Commit | Line | Data |
---|---|---|
185b5456 MW |
1 | ### -*-m4-*- |
2 | ### | |
3 | ### Client authentication for distorted.org.uk Exim configuration | |
4 | ### | |
5 | ### (c) 2012 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
25 | ### Authenticators. | |
26 | ||
27 | m4_define(<:CHECK_PASSWD:>, | |
28 | <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \ | |
29 | {${if crypteq {$2} {$value}}} \ | |
30 | {false}}:>) | |
31 | ||
32 | m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>, | |
33 | <:or {{match_ip {$sender_host_address}{+localnet}} \ | |
34 | {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>) | |
35 | ||
36 | SECTION(auth)m4_dnl | |
37 | plain: | |
38 | driver = plaintext | |
39 | public_name = PLAIN | |
40 | server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} | |
41 | server_prompts = : | |
42 | server_condition = CHECK_PASSWD($auth2, $auth3) | |
43 | server_set_id = $auth2 | |
44 | ||
45 | login: | |
46 | driver = plaintext | |
47 | public_name = LOGIN | |
48 | server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} | |
49 | server_prompts = <; Username: ; Password: | |
50 | server_condition = CHECK_PASSWD($auth1, $auth2) | |
51 | server_set_id = $auth1 | |
52 | ||
53 | DIVERT(null) | |
54 | ###-------------------------------------------------------------------------- | |
55 | ### Verification of sender address. | |
56 | ||
57 | SECTION(global, acl)m4_dnl | |
58 | acl_not_smtp_start = not_smtp_start | |
59 | SECTION(acl, misc)m4_dnl | |
60 | not_smtp_start: | |
61 | ## Record the user's name. | |
62 | warn set acl_c_user = $sender_ident | |
63 | ||
352b0392 MW |
64 | ## Done. |
65 | accept | |
66 | ||
185b5456 MW |
67 | SECTION(acl, mail-hooks)m4_dnl |
68 | ## Check that a submitted message's sender address is allowable. | |
69 | require acl = mail_check_auth | |
70 | ||
71 | SECTION(acl, misc)m4_dnl | |
72 | mail_check_auth: | |
73 | ||
74 | ## If this isn't a submission then it doesn't need checking. | |
75 | accept condition = ${if !eq{$acl_c_mode}{submission}} | |
76 | ||
77 | ## If the caller hasn't formally authenticated, but this is a | |
78 | ## loopback connection, then we can trust identd to tell us the right | |
79 | ## answer. So we should stash the right name somewhere consistent. | |
80 | warn set acl_c_user = $authenticated_id | |
81 | hosts = +localnet | |
82 | !authenticated = * | |
83 | set acl_c_user = $sender_ident | |
84 | ||
85 | ## User must be authenticated. | |
86 | deny message = Sender not authenticated | |
87 | !hosts = +localnet | |
88 | !authenticated = * | |
89 | ||
90 | ## Make sure that the local part is one that the authenticated sender | |
91 | ## is allowed to claim. | |
92 | deny message = Sender address forbidden to calling user | |
93 | !condition = ${LOOKUP_DOMAIN($sender_address_domain, | |
94 | {${if and {{match_local_part \ | |
95 | {$acl_c_user} \ | |
96 | {+dom_users}} \ | |
97 | {match_local_part \ | |
98 | {$sender_address_local_part} \ | |
99 | {+dom_locals}}}}}, | |
100 | {${if and {{match_local_part \ | |
101 | {$sender_address_local_part} \ | |
102 | {+user_extaddr}} \ | |
103 | {or {{eq {$sender_address_domain} \ | |
104 | {}} \ | |
105 | {match_domain \ | |
106 | {$sender_address_domain} \ | |
107 | {+public}}}}}}})} | |
108 | ||
109 | ## All done. | |
110 | accept | |
111 | ||
112 | DIVERT(null) | |
113 | ###-------------------------------------------------------------------------- | |
114 | ### Dealing with `AUTH' parameters and relaying. | |
115 | ||
116 | SECTION(global, acl)m4_dnl | |
117 | acl_smtp_mailauth = mailauth | |
118 | SECTION(acl, misc)m4_dnl | |
119 | ## Check the `AUTH=...' parameter to a `MAIL' command. | |
120 | mailauth: | |
121 | ## If the client has authenticated using TLS then we're OK. The | |
122 | ## sender was presumably checked upstream, and we can believe that | |
123 | ## the name has been transmitted honestly. | |
124 | accept condition = ${if def:tls_peerdn} | |
125 | ||
126 | ## If this is submission, and the client has authenticated, then we | |
127 | ## check that the name matches the user. | |
128 | accept condition = ${if eq {$authenticated_sender} \ | |
129 | {$authenticated_id@CONF_master_domain}} | |
130 | ||
131 | ## Otherwise we can't tell who really sent it. | |
132 | deny message = Authenticated user not authoritative for claimed sender. | |
133 | ||
134 | DIVERT(null) | |
135 | ###----- That's all, folks -------------------------------------------------- |