Re: connection notes across TLS?

2006-08-09 Thread Michael Holzt
> No, the connect hook has already fired by the time that the TLS connection is
> established.

But if the switch to TLS has basically the same effect as opening a new
connection, we should probably run the connect-hook again at that time.
Or we could have an additional 'connect_tls' (or 'connect_restart'?) 
hook (which could also be used on port 465 for the deprecated ssmtp).

> That happens later at STARTTLS (by hooking into unrecognized_command),
> which is typically immediately after EHLO has completed.

So maybe the unrecognized_command hook should have a possible return
value of 'RESTART' which signals the core to restart the connection.

I consider TLS being implemented by unrecognized_command unclean anyway. We
should probably have a special TLS-Hook and TLS is only offered by the core
if a plugin is installed into the TLS-Hook (like AUTH is implemented). This
would also allow to have more than one TLS-Plugin, for example a generic
plugin first, starting an encrypted connection, and a second plugin next,
checking e.g. a client certificate. Would be more flexible imho.


As a side note and preliminary information: I'm proud to tell you that there
will be a printed article about qpsmtpd in one of the next issues of the
German magazine 'iX' written by me :-)


Regards
Michael

-- 
  It's an insane world, but i'm proud to be a part of it. -- Bill Hicks


Re: connection notes across TLS?

2006-08-09 Thread John Peacock

Michael Holzt wrote:

> But if the switch to TLS has basically the same effect as opening a new
> connection, we should probably run the connect-hook again at that time.
> Or we could have an additional 'connect_tls' (or 'connect_restart'?)
> hook (which could also be used on port 465 for the deprecated ssmtp).


It is and it isn't the same thing as opening a new connection.  I think 
of connect() being at the TCP level and everything after EHLO/HELO to be 
at the SMTP level.  I don't think that it would be appropriate to 
generically rerun the connect hook after TLSSTART (but see below).



> I consider TLS being implemented by unrecognized_command unclean anyway. We
> should probably have a special TLS-Hook and TLS is only offered by the core
> if a plugin is installed into the TLS-Hook (like AUTH is implemented). This
> would also allow to have more than one TLS-Plugin, for example a generic
> plugin first, starting an encrypted connection, and a second plugin next,
> checking e.g. a client certificate. Would be more flexible imho.


At this point, I think TLS is stable enough that this would be my 
preferred route as well.  I wonder if it is time to provide a 
register_extension() sub that could be used to generically support 
extended SMTP commands without having to hack the core every time one 
comes around.  AUTH could get refitted to use this method then.


In any case, once we have a tls() hook, we can then have a post_tls() 
hook which would be the appropriate place to redo any connect()-like 
hooks (like the OP wanted).


John


Re: connection notes across TLS?

2006-08-09 Thread Matt Sergeant

On 9-Aug-06, at 7:17 AM, Michael Holzt wrote:

> I consider TLS being implemented by unrecognized_command unclean
> anyway.


Ironically I consider the way AUTH was implemented to be unclean.  
It's all a matter of perspective.


Re: connection notes across TLS?

2006-08-09 Thread Matt Sergeant

On 9-Aug-06, at 12:47 PM, Michael Holzt wrote:


>>> I consider TLS being implemented by unrecognized_command unclean
>>> anyway.
>>
>> Ironically I consider the way AUTH was implemented to be unclean.
>> It's all a matter of perspective.


> Oh, I'm sure we can agree that both ways are not too clean. I think
> the new proposal for registering extensions/commands is a good
> solution to cleanup both.


Yeah agreed - it does seem like a good plan (though I guess there are  
a finite number of useful extensions - but at work we're talking  
about ways in which we could use a custom version of SMTP as a sort  
of milter interface).


connection notes across TLS?

2006-08-08 Thread sub-qp-stuff
I am running 0.32 forkserver with mostly custom/customized
plugins. I have a connection plugin (connect hook) which happens to set
some connection notes, but when TLS runs, the notes are no longer there.

I think that sounds appropriate, as TLS essentially starts a new
connection.

But with my connection plugin listed after the TLS plugin, will
that connection hook not fire again? What I can verify in the log (without
debug levels) is that the connection plugin runs before the TLS plugin,
but I haven't verified if the connection plugin actually runs again - I
suspect it doesn't.

Can anyone confirm if the connect hook will fire after TLS (it's
listed after TLS in the config/plugins file)?

Can anyone please suggest a simple way to pass a note from the
connection plugin to everything after TLS?

Thanks.


Re: connection notes across TLS?

2006-08-08 Thread John Peacock
[EMAIL PROTECTED] wrote:
> I think that sounds appropriate, as TLS essentially starts a new
> connection.

It's a required part of the RFC, see RFC-2487 Section 5.2:

> Upon completion of the TLS handshake, ... [t]he server MUST discard any
> knowledge obtained from the client...

> Can anyone confirm if the connect hook will fire after TLS (it's
> listed after TLS in the config/plugins file)?

No, the connect hook has already fired by the time that the TLS connection is
established.  That happens later at STARTTLS (by hooking into
unrecognized_command), which is typically immediately after EHLO has completed.
The order of lines in config/plugins only determines what order *within* *each*
*hook* the plugins will fire.

> Can anyone please suggest a simple way to pass a note from the
> connection plugin to everything after TLS?

You can't.  What information are you trying to pass?  Can you redo whatever
analysis you performed before, say in a rcpt hook?

John


Re: connection notes across TLS?

2006-08-08 Thread sub-qp-stuff
On Tue, 8 Aug 2006, John Peacock wrote:

> [EMAIL PROTECTED] wrote:
>> Can anyone please suggest a simple way to pass a note from the
>> connection plugin to everything after TLS?
>
> You can't.  What information are you trying to pass?  Can you redo whatever
> analysis you performed before, say in a rcpt hook?

I set a note based on the results of an IP lookup on a local
database. I should be able to get the IP again with
$self->qp->connection->remote_ip and rerun the lookup - just need to
figure the best hook to put it into, and whether or not to create a
separate plugin for it.

Probably a separate plugin that checks for
$transaction->notes('tls_enabled'). Which hook...

(Thanks.)
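John's advice (redo the lookup in a later hook such as rcpt) and the plan in the last message (a separate plugin that re-checks the remote IP) combined into one plugin, as an added Perl example; this is not code from the thread or from qpsmtpd's own plugin set. It assumes the plugin API of that era (a `register` sub calling `register_hook`, the rcpt handler receiving `($self, $transaction, $recipient)`, and `DECLINED`/`LOGINFO` from Qpsmtpd::Constants), it assumes the tls plugin records `tls_enabled` as a note on the connection object (the message above refers to it as a transaction note, so check which one your tls plugin sets), and the plugin name `ip_class_after_tls`, the `lookup_ip_class` helper and its in-memory table are constructed stand-ins for the poster's local database. The point of recomputing rather than carrying the old note over is the RFC requirement John quoted: nothing learned on the plaintext half of the session should survive into the encrypted half, so the only input reused is the remote IP, which STARTTLS does not change.

```perl
# ip_class_after_tls: hypothetical qpsmtpd plugin (added example, not from the thread).
# Redoes an IP classification in the rcpt hook, which fires after EHLO and
# therefore after any STARTTLS, so the result is not lost to the TLS restart.
package ip_class_after_tls;

use strict;
use warnings;
use Qpsmtpd::Constants;

# Constructed sample data standing in for the poster's local database:
# first three octets of the client address -> classification.
my %CLASS_BY_PREFIX = (
    '192.0.2'    => 'partner',
    '198.51.100' => 'known_bad',
);

sub register {
    my ($self, $qp, @args) = @_;
    # rcpt is a per-recipient hook; the handler below caches its result in a
    # connection note so the lookup runs once per (post-TLS) connection.
    $self->register_hook('rcpt', 'rcpt_handler');
}

# Pure lookup: returns the class for a dotted-quad IPv4 address, or undef
# when the address is malformed or its prefix is not in the table.
sub lookup_ip_class {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/;
    return $CLASS_BY_PREFIX{$1};
}

sub rcpt_handler {
    my ($self, $transaction, $recipient) = @_;
    my $conn = $self->qp->connection;

    # After STARTTLS the connection notes are gone, so this branch runs again
    # on the encrypted connection and recomputes from remote_ip only.
    unless (defined $conn->notes('ip_class')) {
        my $class = lookup_ip_class($conn->remote_ip) || 'unknown';
        $conn->notes('ip_class', $class);
        my $tls = $conn->notes('tls_enabled') ? 1 : 0;   # assumed note name
        $self->log(LOGINFO, "remote_ip=" . $conn->remote_ip
                          . " ip_class=$class tls_enabled=$tls");
    }

    # Copy into the transaction so per-message hooks (data, queue) can read it.
    $transaction->notes('ip_class', $conn->notes('ip_class'));

    # Never decides the recipient itself; policy plugins later in the chain
    # can read the note and act on it.
    return (DECLINED);
}

1;
```

Drop the file into the plugins directory and list it in config/plugins. Its position relative to the tls plugin does not matter here: as John points out, that ordering only applies within a single hook, and this plugin shares no hook with tls.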