[exim-config] / auth.m4

### -*-m4-*-
###
### Client authentication for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Authenticators.

m4_define(<:CHECK_PASSWD:>,
<:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
	   {${if crypteq {$2} {$value}}} \
	   {false}}:>)

m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
<:or {{match_ip {$sender_host_address}{+thishost}} \
      {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)

SECTION(auth)m4_dnl
plain:
	driver = plaintext
	public_name = PLAIN
	server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
	server_prompts = :
	server_condition = CHECK_PASSWD($auth2, $auth3)
	server_set_id = $auth2

login:
	driver = plaintext
	public_name = LOGIN
	server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
	server_prompts = <; Username: ; Password:
	server_condition = CHECK_PASSWD($auth1, $auth2)
	server_set_id = $auth1

DIVERT(null)
###--------------------------------------------------------------------------
### Dealing with `AUTH' parameters and relaying.

SECTION(global, acl)m4_dnl
acl_smtp_mailauth = mailauth
SECTION(acl, misc)m4_dnl
## Check the `AUTH=...' parameter to a `MAIL' command.
mailauth:
	## If the client has authenticated using TLS then we're OK.  The
	## sender was presumably checked upstream, and we can believe that
	## the name has been transmitted honestly.
	accept	  condition = ${if def:tls_peerdn}

	## If this is submission, and the client has authenticated, then we
	## check that the name matches the user.
	accept	  condition = ${if eq {$authenticated_sender} \
				      {$authenticated_id@CONF_master_domain}}

	## Otherwise we can't tell who really sent it.
	deny	  message = Authenticated user not authoritative for claimed sender.

DIVERT(null)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Client authentication for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Authenticators.
	26
	27	m4_define(<:CHECK_PASSWD:>,
	28	<:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
	29	{${if crypteq {$2} {$value}}} \
	30	{false}}:>)
	31
	32	m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
4ff4ad42	33	<:or {{match_ip {$sender_host_address}{+thishost}} \
185b5456 MW	34	{and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
	35
	36	SECTION(auth)m4_dnl
	37	plain:
	38	driver = plaintext
	39	public_name = PLAIN
	40	server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
	41	server_prompts = :
	42	server_condition = CHECK_PASSWD($auth2, $auth3)
	43	server_set_id = $auth2
	44
	45	login:
	46	driver = plaintext
	47	public_name = LOGIN
	48	server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
	49	server_prompts = <; Username: ; Password:
	50	server_condition = CHECK_PASSWD($auth1, $auth2)
	51	server_set_id = $auth1
	52
185b5456 MW	53	DIVERT(null)
	54	###--------------------------------------------------------------------------
	55	### Dealing with `AUTH' parameters and relaying.
	56
	57	SECTION(global, acl)m4_dnl
	58	acl_smtp_mailauth = mailauth
	59	SECTION(acl, misc)m4_dnl
	60	## Check the `AUTH=...' parameter to a `MAIL' command.
	61	mailauth:
	62	## If the client has authenticated using TLS then we're OK. The
	63	## sender was presumably checked upstream, and we can believe that
	64	## the name has been transmitted honestly.
	65	accept condition = ${if def:tls_peerdn}
	66
	67	## If this is submission, and the client has authenticated, then we
	68	## check that the name matches the user.
	69	accept condition = ${if eq {$authenticated_sender} \
	70	{$authenticated_id@CONF_master_domain}}
	71
	72	## Otherwise we can't tell who really sent it.
	73	deny message = Authenticated user not authoritative for claimed sender.
	74
	75	DIVERT(null)
	76	###----- That's all, folks --------------------------------------------------