### -*-m4-*- ### ### Client authentication for distorted.org.uk Exim configuration ### ### (c) 2012 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### This program is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- ### Authenticators. m4_define(<:CHECK_PASSWD:>, <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \ {${if crypteq {$2} {$value}}} \ {false}}:>) m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>, <:or {{match_ip {$sender_host_address}{+thishost}} \ {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>) m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>) m4_define(<:CLIENT_SECRET_GET:>, <:${if exists {CLIENT_SECRETS_FILE} \ {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \ {${extract {$1}{$value}$2$3}} \ {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \ {${extract {$1}{$value}$2$3}} $3}}}} \ $3}:>) m4_define(<:CLIENT_SECRET_EXISTSP:>, <:CLIENT_SECRET_GET($1, {true}, {false}):>) m4_define(<:CLIENT_SECRET:>, <:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>) SECTION(auth)m4_dnl plain: driver = plaintext public_name = PLAIN server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} server_prompts = : server_condition = CHECK_PASSWD($auth2, $auth3) server_set_id = $auth2 client_condition = CLIENT_SECRET_EXISTSP(plain) client_send = <; CLIENT_SECRET(plain) login: driver = plaintext public_name = LOGIN server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} server_prompts = <; Username: ; Password: server_condition = CHECK_PASSWD($auth1, $auth2) server_set_id = $auth1 client_condition = CLIENT_SECRET_EXISTSP(login-passwd) client_send = <; \ ; CLIENT_SECRET(login-name) \ ; CLIENT_SECRET(login-passwd) cram_md5: driver = cram_md5 public_name = CRAM-MD5 client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret) client_name = CLIENT_SECRET(cram-md5-name) client_secret = CLIENT_SECRET(cram-md5-secret) DIVERT(null) ###-------------------------------------------------------------------------- ### Dealing with `AUTH' parameters and relaying. SECTION(global, acl)m4_dnl acl_smtp_mailauth = mailauth SECTION(acl, misc)m4_dnl ## Check the `AUTH=...' parameter to a `MAIL' command. mailauth: ## If the client has authenticated using TLS then we're OK. The ## sender was presumably checked upstream, and we can believe that ## the name has been transmitted honestly. accept condition = ${if def:tls_peerdn} ## If this is submission, and the client has authenticated, then we ## check that the name matches the user. accept condition = ${if eq {$authenticated_sender} \ {$authenticated_id@CONF_master_domain}} ## Otherwise we can't tell who really sent it. deny message = Authenticated user not authoritative for claimed sender. DIVERT(null) ###----- That's all, folks --------------------------------------------------