Auth info from transports must be tracked per-address.

4 files changed, 20 insertions, 12 deletions

diff --git a/src/src/deliver.c b/src/src/deliver.c
index af39448c5..eef91036a 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -774,14 +774,14 @@ else
       string_printing(addr->peerdn), US"\"");
   #endif
 
-  if (smtp_authenticated)
+  if (addr->authenticator)
     {
-    s = string_append(s, &size, &ptr, 2, US" A=", client_authenticator);
-    if (client_authenticated_id)
+    s = string_append(s, &size, &ptr, 2, US" A=", addr->authenticator);
+    if (addr->auth_id)
       {
-      s = string_append(s, &size, &ptr, 2, US":", client_authenticated_id);
-      if (log_extra_selector & LX_smtp_mailauth  &&  client_authenticated_sender)
-        s = string_append(s, &size, &ptr, 2, US":", client_authenticated_sender);
+      s = string_append(s, &size, &ptr, 2, US":", addr->auth_id);
+      if (log_extra_selector & LX_smtp_mailauth  &&  addr->auth_sndr)
+        s = string_append(s, &size, &ptr, 2, US":", addr->auth_sndr);
       }
     }
 
@@ -2928,14 +2928,13 @@ while (!done)
     switch (*ptr++)
     {
     case '1':
-      smtp_authenticated = TRUE;
-      client_authenticator = (*ptr)? string_copy(ptr) : NULL;
+      addr->authenticator = (*ptr)? string_copy(ptr) : NULL;
       break;
     case '2':
-      client_authenticated_id = (*ptr)? string_copy(ptr) : NULL;
+      addr->auth_id = (*ptr)? string_copy(ptr) : NULL;
       break;
     case '3':
-      client_authenticated_sender = (*ptr)? string_copy(ptr) : NULL;
+      addr->auth_sndr = (*ptr)? string_copy(ptr) : NULL;
       break;
     }
     while (*ptr++);
@@ -3682,6 +3681,9 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
 
   deliver_set_expansions(addr);
 
+  /* Ensure any transport-set auth info is fresh */
+  addr->authenticator = addr->auth_id = addr->auth_sndr = NULL;
+
   /* Compute the return path, expanding a new one if required. The old one
   must be set first, as it might be referred to in the expansion. */
 
diff --git a/src/src/globals.c b/src/src/globals.c
index 9645504f5..616a2350d 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -315,6 +315,9 @@ address_item address_defaults = {
   NULL,                 /* cipher */
   NULL,                 /* peerdn */
   #endif
+  NULL,			/* authenticator */
+  NULL,			/* auth_id */
+  NULL,			/* auth_sndr */
   (uid_t)(-1),          /* uid */
   (gid_t)(-1),          /* gid */
   0,                    /* flags */
diff --git a/src/src/structs.h b/src/src/structs.h
index 1ad5d9b7e..5fc01e9e5 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -536,6 +536,10 @@ typedef struct address_item {
   uschar *peerdn;                 /* DN of server's certificate */
   #endif
 
+  uschar *authenticator;	  /* auth driver name used by transport */
+  uschar *auth_id;		  /* auth "login" name used by transport */
+  uschar *auth_sndr;		  /* AUTH arg to SMTP MAIL, used by transport */
+
   uid_t   uid;                    /* uid for transporting */
   gid_t   gid;                    /* gid for transporting */
 
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index b4ef7cf4d..6c3507609 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1272,6 +1272,7 @@ if (continue_hostname == NULL
   authenticator's client driver is running. */
 
   smtp_authenticated = FALSE;
+  client_authenticator = client_authenticated_id = client_authenticated_sender = NULL;
   require_auth = verify_check_this_host(&(ob->hosts_require_auth), NULL,
     host->name, host->address, NULL);
 
@@ -1501,8 +1502,6 @@ if ((smtp_authenticated || ob->authenticated_sender_force) &&
     Ustrlen(local_authenticated_sender)));
   client_authenticated_sender = string_copy(local_authenticated_sender);
   }
-else
-  client_authenticated_sender = NULL;
 
 /* From here until we send the DATA command, we can make use of PIPELINING
 if the server host supports it. The code has to be able to check the responses