authorJeremy Harris <jgh146exb@wizmail.org>2018-02-25 15:24:26 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2018-02-25 16:30:55 +0000
commitc44ff8bea951faba4aae92b868b69e221bf7b52b (patch)
treeaba38608793c0142aa92bec91b8aafca36dfecc3
parentb988b06146c5d16e0ca0ea86ffcf2d83938088ed (diff)
Auths: for A-R header, and SMTP auth, note the public-name not the authenticator name
Also, for TLS auth use a custom propspec
-rw-r--r--src/src/acl.c5
-rw-r--r--src/src/globals.c1
-rw-r--r--src/src/globals.h1
-rw-r--r--src/src/smtp_in.c21
-rw-r--r--test/confs/370020
-rw-r--r--test/log/370010
-rw-r--r--test/mail/3403.userx2
-rw-r--r--test/mail/3700.smtps19
-rw-r--r--test/mail/3700.x19
-rw-r--r--test/scripts/3700-TLS-auth/37002
10 files changed, 85 insertions, 15 deletions
diff --git a/src/src/acl.c b/src/src/acl.c
index fb8b75bc7..61316a81e 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -2970,9 +2970,8 @@ for (; cb != NULL; cb = cb->next)
break;
case ACLC_AUTHENTICATED:
- rc = (sender_host_authenticated == NULL)? FAIL :
- match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
- TRUE, NULL);
+ rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
+ &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
break;
#ifdef EXPERIMENTAL_BRIGHTMAIL
diff --git a/src/src/globals.c b/src/src/globals.c
index 7e228d098..5f1c87fc0 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1277,6 +1277,7 @@ uschar *sender_helo_name = NULL;
uschar **sender_host_aliases = &no_aliases;
uschar *sender_host_address = NULL;
uschar *sender_host_authenticated = NULL;
+uschar *sender_host_auth_pubname = NULL;
unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32];
BOOL sender_host_dnssec = FALSE;
uschar *sender_host_name = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index b5cb6407b..801a00fb3 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -786,6 +786,7 @@ extern uschar *sender_fullhost; /* Sender host name + address */
extern BOOL sender_helo_dnssec; /* True if HELO verify used DNS and was DNSSEC */
extern uschar *sender_helo_name; /* Host name from HELO/EHLO */
extern uschar **sender_host_aliases; /* Points to list of alias names */
+extern uschar *sender_host_auth_pubname; /* Public-name of authentication method */
extern unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for incoming host */
extern BOOL sender_host_dnssec; /* true if sender_host_name verified in DNSSEC */
extern BOOL sender_host_notsocket; /* Set for -bs and -bS */
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index c45e7e26f..03dcad73e 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2375,7 +2375,8 @@ smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
/* If receiving by -bs from a trusted user, or testing with -bh, we allow
authentication settings from -oMaa to remain in force. */
-if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL;
+if (!host_checking && !sender_host_notsocket)
+ sender_host_auth_pubname = sender_host_authenticated = NULL;
authenticated_by = NULL;
#ifdef SUPPORT_TLS
@@ -3625,6 +3626,7 @@ switch(rc)
{
if (set_id) authenticated_id = string_copy_malloc(set_id);
sender_host_authenticated = au->name;
+ sender_host_auth_pubname = au->public_name;
authentication_failed = FALSE;
authenticated_fail_id = NULL; /* Impossible to already be set? */
@@ -4556,10 +4558,10 @@ while (done <= 0)
US"invalid data for AUTH");
goto COMMAND_LOOP;
}
- if (acl_smtp_mailauth == NULL)
+ if (!acl_smtp_mailauth)
{
ignore_msg = US"client not authenticated";
- rc = (sender_host_authenticated != NULL)? OK : FAIL;
+ rc = sender_host_authenticated ? OK : FAIL;
}
else
{
@@ -5356,7 +5358,7 @@ while (done <= 0)
+ (tls_in.active >= 0 ? pcrpted : 0)
];
- sender_host_authenticated = NULL;
+ sender_host_auth_pubname = sender_host_authenticated = NULL;
authenticated_id = NULL;
sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
DEBUG(D_tls) debug_printf("TLS active\n");
@@ -5751,8 +5753,15 @@ authres_smtpauth(gstring * g)
if (!sender_host_authenticated)
return g;
-g = string_append(g, 4, US";\n\tauth=pass"
- " (", sender_host_authenticated, US") smtp.auth=", authenticated_id);
+g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname);
+
+if (Ustrcmp(sender_host_auth_pubname, "tls") != 0)
+ g = string_append(g, 2, US") smtp.auth=", authenticated_id);
+else if (authenticated_id)
+ g = string_append(g, 2, US") x509.auth=", authenticated_id);
+else
+ g = string_catn(g, US") reason=x509.auth", 17);
+
if (authenticated_sender)
g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
return g;
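Review bot: `g = string_catn(g, US") reason=x509.auth", 17);` is one byte short — the literal is 18 characters, so the header would read `reason=x509.aut`; `g = string_append(g, 1, US") reason=x509.auth");` (the same helper used two lines above) removes the hand-counted length. Separately, this hunk is reached whenever `sender_host_authenticated` is non-NULL, but `sender_host_auth_pubname` is only assigned on the AUTH-success path (the hunk near line 3626), and the -oMaa settings the hunk near line 2375 deliberately leaves in force for -bs/-bh appear to set only `sender_host_authenticated`, leaving the pubname NULL for `string_append` and `Ustrcmp` to dereference. A local fallback such as `const uschar * pubname = sender_host_auth_pubname ? sender_host_auth_pubname : sender_host_authenticated;` used in place of the global on both lines would keep the header well-formed in that case. The comparison against the literal `"tls"` also ties the x509 branch to an operator-chosen `public_name`; a short comment saying that the tls authenticator is expected to keep that name would help the next maintainer. The opening of `authres_smtpauth` lies outside the hunk.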
diff --git a/test/confs/3700 b/test/confs/3700
index 00a17b497..6578ecb2d 100644
--- a/test/confs/3700
+++ b/test/confs/3700
@@ -12,6 +12,8 @@ log_selector = +received_recipients +outgoing_port
acl_smtp_auth = log_call
acl_smtp_mail = check_authd
acl_smtp_rcpt = check_authd
+acl_smtp_data = ar_header
+
queue_only
queue_run_in_order
trusted_users = CALLER
@@ -36,6 +38,8 @@ check_authd:
!authenticated = *
accept
+ar_header:
+ accept add_header = :at_start:${authresults {$primary_hostname}}
# ----- Authentication -----
@@ -54,9 +58,14 @@ tls:
begin routers
-r1:
- driver = accept
- transport = ${if eq {$local_part}{smtps} {t2}{t1}}
+server_r:
+ driver = accept
+ condition = ${if eq {server}{SERVER}}
+ transport = file
+
+client_r1:
+ driver = accept
+ transport = ${if eq {$local_part}{smtps} {t2}{t1}}
# ----- Transports -----
@@ -82,4 +91,9 @@ t2:
tls_verify_certificates = DIR/aux-fixed/cert1
tls_verify_cert_hostnames = :
+file:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ user = CALLER
+
# End
diff --git a/test/log/3700 b/test/log/3700
index 82c09850e..d81b944d7 100644
--- a/test/log/3700
+++ b/test/log/3700
@@ -1,9 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= ok@test.ex U=CALLER P=local S=sss for x@y
1999-03-02 09:44:33 10HmaY-0005vi-00 <= ok@test.ex U=CALLER P=local S=sss for smtps@y
1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaX-0005vi-00 => x@y R=r1 T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => x@y R=client_r1 T=t1 H=127.0.0.1 [127.0.0.1]:1225 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => smtps@y R=r1 T=t2 H=127.0.0.1 [127.0.0.1]:1224 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => smtps@y R=client_r1 T=t2 H=127.0.0.1 [127.0.0.1]:1224 X=TLS_proto_and_cipher CV=yes C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp
@@ -13,3 +13,9 @@
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS_proto_and_cipher CV=yes A=tls:"Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for x@y
1999-03-02 09:44:33 Auth ACL called, after smtp cmd ""
1999-03-02 09:44:33 10HmbA-0005vi-00 <= ok@test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS_proto_and_cipher CV=yes A=tls:"Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for smtps@y
+1999-03-02 09:44:33 Start queue run: pid=pppp
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => x <x@y> R=server_r T=file
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => smtps <smtps@y> R=server_r T=file
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp
diff --git a/test/mail/3403.userx b/test/mail/3403.userx
index c344d9b70..08cdf9a31 100644
--- a/test/mail/3403.userx
+++ b/test/mail/3403.userx
@@ -1,6 +1,6 @@
From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
Authentication-Results: myhost.test.ex;
- auth=pass (plain1) smtp.auth=userx
+ auth=pass (PLAIN) smtp.auth=userx
Received: from CALLER (helo=testing.ex)
by myhost.test.ex with local-esmtpa (Exim x.yz)
(envelope-from <CALLER@myhost.test.ex>)
diff --git a/test/mail/3700.smtps b/test/mail/3700.smtps
new file mode 100644
index 000000000..60a3d234b
--- /dev/null
+++ b/test/mail/3700.smtps
@@ -0,0 +1,19 @@
+From ok@test.ex Tue Mar 02 09:44:33 1999
+Authentication-Results: myhost.test.ex;
+ iprev=pass (localhost);
+ auth=pass (tls) x509.auth="Phil Pennock"
+Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
+ by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHA:xxx)
+ (Exim x.yz)
+ (envelope-from <ok@test.ex>)
+ id 10HmbA-0005vi-00
+ for smtps@y; Tue, 2 Mar 1999 09:44:33 +0000
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+ (envelope-from <ok@test.ex>)
+ id 10HmaY-0005vi-00
+ for smtps@y; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
+From: ok@test.ex
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
diff --git a/test/mail/3700.x b/test/mail/3700.x
new file mode 100644
index 000000000..81544998d
--- /dev/null
+++ b/test/mail/3700.x
@@ -0,0 +1,19 @@
+From ok@test.ex Tue Mar 02 09:44:33 1999
+Authentication-Results: myhost.test.ex;
+ iprev=pass (localhost);
+ auth=pass (tls) x509.auth="Phil Pennock"
+Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
+ by myhost.test.ex with esmtpsa (TLSv1:ke-RSA-AES256-SHA:xxx)
+ (Exim x.yz)
+ (envelope-from <ok@test.ex>)
+ id 10HmaZ-0005vi-00
+ for x@y; Tue, 2 Mar 1999 09:44:33 +0000
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+ (envelope-from <ok@test.ex>)
+ id 10HmaX-0005vi-00
+ for x@y; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
+From: ok@test.ex
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
diff --git a/test/scripts/3700-TLS-auth/3700 b/test/scripts/3700-TLS-auth/3700
index e4b68607a..f9b41d31c 100644
--- a/test/scripts/3700-TLS-auth/3700
+++ b/test/scripts/3700-TLS-auth/3700
@@ -10,4 +10,6 @@ exim -f ok@test.ex smtps@y
exim -q
****
killdaemon
+exim -DSERVER=server -DNOTDAEMON -q
+****
no_msglog_check