user-spam.m4: Fix indentation in the output.

[exim-config] / auth.m4

diff --git a/auth.m4 b/auth.m4
index 074c6aa1a70c090579abb26e234d92a78c4ba6d1..817bfd651c8dad975b12724cf8e5061648ff3cf4 100644 (file)
--- a/auth.m4
+++ b/auth.m4
@@ -33,6 +33,22 @@ m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
 <:or {{match_ip {$sender_host_address}{+thishost}} \
       {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
 
+m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>)
+
+m4_define(<:CLIENT_SECRET_GET:>,
+<:${if exists {CLIENT_SECRETS_FILE} \
+       {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \
+           {${extract {$1}{$value}$2$3}} \
+           {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \
+                     {${extract {$1}{$value}$2$3}} $3}}}} \
+       $3}:>)
+
+m4_define(<:CLIENT_SECRET_EXISTSP:>,
+<:CLIENT_SECRET_GET($1, {true}, {false}):>)
+
+m4_define(<:CLIENT_SECRET:>,
+<:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>)
+
 SECTION(auth)m4_dnl
 plain:
        driver = plaintext
@@ -41,6 +57,8 @@ plain:
        server_prompts = :
        server_condition = CHECK_PASSWD($auth2, $auth3)
        server_set_id = $auth2
+       client_condition = CLIENT_SECRET_EXISTSP(plain)
+       client_send = <; CLIENT_SECRET(plain)
 
 login:
        driver = plaintext
@@ -49,6 +67,17 @@ login:
        server_prompts = <; Username: ; Password:
        server_condition = CHECK_PASSWD($auth1, $auth2)
        server_set_id = $auth1
+       client_condition = CLIENT_SECRET_EXISTSP(login-passwd)
+       client_send = <; \
+               ; CLIENT_SECRET(login-name) \
+               ; CLIENT_SECRET(login-passwd)
+
+cram_md5:
+       driver = cram_md5
+       public_name = CRAM-MD5
+       client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret)
+       client_name = CLIENT_SECRET(cram-md5-name)
+       client_secret = CLIENT_SECRET(cram-md5-secret)
 
 DIVERT(null)
 ###--------------------------------------------------------------------------
@@ -59,18 +88,30 @@ acl_smtp_mailauth = mailauth
 SECTION(acl, misc)m4_dnl
 ## Check the `AUTH=...' parameter to a `MAIL' command.
 mailauth:
+
        ## If the client has authenticated using TLS then we're OK.  The
        ## sender was presumably checked upstream, and we can believe that
        ## the name has been transmitted honestly.
-       accept    condition = ${if def:tls_peerdn}
+       accept   condition = ${if def:tls_peerdn}
+                set acl_m_user = ${if match_address{$authenticated_sender} \
+                                                   {*@CONF_master_domain} \
+                                      {${local_part:$authenticated_sender}}}
 
        ## If this is submission, and the client has authenticated, then we
        ## check that the name matches the user.
-       accept    condition = ${if eq {$authenticated_sender} \
-                                     {$authenticated_id@CONF_master_domain}}
+       accept   condition = ${if eq {$authenticated_sender} \
+                                    {$authenticated_id@CONF_master_domain}}
 
        ## Otherwise we can't tell who really sent it.
-       deny      message = Authenticated user not authoritative for claimed sender.
+       deny     message = Authenticated user not authoritative for claimed sender.
+
+SECTION(acl, data-hooks)m4_dnl
+       ## Report the `AUTH=' value, if we have one.  This is delayed from
+       ## the above so that Exim can figure out a queue id.  Once it's done
+       ## so, apparently it reports that automatically, so we don't need to
+       ## mention `$message_exim_id' explicitly here.
+       warn     condition = ${if def:acl_m_user}
+                logwrite = AUTH=${quote:$acl_m_user}
 
 DIVERT(null)
 ###----- That's all, folks --------------------------------------------------