192 elseif not session.dialback_verifying then |
192 elseif not session.dialback_verifying then |
193 session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up"); |
193 session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up"); |
194 session:close({ |
194 session:close({ |
195 condition = "unsupported-feature", |
195 condition = "unsupported-feature", |
196 text = "No viable authentication method offered", |
196 text = "No viable authentication method offered", |
197 }); |
197 }, nil, "No viable authentication method offered by remote server"); |
198 return false; |
198 return false; |
199 end |
199 end |
200 end, -1); |
200 end, -1); |
201 end |
201 end |
202 |
202 |
253 if require_encryption or (secure_auth and not(insecure_domains[host])) or secure_domains[host] then |
253 if require_encryption or (secure_auth and not(insecure_domains[host])) or secure_domains[host] then |
254 session:close({ |
254 session:close({ |
255 condition = "policy-violation", |
255 condition = "policy-violation", |
256 text = "Encrypted server-to-server communication is required but was not " |
256 text = "Encrypted server-to-server communication is required but was not " |
257 ..((session.direction == "outgoing" and "offered") or "used") |
257 ..((session.direction == "outgoing" and "offered") or "used") |
258 }); |
258 }, nil, "Could not establish encrypted connection to remote server"); |
259 end |
259 end |
260 end |
260 end |
261 if hosts[host] then |
261 if hosts[host] then |
262 session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" }); |
262 session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" }); |
263 end |
263 end |
606 data = filter("bytes/in", data); |
606 data = filter("bytes/in", data); |
607 if data then |
607 if data then |
608 local ok, err = stream:feed(data); |
608 local ok, err = stream:feed(data); |
609 if ok then return; end |
609 if ok then return; end |
610 log("debug", "Received invalid XML (%s) %d bytes: %q", err, #data, data:sub(1, 300)); |
610 log("debug", "Received invalid XML (%s) %d bytes: %q", err, #data, data:sub(1, 300)); |
611 session:close("not-well-formed"); |
611 session:close("not-well-formed", nil, "Received invalid XML from remote server"); |
612 end |
612 end |
613 end |
613 end |
614 |
614 |
615 session.close = session_close; |
615 session.close = session_close; |
616 |
616 |
736 end |
736 end |
737 |
737 |
738 if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then |
738 if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then |
739 module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)"); |
739 module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)"); |
740 if session.direction == "incoming" then |
740 if session.direction == "incoming" then |
741 session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host }); |
741 session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host }, |
|
742 nil, "Remote server's certificate is invalid, expired, or not trusted"); |
742 else -- Close outgoing connections without warning |
743 else -- Close outgoing connections without warning |
743 session:close(false); |
744 session:close(false, nil, "Remote server's certificate is invalid, expired, or not trusted"); |
744 end |
745 end |
745 return false; |
746 return false; |
746 end |
747 end |
747 end |
748 end |
748 |
749 |
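Review bot: The policy-violation close at new lines 254-258 is not followed by a `return`, so a session that fails the encryption requirement falls through to the `hosts[host]` check at 261 and to whatever follows line 263, which is outside this hunk. The closes at 194-198 and 741-746 both end with `return false;`, so the difference looks unintended; if the enclosing function goes on to mark the session authenticated, that would rely on the close having already torn the session down. I would add `return false;` after the closes at 258 and 262 (assuming the caller accepts that return value), or a comment explaining why continuing is safe. The close at 262 is also the only one shown that does not receive the new third argument; a one-line comment would confirm whether that is deliberate.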