From 16ff981e58427ae8bd5e8420411a9978678841e4 Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Mon, 16 Oct 2006 15:44:36 +0000 Subject: [PATCH] Add server_condition to all authenticators, to allow for additional conditions (and thereby implement authorization). --- doc/doc-txt/ChangeLog | 7 ++- doc/doc-txt/NewStuff | 9 ++- doc/doc-txt/OptionLists.txt | 4 +- src/scripts/MakeLinks | 3 +- src/src/auths/Makefile | 47 ++++++++-------- src/src/auths/README | 4 +- src/src/auths/check_serv_cond.c | 99 +++++++++++++++++++++++++++++++++ src/src/auths/cram_md5.c | 5 +- src/src/auths/cyrus_sasl.c | 10 ++-- src/src/auths/dovecot.c | 6 +- src/src/auths/plaintext.c | 66 +++------------------- src/src/auths/plaintext.h | 3 +- src/src/auths/spa.c | 11 ++-- src/src/functions.h | 3 +- src/src/globals.c | 5 +- src/src/structs.h | 3 +- test/confs/3500 | 3 +- test/scripts/3500-CRAM-MD5/3500 | 11 ++++ test/stderr/3500 | 43 +++++++++++++- test/stdout/3407 | 8 +-- test/stdout/3500 | 23 ++++++++ 21 files changed, 261 insertions(+), 112 deletions(-) create mode 100644 src/src/auths/check_serv_cond.c diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 124101d78..19a3ae0dd 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.410 2006/10/16 15:44:36 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -150,6 +150,11 @@ PH/21 On the advice of Timo Sirainen, added a check to the dovecot local IP, and the "valid-client-cert option" if a client certificate has been verified. +PH/22 As suggested by Denis Davies, added a server_condition option to *all* + authenticators. This can be used for authorization after authentication + succeeds. (In the case of plaintext, it servers for both authentication + and authorization.) + Exim version 4.63 ----------------- 
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b66cfb593..267fc9adc 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.117 2006/10/16 15:44:36 ph10 Exp $ New Features in Exim -------------------- @@ -124,6 +124,13 @@ Version 4.64 values matches (or if no record is found), this is the only lookup that is done. Only if there is a match is one of the more specific lists consulted. +6. All authenticators now have a server_condition option. Previously, only + plaintext had this, and this has not changed: it must be set to the + authenticator as a server. For the others, if server_condition is set, it is + expanded if authentication is successful, and treated exactly as it is in + plaintext. This can serve as a means of adding authorization to an + authenticator. + Version 4.63 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 2d0f160a2..69f2370e0 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.24 2006/09/22 14:01:12 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.25 2006/10/16 15:44:36 ph10 Exp $ LISTS OF EXIM OPTIONS --------------------- @@ -442,7 +442,7 @@ sender_unqualified_hosts host list unset main senders address list unset routers 4.00 serialize_hosts host list unset smtp 1.60 server_advertise_condition string* unset authenticators 4.14 -server_condition string* unset plaintext 3.10 +server_condition string* unset authenticators 3.10 (plaintext) 4.64 (others) server_hostname string* "$primary_hostname" cyrus_sasl 4.43 server_mail_auth_condition string* unset authenticators 3.22 server_mech string public_name cyrus_sasl 4.43 diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index d38f8b00c..b0b513c8b 100755 --- a/src/scripts/MakeLinks 
+++ b/src/scripts/MakeLinks @@ -1,5 +1,5 @@ #!/bin/sh -# $Cambridge: exim/src/scripts/MakeLinks,v 1.7 2006/10/02 13:38:18 ph10 Exp $ +# $Cambridge: exim/src/scripts/MakeLinks,v 1.8 2006/10/16 15:44:36 ph10 Exp $ # Script to build links for all the exim source files from the system- # specific build directory. It should be run from within that directory. @@ -162,6 +162,7 @@ ln -s ../../src/auths/b64decode.c b64decode.c ln -s ../../src/auths/call_pam.c call_pam.c ln -s ../../src/auths/call_pwcheck.c call_pwcheck.c ln -s ../../src/auths/call_radius.c call_radius.c +ln -s ../../src/auths/check_serv_cond.c check_serv_cond.c ln -s ../../src/auths/cyrus_sasl.c cyrus_sasl.c ln -s ../../src/auths/cyrus_sasl.h cyrus_sasl.h ln -s ../../src/auths/get_data.c get_data.c diff --git a/src/src/auths/Makefile b/src/src/auths/Makefile index 889e24b8c..3df035dd3 100644 --- a/src/src/auths/Makefile +++ b/src/src/auths/Makefile @@ -1,4 +1,4 @@ -# $Cambridge: exim/src/src/auths/Makefile,v 1.4 2006/10/02 13:38:18 ph10 Exp $ +# $Cambridge: exim/src/src/auths/Makefile,v 1.5 2006/10/16 15:44:36 ph10 Exp $ # Make file for building a library containing all the available authorization # methods, and calling it auths.a. In addition, there are functions that are @@ -7,10 +7,10 @@ # after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are # defined, the equivalent modules herein is not included in the final binary. -OBJ = b64encode.o b64decode.o call_pam.o call_pwcheck.o call_radius.o \ - xtextencode.o xtextdecode.o get_data.o get_no64_data.o md5.o \ - cram_md5.o cyrus_sasl.o dovecot.o plaintext.o pwcheck.o sha1.o \ - auth-spa.o spa.o +OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \ + call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \ + get_data.o get_no64_data.o md5.o plaintext.o pwcheck.o sha1.o \ + spa.o xtextdecode.o xtextencode.o auths.a: $(OBJ) @$(RM_COMMAND) -f auths.a 
@@ -23,24 +23,25 @@ auths.a: $(OBJ) .c.o:; @echo "$(CC) $*.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c -auth-spa.o: $(HDRS) auth-spa.c -b64encode.o: $(HDRS) b64encode.c -b64decode.o: $(HDRS) b64decode.c -call_pam.o: $(HDRS) call_pam.c -call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h -call_radius.o: $(HDRS) call_radius.c -get_data.o: $(HDRS) get_data.c -get_no64_data.o: $(HDRS) get_no64_data.c -md5.o: $(HDRS) md5.c -pwcheck.o: $(HDRS) pwcheck.c pwcheck.h -sha1.o: $(HDRS) sha1.c -xtextencode.o: $(HDRS) xtextencode.c -xtextdecode.o: $(HDRS) xtextdecode.c +auth-spa.o: $(HDRS) auth-spa.c +b64encode.o: $(HDRS) b64encode.c +b64decode.o: $(HDRS) b64decode.c +call_pam.o: $(HDRS) call_pam.c +call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h +call_radius.o: $(HDRS) call_radius.c +check_serv_cond.o: $(HDRS) check_serv_cond.c +get_data.o: $(HDRS) get_data.c +get_no64_data.o: $(HDRS) get_no64_data.c +md5.o: $(HDRS) md5.c +pwcheck.o: $(HDRS) pwcheck.c pwcheck.h +sha1.o: $(HDRS) sha1.c +xtextdecode.o: $(HDRS) xtextdecode.c +xtextencode.o: $(HDRS) xtextencode.c -cram_md5.o: $(HDRS) cram_md5.c cram_md5.h -cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h -dovecot.o: $(HDRS) dovecot.c dovecot.h -plaintext.o: $(HDRS) plaintext.c plaintext.h -spa.o: $(HDRS) spa.c spa.h +cram_md5.o: $(HDRS) cram_md5.c cram_md5.h +cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h +dovecot.o: $(HDRS) dovecot.c dovecot.h +plaintext.o: $(HDRS) plaintext.c plaintext.h +spa.o: $(HDRS) spa.c spa.h # End diff --git a/src/src/auths/README b/src/src/auths/README index 780e15dc4..83fcab448 100644 --- a/src/src/auths/README +++ b/src/src/auths/README @@ -1,4 +1,4 @@ -$Cambridge: exim/src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $ +$Cambridge: exim/src/src/auths/README,v 1.6 2006/10/16 15:44:36 ph10 Exp $ AUTHS 
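Review bot: Every existing dependency line in this hunk is removed and re-added with, as far as the collapsed text shows, identical content, so the one functional addition `check_serv_cond.o: $(HDRS) check_serv_cond.c` is buried in what is presumably an alignment/whitespace cleanup. Keeping that cleanup in a separate commit would let the dependency change be reviewed on its own. The new rule is consistent with its neighbours in depending on `$(HDRS)`, which is what the new file's `#include "../exim.h"` needs; the OBJ list reordering is alphabetical only and is not a behaviour change.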
@@ -59,7 +59,7 @@ The yield of a server authentication check must be one of: DEFER couldn't complete the check FAIL authentication failed CANCELLED authentication forced to fail by "*" response to challenge, - or by a forced string expansion failure + or by certain forced string expansion failures BAD64 bad base64 data received UNEXPECTED unexpected data received diff --git a/src/src/auths/check_serv_cond.c b/src/src/auths/check_serv_cond.c new file mode 100644 index 000000000..1e775300c --- /dev/null +++ b/src/src/auths/check_serv_cond.c 
@@ -0,0 +1,99 @@ +/* $Cambridge: exim/src/src/auths/check_serv_cond.c,v 1.1 2006/10/16 15:44:36 ph10 Exp $ */ + +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) University of Cambridge 1995 - 2006 */ +/* See the file NOTICE for conditions of use and distribution. */ + +#include "../exim.h" + +/* This module contains the function server_condition(), which is used +by all authenticators. */ + + +/************************************************* +* Check server_condition * +*************************************************/ + +/* This function is called from the server code of all authenticators. For +plaintext, it is always called: the argument cannot be empty, because for +plaintext, setting server_condition is what enables it as a server +authenticator. For all the other authenticators, this function is called after +they have authenticated, to enable additional authorization to be done. + +Argument: the authenticator's instance block + +Returns: + OK NULL argument, or success + DEFER couldn't complete the check + FAIL authentication failed +*/ + +int +auth_check_serv_cond(auth_instance *ablock) +{ +uschar *cond; + +HDEBUG(D_auth) + { + int i; + debug_printf("%s authenticator:\n", ablock->name); + for (i = 0; i < AUTH_VARS; i++) + { + if (auth_vars[i] != NULL) + debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]); + } + for (i = 1; i <= expand_nmax; i++) + debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]); + debug_print_string(ablock->server_debug_string); /* customized debug */ + } + +/* For the plaintext authenticator, server_condition is never NULL. For the +rest, an unset condition lets everything through. 
*/ + +if (ablock->server_condition == NULL) return OK; +cond = expand_string(ablock->server_condition); + +HDEBUG(D_auth) + { + if (cond == NULL) + debug_printf("expansion failed: %s\n", expand_string_message); + else + debug_printf("expanded string: %s\n", cond); + } + +/* A forced expansion failure causes authentication to fail. Other expansion +failures yield DEFER, which will cause a temporary error code to be returned to +the AUTH command. The problem is at the server end, so the client should try +again later. */ + +if (cond == NULL) + { + if (expand_string_forcedfail) return FAIL; + auth_defer_msg = expand_string_message; + return DEFER; + } + +/* Return FAIL for empty string, "0", "no", and "false"; return OK for +"1", "yes", and "true"; return DEFER for anything else, with the string +available as an error text for the user. */ + +if (*cond == 0 || + Ustrcmp(cond, "0") == 0 || + strcmpic(cond, US"no") == 0 || + strcmpic(cond, US"false") == 0) + return FAIL; + +if (Ustrcmp(cond, "1") == 0 || + strcmpic(cond, US"yes") == 0 || + strcmpic(cond, US"true") == 0) + return OK; + +auth_defer_msg = cond; +auth_defer_user_msg = string_sprintf(": %s", cond); +return DEFER; +} + +/* End of check_serv_cond.c */ diff --git a/src/src/auths/cram_md5.c b/src/src/auths/cram_md5.c index 26521fbe9..6686d5f1c 100644 --- a/src/src/auths/cram_md5.c +++ b/src/src/auths/cram_md5.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -233,7 +233,8 @@ for (i = 0; i < 16; i++) ((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL; } -return OK; +/* Expand server_condition as an authorization check */ +return auth_check_serv_cond(ablock); } diff --git a/src/src/auths/cyrus_sasl.c b/src/src/auths/cyrus_sasl.c index 7e6603988..284194e00 100644 
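Review bot: The header comment's `OK NULL argument, or success` does not match the code: the only NULL test is `ablock->server_condition == NULL`, and `ablock->name` is dereferenced in the HDEBUG block before that test, so a NULL `ablock` would crash rather than return OK; suggest `OK server_condition unset (non-plaintext authenticators only), or success`. The debug block now prints every `$authN` variable for all authenticators, which for plaintext includes the cleartext password, so the comment above it should say that `-d+auth` output is sensitive (the code is moved from plaintext.c, but this is now the shared path). In the DEFER branch the expanded string is copied into `auth_defer_user_msg`, which the comment says is "available as an error text for the user", so whatever a lookup in server_condition yields may become visible to the SMTP client; that is worth a comment too. Note also that a FAIL from this authorization step is reported as `535 Incorrect authentication data` (test/stderr/3500), so in the log an authorization denial is indistinguishable from a wrong password; the callers in cram_md5.c, cyrus_sasl.c, dovecot.c and spa.c all share this.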
--- a/src/src/auths/cyrus_sasl.c +++ b/src/src/auths/cyrus_sasl.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -53,7 +53,7 @@ address can appear in the tables drtables.c. */ int auth_cyrus_sasl_options_count = sizeof(auth_cyrus_sasl_options)/sizeof(optionlist); -/* Default private options block for the contidion authentication method. */ +/* Default private options block for the cyrus_sasl authentication method. */ auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = { US"smtp", /* server_service */ @@ -332,11 +332,13 @@ while(rc==SASL_CONTINUE) expand_nmax = 1; HDEBUG(D_auth) - debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2); + debug_printf("Cyrus SASL %s authentication succeeded for %s\n", ob->server_mech, out2); /* close down the connection, freeing up library's memory */ sasl_dispose(&conn); sasl_done(); - return OK; + + /* Expand server_condition as an authorization check */ + return auth_check_serv_cond(ablock); } } /* NOTREACHED */ diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c index c11b2fe9b..e040bcf93 100644 --- a/src/src/auths/dovecot.c +++ b/src/src/auths/dovecot.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.3 2006/10/16 15:44:36 ph10 Exp $ */ /* * Copyright (c) 2004 Andrey Panin @@ -309,5 +309,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data) } out: close(fd); - return ret; + + /* Expand server_condition as an authorization check */ + return (ret == OK)? auth_check_serv_cond(ablock) : ret; } diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c index 2aea4a492..e4fec348e 100644 --- a/src/src/auths/plaintext.c 
+++ b/src/src/auths/plaintext.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -18,8 +18,6 @@ optionlist auth_plaintext_options[] = { (void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) }, { "client_send", opt_stringptr, (void *)(offsetof(auth_plaintext_options_block, client_send)) }, - { "server_condition", opt_stringptr, - (void *)(offsetof(auth_plaintext_options_block, server_condition)) }, { "server_prompts", opt_stringptr, (void *)(offsetof(auth_plaintext_options_block, server_prompts)) } }; @@ -33,7 +31,6 @@ int auth_plaintext_options_count = /* Default private options block for the plaintext authentication method. */ auth_plaintext_options_block auth_plaintext_option_defaults = { - NULL, /* server_condition */ NULL, /* server_prompts */ NULL, /* client_send */ FALSE /* client_ignore_invalid_base64 */ @@ -54,7 +51,7 @@ auth_plaintext_init(auth_instance *ablock) auth_plaintext_options_block *ob = (auth_plaintext_options_block *)(ablock->options_block); if (ablock->public_name == NULL) ablock->public_name = ablock->name; -if (ob->server_condition != NULL) ablock->server = TRUE; +if (ablock->server_condition != NULL) ablock->server = TRUE; if (ob->client_send != NULL) ablock->client = TRUE; } @@ -72,7 +69,7 @@ auth_plaintext_server(auth_instance *ablock, uschar *data) auth_plaintext_options_block *ob = (auth_plaintext_options_block *)(ablock->options_block); uschar *prompts = ob->server_prompts; -uschar *clear, *cond, *end, *s; +uschar *clear, *end, *s; int number = 1; int len, rc; int sep = 0; 
@@ -141,59 +138,12 @@ while ((s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size)) } /* We now have a number of items of data in $auth1, $auth2, etc (and also, for -compatibility, in $1, $2, etc). Match against the decoded data by expanding the -condition. */ +compatibility, in $1, $2, etc). Authentication and authorization are handled +together for this authenticator by expanding the server_condition option. Note +that ablock->server_condition is always non-NULL because that's what configures +this authenticator as a server. */ -cond = expand_string(ob->server_condition); - -HDEBUG(D_auth) - { - int i; - debug_printf("%s authenticator:\n", ablock->name); - for (i = 0; i < AUTH_VARS; i++) - { - if (auth_vars[i] != NULL) - debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]); - } - for (i = 1; i <= expand_nmax; i++) - debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]); - debug_print_string(ablock->server_debug_string); /* customized debug */ - if (cond == NULL) - debug_printf("expansion failed: %s\n", expand_string_message); - else - debug_printf("expanded string: %s\n", cond); - } - -/* A forced expansion failure causes authentication to fail. Other expansion -failures yield DEFER, which will cause a temporary error code to be returned to -the AUTH command. The problem is at the server end, so the client should try -again later. */ - -if (cond == NULL) - { - if (expand_string_forcedfail) return FAIL; - auth_defer_msg = expand_string_message; - return DEFER; - } - -/* Return FAIL for empty string, "0", "no", and "false"; return OK for -"1", "yes", and "true"; return DEFER for anything else, with the string -available as an error text for the user. 
*/ - -if (*cond == 0 || - Ustrcmp(cond, "0") == 0 || - strcmpic(cond, US"no") == 0 || - strcmpic(cond, US"false") == 0) - return FAIL; - -if (Ustrcmp(cond, "1") == 0 || - strcmpic(cond, US"yes") == 0 || - strcmpic(cond, US"true") == 0) - return OK; - -auth_defer_msg = cond; -auth_defer_user_msg = string_sprintf(": %s", cond); -return DEFER; +return auth_check_serv_cond(ablock); } diff --git a/src/src/auths/plaintext.h b/src/src/auths/plaintext.h index 7499a01d8..c35f3e498 100644 --- a/src/src/auths/plaintext.h +++ b/src/src/auths/plaintext.h @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -10,7 +10,6 @@ /* Private structure for the private options. */ typedef struct { - uschar *server_condition; uschar *server_prompts; uschar *client_send; BOOL client_ignore_invalid_base64; diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c index 3fd4bde6a..6cc281a1b 100644 --- a/src/src/auths/spa.c +++ b/src/src/auths/spa.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/spa.c,v 1.8 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -25,8 +25,9 @@ References: * typedef unsigned uint32; * typedef unsigned char uint8; -07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid - input data. Find appropriate comment by grepping for "PH". +07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid + input data. Find appropriate comment by grepping for "PH". +16-October-2006: PH: Added a call to auth_check_serv_cond() at the end */ 
@@ -231,7 +232,9 @@ if (memcmp(ntRespData, ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0), 24) == 0) /* success. we have a winner. */ - return OK; + + /* Expand server_condition as an authorization check (PH) */ + return auth_check_serv_cond(ablock); return FAIL; } diff --git a/src/src/functions.h b/src/src/functions.h index 302f8b6d1..170a84411 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/functions.h,v 1.28 2006/10/09 14:36:25 ph10 Exp $ */ +/* $Cambridge: exim/src/src/functions.h,v 1.29 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -49,6 +49,7 @@ extern int auth_call_pwcheck(uschar *, uschar **); extern int auth_call_radius(uschar *, uschar **); extern int auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *, uschar **); +extern int auth_check_serv_cond(auth_instance *); extern int auth_get_data(uschar **, uschar *, int); extern int auth_get_no64_data(uschar **, uschar *); extern uschar *auth_xtextencode(uschar *, int); diff --git a/src/src/globals.c b/src/src/globals.c index 7c3f8e9f1..35cac0f6f 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/globals.c,v 1.59 2006/09/25 10:14:20 ph10 Exp $ */ +/* $Cambridge: exim/src/src/globals.c,v 1.60 2006/10/16 15:44:36 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
@@ -38,6 +38,8 @@ optionlist optionlist_auths[] = {
 (void *)(offsetof(auth_instance, public_name)) },
 { "server_advertise_condition", opt_stringptr | opt_public,
 (void *)(offsetof(auth_instance, advertise_condition))},
+ { "server_condition", opt_stringptr | opt_public,
+ (void *)(offsetof(auth_instance, server_condition)) },
 { "server_debug_print", opt_stringptr | opt_public,
 (void *)(offsetof(auth_instance, server_debug_string)) },
 { "server_mail_auth_condition", opt_stringptr | opt_public,
@@ -325,6 +327,7 @@ auth_instance auth_defaults = {
 NULL, /* set_id */
 NULL, /* server_mail_auth_condition */
 NULL, /* server_debug_string */
+ NULL, /* server_condition */
 FALSE, /* client */
 FALSE, /* server */
 FALSE /* advertised */
diff --git a/src/src/structs.h b/src/src/structs.h
index c5bb3b321..d160aee4a 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/structs.h,v 1.12 2006/09/25 11:25:37 ph10 Exp $ */
+/* $Cambridge: exim/src/src/structs.h,v 1.13 2006/10/16 15:44:36 ph10 Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -367,6 +367,7 @@ typedef struct auth_instance {
 uschar *set_id; /* String to set as authenticated id */
 uschar *mail_auth_condition; /* Condition for AUTH on MAIL command */
 uschar *server_debug_string; /* Debugging output */
+ uschar *server_condition; /* Authorization condition */
 BOOL client; /* TRUE if client option(s) set */
 BOOL server; /* TRUE if server options(s) set */
 BOOL advertised; /* Set TRUE when advertised */
diff --git a/test/confs/3500 b/test/confs/3500
index b83b1c33f..343a0b3e1 100644
--- a/test/confs/3500
+++ b/test/confs/3500
@@ -13,7 +13,7 @@ gecos_name = CALLER_NAME
 domainlist local_domains = test.ex : *.test.ex
-hostlist auth_hosts = 10.0.0.1
+hostlist auth_hosts = 10.0.0.1 : 10.0.0.5
 hostlist relay_hosts = 10.0.0.4
 hostlist auth_relay_hosts = 10.0.0.3 : 10.0.0.4
@@ -80,6 +80,7 @@ cram_md5: server_secret = "${if eq{$auth1}{tim}{tanstaaftanstaaf}\ {${if eq{$auth1}{userx}{secret}fail}}}" server_set_id = $auth1 + server_condition = ${if !eq {$sender_host_address}{10.0.0.5}} diff --git a/test/scripts/3500-CRAM-MD5/3500 b/test/scripts/3500-CRAM-MD5/3500 index b3d2c05aa..637852f64 100644 --- a/test/scripts/3500-CRAM-MD5/3500 +++ b/test/scripts/3500-CRAM-MD5/3500 @@ -32,4 +32,15 @@ Testing authenticated CRAM-MD5. . quit **** +exim -bh 10.0.0.5 +ehlo test.host +AUTH CRAM-MD5 +dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw +mail from: +rcpt to: +data +Testing authenticated CRAM-MD5. +. +quit +**** no_msglog_check diff --git a/test/stderr/3500 b/test/stderr/3500 index b0432c58c..87179790d 100644 --- a/test/stderr/3500 +++ b/test/stderr/3500 @@ -8,7 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> test.host in helo_lookup_domains? no (end of list) >>> host in pipelining_advertise_hosts? yes (matched "*") ->>> host in "10.0.0.1"? no (end of list) +>>> host in "10.0.0.1 : 10.0.0.5"? no (end of list) >>> host in "10.0.0.4"? yes (matched "10.0.0.4") >>> host in auth_advertise_hosts? no (matched "!+relay_hosts") >>> host in hosts_connection_nolog? no (option unset) 
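Review bot: The new session from 10.0.0.5 only exercises the FAIL path of auth_check_serv_cond() (server_condition expands to the empty string, per the `expanded string:` line in test/stderr/3500), so the function's other branches remain untested: a non-boolean expansion result (DEFER, with the string handed to the client as error text), a forced expansion failure (FAIL), and the accepted `yes`/`1`/`true` spellings. Adding a second authenticator to test/confs/3500 whose server_condition expands to a fixed non-boolean string would cover the DEFER path and pin the temporary-error reply the client sees. Since this is the only test of the new shared function, those cases are where a regression would otherwise go unnoticed.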
@@ -21,13 +21,18 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> test.host in helo_lookup_domains? no (end of list) >>> host in pipelining_advertise_hosts? yes (matched "*") ->>> host in "10.0.0.1"? yes (matched "10.0.0.1") +>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.1") >>> host in auth_advertise_hosts? yes (matched "+auth_hosts") >>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3="" >>> CRAM-MD5: user name = tim >>> challenge = <1896.697170952@postoffice.reston.mci.net> >>> received = b913a602c7eda7a495b4e6e7334d3890 >>> digest = b913a602c7eda7a495b4e6e7334d3890 +>>> cram_md5 authenticator: +>>> $auth1 = tim +>>> $1 = tim +>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3="" +>>> expanded string: true >>> using ACL "check_recipient" >>> processing "warn" >>> check hosts = 10.0.0.5 
@@ -54,3 +59,37 @@ >>> accept: condition test succeeded >>> host in ignore_fromline_hosts? no (option unset) LOG: 10HmaY-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.1] P=esmtpa A=cram_md5:tim S=sss +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> test.host in helo_lookup_domains? no (end of list) +>>> host in pipelining_advertise_hosts? yes (matched "*") +>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.5") +>>> host in auth_advertise_hosts? yes (matched "+auth_hosts") +>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3="" +>>> CRAM-MD5: user name = tim +>>> challenge = <1896.697170952@postoffice.reston.mci.net> +>>> received = b913a602c7eda7a495b4e6e7334d3890 +>>> digest = b913a602c7eda7a495b4e6e7334d3890 +>>> cram_md5 authenticator: +>>> $auth1 = tim +>>> $1 = tim +>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3="" +>>> expanded string: +LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect authentication data (set_id=tim) +>>> using ACL "check_recipient" +>>> processing "warn" +>>> check hosts = 10.0.0.5 +>>> host in "10.0.0.5"? yes (matched "10.0.0.5") +>>> warn: condition test succeeded +>>> processing "accept" +>>> check hosts = 10.0.0.5 +>>> host in "10.0.0.5"? yes (matched "10.0.0.5") +>>> accept: condition test succeeded +>>> host in ignore_fromline_hosts? no (option unset) +LOG: 10HmaZ-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.5] P=esmtp S=sss diff --git a/test/stdout/3407 b/test/stdout/3407 index d08999e28..274c68c1a 100644 --- a/test/stdout/3407 +++ b/test/stdout/3407 
@@ -3,46 +3,46 @@ a1 authenticator: driver = plaintext public_name = PLAIN server_advertise_condition = +server_condition = xxx server_debug_print = server_mail_auth_condition = server_set_id = no_client_ignore_invalid_base64 client_send = -server_condition = xxx server_prompts = a2 authenticator: driver = plaintext public_name = PLAIN server_advertise_condition = +server_condition = server_debug_print = server_mail_auth_condition = server_set_id = no_client_ignore_invalid_base64 client_send = -server_condition = server_prompts = a3 authenticator: driver = plaintext public_name = LOGIN server_advertise_condition = +server_condition = server_debug_print = server_mail_auth_condition = server_set_id = no_client_ignore_invalid_base64 client_send = -server_condition = server_prompts = a4 authenticator: driver = plaintext public_name = LOGIN server_advertise_condition = +server_condition = server_debug_print = server_mail_auth_condition = server_set_id = no_client_ignore_invalid_base64 client_send = -server_condition = server_prompts = diff --git a/test/stdout/3500 b/test/stdout/3500 index deaae921b..87377d644 100644 --- a/test/stdout/3500 +++ b/test/stdout/3500 @@ -60,3 +60,26 @@ **** SMTP testing: that is not a real message id! 221 myhost.test.ex closing connection + +**** SMTP testing session as if from host 10.0.0.5 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250-myhost.test.ex Hello test.host [10.0.0.5] +250-SIZE 52428800 +250-ETRN +250-EXPN +250-PIPELINING +250-AUTH CRAM-MD5 +250 HELP +334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+ +535 Incorrect authentication data +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaZ-0005vi-00 + +**** SMTP testing: that is not a real message id! + +221 myhost.test.ex closing connection -- 2.30.2