3 ### Client authentication for distorted.org.uk Exim configuration
5 ### (c) 2012 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
27 m4_define(<:CHECK_PASSWD:>,
28 <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
29 {${if crypteq {$2} {$value}}} \
32 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
33 <:or {{match_ip {$sender_host_address}{+localnet}} \
34 {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
40 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
42 server_condition = CHECK_PASSWD($auth2, $auth3)
43 server_set_id = $auth2
48 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
49 server_prompts = <; Username: ; Password:
50 server_condition = CHECK_PASSWD($auth1, $auth2)
51 server_set_id = $auth1
54 ###--------------------------------------------------------------------------
55 ### Verification of sender address.
57 SECTION(global, acl)m4_dnl
58 acl_not_smtp_start = not_smtp_start
59 SECTION(acl, misc)m4_dnl
61 ## Record the user's name.
62 warn set acl_c_user = $sender_ident
64 SECTION(acl, mail-hooks)m4_dnl
65 ## Check that a submitted message's sender address is allowable.
66 require acl = mail_check_auth
68 SECTION(acl, misc)m4_dnl
71 ## If this isn't a submission then it doesn't need checking.
72 accept condition = ${if !eq{$acl_c_mode}{submission}}
74 ## If the caller hasn't formally authenticated, but this is a
75 ## loopback connection, then we can trust identd to tell us the right
76 ## answer. So we should stash the right name somewhere consistent.
77 warn set acl_c_user = $authenticated_id
80 set acl_c_user = $sender_ident
82 ## User must be authenticated.
83 deny message = Sender not authenticated
87 ## Make sure that the local part is one that the authenticated sender
88 ## is allowed to claim.
89 deny message = Sender address forbidden to calling user
90 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
91 {${if and {{match_local_part \
95 {$sender_address_local_part} \
97 {${if and {{match_local_part \
98 {$sender_address_local_part} \
100 {or {{eq {$sender_address_domain} \
103 {$sender_address_domain} \
110 ###--------------------------------------------------------------------------
111 ### Dealing with `AUTH' parameters and relaying.
113 SECTION(global, acl)m4_dnl
114 acl_smtp_mailauth = mailauth
115 SECTION(acl, misc)m4_dnl
116 ## Check the `AUTH=...' parameter to a `MAIL' command.
118 ## If the client has authenticated using TLS then we're OK. The
119 ## sender was presumably checked upstream, and we can believe that
120 ## the name has been transmitted honestly.
121 accept condition = ${if def:tls_peerdn}
123 ## If this is submission, and the client has authenticated, then we
124 ## check that the name matches the user.
125 accept condition = ${if eq {$authenticated_sender} \
126 {$authenticated_id@CONF_master_domain}}
128 ## Otherwise we can't tell who really sent it.
129 deny message = Authenticated user not authoritative for claimed sender.
132 ###----- That's all, folks --------------------------------------------------