Inform the client when a SASL message cannot be sent

When SASL is properly configured with a 'target' server, we are able
to inform the client when the message fails to send.
Currently if a target is configured and it is offline, no response is
sent. This can cause some clients to time out while waiting for a response.

If a target isn't configured, behaviour will not change with this commit.
The default of '*' will still send to all servers.
Updated example config with 'target' variable.
genius3000 2017-07-27 03:05:44 -06:00
parent 5c65a0a03d
commit 9d4b4344b4
2 changed files with 11 additions and 0 deletions


@ -1591,6 +1591,13 @@
# Layer via AUTHENTICATE. Note: You also need to have m_cap.so loaded
# for SASL to work.
#<module name="m_sasl.so">
# Define the following to your services server name to improve security
# by ensuring the SASL messages are only sent to the services server
# and not to all connected servers. This prevents a rogue server from
# capturing SASL messages. Having this defined can also improve client
# connections when your services are down, as the client will be told
# that SASL failed rather than just timing out on registration.
#<sasl target="services.mynetwork.com">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Secure list module: Prevent /LIST in the first minute of connection,
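Review bot: The new comment block above `#<sasl target="services.mynetwork.com">` does not say what happens when the tag is left commented out. The commit message states that the default of '*' still sends to all servers; repeat that here, and note that the failure response to the client only applies once a target is defined, so an operator reading only the example config sees both the security and the availability reason for setting it.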


@ -35,6 +35,10 @@ static void SendSASL(const parameterlist& params)
{
if (!ServerInstance->PI->SendEncapsulatedData(params))
{
User* u = ServerInstance->FindUUID(params[2]);
if (u)
u->WriteNumeric(904, "%s :SASL authentication failed", u->nick.c_str());
SASLFallback(NULL, params);
}
}
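Review bot: `params[2]` in the `FindUUID(params[2])` lookup is indexed without a size check inside the failure branch; guard it with something like `if (params.size() > 2)` before the lookup, or add a comment stating that every caller of SendSASL passes at least three parameters. The literal `904` would read better as a named constant. The text sent is the generic "SASL authentication failed", so a client cannot tell an unreachable target from rejected credentials; consider whether the wording should distinguish the two.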