X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/185b5456076ca86959643ce2f19c98c0f82f281e..61295d9c46bb3639fe3140ed645da5313d95e66f:/auth.m4 diff --git a/auth.m4 b/auth.m4 index d4729c0..93b25c0 100644 --- a/auth.m4 +++ b/auth.m4 @@ -30,9 +30,25 @@ m4_define(<:CHECK_PASSWD:>, {false}}:>) m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>, -<:or {{match_ip {$sender_host_address}{+localnet}} \ +<:or {{match_ip {$sender_host_address}{+thishost}} \ {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>) +m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>) + +m4_define(<:CLIENT_SECRET_GET:>, +<:${if exists {CLIENT_SECRETS_FILE} \ + {${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \ + {${extract {$1}{$value}$2$3}} \ + {${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \ + {${extract {$1}{$value}$2$3}} $3}}}} \ + $3}:>) + +m4_define(<:CLIENT_SECRET_EXISTSP:>, +<:CLIENT_SECRET_GET($1, {true}, {false}):>) + +m4_define(<:CLIENT_SECRET:>, +<:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>) + SECTION(auth)m4_dnl plain: driver = plaintext @@ -41,6 +57,8 @@ plain: server_prompts = : server_condition = CHECK_PASSWD($auth2, $auth3) server_set_id = $auth2 + client_condition = CLIENT_SECRET_EXISTSP(plain) + client_send = <; CLIENT_SECRET(plain) login: driver = plaintext 
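Review bot: The new `client_condition = CLIENT_SECRET_EXISTSP(plain)` on the plain authenticator only checks that a secret exists, so PLAIN credentials will be offered to a remote host even when the outbound connection is not TLS-protected (unless the smtp transport's `hosts_require_tls` covers every such host, which this file does not show). Gate it on the outbound cipher instead, e.g. `client_condition = ${if def:tls_out_cipher {CLIENT_SECRET_EXISTSP(plain)}{false}}` (`$tls_out_cipher` on Exim 4.80+, `$tls_cipher` on older releases). `CLIENT_SECRET` runs `${expand:$value}` on whatever the lookup returns, so every value in `client-secrets` is a full string expansion, not just data; a comment at `CLIENT_SECRETS_FILE` should say so: `# Values are string-expanded: file must be owned by root/exim and mode 0600`. Also note that `partial0-lsearch` is used for the `$domain` and `$host` lookups, so a wildcard entry in the file would, if I read partial matching correctly, hand the same credentials to any host - worth confirming that is intended.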
@@ -49,62 +67,17 @@ login: server_prompts = <; Username: ; Password: server_condition = CHECK_PASSWD($auth1, $auth2) server_set_id = $auth1 - -DIVERT(null) -###-------------------------------------------------------------------------- -### Verification of sender address. - -SECTION(global, acl)m4_dnl -acl_not_smtp_start = not_smtp_start -SECTION(acl, misc)m4_dnl -not_smtp_start: - ## Record the user's name. - warn set acl_c_user = $sender_ident - -SECTION(acl, mail-hooks)m4_dnl - ## Check that a submitted message's sender address is allowable. - require acl = mail_check_auth - -SECTION(acl, misc)m4_dnl -mail_check_auth: - - ## If this isn't a submission then it doesn't need checking. - accept condition = ${if !eq{$acl_c_mode}{submission}} - - ## If the caller hasn't formally authenticated, but this is a - ## loopback connection, then we can trust identd to tell us the right - ## answer. So we should stash the right name somewhere consistent. - warn set acl_c_user = $authenticated_id - hosts = +localnet - !authenticated = * - set acl_c_user = $sender_ident - - ## User must be authenticated. - deny message = Sender not authenticated - !hosts = +localnet - !authenticated = * - - ## Make sure that the local part is one that the authenticated sender - ## is allowed to claim. - deny message = Sender address forbidden to calling user - !condition = ${LOOKUP_DOMAIN($sender_address_domain, - {${if and {{match_local_part \ - {$acl_c_user} \ - {+dom_users}} \ - {match_local_part \ - {$sender_address_local_part} \ - {+dom_locals}}}}}, - {${if and {{match_local_part \ - {$sender_address_local_part} \ - {+user_extaddr}} \ - {or {{eq {$sender_address_domain} \ - {}} \ - {match_domain \ - {$sender_address_domain} \ - {+public}}}}}}})} - - ## All done. 
- accept + client_condition = CLIENT_SECRET_EXISTSP(login-passwd) + client_send = <; \ + ; CLIENT_SECRET(login-name) \ + ; CLIENT_SECRET(login-passwd) + +cram_md5: + driver = cram_md5 + public_name = CRAM-MD5 + client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret) + client_name = CLIENT_SECRET(cram-md5-name) + client_secret = CLIENT_SECRET(cram-md5-secret) DIVERT(null) ###--------------------------------------------------------------------------
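Review bot: The login and cram_md5 client blocks have the same gap as the plain block above: `client_condition = CLIENT_SECRET_EXISTSP(login-passwd)` lets the LOGIN username and password be sent in the clear on a non-TLS outbound connection, and nothing here ties the attempt to the session being encrypted. Suggested change for login, and likewise for cram_md5: `client_condition = ${if def:tls_out_cipher {CLIENT_SECRET_EXISTSP(login-passwd)}{false}}`. For cram_md5 the condition tests only `cram-md5-secret`, while `client_name` is fetched with `fail` on a miss; if the name is absent the expansion fails at authentication time rather than the authenticator being skipped, so the condition should probably test both keys. Separately, this hunk drops the whole `mail_check_auth` ACL that bound a submitted sender address to the authenticated user; only this file is visible, so if that check is not reinstated elsewhere, authenticated submitters can now claim any sender address, and the commit message should say where it went.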