net_reader: no STARTTLS for IMAP localhost or onions

At least not by default, to match existing NNTP behavior.
Tor .onions are already encrypted, and there's no point
in encrypting traffic on localhost outside of testing.

diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 236e824cd26d48ec2326b97455b139d0b5841a65..e305523e300b16c2b32b59442ecadf44be683c02 100644 (file)
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -91,6 +91,16 @@ try configuring a socks5h:// proxy:
 EOM
 }
 
+# Net::NNTP doesn't support CAPABILITIES, yet; and both IMAP+NNTP
+# servers may have multiple listen sockets.
+sub try_starttls ($) {
+       my ($host) = @_;
+       return if $host =~ /\.onion\z/si;
+       return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
+       return if $host eq '::1';
+       1;
+}
+
 # mic_for may prompt the user and store auth info, prepares mic_get
 sub mic_for ($$$$) { # mic = Mail::IMAPClient
        my ($self, $uri, $mic_common, $lei) = @_;
@@ -122,6 +132,7 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
        # it to be disabled since I usually connect to localhost
        if (!$mic_arg->{Ssl} && !defined($mic_arg->{Starttls}) &&
                        $mic->has_capability('STARTTLS') &&
+                       try_starttls($host) &&
                        $mic->can('starttls')) {
                $mic->starttls or die "E: <$uri> STARTTLS: $@\n";
        }
@@ -164,15 +175,6 @@ sub mic_for ($$$$) { # mic = Mail::IMAPClient
        $mic;
 }
 
-# Net::NNTP doesn't support CAPABILITIES, yet
-sub try_starttls ($) {
-       my ($host) = @_;
-       return if $host =~ /\.onion\z/s;
-       return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
-       return if $host eq '::1';
-       1;
-}
-
 sub nn_new ($$$) {
        my ($nn_arg, $nntp_cfg, $uri) = @_;
        my $nn;

diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 72ba8769610a90db756fb20d6773e090e010abb6..73f5112fcb7275e672be10a944f4c143e9a2be16 100644 (file)
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,8 @@
+#!perl -w
 # Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
 use strict;
-use warnings;
-use Test::More;
+use v5.10.1;
 use Socket qw(IPPROTO_TCP SOL_SOCKET);
 use PublicInbox::TestCommon;
 # IO::Poll is part of the standard library, but distros may split it off...
@@ -155,6 +155,13 @@ for my $args (
        ok(sysread($slow, my $end, 4096) > 0, 'got end');
        is(sysread($slow, my $eof, 4096), 0, 'got EOF');
 
+       test_lei(sub {
+               lei_ok qw(ls-mail-source), "imap://$starttls_addr",
+                       \'STARTTLS not used by default';
+               ok(!lei(qw(ls-mail-source -c imap.starttls=true),
+                       "imap://$starttls_addr"), 'STARTTLS verify fails');
+       });
+
        SKIP: {
                skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
                my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;

diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 2c09d34e5b452fadebd31c987ed4082903e79caa..9af6c25443a07d768adceadf186e6e3568a9bf61 100644 (file)
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -146,6 +146,14 @@ for my $args (
        is(sysread($slow, my $eof, 4096), 0, 'got EOF');
        $slow = undef;
 
+       test_lei(sub {
+               lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
+                       \'STARTTLS not used by default';
+               ok(!lei(qw(ls-mail-source -c nntp.starttls=true),
+                       "nntp://$starttls_addr"), 'STARTTLS verify fails');
+               diag $lei_err;
+       });
+
        SKIP: {
                skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
                my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;