plugins/mod_s2s/mod_s2s.lua @ 5390:b3c8757ee4f4
mod_s2s: Prevent s2s to and from hosts we serve locally
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 27 Mar 2013 23:09:47 +0100 |
parent | 5389:d147a4227a72 |
child | 5408:767ecb0091a6 |
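--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -78,10 +78,14 @@
 local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
 if not hosts[from_host] then
 log("warn", "Attempt to send stanza from %s - a host we don't serve", from_host);
 return false;
 end
+if hosts[to_host] then
+log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", from_host);
+return false;
+end
 local host = hosts[from_host].s2sout[to_host];
 if host then
 -- We have a connection to this host already
 if host.type == "s2sout_unauthed" and (stanza.name ~= "db:verify" or not host.dialback_key) then
 (host.log or log)("debug", "trying to send over unauthed s2sout to "..to_host);
@@ -185,10 +189,13 @@
 condition = "policy-violation",
 text = "Encrypted server-to-server communication is required but was not "
 ..((session.direction == "outgoing" and "offered") or "used")
 });
 end
+end
+if hosts[host] then
+session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
 end
 if session.type == "s2sout_unauthed" then
 session.type = "s2sout";
 elseif session.type == "s2sin_unauthed" then
 session.type = "s2sin";
@@ -317,10 +324,15 @@
 condition = "policy-violation";
 text = "Server-to-server communication is disabled for this host";
 });
 return;
 end
+end
+
+if hosts[from] then
+session:close({ condition = "undefined-condition", text = "Attempt to connect from a host we serve" });
+return;
 end
 
 if session.secure and not session.cert_chain_status then
 if check_cert_status(session) == false then
 return;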
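Review bot: The warning added in the first hunk logs the wrong host: the guard tests `hosts[to_host]`, but the format argument is `from_host`, so "Attempt to route stanza to a remote %s - a host we do serve?!" names the local sender rather than the destination that tripped the check, which makes the log useless for tracing the misrouted stanza; change it to `log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", to_host);`. In the second hunk the new `hosts[host]` check closes the session but, unlike the matching check in the third hunk, does not return, so execution falls through to the `session.type = "s2sout"`/`"s2sin"` assignments below on a session that was just closed; unless `session:close` is known to make that harmless, add `return;` after the close. Each of these hunks sits inside a function that starts before and ends after it.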