| 1 | ### -*-m4-*- |
| 2 | ### |
| 3 | ### Client authentication for distorted.org.uk Exim configuration |
| 4 | ### |
| 5 | ### (c) 2012 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This program is free software; you can redistribute it and/or modify |
| 11 | ### it under the terms of the GNU General Public License as published by |
| 12 | ### the Free Software Foundation; either version 2 of the License, or |
| 13 | ### (at your option) any later version. |
| 14 | ### |
| 15 | ### This program is distributed in the hope that it will be useful, |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | ### GNU General Public License for more details. |
| 19 | ### |
| 20 | ### You should have received a copy of the GNU General Public License |
| 21 | ### along with this program; if not, write to the Free Software Foundation, |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 23 | |
| 24 | ###-------------------------------------------------------------------------- |
| 25 | ### Authenticators. |
| 26 | |
| 27 | m4_define(<:CHECK_PASSWD:>, |
| 28 | <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \ |
| 29 | {${if crypteq {$2} {$value}}} \ |
| 30 | {false}}:>) |
| 31 | |
| 32 | m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>, |
| 33 | <:or {{match_ip {$sender_host_address}{+localnet}} \ |
| 34 | {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>) |
| 35 | |
| 36 | SECTION(auth)m4_dnl |
| 37 | plain: |
| 38 | driver = plaintext |
| 39 | public_name = PLAIN |
| 40 | server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} |
| 41 | server_prompts = : |
| 42 | server_condition = CHECK_PASSWD($auth2, $auth3) |
| 43 | server_set_id = $auth2 |
| 44 | |
| 45 | login: |
| 46 | driver = plaintext |
| 47 | public_name = LOGIN |
| 48 | server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P} |
| 49 | server_prompts = <; Username: ; Password: |
| 50 | server_condition = CHECK_PASSWD($auth1, $auth2) |
| 51 | server_set_id = $auth1 |
| 52 | |
| 53 | DIVERT(null) |
| 54 | ###-------------------------------------------------------------------------- |
| 55 | ### Verification of sender address. |
| 56 | |
| 57 | SECTION(global, acl)m4_dnl |
| 58 | acl_not_smtp_start = not_smtp_start |
| 59 | SECTION(acl, misc)m4_dnl |
| 60 | not_smtp_start: |
| 61 | ## Record the user's name. |
| 62 | warn set acl_c_user = $sender_ident |
| 63 | |
| 64 | ## Done. |
| 65 | accept |
| 66 | |
| 67 | SECTION(acl, mail-hooks)m4_dnl |
| 68 | ## Check that a submitted message's sender address is allowable. |
| 69 | require acl = mail_check_auth |
| 70 | |
| 71 | SECTION(acl, misc)m4_dnl |
| 72 | mail_check_auth: |
| 73 | |
| 74 | ## If this isn't a submission then it doesn't need checking. |
| 75 | accept condition = ${if !eq{$acl_c_mode}{submission}} |
| 76 | |
| 77 | ## If the caller hasn't formally authenticated, but this is a |
| 78 | ## loopback connection, then we can trust identd to tell us the right |
| 79 | ## answer. So we should stash the right name somewhere consistent. |
| 80 | warn set acl_c_user = $authenticated_id |
| 81 | hosts = +localnet |
| 82 | !authenticated = * |
| 83 | set acl_c_user = $sender_ident |
| 84 | |
| 85 | ## User must be authenticated. |
| 86 | deny message = Sender not authenticated |
| 87 | !hosts = +localnet |
| 88 | !authenticated = * |
| 89 | |
| 90 | ## Make sure that the local part is one that the authenticated sender |
| 91 | ## is allowed to claim. |
| 92 | deny message = Sender address forbidden to calling user |
| 93 | !condition = ${LOOKUP_DOMAIN($sender_address_domain, |
| 94 | {${if and {{match_local_part \ |
| 95 | {$acl_c_user} \ |
| 96 | {+dom_users}} \ |
| 97 | {match_local_part \ |
| 98 | {$sender_address_local_part} \ |
| 99 | {+dom_locals}}}}}, |
| 100 | {${if and {{match_local_part \ |
| 101 | {$sender_address_local_part} \ |
| 102 | {+user_extaddr}} \ |
| 103 | {or {{eq {$sender_address_domain} \ |
| 104 | {}} \ |
| 105 | {match_domain \ |
| 106 | {$sender_address_domain} \ |
| 107 | {+public}}}}}}})} |
| 108 | |
| 109 | ## All done. |
| 110 | accept |
| 111 | |
| 112 | DIVERT(null) |
| 113 | ###-------------------------------------------------------------------------- |
| 114 | ### Dealing with `AUTH' parameters and relaying. |
| 115 | |
| 116 | SECTION(global, acl)m4_dnl |
| 117 | acl_smtp_mailauth = mailauth |
| 118 | SECTION(acl, misc)m4_dnl |
| 119 | ## Check the `AUTH=...' parameter to a `MAIL' command. |
| 120 | mailauth: |
| 121 | ## If the client has authenticated using TLS then we're OK. The |
| 122 | ## sender was presumably checked upstream, and we can believe that |
| 123 | ## the name has been transmitted honestly. |
| 124 | accept condition = ${if def:tls_peerdn} |
| 125 | |
| 126 | ## If this is submission, and the client has authenticated, then we |
| 127 | ## check that the name matches the user. |
| 128 | accept condition = ${if eq {$authenticated_sender} \ |
| 129 | {$authenticated_id@CONF_master_domain}} |
| 130 | |
| 131 | ## Otherwise we can't tell who really sent it. |
| 132 | deny message = Authenticated user not authoritative for claimed sender. |
| 133 | |
| 134 | DIVERT(null) |
| 135 | ###----- That's all, folks -------------------------------------------------- |