3 ### Client authentication for distorted.org.uk Exim configuration
5 ### (c) 2012 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
27 m4_define(<:CHECK_PASSWD:>,
28 <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
29 {${if crypteq {$2} {$value}}} \
32 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
33 <:or {{match_ip {$sender_host_address}{+thishost}} \
34 {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
36 m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>)
38 m4_define(<:CLIENT_SECRET_GET:>,
39 <:${if exists {CLIENT_SECRETS_FILE} \
40 {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \
41 {${extract {$1}{$value}$2$3}} \
42 {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \
43 {${extract {$1}{$value}$2$3}} $3}}}} \
46 m4_define(<:CLIENT_SECRET_EXISTSP:>,
47 <:CLIENT_SECRET_GET($1, {true}, {false}):>)
49 m4_define(<:CLIENT_SECRET:>,
50 <:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>)
56 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
58 server_condition = CHECK_PASSWD($auth2, $auth3)
59 server_set_id = $auth2
60 client_condition = CLIENT_SECRET_EXISTSP(plain)
61 client_send = <; CLIENT_SECRET(plain)
66 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
67 server_prompts = <; Username: ; Password:
68 server_condition = CHECK_PASSWD($auth1, $auth2)
69 server_set_id = $auth1
70 client_condition = CLIENT_SECRET_EXISTSP(login-passwd)
72 ; CLIENT_SECRET(login-name) \
73 ; CLIENT_SECRET(login-passwd)
77 public_name = CRAM-MD5
78 client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret)
79 client_name = CLIENT_SECRET(cram-md5-name)
80 client_secret = CLIENT_SECRET(cram-md5-secret)
83 ###--------------------------------------------------------------------------
84 ### Dealing with `AUTH' parameters and relaying.
86 SECTION(global, acl)m4_dnl
87 acl_smtp_mailauth = mailauth
88 SECTION(acl, misc)m4_dnl
89 ## Check the `AUTH=...' parameter to a `MAIL' command.
92 ## If the client has authenticated using TLS then we're OK. The
93 ## sender was presumably checked upstream, and we can believe that
94 ## the name has been transmitted honestly.
95 accept condition = ${if def:tls_peerdn}
96 set acl_m_user = ${if match_address{$authenticated_sender} \
97 {*@CONF_master_domain} \
98 {${local_part:$authenticated_sender}}}
100 ## If this is submission, and the client has authenticated, then we
101 ## check that the name matches the user.
102 accept condition = ${if eq {$authenticated_sender} \
103 {$authenticated_id@CONF_master_domain}}
105 ## Otherwise we can't tell who really sent it.
106 deny message = Authenticated user not authoritative for claimed sender.
108 SECTION(acl, data-hooks)m4_dnl
109 ## Report the `AUTH=' value, if we have one. This is delayed from
110 ## the above so that Exim can figure out a queue id. Once it's done
111 ## so, apparently it reports that automatically, so we don't need to
112 ## mention `$message_exim_id' explicitly here.
113 warn condition = ${if def:acl_m_user}
114 logwrite = AUTH=${quote:$acl_m_user}
117 ###----- That's all, folks --------------------------------------------------