1 | ### -*-m4-*- |
2 | ### | |
3 | ### Client authentication for distorted.org.uk Exim configuration | |
4 | ### | |
5 | ### (c) 2012 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
25 | ### Authenticators. | |
26 | ||
27 | m4_define(<:CHECK_PASSWD:>, | |
28 | <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \ | |
29 | {${if crypteq {$2} {$value}}} \ | |
30 | {false}}:>) | |
31 | ||
32 | m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>, | |
4ff4ad42 | 33 | <:or {{match_ip {$sender_host_address}{+thishost}} \ |
34 | {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>) |
35 | ||
36 | m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>) |
37 | ||
38 | m4_define(<:CLIENT_SECRET_GET:>, | |
39 | <:${if exists {CLIENT_SECRETS_FILE} \ | |
40 | {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \ | |
41 | {${extract {$1}{$value}$2$3}} \ | |
42 | {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \ | |
43 | {${extract {$1}{$value}$2$3}} $3}}}} \ | |
44 | $3}:>) | |
45 | ||
46 | m4_define(<:CLIENT_SECRET_EXISTSP:>, | |
47 | <:CLIENT_SECRET_GET($1, {true}, {false}):>) | |
48 | ||
49 | m4_define(<:CLIENT_SECRET:>, | |
50 | <:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>) | |
51 | ||
52 | SECTION(auth)m4_dnl |
53 | plain: | |
54 | driver = plaintext | |
55 | public_name = PLAIN | |
56 | server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} | |
57 | server_prompts = : | |
58 | server_condition = CHECK_PASSWD($auth2, $auth3) | |
59 | server_set_id = $auth2 | |
60 | client_condition = CLIENT_SECRET_EXISTSP(plain) |
61 | client_send = <; CLIENT_SECRET(plain) | |
62 | |
63 | login: | |
64 | driver = plaintext | |
65 | public_name = LOGIN | |
66 | server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} | |
67 | server_prompts = <; Username: ; Password: | |
68 | server_condition = CHECK_PASSWD($auth1, $auth2) | |
69 | server_set_id = $auth1 | |
70 | client_condition = CLIENT_SECRET_EXISTSP(login-passwd) |
71 | client_send = <; \ | |
72 | ; CLIENT_SECRET(login-name) \ | |
73 | ; CLIENT_SECRET(login-passwd) | |
74 | ||
75 | cram_md5: | |
76 | driver = cram_md5 | |
77 | public_name = CRAM-MD5 | |
78 | client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret) | |
79 | client_name = CLIENT_SECRET(cram-md5-name) | |
80 | client_secret = CLIENT_SECRET(cram-md5-secret) | |
81 | |
82 | DIVERT(null) | |
83 | ###-------------------------------------------------------------------------- | |
84 | ### Dealing with `AUTH' parameters and relaying. |
85 | ||
86 | SECTION(global, acl)m4_dnl | |
87 | acl_smtp_mailauth = mailauth | |
88 | SECTION(acl, misc)m4_dnl | |
89 | ## Check the `AUTH=...' parameter to a `MAIL' command. | |
90 | mailauth: | |
4aceee8c | 91 | |
92 | ## If the client has authenticated with a TLS client certificate |
93 | ## (`$tls_peerdn' is set) then we're OK. The sender was presumably | |
94 | ## checked upstream, so we can believe the name was sent honestly. | |
4aceee8c | 95 | accept condition = ${if def:tls_peerdn} |
96 | set acl_m_user = ${if match_address{$authenticated_sender} \ |
97 | {*@CONF_master_domain} \ | |
98 | {${local_part:$authenticated_sender}}} | |
99 | |
100 | ## If this is submission, and the client has authenticated, then we | |
101 | ## check that the name matches the user. | |
102 | accept condition = ${if eq {$authenticated_sender} \ |
103 | {$authenticated_id@CONF_master_domain}} | |
104 | |
105 | ## Otherwise we can't tell who really sent it. | |
4aceee8c | 106 | deny message = Authenticated user not authoritative for claimed sender. |
185b5456 | 107 | |
108 | SECTION(acl, data-hooks)m4_dnl |
109 | ## Report the `AUTH=' value, if we have one. This is delayed from | |
110 | ## the above so that Exim can figure out a queue id. Once it's done | |
111 | ## so, apparently it reports that automatically, so we don't need to | |
112 | ## mention `$message_exim_id' explicitly here. | |
113 | warn condition = ${if def:acl_m_user} | |
114 | logwrite = AUTH=${quote:$acl_m_user} | |
115 | ||
116 | DIVERT(null) |
117 | ###----- That's all, folks -------------------------------------------------- |