From: Mark Wooding
Date: Sun, 16 Mar 2014 14:04:00 +0000 (+0000)
Subject: auth.m4, base.m4, exchange.m4: Make sender-address checking universal.
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/exim-config/commitdiff_plain/284c9d7ee4b07b87c8db9e85ae3e16511d3b6798
auth.m4, base.m4, exchange.m4: Make sender-address checking universal.
Previously, satellite hosts weren't doing this at all, and usersat hosts were doing it half-heartedly. Make sure that everyone does it.
---
diff --git a/auth.m4 b/auth.m4
index ae11798..3462c1a 100644
--- a/auth.m4
+++ b/auth.m4
@@ -50,65 +50,6 @@ login:
 server_condition = CHECK_PASSWD($auth1, $auth2)
 server_set_id = $auth1
 
-DIVERT(null)
-###--------------------------------------------------------------------------
-### Verification of sender address.
-
-SECTION(global, acl)m4_dnl
-acl_not_smtp_start = not_smtp_start
-SECTION(acl, misc)m4_dnl
-not_smtp_start:
- ## Record the user's name.
- warn set acl_c_user = $sender_ident
-
- ## Done.
- accept
-
-SECTION(acl, mail-hooks)m4_dnl
- ## Check that a submitted message's sender address is allowable.
- require acl = mail_check_auth
-
-SECTION(acl, misc)m4_dnl
-mail_check_auth:
-
- ## If this isn't a submission then it doesn't need checking.
- accept condition = ${if !eq{$acl_c_mode}{submission}}
-
- ## If the caller hasn't formally authenticated, but this is a
- ## loopback connection, then we can trust identd to tell us the right
- ## answer. So we should stash the right name somewhere consistent.
- warn set acl_c_user = $authenticated_id
- hosts = +localnet
- !authenticated = *
- set acl_c_user = $sender_ident
-
- ## User must be authenticated.
- deny message = Sender not authenticated
- !hosts = +localnet
- !authenticated = *
-
- ## Make sure that the local part is one that the authenticated sender
- ## is allowed to claim.
- deny message = Sender address forbidden to calling user
- !condition = ${LOOKUP_DOMAIN($sender_address_domain,
- {${if and {{match_local_part \
- {$acl_c_user} \
- {+dom_users}} \
- {match_local_part \
- {$sender_address_local_part} \
- {+dom_locals}}}}},
- {${if and {{match_local_part \
- {$sender_address_local_part} \
- {+user_extaddr}} \
- {or {{eq {$sender_address_domain} \
- {}} \
- {match_domain \
- {$sender_address_domain} \
- {+public}}}}}}})}
-
- ## All done.
- accept
-
 DIVERT(null)
 ###--------------------------------------------------------------------------
 ### Dealing with `AUTH' parameters and relaying.
diff --git a/base.m4 b/base.m4
index f8b2901..ac6b95c 100644
--- a/base.m4
+++ b/base.m4
@@ -119,6 +119,16 @@ helo:
 
 accept
 
+SECTION(global, acl)m4_dnl
+acl_not_smtp_start = not_smtp_start
+SECTION(acl, misc)m4_dnl
+not_smtp_start:
+ ## Record the user's name.
+ warn set acl_c_user = $sender_ident
+
+ ## Done.
+ accept
+
 SECTION(global, acl)m4_dnl
 acl_smtp_mail = mail
 SECTION(acl, mail)m4_dnl
@@ -146,6 +156,15 @@ mail:
 warn condition = ${if eq{$acl_c_mode}{submission}}
 control = submission
 
+ ## Insist that a local client connect through TLS.
+ deny message = Hosts within CONF_master_domain must use TLS
+ !condition = ${if eq{$acl_c_mode}{submission}}
+ hosts = +allnets
+ !encrypted = *
+
+ ## Check that a submitted message's sender address is allowable.
+ require acl = mail_check_auth
+
 SECTION(acl, mail-tail)m4_dnl
 ## And we're done.
 accept
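Review bot: The `## Record the user's name.` comment on the new `not_smtp_start` ACL says neither where the name comes from nor who consumes it, and that is the only reason the ACL exists. For non-SMTP (local) input `$sender_ident` is the login name of the user who invoked Exim rather than an identd answer, and `acl_c_user` is read later by `mail_check_auth` (added further down in this file) to decide which sender addresses the caller may claim. Suggest `## Record the user's name: for local (non-SMTP) input $sender_ident is the login of the calling user; mail_check_auth keys its sender-address check on acl_c_user.`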
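Review bot: The TLS `deny` moved into the `mail` ACL keeps `hosts = +allnets` and a message naming CONF_master_domain, but in base.m4 it now runs on every host role, and nothing in the hunk shows that `+allnets` is defined for all of them; Exim cannot evaluate the condition on a host where that named list does not exist, so this is worth confirming for the satellite and usersat builds the commit message mentions. The rule also exempts submission-mode clients via `!condition = ${if eq{$acl_c_mode}{submission}}`, while the following `require acl = mail_check_auth` demands authentication from non-`+localnet` submitters, so whether credentials may travel over a plaintext connection is decided elsewhere (AUTH advertisement and TLS gating are not in this diff). A comment stating that dependency next to the exemption would help, e.g. `## Submission-mode clients are exempt here; their authentication is expected to be gated on TLS by the AUTH advertisement settings — confirm.`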
@@ -210,6 +229,51 @@ expn_vrfy:
 accept hosts = +trusted
 deny message = Suck it and see
 
+DIVERT(null)
+###--------------------------------------------------------------------------
+### Verification of sender address.
+
+SECTION(acl, misc)m4_dnl
+mail_check_auth:
+
+ ## If this isn't a submission then it doesn't need checking.
+ accept condition = ${if !eq{$acl_c_mode}{submission}}
+
+ ## If the caller hasn't formally authenticated, but this is a
+ ## loopback connection, then we can trust identd to tell us the right
+ ## answer. So we should stash the right name somewhere consistent.
+ warn set acl_c_user = $authenticated_id
+ hosts = +localnet
+ !authenticated = *
+ set acl_c_user = $sender_ident
+
+ ## User must be authenticated.
+ deny message = Sender not authenticated
+ !hosts = +localnet
+ !authenticated = *
+
+ ## Make sure that the local part is one that the authenticated sender
+ ## is allowed to claim.
+ deny message = Sender address forbidden to calling user
+ !condition = ${LOOKUP_DOMAIN($sender_address_domain,
+ {${if and {{match_local_part \
+ {$acl_c_user} \
+ {+dom_users}} \
+ {match_local_part \
+ {$sender_address_local_part} \
+ {+dom_locals}}}}},
+ {${if and {{match_local_part \
+ {$sender_address_local_part} \
+ {+user_extaddr}} \
+ {or {{eq {$sender_address_domain} \
+ {}} \
+ {match_domain \
+ {$sender_address_domain} \
+ {+public}}}}}}})}
+
+ ## All done.
+ accept
+
 DIVERT(null)
 ###--------------------------------------------------------------------------
 ### Common options for forwarding routers.
diff --git a/exchange.m4 b/exchange.m4
index 3e771c6..4a7790d 100644
--- a/exchange.m4
+++ b/exchange.m4
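Review bot: The comment on the `warn set acl_c_user = $authenticated_id` rule says identd is trusted on a loopback connection, but the branch that copies `$sender_ident` into `acl_c_user` is selected by `hosts = +localnet`, so any unauthenticated host in `+localnet` supplies, through its own RFC 1413 responder, the user name that the later `deny message = Sender address forbidden to calling user` check is keyed on. Unless `+localnet` is only the loopback addresses (its definition is not in the diff), the comment understates what is trusted; either narrow the host list or make the comment match the code, e.g. `## ... but the connection is from a host in +localnet, then we trust that host's identd to tell us the right answer ...`. When identd gives no answer `$sender_ident` is empty, so `acl_c_user` ends up empty and the outcome of the local-part check depends entirely on what `+dom_users` and `+user_extaddr` contain — the intended result for that case deserves a comment too. The same text was removed verbatim from auth.m4 in this commit, so the mismatch predates it.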
@@ -47,12 +47,6 @@ SECTION(acl, mail-hooks)m4_dnl
 ## Check that a submitted message's sender address is allowable.
 require acl = mail_client_addr
 
- ## Insist that a local client connect through TLS.
- deny message = Hosts within CONF_master_domain must use TLS
- !condition = ${if eq{$acl_c_mode}{submission}}
- hosts = +allnets
- !encrypted = *
-
 SECTION(acl, misc)m4_dnl
 mail_client_addr:
 