From 71e908a1d60838525f257530fc55cc466d60d372 Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan@rename-it.nl>
Date: Tue, 19 Jan 2016 22:33:02 +0100
Subject: [PATCH] managesieve-login: Fixed proxy to allow SASL mechanisms other
 than PLAIN. Also made sure that any capability-derived state information is
 reset properly before a new capability reply is to be parsed.

---
 src/managesieve-login/client.h            |  2 +-
 src/managesieve-login/managesieve-proxy.c | 19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/managesieve-login/client.h b/src/managesieve-login/client.h
index 08276690c..e62269a96 100644
--- a/src/managesieve-login/client.h
+++ b/src/managesieve-login/client.h
@@ -31,7 +31,7 @@ struct managesieve_client {
 	unsigned int auth_mech_name_parsed:1;
 
 	unsigned int proxy_starttls:1;
-	unsigned int proxy_sasl_plain:1;
+	unsigned int proxy_sasl:1;
 	unsigned int proxy_xclient:1;
 };
 
diff --git a/src/managesieve-login/managesieve-proxy.c b/src/managesieve-login/managesieve-proxy.c
index 0eec4e940..fa96c783b 100644
--- a/src/managesieve-login/managesieve-proxy.c
+++ b/src/managesieve-login/managesieve-proxy.c
@@ -78,9 +78,11 @@ static int proxy_write_auth
 
 	i_assert(client->common.proxy_ttl > 1);
 
-	if ( !client->proxy_sasl_plain ) {
+	if ( !client->proxy_sasl ) {
+		/* Prevent sending credentials to a server that has login disabled;
+		   i.e., due to the lack of TLS */
 		client_log_err(&client->common, "proxy: "
-			"Server does not support required PLAIN SASL mechanism");
+			"Server has disabled authentication (TLS required?)");
 		return -1;
 	}
 
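Review bot: The guard in proxy_write_auth now passes as soon as the backend advertised any SASL mechanism, so nothing in this hunk confirms that the mechanism the proxy is about to use is one the backend actually listed. If the rest of the function (outside the hunk) can still select PLAIN against a backend that offered only non-plaintext mechanisms on an unencrypted connection, the password would be written in a form the server never asked for. Consider keeping the parsed mechanism list and checking the selected mechanism against it before the AUTHENTICATE command is written, failing with a client_log_err in the same way as this branch. The new comment could also state that an empty SASL capability is what leaves `proxy_sasl` unset.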
@@ -283,10 +285,10 @@ static int proxy_input_capability
 				if ( ret == 2 && managesieve_arg_get_string(&args[1], &sasl_mechs) ) {
 					const char *const *mechs = t_strsplit(sasl_mechs, " ");
 
-					if ( str_array_icase_find(mechs, "PLAIN") )
-						client->proxy_sasl_plain = TRUE;
-					else
-						client->proxy_sasl_plain = FALSE;
+					if ( *mechs != NULL ) {
+						/* At least one SASL mechanism is supported */
+						client->proxy_sasl = TRUE;
+					}
 
 				} else {
 					client_log_err(&client->common, "proxy: "
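Review bot: The new branch only ever sets `proxy_sasl` to TRUE, so a capability reply with an empty SASL list leaves the flag at whatever value it had before. Correctness therefore depends on the resets added elsewhere in this commit having run before every capability reply is parsed. Assigning unconditionally keeps the parser self-contained and restores the explicit FALSE the old code had: `client->proxy_sasl = ( *mechs != NULL );`. The surrounding loop of proxy_input_capability starts and ends outside the hunk, so other paths into this branch cannot be ruled out from here.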
@@ -404,6 +406,8 @@ int managesieve_proxy_parse_line(struct client *client, const char *line)
 				return -1;
 			}
 
+			msieve_client->proxy_sasl = FALSE;
+			msieve_client->proxy_xclient = FALSE;
 			msieve_client->proxy_state = MSIEVE_PROXY_STATE_TLS_READY;
 			return 1;
 		}
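Review bot: The two flag resets before the switch to MSIEVE_PROXY_STATE_TLS_READY carry no comment, although the reason is security-relevant: capabilities read before TLS arrived unprotected and should not influence how credentials are sent afterwards. I would add `/* Forget pre-TLS capabilities; only the reply received over TLS is trusted */` above them. `proxy_starttls` stays set on this path while managesieve_proxy_reset clears all three flags; if that asymmetry is intentional, the comment should say so. The enclosing branch of managesieve_proxy_parse_line begins outside the hunk.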
@@ -538,6 +542,9 @@ void managesieve_proxy_reset(struct client *client)
 	struct managesieve_client *msieve_client =
 		(struct managesieve_client *) client;
 
+	msieve_client->proxy_starttls = FALSE;
+	msieve_client->proxy_sasl = FALSE;
+	msieve_client->proxy_xclient = FALSE;
 	msieve_client->proxy_state = MSIEVE_PROXY_STATE_NONE;
 }
 
-- 
GitLab