X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/exim-config/blobdiff_plain/4ff4ad42f953b335fd5006fe5965cd3e871f601d..3e7e168cf0a57fea364ad9a913574b383565d9be:/auth.m4
diff --git a/auth.m4 b/auth.m4
index 074c6aa..817bfd6 100644
--- a/auth.m4
+++ b/auth.m4
@@ -33,6 +33,22 @@ m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
 <:or {{match_ip {$sender_host_address}{+thishost}} \
   {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
 
+m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>)
+
+m4_define(<:CLIENT_SECRET_GET:>,
+<:${if exists {CLIENT_SECRETS_FILE} \ {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \ {${extract {$1}{$value}$2$3}} \ {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \ {${extract {$1}{$value}$2$3}} $3}}}} \ $3}:>)
+
+m4_define(<:CLIENT_SECRET_EXISTSP:>,
+<:CLIENT_SECRET_GET($1, {true}, {false}):>)
+
+m4_define(<:CLIENT_SECRET:>,
+<:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>)
+
 SECTION(auth)m4_dnl
 plain:
   driver = plaintext
@@ -41,6 +57,8 @@ plain:
   server_prompts = :
   server_condition = CHECK_PASSWD($auth2, $auth3)
   server_set_id = $auth2
+  client_condition = CLIENT_SECRET_EXISTSP(plain)
+  client_send = <; CLIENT_SECRET(plain)
 
 login:
   driver = plaintext
@@ -49,6 +67,17 @@ login:
   server_prompts = <; Username: ; Password:
   server_condition = CHECK_PASSWD($auth1, $auth2)
   server_set_id = $auth1
+  client_condition = CLIENT_SECRET_EXISTSP(login-passwd)
+  client_send = <; \
+	; CLIENT_SECRET(login-name) \
+	; CLIENT_SECRET(login-passwd)
+
+cram_md5:
+  driver = cram_md5
+  public_name = CRAM-MD5
+  client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret)
+  client_name = CLIENT_SECRET(cram-md5-name)
+  client_secret = CLIENT_SECRET(cram-md5-secret)
 
 DIVERT(null)
 ###--------------------------------------------------------------------------
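Review bot: `CLIENT_SECRET` passes the looked-up secret through `${expand:$value}`, so a credential containing `$`, `\` or unbalanced braces is re-expanded rather than used literally; a value like `p$ss` in `CLIENT_SECRETS_FILE` would fail or be altered before it reaches the authenticator. If the second expansion is deliberate (for instance so that file entries may reference Exim variables), a comment above the `m4_define(<:CLIENT_SECRET:>,` line should say so and state that literal secrets must be written in Exim-escaped form; otherwise plain `{$value}` avoids the problem. Since the file also has to hold the cleartext secret that the `cram_md5` driver in the third hunk needs, the same comment should note that it must be readable only by the Exim user.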
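Review bot: `client_condition = CLIENT_SECRET_EXISTSP(plain)` enables the PLAIN client authenticator whenever a secret exists for the remote domain or host, with no check that the outgoing connection is encrypted, so the credential goes over the wire in clear if the peer does not offer TLS; the `login` authenticator in the next hunk (`CLIENT_SECRET_EXISTSP(login-passwd)`) has the same gap. The server side already gates cleartext auth on `def:tls_cipher` in `ALLOW_PLAINTEXT_AUTH_P`, and the client side should do likewise, e.g. `client_condition = ${if def:tls_cipher {CLIENT_SECRET_EXISTSP(plain)}{false}}` (on recent Exim `def:tls_out_cipher` is the explicit outbound form, if this configuration targets such a version). `cram_md5` never transmits the secret itself, so its unconditional check can stay as written.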
@@ -59,18 +88,30 @@ acl_smtp_mailauth = mailauth
 SECTION(acl, misc)m4_dnl
 ## Check the `AUTH=...' parameter to a `MAIL' command.
 mailauth:
+
   ## If the client has authenticated using TLS then we're OK. The
   ## sender was presumably checked upstream, and we can believe that
   ## the name has been transmitted honestly.
-  accept condition = ${if def:tls_peerdn}
+  accept condition = ${if def:tls_peerdn}
+         set acl_m_user = ${if match_address{$authenticated_sender} \ {*@CONF_master_domain} \ {${local_part:$authenticated_sender}}}
 
   ## If this is submission, and the client has authenticated, then we
   ## check that the name matches the user.
-  accept condition = ${if eq {$authenticated_sender} \ {$authenticated_id@CONF_master_domain}}
+  accept condition = ${if eq {$authenticated_sender} \ {$authenticated_id@CONF_master_domain}}
 
   ## Otherwise we can't tell who really sent it.
-  deny message = Authenticated user not authoritative for claimed sender.
+  deny message = Authenticated user not authoritative for claimed sender.
+
+SECTION(acl, data-hooks)m4_dnl
+  ## Report the `AUTH=' value, if we have one. This is delayed from
+  ## the above so that Exim can figure out a queue id. Once it's done
+  ## so, apparently it reports that automatically, so we don't need to
+  ## mention `$message_exim_id' explicitly here.
+  warn condition = ${if def:acl_m_user}
+       logwrite = AUTH=${quote:$acl_m_user}
 
 DIVERT(null)
 ###----- That's all, folks --------------------------------------------------
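Review bot: The new `set acl_m_user = ...` modifier hangs off `accept condition = ${if def:tls_peerdn}`, and Exim processes a statement's conditions and modifiers in order and skips whatever follows a failing condition, so `acl_m_user` is only populated on the client-certificate path; the submission path accepted by the following `accept condition = ${if eq {$authenticated_sender} ...` never sets it, and the `AUTH=` line added under `SECTION(acl, data-hooks)` will not be written for those messages. If the log is meant to record every accepted `AUTH=` value, the second `accept` needs its own modifier after its condition, e.g. `set acl_m_user = $authenticated_id`; if the TLS-only coverage is intended, the `## Report the `AUTH=' value` paragraph should say so, since as written it suggests the log fires whenever a value was accepted. Quoting the logged value with `${quote:...}` is the right call and should stay.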