From: Mark Wooding
Date: Tue, 18 Mar 2014 16:32:42 +0000 (+0000)
Subject: auth.m4, base.m4: Client authentication machinery.
X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/commitdiff_plain/ae9744ce099209f94e7a5b73e47d99af7e712163

auth.m4, base.m4: Client authentication machinery.

If the server knows secrets for authenticating to a remote server, it can use them.
---

diff --git a/auth.m4 b/auth.m4
index 074c6aa..93b25c0 100644
--- a/auth.m4
+++ b/auth.m4
@@ -33,6 +33,22 @@ m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
 <:or {{match_ip {$sender_host_address}{+thishost}} \
 	{and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
 
+m4_define(<:CLIENT_SECRETS_FILE:>, <:CONF_sysconf_dir/client-secrets:>)
+
+m4_define(<:CLIENT_SECRET_GET:>,
+<:${if exists {CLIENT_SECRETS_FILE} \
+	{${lookup {$domain} partial0-lsearch {CLIENT_SECRETS_FILE} \
+		{${extract {$1}{$value}$2$3}} \
+		{${lookup {$host} partial0-lsearch {CLIENT_SECRETS_FILE} \
+			{${extract {$1}{$value}$2$3}} $3}}}} \
+	$3}:>)
+
+m4_define(<:CLIENT_SECRET_EXISTSP:>,
+<:CLIENT_SECRET_GET($1, {true}, {false}):>)
+
+m4_define(<:CLIENT_SECRET:>,
+<:CLIENT_SECRET_GET($1, {${expand:$value}}, fail):>)
+
 SECTION(auth)m4_dnl
 plain:
 	driver = plaintext
@@ -41,6 +57,8 @@ plain:
 	server_prompts = :
 	server_condition = CHECK_PASSWD($auth2, $auth3)
 	server_set_id = $auth2
+	client_condition = CLIENT_SECRET_EXISTSP(plain)
+	client_send = <; CLIENT_SECRET(plain)
 
 login:
 	driver = plaintext
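Review bot: CLIENT_SECRET_GET carries no description of the client-secrets file it reads, and the `partial0-lsearch` lookup has a consequence worth stating: a `*` (or `*.example`) line in that file is a default that matches any domain or host without an explicit entry, so a catch-all credential would be offered to every remote host that advertises AUTH. The stored value is also passed through `${expand:...}` by CLIENT_SECRET, so `$` and `\` inside a secret must be escaped, and the file should be readable only by the Exim user. I'd put a header comment above the define along the lines of `## client-secrets: one line per domain or host, "<domain-or-host>: <key>=<value> ...", looked up by $domain then by $host with wildcard (partial) matching; values are string-expanded`. Note too that when a domain entry exists but lacks the requested key, `${extract ...}` takes the failure branch without trying `$host`, which is fine if intended but should be said.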
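Review bot: The new `client_condition` for plain (and for login in the next hunk) only checks that a secret exists, so together with `hosts_try_auth = *` the PLAIN/LOGIN credential is sent in clear on any connection where TLS was not negotiated, because `hosts_require_tls` is only set for domains with a tls-peer-ca entry. Gating the condition on an encrypted session closes that: `client_condition = ${if and {{def:tls_out_cipher} {bool{CLIENT_SECRET_EXISTSP(plain)}}}}` (on Exim older than 4.80 the variable is `$tls_cipher`), with the same change on the login-passwd line. The cram_md5 authenticator never transmits the secret itself and can keep the bare existence check. The plain stanza begins outside this hunk.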
@@ -49,6 +67,17 @@ login:
 	server_prompts = <; Username: ; Password:
 	server_condition = CHECK_PASSWD($auth1, $auth2)
 	server_set_id = $auth1
+	client_condition = CLIENT_SECRET_EXISTSP(login-passwd)
+	client_send = <; \
+		; CLIENT_SECRET(login-name) \
+		; CLIENT_SECRET(login-passwd)
+
+cram_md5:
+	driver = cram_md5
+	public_name = CRAM-MD5
+	client_condition = CLIENT_SECRET_EXISTSP(cram-md5-secret)
+	client_name = CLIENT_SECRET(cram-md5-name)
+	client_secret = CLIENT_SECRET(cram-md5-secret)
 
 DIVERT(null)
 ###--------------------------------------------------------------------------
diff --git a/base.m4 b/base.m4
index 6c2dc7b..523e475 100644
--- a/base.m4
+++ b/base.m4
@@ -351,7 +351,10 @@ SECTION(transports)m4_dnl
 ## `domains.conf' file.
 smtp:
 	driver = smtp
+	hosts_try_auth = *
 	hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
+	hosts_require_auth = \
+		${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
 	tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
 	tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
 	tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
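Review bot: The new `hosts_require_auth` (like `hosts_require_tls` above it) is keyed on `$domain`, which the smtp transport only defines when every address on the connection shares one domain; presumably DOMKV then takes its not-found branch, `${if bool {false}}` yields nothing, and a domain marked require-auth can be delivered unauthenticated when it is batched with another domain. If that can happen here, `multi_domain = false` on this transport keeps each connection to a single domain so `$domain` stays defined. DOMKV is defined outside this hunk, so its behaviour on an empty key is inferred rather than read. A short comment on the option would also help, e.g. `## require-auth in domains.conf: defer rather than fall back to unauthenticated SMTP`.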