chiark - git - mdw - exim-config/blob - auth.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Client authentication for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Authenticators.
  26
  27 m4_define(<:CHECK_PASSWD:>,
  28 <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
  29            {${if crypteq {$2} {$value}}} \
  30            {false}}:>)
  31
  32 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
  33 <:or {{match_ip {$sender_host_address}{+localnet}} \
  34       {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
  35
  36 SECTION(auth)m4_dnl
  37 plain:
  38         driver = plaintext
  39         public_name = PLAIN
  40         server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
  41         server_prompts = :
  42         server_condition = CHECK_PASSWD($auth2, $auth3)
  43         server_set_id = $auth2
  44
  45 login:
  46         driver = plaintext
  47         public_name = LOGIN
  48         server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
  49         server_prompts = <; Username: ; Password:
  50         server_condition = CHECK_PASSWD($auth1, $auth2)
  51         server_set_id = $auth1
  52
  53 DIVERT(null)
  54 ###--------------------------------------------------------------------------
  55 ### Verification of sender address.
  56
  57 SECTION(global, acl)m4_dnl
  58 acl_not_smtp_start = not_smtp_start
  59 SECTION(acl, misc)m4_dnl
  60 not_smtp_start:
  61         ## Record the user's name.
  62         warn     set acl_c_user = $sender_ident
  63
  64 SECTION(acl, mail-hooks)m4_dnl
  65         ## Check that a submitted message's sender address is allowable.
  66         require  acl = mail_check_auth
  67
  68 SECTION(acl, misc)m4_dnl
  69 mail_check_auth:
  70
  71         ## If this isn't a submission then it doesn't need checking.
  72         accept   condition = ${if !eq{$acl_c_mode}{submission}}
  73
  74         ## If the caller hasn't formally authenticated, but this is a
  75         ## loopback connection, then we can trust identd to tell us the right
  76         ## answer.  So we should stash the right name somewhere consistent.
  77         warn     set acl_c_user = $authenticated_id
  78                  hosts = +localnet
  79                 !authenticated = *
  80                  set acl_c_user = $sender_ident
  81
  82         ## User must be authenticated.
  83         deny     message = Sender not authenticated
  84                 !hosts = +localnet
  85                 !authenticated = *
  86
  87         ## Make sure that the local part is one that the authenticated sender
  88         ## is allowed to claim.
  89         deny     message = Sender address forbidden to calling user
  90                 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
  91                                {${if and {{match_local_part \
  92                                             {$acl_c_user} \
  93                                             {+dom_users}} \
  94                                           {match_local_part \
  95                                             {$sender_address_local_part} \
  96                                             {+dom_locals}}}}},
  97                                {${if and {{match_local_part \
  98                                             {$sender_address_local_part} \
  99                                             {+user_extaddr}} \
 100                                           {or {{eq {$sender_address_domain} \
 101                                                    {}} \
 102                                                {match_domain \
 103                                                  {$sender_address_domain} \
 104                                                  {+public}}}}}}})}
 105
 106         ## All done.
 107         accept
 108
 109 DIVERT(null)
 110 ###--------------------------------------------------------------------------
 111 ### Dealing with `AUTH' parameters and relaying.
 112
 113 SECTION(global, acl)m4_dnl
 114 acl_smtp_mailauth = mailauth
 115 SECTION(acl, misc)m4_dnl
 116 ## Check the `AUTH=...' parameter to a `MAIL' command.
 117 mailauth:
 118         ## If the client has authenticated using TLS then we're OK.  The
 119         ## sender was presumably checked upstream, and we can believe that
 120         ## the name has been transmitted honestly.
 121         accept    condition = ${if def:tls_peerdn}
 122
 123         ## If this is submission, and the client has authenticated, then we
 124         ## check that the name matches the user.
 125         accept    condition = ${if eq {$authenticated_sender} \
 126                                       {$authenticated_id@CONF_master_domain}}
 127
 128         ## Otherwise we can't tell who really sent it.
 129         deny      message = Authenticated user not authoritative for claimed sender.
 130
 131 DIVERT(null)
 132 ###----- That's all, folks --------------------------------------------------