Ryan Schlesinger
This patch is designed to add forcetls functionality to qmail-1.03 when patched with the qmail-1.03-jms1.5 patch (http://www.jms1.net/qmail/qmail-1.03-jms1.5.patch). This will prevent users from using AUTH without first issuing STARTTLS. It will NOT prevent unauthenticated users from sending email (ie local network traffic). It also will not advertise CRAM-MD5 after STARTTLS since it's not needed inside of TLS and CRAM-MD5 can slow down the SMTP transaction.
To enable forcetls: echo 1 > /var/qmail/control/smtpforcetls
To disable forcetls: echo 0 > /var/qmail/control/smtpforcetls
(If the smtpforcetls file is missing, forcetls will default to off.)
Special thanks to the administrator of the qmailrocks package for helping me test this.
diff -U 3 qmail-1.03.orig/qmail-smtpd.c qmail-1.03/qmail-smtpd.c
--- qmail-1.03.orig/qmail-smtpd.c 2004-07-04 00:32:09.000000000 -0400
+++ qmail-1.03/qmail-smtpd.c 2004-07-04 00:35:37.000000000 -0400
@@ -38,7 +38,7 @@
 stralloc tlsserverciphers = {0};
 #endif
-/* #define AUTHCRAM */
+#define AUTHCRAM
 #define MAXHOPS 100
 unsigned int databytes = 0;
 unsigned int mfchk = 0;
@@ -48,6 +48,7 @@
 unsigned int spfbehavior = 0;
 int useauth = 0;
 unsigned int essl = 0;
+int forcetls = 0;
 #ifdef TLS
 int flagtimedout = 0;
@@ -248,6 +249,8 @@
 if (!stralloc_0(&tlsserverciphers)) die_nomem();
 #endif
+ if(control_readint(&forcetls,"control/smtpforcetls") == -1) die_control();
+
 dohelo(remotehost);
 }
@@ -368,11 +371,19 @@
 void smtp_ehlo(arg) char *arg;
 {
 smtp_greet("250-");
- if ( useauth && ( ssl || essl ) )
+ if ( useauth && ( ssl || essl || !forcetls ) )
 {
 #ifdef AUTHCRAM
- out("\r\n250-AUTH LOGIN CRAM-MD5 PLAIN");
- out("\r\n250-AUTH=LOGIN CRAM-MD5 PLAIN");
+ if( !ssl )
+ {
+ out("\r\n250-AUTH LOGIN CRAM-MD5 PLAIN");
+ out("\r\n250-AUTH=LOGIN CRAM-MD5 PLAIN");
+ }
+ else
+ {
+ out("\r\n250-AUTH LOGIN PLAIN");
+ out("\r\n250-AUTH=LOGIN PLAIN");
+ }
 #else
 out("\r\n250-AUTH LOGIN PLAIN");
 out("\r\n250-AUTH=LOGIN PLAIN");
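Review bot: `+#define AUTHCRAM` switches CRAM-MD5 on unconditionally for every site that applies this patch, and the description never mentions it; it is a build-configuration change independent of forcetls, and it means a cleartext session with forcetls off now advertises CRAM-MD5 alongside LOGIN and PLAIN. Whether CRAM-MD5 can actually be verified depends on the checkpassword program behind `useauth`, which this hunk cannot show, so enabling it by default may only produce authentication failures on sites without a CRAM-capable backend. I would keep the original `/* #define AUTHCRAM */` untouched and let the build pass `-DAUTHCRAM` where wanted, and state the new default in the description if it stays.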
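Review bot: The new `control_readint` call carries no comment saying what the value means, and the enclosing function starts before this hunk. As the description says, `control_readint` leaves `forcetls` at 0 when the file is absent, so the only documentation of the on/off semantics is the patch header; I would add above the call `/* control/smtpforcetls: nonzero = refuse AUTH until STARTTLS; missing file = 0 (AUTH allowed in the clear) */`. It is also worth noting, here or in the description, that with forcetls set and TLS not negotiated for whatever reason AUTH is simply never offered — that is the safe direction, but an operator chasing a "503 auth not available" will not otherwise know why.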
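Review bot: The `if( !ssl )` test keys the CRAM-MD5 suppression on `ssl` alone, while the outer condition treats `ssl` and `essl` as equivalent TLS states, so an `essl` session (presumably TLS set up by a wrapper before qmail-smtpd runs — confirm what `essl` means in the jms1 patch) still gets CRAM-MD5 advertised, contrary to the stated rationale that it is not needed inside TLS. If that reading is right the test should be `if( !ssl && !essl )`. Separately, the new `else` branch repeats the two `#else` lines verbatim; choosing the mechanism list once, e.g. `const char *mechs = (ssl || essl) ? "LOGIN PLAIN" : "LOGIN CRAM-MD5 PLAIN";`, and printing it in both `250-AUTH` lines would remove the duplication. Because the outer condition is now also true when forcetls is off, the `!ssl` path advertises LOGIN and PLAIN on a cleartext session — the documented trade-off, but a one-line comment here would stop someone "fixing" it later. smtp_ehlo's body continues past the end of the hunk.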
@@ -938,7 +949,7 @@
 int i;
 char *cmd = arg;
- if (!( useauth && (ssl||essl) ))
+ if (!( useauth && ( ssl || essl || !forcetls ) ))
 {
 out("503 auth not available (#5.3.3)\r\n");
 return;
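Review bot: With forcetls set and no TLS, the new condition makes `smtp_auth` answer `503 auth not available (#5.3.3)`, the same reply given when AUTH is disabled outright, so neither a client nor an operator reading logs can tell "AUTH is off" from "you must STARTTLS first". RFC 3207 §4 defines `530 5.7.0 Must issue a STARTTLS command first` for exactly this case; I would test it before the existing check, `if (useauth && forcetls && !ssl && !essl) { out("530 Must issue a STARTTLS command first (#5.7.0)\r\n"); return; }`, and keep the 503 for the `!useauth` case. `smtp_auth` starts before this hunk and continues after it.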