chiark / gitweb /
Initial commit.
[exim-config] / auth.m4
CommitLineData
185b5456
MW
1### -*-m4-*-
2###
3### Client authentication for distorted.org.uk Exim configuration
4###
5### (c) 2012 Mark Wooding
6###
7
8###----- Licensing notice ---------------------------------------------------
9###
10### This program is free software; you can redistribute it and/or modify
11### it under the terms of the GNU General Public License as published by
12### the Free Software Foundation; either version 2 of the License, or
13### (at your option) any later version.
14###
15### This program is distributed in the hope that it will be useful,
16### but WITHOUT ANY WARRANTY; without even the implied warranty of
17### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18### GNU General Public License for more details.
19###
20### You should have received a copy of the GNU General Public License
21### along with this program; if not, write to the Free Software Foundation,
22### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24###--------------------------------------------------------------------------
25### Authenticators.
26
27m4_define(<:CHECK_PASSWD:>,
28<:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
29 {${if crypteq {$2} {$value}}} \
30 {false}}:>)
31
32m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
33<:or {{match_ip {$sender_host_address}{+localnet}} \
34 {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
35
36SECTION(auth)m4_dnl
37plain:
38 driver = plaintext
39 public_name = PLAIN
40 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
41 server_prompts = :
42 server_condition = CHECK_PASSWD($auth2, $auth3)
43 server_set_id = $auth2
44
45login:
46 driver = plaintext
47 public_name = LOGIN
48 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
49 server_prompts = <; Username: ; Password:
50 server_condition = CHECK_PASSWD($auth1, $auth2)
51 server_set_id = $auth1
52
53DIVERT(null)
54###--------------------------------------------------------------------------
55### Verification of sender address.
56
57SECTION(global, acl)m4_dnl
58acl_not_smtp_start = not_smtp_start
59SECTION(acl, misc)m4_dnl
60not_smtp_start:
61 ## Record the user's name.
62 warn set acl_c_user = $sender_ident
63
64SECTION(acl, mail-hooks)m4_dnl
65 ## Check that a submitted message's sender address is allowable.
66 require acl = mail_check_auth
67
68SECTION(acl, misc)m4_dnl
69mail_check_auth:
70
71 ## If this isn't a submission then it doesn't need checking.
72 accept condition = ${if !eq{$acl_c_mode}{submission}}
73
74 ## If the caller hasn't formally authenticated, but this is a
75 ## loopback connection, then we can trust identd to tell us the right
76 ## answer. So we should stash the right name somewhere consistent.
77 warn set acl_c_user = $authenticated_id
78 hosts = +localnet
79 !authenticated = *
80 set acl_c_user = $sender_ident
81
82 ## User must be authenticated.
83 deny message = Sender not authenticated
84 !hosts = +localnet
85 !authenticated = *
86
87 ## Make sure that the local part is one that the authenticated sender
88 ## is allowed to claim.
89 deny message = Sender address forbidden to calling user
90 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
91 {${if and {{match_local_part \
92 {$acl_c_user} \
93 {+dom_users}} \
94 {match_local_part \
95 {$sender_address_local_part} \
96 {+dom_locals}}}}},
97 {${if and {{match_local_part \
98 {$sender_address_local_part} \
99 {+user_extaddr}} \
100 {or {{eq {$sender_address_domain} \
101 {}} \
102 {match_domain \
103 {$sender_address_domain} \
104 {+public}}}}}}})}
105
106 ## All done.
107 accept
108
109DIVERT(null)
110###--------------------------------------------------------------------------
111### Dealing with `AUTH' parameters and relaying.
112
113SECTION(global, acl)m4_dnl
114acl_smtp_mailauth = mailauth
115SECTION(acl, misc)m4_dnl
116## Check the `AUTH=...' parameter to a `MAIL' command.
117mailauth:
118 ## If the client has authenticated using TLS then we're OK. The
119 ## sender was presumably checked upstream, and we can believe that
120 ## the name has been transmitted honestly.
121 accept condition = ${if def:tls_peerdn}
122
123 ## If this is submission, and the client has authenticated, then we
124 ## check that the name matches the user.
125 accept condition = ${if eq {$authenticated_sender} \
126 {$authenticated_id@CONF_master_domain}}
127
128 ## Otherwise we can't tell who really sent it.
129 deny message = Authenticated user not authoritative for claimed sender.
130
131DIVERT(null)
132###----- That's all, folks --------------------------------------------------