authorPhilip Hazel <ph10@hermes.cam.ac.uk>2006-10-16 15:44:36 +0000
committerPhilip Hazel <ph10@hermes.cam.ac.uk>2006-10-16 15:44:36 +0000
commit16ff981e58427ae8bd5e8420411a9978678841e4 (patch)
tree9916eeb066e23a2922dcd9d036e156560880571e
parent7befa435e5664f43d90bf5a2703fcf4f2a26139e (diff)
Add server_condition to all authenticators, to allow for additional
conditions (and thereby implement authorization).
-rw-r--r--doc/doc-txt/ChangeLog7
-rw-r--r--doc/doc-txt/NewStuff9
-rw-r--r--doc/doc-txt/OptionLists.txt4
-rwxr-xr-xsrc/scripts/MakeLinks3
-rw-r--r--src/src/auths/Makefile47
-rw-r--r--src/src/auths/README4
-rw-r--r--src/src/auths/check_serv_cond.c99
-rw-r--r--src/src/auths/cram_md5.c5
-rw-r--r--src/src/auths/cyrus_sasl.c10
-rw-r--r--src/src/auths/dovecot.c6
-rw-r--r--src/src/auths/plaintext.c66
-rw-r--r--src/src/auths/plaintext.h3
-rw-r--r--src/src/auths/spa.c11
-rw-r--r--src/src/functions.h3
-rw-r--r--src/src/globals.c5
-rw-r--r--src/src/structs.h3
-rw-r--r--test/confs/35003
-rw-r--r--test/scripts/3500-CRAM-MD5/350011
-rw-r--r--test/stderr/350043
-rw-r--r--test/stdout/34078
-rw-r--r--test/stdout/350023
21 files changed, 261 insertions, 112 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 124101d78..19a3ae0dd 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.410 2006/10/16 15:44:36 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -150,6 +150,11 @@ PH/21 On the advice of Timo Sirainen, added a check to the dovecot
local IP, and the "valid-client-cert option" if a client certificate has
been verified.
+PH/22 As suggested by Denis Davies, added a server_condition option to *all*
+ authenticators. This can be used for authorization after authentication
+ succeeds. (In the case of plaintext, it servers for both authentication
+ and authorization.)
+
Exim version 4.63
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b66cfb593..267fc9adc 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.117 2006/10/16 15:44:36 ph10 Exp $
New Features in Exim
--------------------
@@ -124,6 +124,13 @@ Version 4.64
values matches (or if no record is found), this is the only lookup that is
done. Only if there is a match is one of the more specific lists consulted.
+6. All authenticators now have a server_condition option. Previously, only
+ plaintext had this, and this has not changed: it must be set to the
+ authenticator as a server. For the others, if server_condition is set, it is
+ expanded if authentication is successful, and treated exactly as it is in
+ plaintext. This can serve as a means of adding authorization to an
+ authenticator.
+
Version 4.63
------------
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 2d0f160a2..69f2370e0 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.24 2006/09/22 14:01:12 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.25 2006/10/16 15:44:36 ph10 Exp $
LISTS OF EXIM OPTIONS
---------------------
@@ -442,7 +442,7 @@ sender_unqualified_hosts host list unset main
senders address list unset routers 4.00
serialize_hosts host list unset smtp 1.60
server_advertise_condition string* unset authenticators 4.14
-server_condition string* unset plaintext 3.10
+server_condition string* unset authenticators 3.10 (plaintext) 4.64 (others)
server_hostname string* "$primary_hostname" cyrus_sasl 4.43
server_mail_auth_condition string* unset authenticators 3.22
server_mech string public_name cyrus_sasl 4.43
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index d38f8b00c..b0b513c8b 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -1,5 +1,5 @@
#!/bin/sh
-# $Cambridge: exim/src/scripts/MakeLinks,v 1.7 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/src/scripts/MakeLinks,v 1.8 2006/10/16 15:44:36 ph10 Exp $
# Script to build links for all the exim source files from the system-
# specific build directory. It should be run from within that directory.
@@ -162,6 +162,7 @@ ln -s ../../src/auths/b64decode.c b64decode.c
ln -s ../../src/auths/call_pam.c call_pam.c
ln -s ../../src/auths/call_pwcheck.c call_pwcheck.c
ln -s ../../src/auths/call_radius.c call_radius.c
+ln -s ../../src/auths/check_serv_cond.c check_serv_cond.c
ln -s ../../src/auths/cyrus_sasl.c cyrus_sasl.c
ln -s ../../src/auths/cyrus_sasl.h cyrus_sasl.h
ln -s ../../src/auths/get_data.c get_data.c
diff --git a/src/src/auths/Makefile b/src/src/auths/Makefile
index 889e24b8c..3df035dd3 100644
--- a/src/src/auths/Makefile
+++ b/src/src/auths/Makefile
@@ -1,4 +1,4 @@
-# $Cambridge: exim/src/src/auths/Makefile,v 1.4 2006/10/02 13:38:18 ph10 Exp $
+# $Cambridge: exim/src/src/auths/Makefile,v 1.5 2006/10/16 15:44:36 ph10 Exp $
# Make file for building a library containing all the available authorization
# methods, and calling it auths.a. In addition, there are functions that are
@@ -7,10 +7,10 @@
# after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
# defined, the equivalent modules herein is not included in the final binary.
-OBJ = b64encode.o b64decode.o call_pam.o call_pwcheck.o call_radius.o \
- xtextencode.o xtextdecode.o get_data.o get_no64_data.o md5.o \
- cram_md5.o cyrus_sasl.o dovecot.o plaintext.o pwcheck.o sha1.o \
- auth-spa.o spa.o
+OBJ = auth-spa.o b64decode.o b64encode.o call_pam.o call_pwcheck.o \
+ call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
+ get_data.o get_no64_data.o md5.o plaintext.o pwcheck.o sha1.o \
+ spa.o xtextdecode.o xtextencode.o
auths.a: $(OBJ)
@$(RM_COMMAND) -f auths.a
@@ -23,24 +23,25 @@ auths.a: $(OBJ)
.c.o:; @echo "$(CC) $*.c"
$(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
-auth-spa.o: $(HDRS) auth-spa.c
-b64encode.o: $(HDRS) b64encode.c
-b64decode.o: $(HDRS) b64decode.c
-call_pam.o: $(HDRS) call_pam.c
-call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h
-call_radius.o: $(HDRS) call_radius.c
-get_data.o: $(HDRS) get_data.c
-get_no64_data.o: $(HDRS) get_no64_data.c
-md5.o: $(HDRS) md5.c
-pwcheck.o: $(HDRS) pwcheck.c pwcheck.h
-sha1.o: $(HDRS) sha1.c
-xtextencode.o: $(HDRS) xtextencode.c
-xtextdecode.o: $(HDRS) xtextdecode.c
+auth-spa.o: $(HDRS) auth-spa.c
+b64encode.o: $(HDRS) b64encode.c
+b64decode.o: $(HDRS) b64decode.c
+call_pam.o: $(HDRS) call_pam.c
+call_pwcheck.o: $(HDRS) call_pwcheck.c pwcheck.h
+call_radius.o: $(HDRS) call_radius.c
+check_serv_cond.o: $(HDRS) check_serv_cond.c
+get_data.o: $(HDRS) get_data.c
+get_no64_data.o: $(HDRS) get_no64_data.c
+md5.o: $(HDRS) md5.c
+pwcheck.o: $(HDRS) pwcheck.c pwcheck.h
+sha1.o: $(HDRS) sha1.c
+xtextdecode.o: $(HDRS) xtextdecode.c
+xtextencode.o: $(HDRS) xtextencode.c
-cram_md5.o: $(HDRS) cram_md5.c cram_md5.h
-cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h
-dovecot.o: $(HDRS) dovecot.c dovecot.h
-plaintext.o: $(HDRS) plaintext.c plaintext.h
-spa.o: $(HDRS) spa.c spa.h
+cram_md5.o: $(HDRS) cram_md5.c cram_md5.h
+cyrus_sasl.o: $(HDRS) cyrus_sasl.c cyrus_sasl.h
+dovecot.o: $(HDRS) dovecot.c dovecot.h
+plaintext.o: $(HDRS) plaintext.c plaintext.h
+spa.o: $(HDRS) spa.c spa.h
# End
diff --git a/src/src/auths/README b/src/src/auths/README
index 780e15dc4..83fcab448 100644
--- a/src/src/auths/README
+++ b/src/src/auths/README
@@ -1,4 +1,4 @@
-$Cambridge: exim/src/src/auths/README,v 1.5 2006/02/23 12:41:22 ph10 Exp $
+$Cambridge: exim/src/src/auths/README,v 1.6 2006/10/16 15:44:36 ph10 Exp $
AUTHS
@@ -59,7 +59,7 @@ The yield of a server authentication check must be one of:
DEFER couldn't complete the check
FAIL authentication failed
CANCELLED authentication forced to fail by "*" response to challenge,
- or by a forced string expansion failure
+ or by certain forced string expansion failures
BAD64 bad base64 data received
UNEXPECTED unexpected data received
diff --git a/src/src/auths/check_serv_cond.c b/src/src/auths/check_serv_cond.c
new file mode 100644
index 000000000..1e775300c
--- /dev/null
+++ b/src/src/auths/check_serv_cond.c
@@ -0,0 +1,99 @@
+/* $Cambridge: exim/src/src/auths/check_serv_cond.c,v 1.1 2006/10/16 15:44:36 ph10 Exp $ */
+
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2006 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+/* This module contains the function server_condition(), which is used
+by all authenticators. */
+
+
+/*************************************************
+* Check server_condition *
+*************************************************/
+
+/* This function is called from the server code of all authenticators. For
+plaintext, it is always called: the argument cannot be empty, because for
+plaintext, setting server_condition is what enables it as a server
+authenticator. For all the other authenticators, this function is called after
+they have authenticated, to enable additional authorization to be done.
+
+Argument: the authenticator's instance block
+
+Returns:
+ OK NULL argument, or success
+ DEFER couldn't complete the check
+ FAIL authentication failed
+*/
+
+int
+auth_check_serv_cond(auth_instance *ablock)
+{
+uschar *cond;
+
+HDEBUG(D_auth)
+ {
+ int i;
+ debug_printf("%s authenticator:\n", ablock->name);
+ for (i = 0; i < AUTH_VARS; i++)
+ {
+ if (auth_vars[i] != NULL)
+ debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
+ }
+ for (i = 1; i <= expand_nmax; i++)
+ debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
+ debug_print_string(ablock->server_debug_string); /* customized debug */
+ }
+
+/* For the plaintext authenticator, server_condition is never NULL. For the
+rest, an unset condition lets everything through. */
+
+if (ablock->server_condition == NULL) return OK;
+cond = expand_string(ablock->server_condition);
+
+HDEBUG(D_auth)
+ {
+ if (cond == NULL)
+ debug_printf("expansion failed: %s\n", expand_string_message);
+ else
+ debug_printf("expanded string: %s\n", cond);
+ }
+
+/* A forced expansion failure causes authentication to fail. Other expansion
+failures yield DEFER, which will cause a temporary error code to be returned to
+the AUTH command. The problem is at the server end, so the client should try
+again later. */
+
+if (cond == NULL)
+ {
+ if (expand_string_forcedfail) return FAIL;
+ auth_defer_msg = expand_string_message;
+ return DEFER;
+ }
+
+/* Return FAIL for empty string, "0", "no", and "false"; return OK for
+"1", "yes", and "true"; return DEFER for anything else, with the string
+available as an error text for the user. */
+
+if (*cond == 0 ||
+ Ustrcmp(cond, "0") == 0 ||
+ strcmpic(cond, US"no") == 0 ||
+ strcmpic(cond, US"false") == 0)
+ return FAIL;
+
+if (Ustrcmp(cond, "1") == 0 ||
+ strcmpic(cond, US"yes") == 0 ||
+ strcmpic(cond, US"true") == 0)
+ return OK;
+
+auth_defer_msg = cond;
+auth_defer_user_msg = string_sprintf(": %s", cond);
+return DEFER;
+}
+
+/* End of check_serv_cond.c */
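Review bot: The documentation at the top of the new file does not match the function: the module comment names `server_condition()` while the function is `auth_check_serv_cond()`, and the Returns entry `OK NULL argument, or success` reads as though a NULL `ablock` were tolerated, yet `ablock->name` is dereferenced inside the HDEBUG block before the NULL test on `ablock->server_condition`; suggest `/* This module contains the function auth_check_serv_cond(), which is used by all authenticators. */` and `OK    server_condition unset, or success`. The DEFER branch stores the expanded condition in `auth_defer_user_msg`, so whatever the expansion produced is handed back to the SMTP client in the temporary-error text, and now that this runs for every authenticator the comment above that branch should state it, e.g. `/* The expanded text is returned to the client in the 4xx response */`. The debug block prints every `$authN` value, which for plaintext includes the submitted password; a comment such as `/* NOTE: for plaintext, auth_vars carries the client's password, so -d output must be treated as sensitive */` would help operators who share debug output. The expected stderr for test 3500 shows a FAIL from this function logged as `535 Incorrect authentication data`, which presumably is produced by the caller outside this diff; an authorization refusal of a correct credential is a different event from a wrong password and is worth distinguishing in the log for monitoring, even if the SMTP reply stays generic.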
diff --git a/src/src/auths/cram_md5.c b/src/src/auths/cram_md5.c
index 26521fbe9..6686d5f1c 100644
--- a/src/src/auths/cram_md5.c
+++ b/src/src/auths/cram_md5.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/cram_md5.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -233,7 +233,8 @@ for (i = 0; i < 16; i++)
((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
}
-return OK;
+/* Expand server_condition as an authorization check */
+return auth_check_serv_cond(ablock);
}
diff --git a/src/src/auths/cyrus_sasl.c b/src/src/auths/cyrus_sasl.c
index 7e6603988..284194e00 100644
--- a/src/src/auths/cyrus_sasl.c
+++ b/src/src/auths/cyrus_sasl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/cyrus_sasl.c,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -53,7 +53,7 @@ address can appear in the tables drtables.c. */
int auth_cyrus_sasl_options_count =
sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
-/* Default private options block for the contidion authentication method. */
+/* Default private options block for the cyrus_sasl authentication method. */
auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
US"smtp", /* server_service */
@@ -332,11 +332,13 @@ while(rc==SASL_CONTINUE)
expand_nmax = 1;
HDEBUG(D_auth)
- debug_printf("Cyrus SASL %s authentiction succeeded for %s\n", ob->server_mech, out2);
+ debug_printf("Cyrus SASL %s authentication succeeded for %s\n", ob->server_mech, out2);
/* close down the connection, freeing up library's memory */
sasl_dispose(&conn);
sasl_done();
- return OK;
+
+ /* Expand server_condition as an authorization check */
+ return auth_check_serv_cond(ablock);
}
}
/* NOTREACHED */
diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c
index c11b2fe9b..e040bcf93 100644
--- a/src/src/auths/dovecot.c
+++ b/src/src/auths/dovecot.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/dovecot.c,v 1.3 2006/10/16 15:44:36 ph10 Exp $ */
/*
* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
@@ -309,5 +309,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data)
}
out: close(fd);
- return ret;
+
+ /* Expand server_condition as an authorization check */
+ return (ret == OK)? auth_check_serv_cond(ablock) : ret;
}
diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c
index 2aea4a492..e4fec348e 100644
--- a/src/src/auths/plaintext.c
+++ b/src/src/auths/plaintext.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.5 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/plaintext.c,v 1.6 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -18,8 +18,6 @@ optionlist auth_plaintext_options[] = {
(void *)(offsetof(auth_plaintext_options_block, client_ignore_invalid_base64)) },
{ "client_send", opt_stringptr,
(void *)(offsetof(auth_plaintext_options_block, client_send)) },
- { "server_condition", opt_stringptr,
- (void *)(offsetof(auth_plaintext_options_block, server_condition)) },
{ "server_prompts", opt_stringptr,
(void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
};
@@ -33,7 +31,6 @@ int auth_plaintext_options_count =
/* Default private options block for the plaintext authentication method. */
auth_plaintext_options_block auth_plaintext_option_defaults = {
- NULL, /* server_condition */
NULL, /* server_prompts */
NULL, /* client_send */
FALSE /* client_ignore_invalid_base64 */
@@ -54,7 +51,7 @@ auth_plaintext_init(auth_instance *ablock)
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
if (ablock->public_name == NULL) ablock->public_name = ablock->name;
-if (ob->server_condition != NULL) ablock->server = TRUE;
+if (ablock->server_condition != NULL) ablock->server = TRUE;
if (ob->client_send != NULL) ablock->client = TRUE;
}
@@ -72,7 +69,7 @@ auth_plaintext_server(auth_instance *ablock, uschar *data)
auth_plaintext_options_block *ob =
(auth_plaintext_options_block *)(ablock->options_block);
uschar *prompts = ob->server_prompts;
-uschar *clear, *cond, *end, *s;
+uschar *clear, *end, *s;
int number = 1;
int len, rc;
int sep = 0;
@@ -141,59 +138,12 @@ while ((s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
}
/* We now have a number of items of data in $auth1, $auth2, etc (and also, for
-compatibility, in $1, $2, etc). Match against the decoded data by expanding the
-condition. */
+compatibility, in $1, $2, etc). Authentication and authorization are handled
+together for this authenticator by expanding the server_condition option. Note
+that ablock->server_condition is always non-NULL because that's what configures
+this authenticator as a server. */
-cond = expand_string(ob->server_condition);
-
-HDEBUG(D_auth)
- {
- int i;
- debug_printf("%s authenticator:\n", ablock->name);
- for (i = 0; i < AUTH_VARS; i++)
- {
- if (auth_vars[i] != NULL)
- debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
- }
- for (i = 1; i <= expand_nmax; i++)
- debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
- debug_print_string(ablock->server_debug_string); /* customized debug */
- if (cond == NULL)
- debug_printf("expansion failed: %s\n", expand_string_message);
- else
- debug_printf("expanded string: %s\n", cond);
- }
-
-/* A forced expansion failure causes authentication to fail. Other expansion
-failures yield DEFER, which will cause a temporary error code to be returned to
-the AUTH command. The problem is at the server end, so the client should try
-again later. */
-
-if (cond == NULL)
- {
- if (expand_string_forcedfail) return FAIL;
- auth_defer_msg = expand_string_message;
- return DEFER;
- }
-
-/* Return FAIL for empty string, "0", "no", and "false"; return OK for
-"1", "yes", and "true"; return DEFER for anything else, with the string
-available as an error text for the user. */
-
-if (*cond == 0 ||
- Ustrcmp(cond, "0") == 0 ||
- strcmpic(cond, US"no") == 0 ||
- strcmpic(cond, US"false") == 0)
- return FAIL;
-
-if (Ustrcmp(cond, "1") == 0 ||
- strcmpic(cond, US"yes") == 0 ||
- strcmpic(cond, US"true") == 0)
- return OK;
-
-auth_defer_msg = cond;
-auth_defer_user_msg = string_sprintf(": %s", cond);
-return DEFER;
+return auth_check_serv_cond(ablock);
}
diff --git a/src/src/auths/plaintext.h b/src/src/auths/plaintext.h
index 7499a01d8..c35f3e498 100644
--- a/src/src/auths/plaintext.h
+++ b/src/src/auths/plaintext.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.4 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/plaintext.h,v 1.5 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -10,7 +10,6 @@
/* Private structure for the private options. */
typedef struct {
- uschar *server_condition;
uschar *server_prompts;
uschar *client_send;
BOOL client_ignore_invalid_base64;
diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 3fd4bde6a..6cc281a1b 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/spa.c,v 1.7 2006/02/23 12:41:22 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/spa.c,v 1.8 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -25,8 +25,9 @@ References:
* typedef unsigned uint32;
* typedef unsigned char uint8;
-07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
- input data. Find appropriate comment by grepping for "PH".
+07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
+ input data. Find appropriate comment by grepping for "PH".
+16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
*/
@@ -231,7 +232,9 @@ if (memcmp(ntRespData,
((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
24) == 0)
/* success. we have a winner. */
- return OK;
+
+ /* Expand server_condition as an authorization check (PH) */
+ return auth_check_serv_cond(ablock);
return FAIL;
}
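Review bot: The new `return auth_check_serv_cond(ablock);` is the body of the brace-less `if (memcmp(...) == 0)` above it, separated from the condition by a blank line and two comments, so it reads as if it were unconditional and the following `return FAIL;` as if it were the success path; wrapping the body in braces makes the control flow visible. Change it to `if (memcmp(...) == 0) { /* success: expand server_condition as an authorization check (PH) */ return auth_check_serv_cond(ablock); }` with the braces on their own lines in the file's style. The enclosing function starts before this hunk.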
diff --git a/src/src/functions.h b/src/src/functions.h
index 302f8b6d1..170a84411 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/functions.h,v 1.28 2006/10/09 14:36:25 ph10 Exp $ */
+/* $Cambridge: exim/src/src/functions.h,v 1.29 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -49,6 +49,7 @@ extern int auth_call_pwcheck(uschar *, uschar **);
extern int auth_call_radius(uschar *, uschar **);
extern int auth_call_saslauthd(uschar *, uschar *, uschar *, uschar *,
uschar **);
+extern int auth_check_serv_cond(auth_instance *);
extern int auth_get_data(uschar **, uschar *, int);
extern int auth_get_no64_data(uschar **, uschar *);
extern uschar *auth_xtextencode(uschar *, int);
diff --git a/src/src/globals.c b/src/src/globals.c
index 7c3f8e9f1..35cac0f6f 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.c,v 1.59 2006/09/25 10:14:20 ph10 Exp $ */
+/* $Cambridge: exim/src/src/globals.c,v 1.60 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -38,6 +38,8 @@ optionlist optionlist_auths[] = {
(void *)(offsetof(auth_instance, public_name)) },
{ "server_advertise_condition", opt_stringptr | opt_public,
(void *)(offsetof(auth_instance, advertise_condition))},
+ { "server_condition", opt_stringptr | opt_public,
+ (void *)(offsetof(auth_instance, server_condition)) },
{ "server_debug_print", opt_stringptr | opt_public,
(void *)(offsetof(auth_instance, server_debug_string)) },
{ "server_mail_auth_condition", opt_stringptr | opt_public,
@@ -325,6 +327,7 @@ auth_instance auth_defaults = {
NULL, /* set_id */
NULL, /* server_mail_auth_condition */
NULL, /* server_debug_string */
+ NULL, /* server_condition */
FALSE, /* client */
FALSE, /* server */
FALSE /* advertised */
diff --git a/src/src/structs.h b/src/src/structs.h
index c5bb3b321..d160aee4a 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/structs.h,v 1.12 2006/09/25 11:25:37 ph10 Exp $ */
+/* $Cambridge: exim/src/src/structs.h,v 1.13 2006/10/16 15:44:36 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -367,6 +367,7 @@ typedef struct auth_instance {
uschar *set_id; /* String to set as authenticated id */
uschar *mail_auth_condition; /* Condition for AUTH on MAIL command */
uschar *server_debug_string; /* Debugging output */
+ uschar *server_condition; /* Authorization condition */
BOOL client; /* TRUE if client option(s) set */
BOOL server; /* TRUE if server options(s) set */
BOOL advertised; /* Set TRUE when advertised */
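Review bot: The comment on the new field says `Authorization condition`, but for the plaintext authenticator this same string is the authentication check (the plaintext hunk in this commit notes that setting it is what enables plaintext as a server), so the comment understates its role; suggest `uschar *server_condition;      /* Authorization condition (plaintext: also the authentication check) */`. Since `auth_defaults` in globals.c is a positional initializer, a trailing note such as `/* keep field order in step with auth_defaults in globals.c */` on the struct would help the next person who adds a member.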
diff --git a/test/confs/3500 b/test/confs/3500
index b83b1c33f..343a0b3e1 100644
--- a/test/confs/3500
+++ b/test/confs/3500
@@ -13,7 +13,7 @@ gecos_name = CALLER_NAME
domainlist local_domains = test.ex : *.test.ex
-hostlist auth_hosts = 10.0.0.1
+hostlist auth_hosts = 10.0.0.1 : 10.0.0.5
hostlist relay_hosts = 10.0.0.4
hostlist auth_relay_hosts = 10.0.0.3 : 10.0.0.4
@@ -80,6 +80,7 @@ cram_md5:
server_secret = "${if eq{$auth1}{tim}{tanstaaftanstaaf}\
{${if eq{$auth1}{userx}{secret}fail}}}"
server_set_id = $auth1
+ server_condition = ${if !eq {$sender_host_address}{10.0.0.5}}
diff --git a/test/scripts/3500-CRAM-MD5/3500 b/test/scripts/3500-CRAM-MD5/3500
index b3d2c05aa..637852f64 100644
--- a/test/scripts/3500-CRAM-MD5/3500
+++ b/test/scripts/3500-CRAM-MD5/3500
@@ -32,4 +32,15 @@ Testing authenticated CRAM-MD5.
.
quit
****
+exim -bh 10.0.0.5
+ehlo test.host
+AUTH CRAM-MD5
+dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
+mail from:<userx@some.domain>
+rcpt to:<userx@test.ex>
+data
+Testing authenticated CRAM-MD5.
+.
+quit
+****
no_msglog_check
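Review bot: The added session only exercises the FAIL branch of auth_check_serv_cond(), via a condition that expands to the empty string for 10.0.0.5; the DEFER branch (an expansion yielding text other than the recognised yes/no values, which is echoed to the client in the 4xx reply) and the forced-failure branch are not covered. If the test harness allows it, a further authenticator in confs/3500 with a `server_condition` that expands to an arbitrary string, and a session that drives it, would pin the 4xx response code and the reply text. The `${if !eq ...}` form used in the config relies on the implicit true/empty yields, so a short comment in the script naming the expected outcome for 10.0.0.5 would make the intent of the second session clear.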
diff --git a/test/stderr/3500 b/test/stderr/3500
index b0432c58c..87179790d 100644
--- a/test/stderr/3500
+++ b/test/stderr/3500
@@ -8,7 +8,7 @@
>>> host in helo_accept_junk_hosts? no (option unset)
>>> test.host in helo_lookup_domains? no (end of list)
>>> host in pipelining_advertise_hosts? yes (matched "*")
->>> host in "10.0.0.1"? no (end of list)
+>>> host in "10.0.0.1 : 10.0.0.5"? no (end of list)
>>> host in "10.0.0.4"? yes (matched "10.0.0.4")
>>> host in auth_advertise_hosts? no (matched "!+relay_hosts")
>>> host in hosts_connection_nolog? no (option unset)
@@ -21,13 +21,18 @@
>>> host in helo_accept_junk_hosts? no (option unset)
>>> test.host in helo_lookup_domains? no (end of list)
>>> host in pipelining_advertise_hosts? yes (matched "*")
->>> host in "10.0.0.1"? yes (matched "10.0.0.1")
+>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.1")
>>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
>>> CRAM-MD5: user name = tim
>>> challenge = <1896.697170952@postoffice.reston.mci.net>
>>> received = b913a602c7eda7a495b4e6e7334d3890
>>> digest = b913a602c7eda7a495b4e6e7334d3890
+>>> cram_md5 authenticator:
+>>> $auth1 = tim
+>>> $1 = tim
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> expanded string: true
>>> using ACL "check_recipient"
>>> processing "warn"
>>> check hosts = 10.0.0.5
@@ -54,3 +59,37 @@
>>> accept: condition test succeeded
>>> host in ignore_fromline_hosts? no (option unset)
LOG: 10HmaY-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.1] P=esmtpa A=cram_md5:tim S=sss
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> test.host in helo_lookup_domains? no (end of list)
+>>> host in pipelining_advertise_hosts? yes (matched "*")
+>>> host in "10.0.0.1 : 10.0.0.5"? yes (matched "10.0.0.5")
+>>> host in auth_advertise_hosts? yes (matched "+auth_hosts")
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> CRAM-MD5: user name = tim
+>>> challenge = <1896.697170952@postoffice.reston.mci.net>
+>>> received = b913a602c7eda7a495b4e6e7334d3890
+>>> digest = b913a602c7eda7a495b4e6e7334d3890
+>>> cram_md5 authenticator:
+>>> $auth1 = tim
+>>> $1 = tim
+>>> +++CRAM-MD5 $auth1="tim" $auth2="" $auth3=""
+>>> expanded string:
+LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect authentication data (set_id=tim)
+>>> using ACL "check_recipient"
+>>> processing "warn"
+>>> check hosts = 10.0.0.5
+>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> warn: condition test succeeded
+>>> processing "accept"
+>>> check hosts = 10.0.0.5
+>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> accept: condition test succeeded
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaZ-0005vi-00 <= userx@some.domain H=(test.host) [10.0.0.5] P=esmtp S=sss
diff --git a/test/stdout/3407 b/test/stdout/3407
index d08999e28..274c68c1a 100644
--- a/test/stdout/3407
+++ b/test/stdout/3407
@@ -3,46 +3,46 @@ a1 authenticator:
driver = plaintext
public_name = PLAIN
server_advertise_condition =
+server_condition = xxx
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition = xxx
server_prompts =
a2 authenticator:
driver = plaintext
public_name = PLAIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =
a3 authenticator:
driver = plaintext
public_name = LOGIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =
a4 authenticator:
driver = plaintext
public_name = LOGIN
server_advertise_condition =
+server_condition =
server_debug_print =
server_mail_auth_condition =
server_set_id =
no_client_ignore_invalid_base64
client_send =
-server_condition =
server_prompts =
diff --git a/test/stdout/3500 b/test/stdout/3500
index deaae921b..87377d644 100644
--- a/test/stdout/3500
+++ b/test/stdout/3500
@@ -60,3 +60,26 @@
**** SMTP testing: that is not a real message id!
221 myhost.test.ex closing connection
+
+**** SMTP testing session as if from host 10.0.0.5
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello test.host [10.0.0.5]
+250-SIZE 52428800
+250-ETRN
+250-EXPN
+250-PIPELINING
+250-AUTH CRAM-MD5
+250 HELP
+334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
+535 Incorrect authentication data
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaZ-0005vi-00
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection