Add non-mtp source info to ${authres }

8 files changed, 33 insertions, 7 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7d5b3b3cf..b65b6fe5b 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11595,10 +11595,15 @@ preserve some of the authentication information in the variable
 user/password authenticator configuration might preserve the user name for use
 in the routers. Note that this is not the same information that is saved in
 &$sender_host_authenticated$&.
+
 When a message is submitted locally (that is, not over a TCP connection)
 the value of &$authenticated_id$& is normally the login name of the calling
 process. However, a trusted user can override this by means of the &%-oMai%&
 command line option.
+.new
+This second case also sets up inforamtion used by the
+&$authresults$& expansion item.
+.wen
 
 .vitem &$authenticated_fail_id$&
 .cindex "authentication" "fail" "id"
@@ -38939,6 +38944,7 @@ openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM
 .endd
 Take the base-64 lines from the output of the second command, concatenated,
 for the DNS TXT record.
+See section 3.6 of RFC6376 for the record specification.
 
 Under GnuTLS:
 .code
diff --git a/src/src/expand.c b/src/src/expand.c
index a1ac7d198..f878e7b7f 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -1662,6 +1662,21 @@ return yield;
 
 
 
+/* Append a "local" element to an Autherntication-Results: header
+if this was a non-smtp message.
+*/
+
+static gstring *
+authres_local(gstring * g, const uschar * sysname)
+{
+if (!authentication_local)
+  return g;
+g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")");
+if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id);
+return g;
+}
+
+
 /* Append an "iprev" element to an Autherntication-Results: header
 if we have attempted to get the calling host's name.
 */
@@ -4141,6 +4156,7 @@ while (*s != 0)
 			US"Authentication-Results: ", sub_arg[0], US"; none");
       yield->ptr -= 6;
 
+      yield = authres_local(yield, sub_arg[0]);
       yield = authres_iprev(yield);
       yield = authres_smtpauth(yield);
 #ifdef SUPPORT_SPF
diff --git a/src/src/globals.c b/src/src/globals.c
index aed695066..7d18b38b5 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -434,6 +434,7 @@ uschar *authenticated_fail_id  = NULL;
 uschar *authenticated_id       = NULL;
 uschar *authenticated_sender   = NULL;
 BOOL    authentication_failed  = FALSE;
+BOOL    authentication_local   = FALSE;
 auth_instance  *auths          = NULL;
 uschar *auth_advertise_hosts   = US"*";
 auth_instance auth_defaults    = {
diff --git a/src/src/globals.h b/src/src/globals.h
index 66d6c26be..da1230b7f 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -228,6 +228,7 @@ extern uschar *authenticated_fail_id;  /* ID that failed authentication */
 extern uschar *authenticated_id;       /* ID that was authenticated */
 extern uschar *authenticated_sender;   /* From AUTH on MAIL */
 extern BOOL    authentication_failed;  /* TRUE if AUTH was tried and failed */
+extern BOOL    authentication_local;   /* TRUE if non-smtp (implicit authentication) */
 extern uschar *auth_advertise_hosts;   /* Only advertise to these */
 extern auth_info auths_available[];    /* Vector of available auth mechanisms */
 extern auth_instance *auths;           /* Chain of instantiated auths */
diff --git a/src/src/receive.c b/src/src/receive.c
index 6a534dc87..4cc43eb3a 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3572,15 +3572,16 @@ else
       goto TIDYUP;
 #endif /* WITH_CONTENT_SCAN */
 
-    if (acl_not_smtp != NULL)
+    if (acl_not_smtp)
       {
       uschar *user_msg, *log_msg;
+      authentication_local = TRUE;
       rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg);
       if (rc == DISCARD)
         {
         recipients_count = 0;
         blackholed_by = US"non-SMTP ACL";
-        if (log_msg != NULL)
+        if (log_msg)
           blackhole_log_msg = string_sprintf(": %s", log_msg);
         }
       else if (rc != OK)
@@ -3595,11 +3596,11 @@ else
         /* The ACL can specify where rejections are to be logged, possibly
         nowhere. The default is main and reject logs. */
 
-        if (log_reject_target != 0)
+        if (log_reject_target)
           log_write(0, log_reject_target, "F=<%s> rejected by non-SMTP ACL: %s",
             sender_address, log_msg);
 
-        if (user_msg == NULL) user_msg = US"local configuration problem";
+        if (!user_msg) user_msg = US"local configuration problem";
         if (smtp_batched_input)
           {
           moan_smtp_batch(NULL, "%d %s", 550, user_msg);
diff --git a/test/confs/0571 b/test/confs/0571
index cf4881a0a..a818257f5 100644
--- a/test/confs/0571
+++ b/test/confs/0571
@@ -27,8 +27,8 @@ acl_not_smtp =  ${if def:sender_address \
 begin acl
 
 acl_29_29_29:
-  deny    dnslists = test.ex/$sender_address_domain
-  accept
+  deny    dnslists =	test.ex/$sender_address_domain
+  accept  logwrite =	authresults: ${authresults {$primary_hostname}}
 
 acl_29_29_0:
   deny    dnslists = test.ex
diff --git a/test/log/0571 b/test/log/0571
index afae80f19..e402d75a0 100644
--- a/test/log/0571
+++ b/test/log/0571
@@ -1,4 +1,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 F=<ted@29.29.0.com> rejected by non-SMTP ACL: cannot test auto-keyed dnslists condition in non-SMTP ACL
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmaZ-0005vi-00 authresults: Authentication-Results: myhost.test.ex;\n	local=pass (non-smtp, myhost.test.ex) u=CALLER
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= bill@29.29.29.com U=CALLER P=local S=sss
diff --git a/test/scripts/0000-Basic/0571 b/test/scripts/0000-Basic/0571
index 3eab04cbf..f8422c8b9 100644
--- a/test/scripts/0000-Basic/0571
+++ b/test/scripts/0000-Basic/0571
@@ -6,7 +6,7 @@ should fail
 .
 ****
 #
-exim -f bill@29.29.29.com -odq ok1@test.ex
+exim -oMai CALLER -f bill@29.29.29.com -odq ok1@test.ex
 should pass
 .
 ****