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },
   { IMAPOPT_PROXY_PASSWORD, "proxy_password", 0, {(void *)(NULL)}, OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },
   { IMAPOPT_PROXY_REALM, "proxy_realm", 0, {(void *)(NULL)}, OPT_STRING, {  { NULL, IMAP_ENUM_ZERO } } },
   { IMAPOPT_PROXYD_ALLOW_STATUS_REFERRAL, "proxyd_allow_status_referral", 0, {(void*)0}, OPT_SWITCH, {  { NULL, IMAP_ENUM_ZERO } } },
diff -ruN src-2.3.12p2-orig/lib/imapopts.h src-2.3.12p2/lib/imapopts.h
--- src-2.3.12p2-orig/lib/imapopts.h	2008-07-23 16:40:15.000000000 +0200
+++ src-2.3.12p2/lib/imapopts.h	2008-07-28 08:09:14.000000000 +0200
@@ -146,6 +146,7 @@
   IMAPOPT_POSTSPEC,
   IMAPOPT_POSTUSER,
   IMAPOPT_PROXY_AUTHNAME,
+  IMAPOPT_PROXY_PASSFILE,
   IMAPOPT_PROXY_PASSWORD,
   IMAPOPT_PROXY_REALM,
   IMAPOPT_PROXYD_ALLOW_STATUS_REFERRAL,
diff -ruN src-2.3.12p2-orig/man/imapd.conf.5 src-2.3.12p2/man/imapd.conf.5
--- src-2.3.12p2-orig/man/imapd.conf.5	2008-07-23 16:40:15.000000000 +0200
+++ src-2.3.12p2/man/imapd.conf.5	2008-07-28 08:09:14.000000000 +0200
@@ -653,6 +653,9 @@
 The default password to use when authenticating to a backend server
 in the Cyrus Murder.  May be overridden on a host-specific basis using
 the hostname_password option. 
+.IP "\fBproxy_passfile:\fR <none>" 5
+File containing password to use when authenticating to a backend server 
+in the Cyrus Murder
 .IP "\fBproxy_realm:\fR <none>" 5
 The authentication realm to use when authenticating to a backend server
 in the Cyrus Murder 

