mdw@git.distorted.org.uk Git - exim-config/blob - auth.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Client authentication for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Authenticators.
  26
  27 m4_define(<:CHECK_PASSWD:>,
  28 <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
  29            {${if crypteq {$2} {$value}}} \
  30            {false}}:>)
  31
  32 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
  33 <:or {{match_ip {$sender_host_address}{+localnet}} \
  34       {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
  35
  36 SECTION(auth)m4_dnl
  37 plain:
  38         driver = plaintext
  39         public_name = PLAIN
  40         server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
  41         server_prompts = :
  42         server_condition = CHECK_PASSWD($auth2, $auth3)
  43         server_set_id = $auth2
  44
  45 login:
  46         driver = plaintext
  47         public_name = LOGIN
  48         server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
  49         server_prompts = <; Username: ; Password:
  50         server_condition = CHECK_PASSWD($auth1, $auth2)
  51         server_set_id = $auth1
  52
  53 DIVERT(null)
  54 ###--------------------------------------------------------------------------
  55 ### Verification of sender address.
  56
  57 SECTION(global, acl)m4_dnl
  58 acl_not_smtp_start = not_smtp_start
  59 SECTION(acl, misc)m4_dnl
  60 not_smtp_start:
  61         ## Record the user's name.
  62         warn     set acl_c_user = $sender_ident
  63
  64         ## Done.
  65         accept
  66
  67 SECTION(acl, mail-hooks)m4_dnl
  68         ## Check that a submitted message's sender address is allowable.
  69         require  acl = mail_check_auth
  70
  71 SECTION(acl, misc)m4_dnl
  72 mail_check_auth:
  73
  74         ## If this isn't a submission then it doesn't need checking.
  75         accept   condition = ${if !eq{$acl_c_mode}{submission}}
  76
  77         ## If the caller hasn't formally authenticated, but this is a
  78         ## loopback connection, then we can trust identd to tell us the right
  79         ## answer.  So we should stash the right name somewhere consistent.
  80         warn     set acl_c_user = $authenticated_id
  81                  hosts = +localnet
  82                 !authenticated = *
  83                  set acl_c_user = $sender_ident
  84
  85         ## User must be authenticated.
  86         deny     message = Sender not authenticated
  87                 !hosts = +localnet
  88                 !authenticated = *
  89
  90         ## Make sure that the local part is one that the authenticated sender
  91         ## is allowed to claim.
  92         deny     message = Sender address forbidden to calling user
  93                 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
  94                                {${if and {{match_local_part \
  95                                             {$acl_c_user} \
  96                                             {+dom_users}} \
  97                                           {match_local_part \
  98                                             {$sender_address_local_part} \
  99                                             {+dom_locals}}}}},
 100                                {${if and {{match_local_part \
 101                                             {$sender_address_local_part} \
 102                                             {+user_extaddr}} \
 103                                           {or {{eq {$sender_address_domain} \
 104                                                    {}} \
 105                                                {match_domain \
 106                                                  {$sender_address_domain} \
 107                                                  {+public}}}}}}})}
 108
 109         ## All done.
 110         accept
 111
 112 DIVERT(null)
 113 ###--------------------------------------------------------------------------
 114 ### Dealing with `AUTH' parameters and relaying.
 115
 116 SECTION(global, acl)m4_dnl
 117 acl_smtp_mailauth = mailauth
 118 SECTION(acl, misc)m4_dnl
 119 ## Check the `AUTH=...' parameter to a `MAIL' command.
 120 mailauth:
 121         ## If the client has authenticated using TLS then we're OK.  The
 122         ## sender was presumably checked upstream, and we can believe that
 123         ## the name has been transmitted honestly.
 124         accept    condition = ${if def:tls_peerdn}
 125
 126         ## If this is submission, and the client has authenticated, then we
 127         ## check that the name matches the user.
 128         accept    condition = ${if eq {$authenticated_sender} \
 129                                       {$authenticated_id@CONF_master_domain}}
 130
 131         ## Otherwise we can't tell who really sent it.
 132         deny      message = Authenticated user not authoritative for claimed sender.
 133
 134 DIVERT(null)
 135 ###----- That's all, folks --------------------------------------------------