From c44ff8bea951faba4aae92b868b69e221bf7b52b Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 25 Feb 2018 15:24:26 +0000 Subject: [PATCH] Auths: for A-R header, and SMTP auth, note the public-name not the authenticator name Also, for TLS auth use a custom propspec --- src/src/acl.c | 5 ++--- src/src/globals.c | 1 + src/src/globals.h | 1 + src/src/smtp_in.c | 21 +++++++++++++++------ test/confs/3700 | 20 +++++++++++++++++--- test/log/3700 | 10 ++++++++-- test/mail/3403.userx | 2 +- test/mail/3700.smtps | 19 +++++++++++++++++++ test/mail/3700.x | 19 +++++++++++++++++++ test/scripts/3700-TLS-auth/3700 | 2 ++ 10 files changed, 85 insertions(+), 15 deletions(-) create mode 100644 test/mail/3700.smtps create mode 100644 test/mail/3700.x diff --git a/src/src/acl.c b/src/src/acl.c index fb8b75bc7..61316a81e 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -2970,9 +2970,8 @@ for (; cb != NULL; cb = cb->next) break; case ACLC_AUTHENTICATED: - rc = (sender_host_authenticated == NULL)? FAIL : - match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING, - TRUE, NULL); + rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated, + &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL; break; #ifdef EXPERIMENTAL_BRIGHTMAIL diff --git a/src/src/globals.c b/src/src/globals.c index 7e228d098..5f1c87fc0 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1277,6 +1277,7 @@ uschar *sender_helo_name = NULL; uschar **sender_host_aliases = &no_aliases; uschar *sender_host_address = NULL; uschar *sender_host_authenticated = NULL; +uschar *sender_host_auth_pubname = NULL; unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; BOOL sender_host_dnssec = FALSE; uschar *sender_host_name = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index b5cb6407b..801a00fb3 100644 --- a/src/src/globals.h +++ b/src/src/globals.h 
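Review bot: The rewritten ACLC_AUTHENTICATED assignment puts the long `match_isinlist(...)` call in the true branch of the ternary, so its argument list is now split around the `?`/`:` and the `FAIL` fallback is the last thing the reader reaches; keeping the short branch first, `rc = !sender_host_authenticated ? FAIL : match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);`, reads like the old code without the explicit NULL compare. This restyle and the matching `!acl_smtp_mailauth` / `sender_host_authenticated ? OK : FAIL` rewrite in the smtp_in.c @@ -4556 hunk are behaviour-neutral but are mixed into a commit that changes the Authentication-Results output, which makes the functional change harder to isolate when bisecting; a separate cleanup commit would be cleaner. The enclosing `for (; cb != NULL; cb = cb->next)` loop starts and ends outside the hunk.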
@@ -786,6 +786,7 @@ extern uschar *sender_fullhost; /* Sender host name + address */ extern BOOL sender_helo_dnssec; /* True if HELO verify used DNS and was DNSSEC */ extern uschar *sender_helo_name; /* Host name from HELO/EHLO */ extern uschar **sender_host_aliases; /* Points to list of alias names */ +extern uschar *sender_host_auth_pubname; /* Public-name of authentication method */ extern unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for incoming host */ extern BOOL sender_host_dnssec; /* true if sender_host_name verified in DNSSEC */ extern BOOL sender_host_notsocket; /* Set for -bs and -bS */ diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index c45e7e26f..03dcad73e 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2375,7 +2375,8 @@ smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */ /* If receiving by -bs from a trusted user, or testing with -bh, we allow authentication settings from -oMaa to remain in force. */ -if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL; +if (!host_checking && !sender_host_notsocket) + sender_host_auth_pubname = sender_host_authenticated = NULL; authenticated_by = NULL; #ifdef SUPPORT_TLS @@ -3625,6 +3626,7 @@ switch(rc) { if (set_id) authenticated_id = string_copy_malloc(set_id); sender_host_authenticated = au->name; + sender_host_auth_pubname = au->public_name; authentication_failed = FALSE; authenticated_fail_id = NULL; /* Impossible to already be set? */ @@ -4556,10 +4558,10 @@ while (done <= 0) US"invalid data for AUTH"); goto COMMAND_LOOP; } - if (acl_smtp_mailauth == NULL) + if (!acl_smtp_mailauth) { ignore_msg = US"client not authenticated"; - rc = (sender_host_authenticated != NULL)? OK : FAIL; + rc = sender_host_authenticated ? OK : FAIL; } else { 
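Review bot: The chained reset `sender_host_auth_pubname = sender_host_authenticated = NULL;` keeps the two variables in step only on the clearing path; the comment above it says -oMaa settings are deliberately left in force for -bs/-bh, and nothing in this patch assigns `sender_host_auth_pubname` on that path (the -oMaa handling lives outside the diff, so this is inferred), so `sender_host_authenticated` can be non-NULL while the pubname stays NULL. The new `authres_smtpauth` in the @@ -5751 hunk then hands that NULL to `string_append` and `Ustrcmp`, which is a NULL dereference rather than merely a wrong header. The same gap presumably applies to any code that restores `sender_host_authenticated` from the spool without a pubname, if `${authresults}` can be expanded at delivery time — worth checking. A defensive fallback in `authres_smtpauth`, `uschar * pubname = sender_host_auth_pubname ? sender_host_auth_pubname : sender_host_authenticated;` used in place of the two direct references, avoids the crash and degrades to the previous authenticator-name output on those paths; the enclosing function of this hunk starts and ends outside it.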
@@ -5356,7 +5358,7 @@ while (done <= 0) + (tls_in.active >= 0 ? pcrpted : 0) ]; - sender_host_authenticated = NULL; + sender_host_auth_pubname = sender_host_authenticated = NULL; authenticated_id = NULL; sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING; DEBUG(D_tls) debug_printf("TLS active\n"); @@ -5751,8 +5753,15 @@ authres_smtpauth(gstring * g) if (!sender_host_authenticated) return g; -g = string_append(g, 4, US";\n\tauth=pass" - " (", sender_host_authenticated, US") smtp.auth=", authenticated_id); +g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname); + +if (Ustrcmp(sender_host_auth_pubname, "tls") != 0) + g = string_append(g, 2, US") smtp.auth=", authenticated_id); +else if (authenticated_id) + g = string_append(g, 2, US") x509.auth=", authenticated_id); +else + g = string_catn(g, US") reason=x509.auth", 17); + if (authenticated_sender) g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender); return g; diff --git a/test/confs/3700 b/test/confs/3700 index 00a17b497..6578ecb2d 100644 --- a/test/confs/3700 +++ b/test/confs/3700 @@ -12,6 +12,8 @@ log_selector = +received_recipients +outgoing_port acl_smtp_auth = log_call acl_smtp_mail = check_authd acl_smtp_rcpt = check_authd +acl_smtp_data = ar_header + queue_only queue_run_in_order trusted_users = CALLER @@ -36,6 +38,8 @@ check_authd: !authenticated = * accept +ar_header: + accept add_header = :at_start:${authresults {$primary_hostname}} # ----- Authentication ----- @@ -54,9 +58,14 @@ tls: begin routers -r1: - driver = accept - transport = ${if eq {$local_part}{smtps} {t2}{t1}} +server_r: + driver = accept + condition = ${if eq {server}{SERVER}} + transport = file + +client_r1: + driver = accept + transport = ${if eq {$local_part}{smtps} {t2}{t1}} # ----- Transports ----- @@ -82,4 +91,9 @@ t2: tls_verify_certificates = DIR/aux-fixed/cert1 tls_verify_cert_hostnames = : +file: + driver = appendfile + file = DIR/test-mail/$local_part + user = CALLER + # End 
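Review bot: `g = string_catn(g, US") reason=x509.auth", 17);` passes a hand-counted length that is one byte short — `) reason=x509.auth` is 18 bytes — so the no-identity TLS case emits `reason=x509.aut`; use `Ustrlen(") reason=x509.auth")` (or 18) so the literal and its length cannot drift apart, and note that the new expected-output files `3700.smtps` and `3700.x` do not exercise this branch because both carry an id. Separately, `authenticated_id` is appended verbatim after `smtp.auth=` / `x509.auth=`; the Authentication-Results grammar (RFC 7601) allows only a token or quoted-string in that position, so an id containing whitespace, `;`, `(` or `"` produces a header that downstream filters cannot parse — the x509 case in the tests only looks quoted because the configured set_id expansion appears to supply its own quotes (the log line `A=tls:"Phil Pennock"` shows them too). Since `set_id` comes from a configured expansion (hunk @@ -3625) whose inputs typically derive from client-supplied authentication data, quoting the value, or at least refusing one that is not a plain token, would be the safer default. The enclosing `authres_smtpauth` starts outside the hunk (only its signature appears in the hunk header); its `return g;` is inside.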
diff --git a/test/log/3700 b/test/log/3700 index 82c09850e..d81b944d7 100644 --- a/test/log/3700 +++ b/test/log/3700 @@ -1,9 +1,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= ok@test.ex U=CALLER P=local S=sss for x@y 1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@test.ex U=CALLER P=local S=sss for smtps@y 1999-03-02 09:44:33 Start queue run: pid=pppp -1999-03-02 09:44:33 10HmaX-0005vi-00 => x@y R=r1 T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => x@y R=client_r1 T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => smtps@y R=r1 T=t2 H=127.0.0.1 [127.0.0.1]:1224 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => smtps@y R=client_r1 T=t2 H=127.0.0.1 [127.0.0.1]:1224 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp @@ -13,3 +13,9 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS_proto_and_cipher CV=yes A=tls:"Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for x@y 1999-03-02 09:44:33 Auth ACL called, after smtp cmd "" 1999-03-02 09:44:33 10HmbA-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS_proto_and_cipher CV=yes A=tls:"Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for smtps@y +1999-03-02 09:44:33 Start queue run: pid=pppp +1999-03-02 09:44:33 10HmaZ-0005vi-00 => x R=server_r T=file +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 => smtps R=server_r T=file +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp diff --git a/test/mail/3403.userx b/test/mail/3403.userx index c344d9b70..08cdf9a31 100644 
--- a/test/mail/3403.userx +++ b/test/mail/3403.userx @@ -1,6 +1,6 @@ From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 Authentication-Results: myhost.test.ex; - auth=pass (plain1) smtp.auth=userx + auth=pass (PLAIN) smtp.auth=userx Received: from CALLER (helo=testing.ex) by myhost.test.ex with local-esmtpa (Exim x.yz) (envelope-from ) diff --git a/test/mail/3700.smtps b/test/mail/3700.smtps new file mode 100644 index 000000000..60a3d234b --- /dev/null +++ b/test/mail/3700.smtps @@ -0,0 +1,19 @@ +From ok@test.ex Tue Mar 02 09:44:33 1999 +Authentication-Results: myhost.test.ex; + iprev=pass (localhost); + auth=pass (tls) x509.auth="Phil Pennock" +Received: from localhost ([127.0.0.1] helo=myhost.test.ex) + by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHA:xxx) + (Exim x.yz) + (envelope-from ) + id 10HmbA-0005vi-00 + for smtps@y; Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by myhost.test.ex with local (Exim x.yz) + (envelope-from ) + id 10HmaY-0005vi-00 + for smtps@y; Tue, 2 Mar 1999 09:44:33 +0000 +Message-Id: +From: ok@test.ex +Date: Tue, 2 Mar 1999 09:44:33 +0000 + + diff --git a/test/mail/3700.x b/test/mail/3700.x new file mode 100644 index 000000000..81544998d --- /dev/null +++ b/test/mail/3700.x @@ -0,0 +1,19 @@ +From ok@test.ex Tue Mar 02 09:44:33 1999 +Authentication-Results: myhost.test.ex; + iprev=pass (localhost); + auth=pass (tls) x509.auth="Phil Pennock" +Received: from localhost ([127.0.0.1] helo=myhost.test.ex) + by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHA:xxx) + (Exim x.yz) + (envelope-from ) + id 10HmaZ-0005vi-00 + for x@y; Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by myhost.test.ex with local (Exim x.yz) + (envelope-from ) + id 10HmaX-0005vi-00 + for x@y; Tue, 2 Mar 1999 09:44:33 +0000 +Message-Id: +From: ok@test.ex +Date: Tue, 2 Mar 1999 09:44:33 +0000 + + diff --git a/test/scripts/3700-TLS-auth/3700 b/test/scripts/3700-TLS-auth/3700 index e4b68607a..f9b41d31c 100644 --- a/test/scripts/3700-TLS-auth/3700 
+++ b/test/scripts/3700-TLS-auth/3700 @@ -10,4 +10,6 @@ exim -f ok@test.ex smtps@y exim -q **** killdaemon +exim -DSERVER=server -DNOTDAEMON -q +**** no_msglog_check -- 2.25.1