Auths: for A-R header, and SMTP auth, note the public-name not the authenticator...
authorJeremy Harris <jgh146exb@wizmail.org>
Sun, 25 Feb 2018 15:24:26 +0000 (15:24 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 25 Feb 2018 16:30:55 +0000 (16:30 +0000)
       Also, for TLS auth use a custom propspec

src/src/acl.c
src/src/globals.c
src/src/globals.h
src/src/smtp_in.c
test/confs/3700
test/log/3700
test/mail/3403.userx
test/mail/3700.smtps [new file with mode: 0644]
test/mail/3700.x [new file with mode: 0644]
test/scripts/3700-TLS-auth/3700

index fb8b75b..61316a8 100644 (file)
@@ -2970,9 +2970,8 @@ for (; cb != NULL; cb = cb->next)
     break;
 
     case ACLC_AUTHENTICATED:
-    rc = (sender_host_authenticated == NULL)? FAIL :
-      match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
-        TRUE, NULL);
+      rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
+             &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
     break;
 
     #ifdef EXPERIMENTAL_BRIGHTMAIL
index 7e228d0..5f1c87f 100644 (file)
@@ -1277,6 +1277,7 @@ uschar *sender_helo_name       = NULL;
 uschar **sender_host_aliases   = &no_aliases;
 uschar *sender_host_address    = NULL;
 uschar *sender_host_authenticated = NULL;
+uschar *sender_host_auth_pubname  = NULL;
 unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32];
 BOOL    sender_host_dnssec     = FALSE;
 uschar *sender_host_name       = NULL;
index b5cb640..801a00f 100644 (file)
@@ -786,6 +786,7 @@ extern uschar *sender_fullhost;        /* Sender host name + address */
 extern BOOL    sender_helo_dnssec;     /* True if HELO verify used DNS and was DNSSEC */
 extern uschar *sender_helo_name;       /* Host name from HELO/EHLO */
 extern uschar **sender_host_aliases;   /* Points to list of alias names */
+extern uschar *sender_host_auth_pubname; /* Public-name of authentication method */
 extern unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for incoming host */
 extern BOOL    sender_host_dnssec;     /* true if sender_host_name verified in DNSSEC */
 extern BOOL    sender_host_notsocket;  /* Set for -bs and -bS */
index c45e7e2..03dcad7 100644 (file)
@@ -2375,7 +2375,8 @@ smtp_exit_function_called = FALSE;    /* For avoiding loop in not-quit exit */
 /* If receiving by -bs from a trusted user, or testing with -bh, we allow
 authentication settings from -oMaa to remain in force. */
 
-if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL;
+if (!host_checking && !sender_host_notsocket)
+  sender_host_auth_pubname = sender_host_authenticated = NULL;
 authenticated_by = NULL;
 
 #ifdef SUPPORT_TLS
@@ -3625,6 +3626,7 @@ switch(rc)
     {
     if (set_id) authenticated_id = string_copy_malloc(set_id);
     sender_host_authenticated = au->name;
+    sender_host_auth_pubname  = au->public_name;
     authentication_failed = FALSE;
     authenticated_fail_id = NULL;   /* Impossible to already be set? */
 
@@ -4556,10 +4558,10 @@ while (done <= 0)
                 US"invalid data for AUTH");
               goto COMMAND_LOOP;
               }
-            if (acl_smtp_mailauth == NULL)
+            if (!acl_smtp_mailauth)
               {
               ignore_msg = US"client not authenticated";
-              rc = (sender_host_authenticated != NULL)? OK : FAIL;
+              rc = sender_host_authenticated ? OK : FAIL;
               }
             else
               {
@@ -5356,7 +5358,7 @@ while (done <= 0)
          + (tls_in.active >= 0 ? pcrpted : 0)
          ];
 
-      sender_host_authenticated = NULL;
+      sender_host_auth_pubname = sender_host_authenticated = NULL;
       authenticated_id = NULL;
       sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
       DEBUG(D_tls) debug_printf("TLS active\n");
@@ -5751,8 +5753,15 @@ authres_smtpauth(gstring * g)
 if (!sender_host_authenticated)
   return g;
 
-g = string_append(g, 4, US";\n\tauth=pass"
-       " (", sender_host_authenticated, US") smtp.auth=", authenticated_id);
+g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname);
+
+if (Ustrcmp(sender_host_auth_pubname, "tls") != 0)
+  g = string_append(g, 2, US") smtp.auth=", authenticated_id);
+else if (authenticated_id)
+  g = string_append(g, 2, US") x509.auth=", authenticated_id);
+else
+  g = string_catn(g, US") reason=x509.auth", 17);
+
 if (authenticated_sender)
   g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
 return g;
index 00a17b4..6578ecb 100644 (file)
@@ -12,6 +12,8 @@ log_selector = +received_recipients +outgoing_port
 acl_smtp_auth = log_call
 acl_smtp_mail = check_authd
 acl_smtp_rcpt = check_authd
+acl_smtp_data = ar_header
+
 queue_only
 queue_run_in_order
 trusted_users = CALLER
@@ -36,6 +38,8 @@ check_authd:
           !authenticated = *
   accept
 
+ar_header:
+  accept  add_header = :at_start:${authresults {$primary_hostname}}
 
 # ----- Authentication -----
 
@@ -54,9 +58,14 @@ tls:
 
 begin routers
 
-r1:
-  driver = accept
-  transport = ${if eq {$local_part}{smtps} {t2}{t1}}
+server_r:
+  driver =     accept
+  condition =  ${if eq {server}{SERVER}}
+  transport =  file
+
+client_r1:
+  driver =     accept
+  transport =  ${if eq {$local_part}{smtps} {t2}{t1}}
 
 
 # ----- Transports -----
@@ -82,4 +91,9 @@ t2:
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
 
+file:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  user = CALLER
+
 # End
index 82c0985..d81b944 100644 (file)
@@ -1,9 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= ok@test.ex U=CALLER P=local S=sss for x@y
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@test.ex U=CALLER P=local S=sss for smtps@y
 1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaX-0005vi-00 => x@y R=r1 T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => x@y R=client_r1 T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => smtps@y R=r1 T=t2 H=127.0.0.1 [127.0.0.1]:1224 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => smtps@y R=client_r1 T=t2 H=127.0.0.1 [127.0.0.1]:1224 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp
 
@@ -13,3 +13,9 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS_proto_and_cipher CV=yes A=tls:"Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for x@y
 1999-03-02 09:44:33 Auth ACL called, after smtp cmd ""
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS_proto_and_cipher CV=yes A=tls:"Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for smtps@y
+1999-03-02 09:44:33 Start queue run: pid=pppp
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => x <x@y> R=server_r T=file
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => smtps <smtps@y> R=server_r T=file
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp
index c344d9b..08cdf9a 100644 (file)
@@ -1,6 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
 Authentication-Results: myhost.test.ex;
-       auth=pass (plain1) smtp.auth=userx
+       auth=pass (PLAIN) smtp.auth=userx
 Received: from CALLER (helo=testing.ex)
        by myhost.test.ex with local-esmtpa (Exim x.yz)
        (envelope-from <CALLER@myhost.test.ex>)
diff --git a/test/mail/3700.smtps b/test/mail/3700.smtps
new file mode 100644 (file)
index 0000000..60a3d23
--- /dev/null
@@ -0,0 +1,19 @@
+From ok@test.ex Tue Mar 02 09:44:33 1999
+Authentication-Results: myhost.test.ex;
+       iprev=pass (localhost);
+       auth=pass (tls) x509.auth="Phil Pennock"
+Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
+       by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHA:xxx)
+       (Exim x.yz)
+       (envelope-from <ok@test.ex>)
+       id 10HmbA-0005vi-00
+       for smtps@y; Tue, 2 Mar 1999 09:44:33 +0000
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+       (envelope-from <ok@test.ex>)
+       id 10HmaY-0005vi-00
+       for smtps@y; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
+From: ok@test.ex
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
diff --git a/test/mail/3700.x b/test/mail/3700.x
new file mode 100644 (file)
index 0000000..8154499
--- /dev/null
@@ -0,0 +1,19 @@
+From ok@test.ex Tue Mar 02 09:44:33 1999
+Authentication-Results: myhost.test.ex;
+       iprev=pass (localhost);
+       auth=pass (tls) x509.auth="Phil Pennock"
+Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
+       by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHA:xxx)
+       (Exim x.yz)
+       (envelope-from <ok@test.ex>)
+       id 10HmaZ-0005vi-00
+       for x@y; Tue, 2 Mar 1999 09:44:33 +0000
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+       (envelope-from <ok@test.ex>)
+       id 10HmaX-0005vi-00
+       for x@y; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
+From: ok@test.ex
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
index e4b6860..f9b41d3 100644 (file)
@@ -10,4 +10,6 @@ exim -f ok@test.ex smtps@y
 exim -q
 ****
 killdaemon
+exim -DSERVER=server -DNOTDAEMON -q
+****
 no_msglog_check