3 ### Client authentication for distorted.org.uk Exim configuration
5 ### (c) 2012 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
27 m4_define(<:CHECK_PASSWD:>,
28 <:${lookup {$1} lsearch {CONF_sysconf_dir/passwd} \
29 {${if crypteq {$2} {$value}}} \
32 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
33 <:or {{match_ip {$sender_host_address}{+localnet}} \
34 {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
40 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
42 server_condition = CHECK_PASSWD($auth2, $auth3)
43 server_set_id = $auth2
48 server_advertise_condition = ${if ALLOW_PLAINTEXT_AUTH_P}
49 server_prompts = <; Username: ; Password:
50 server_condition = CHECK_PASSWD($auth1, $auth2)
51 server_set_id = $auth1
54 ###--------------------------------------------------------------------------
55 ### Verification of sender address.
57 SECTION(global, acl)m4_dnl
58 acl_not_smtp_start = not_smtp_start
59 SECTION(acl, misc)m4_dnl
61 ## Record the user's name.
62 warn set acl_c_user = $sender_ident
67 SECTION(acl, mail-hooks)m4_dnl
68 ## Check that a submitted message's sender address is allowable.
69 require acl = mail_check_auth
71 SECTION(acl, misc)m4_dnl
74 ## If this isn't a submission then it doesn't need checking.
75 accept condition = ${if !eq{$acl_c_mode}{submission}}
77 ## If the caller hasn't formally authenticated, but this is a
78 ## loopback connection, then we can trust identd to tell us the right
79 ## answer. So we should stash the right name somewhere consistent.
80 warn set acl_c_user = $authenticated_id
83 set acl_c_user = $sender_ident
85 ## User must be authenticated.
86 deny message = Sender not authenticated
90 ## Make sure that the local part is one that the authenticated sender
91 ## is allowed to claim.
92 deny message = Sender address forbidden to calling user
93 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
94 {${if and {{match_local_part \
98 {$sender_address_local_part} \
100 {${if and {{match_local_part \
101 {$sender_address_local_part} \
103 {or {{eq {$sender_address_domain} \
106 {$sender_address_domain} \
113 ###--------------------------------------------------------------------------
114 ### Dealing with `AUTH' parameters and relaying.
116 SECTION(global, acl)m4_dnl
117 acl_smtp_mailauth = mailauth
118 SECTION(acl, misc)m4_dnl
119 ## Check the `AUTH=...' parameter to a `MAIL' command.
121 ## If the client has authenticated using TLS then we're OK. The
122 ## sender was presumably checked upstream, and we can believe that
123 ## the name has been transmitted honestly.
124 accept condition = ${if def:tls_peerdn}
126 ## If this is submission, and the client has authenticated, then we
127 ## check that the name matches the user.
128 accept condition = ${if eq {$authenticated_sender} \
129 {$authenticated_id@CONF_master_domain}}
131 ## Otherwise we can't tell who really sent it.
132 deny message = Authenticated user not authoritative for claimed sender.
135 ###----- That's all, folks --------------------------------------------------