From 56e8f9b656fdc8bbec569b6ac5deb6fe66c62aed Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Sun, 31 Oct 2021 12:53:45 +0100
Subject: IMAP: improve STARTTLS error message for ssh-plugin case

For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin - no matter its contents - and that set auth ssh), change the STARTTLS error message to suggest sslproto '' instead.
---
 imap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'imap.c')

diff --git a/imap.c b/imap.c
index f57c3e0f..0580d901 100644
--- a/imap.c
+++ b/imap.c
@@ -489,8 +489,13 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 #ifdef SSL_ENABLE
 /* Defend against a PREAUTH-prevents-STARTTLS attack */
 if (preauth && must_starttls(ctl)) {
- report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted " "because of authenticated state (PREAUTH). Aborting connection. Server permitting, try --ssl instead (see manual).\n"), commonname);
+ if (ctl->server.plugin && A_SSH == ctl->server.authenticate) {
+ report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted " "because of authenticated state (PREAUTH). Aborting connection. If your plugin is secure, you can defeat STARTTLS with --sslproto '' (see manual).\n"), commonname);
+ } else {
+ report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted " "because of authenticated state (PREAUTH). Aborting connection. Server permitting, try --ssl instead (see manual).\n"), commonname);
+ }
 preauth = FALSE; /* reset for the next session */
 return PS_SOCKET;
 }
-- cgit v1.2.3
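Review bot: The new ssh-plugin branch tells the user to "defeat STARTTLS with --sslproto ''", but that setting drops fetchmail's TLS requirement for the whole session rather than only skipping the STARTTLS step, so a user who misjudges a non-encrypting plugin as "secure" ends up on cleartext IMAP with no further warning; the message should state that consequence and name the condition under which it is acceptable. Suggested wording for that report() call: `"... Aborting connection. If the plugin itself already encrypts the transport (e.g. an ssh tunnel), you can drop fetchmail's TLS requirement with --sslproto '' (see manual).\n"`. The guard `ctl->server.plugin && A_SSH == ctl->server.authenticate` accepts any plugin command, as the commit message says, so the wording is the only thing that distinguishes an ssh tunnel from an arbitrary program. Duplicating the long shared prefix across the two GT_() strings is acceptable here, since splitting translatable messages into fragments would hurt translators more than the repetition hurts readability. imap_getauth begins and ends outside the hunk.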