chiark - git - mdw - exim-config/blob - auth.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Client authentication for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Authenticators.
  26
  27 m4_define(<:CHECK_PASSWD:>,
  28 <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
  29            {${if crypteq {$2} {$value}}} \
  30            {false}}:>)
  31
  32 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
  33 <:or {{match_ip {$sender_host_address}{+thishost}} \
  34       {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
  35
  36 m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>)
  37
  38 m4_define(<:CLIENT_SECRET_GET:>,
  39 <:${if exists {CLIENT_SECRETS_FILE} \
  40        {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \
  41             {${extract {$1}{$value}$2$3}} \
  42             {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \
  43                       {${extract {$1}{$value}$2$3}} $3}}}} \
  44        $3}:>)
  45
  46 m4_define(<:CLIENT_SECRET_EXISTSP:>,
  47 <:CLIENT_SECRET_GET($1, {true}, {false}):>)
  48
  49 m4_define(<:CLIENT_SECRET:>,
  50 <:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>)
  51
  52 SECTION(auth)m4_dnl
  53 plain:
  54         driver = plaintext
  55         public_name = PLAIN
  56         server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
  57         server_prompts = :
  58         server_condition = CHECK_PASSWD($auth2, $auth3)
  59         server_set_id = $auth2
  60         client_condition = CLIENT_SECRET_EXISTSP(plain)
  61         client_send = <; CLIENT_SECRET(plain)
  62
  63 login:
  64         driver = plaintext
  65         public_name = LOGIN
  66         server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
  67         server_prompts = <; Username: ; Password:
  68         server_condition = CHECK_PASSWD($auth1, $auth2)
  69         server_set_id = $auth1
  70         client_condition = CLIENT_SECRET_EXISTSP(login-passwd)
  71         client_send = <; \
  72                 ; CLIENT_SECRET(login-name) \
  73                 ; CLIENT_SECRET(login-passwd)
  74
  75 cram_md5:
  76         driver = cram_md5
  77         public_name = CRAM-MD5
  78         client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret)
  79         client_name = CLIENT_SECRET(cram-md5-name)
  80         client_secret = CLIENT_SECRET(cram-md5-secret)
  81
  82 DIVERT(null)
  83 ###--------------------------------------------------------------------------
  84 ### Dealing with `AUTH' parameters and relaying.
  85
  86 SECTION(global, acl)m4_dnl
  87 acl_smtp_mailauth = mailauth
  88 SECTION(acl, misc)m4_dnl
  89 ## Check the `AUTH=...' parameter to a `MAIL' command.
  90 mailauth:
  91
  92         ## If the client has authenticated using TLS then we're OK.  The
  93         ## sender was presumably checked upstream, and we can believe that
  94         ## the name has been transmitted honestly.
  95         accept   condition = ${if def:tls_peerdn}
  96                  set acl_m_user = ${if match_address{$authenticated_sender} \
  97                                                     {*@CONF_master_domain} \
  98                                        {${local_part:$authenticated_sender}}}
  99
 100         ## If this is submission, and the client has authenticated, then we
 101         ## check that the name matches the user.
 102         accept   condition = ${if eq {$authenticated_sender} \
 103                                      {$authenticated_id@CONF_master_domain}}
 104
 105         ## Otherwise we can't tell who really sent it.
 106         deny     message = Authenticated user not authoritative for claimed sender.
 107
 108 SECTION(acl, data-hooks)m4_dnl
 109         ## Report the `AUTH=' value, if we have one.  This is delayed from
 110         ## the above so that Exim can figure out a queue id.  Once it's done
 111         ## so, apparently it reports that automatically, so we don't need to
 112         ## mention `$message_exim_id' explicitly here.
 113         warn     condition = ${if def:acl_m_user}
 114                  logwrite = AUTH=${quote:$acl_m_user}
 115
 116 DIVERT(null)
 117 ###----- That's all, folks --------------------------------------------------