From 40394cc11a826278cef2e205313f9339ca90d16d Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 25 Mar 2018 16:42:34 +0100 Subject: Add non-mtp source info to ${authres } --- doc/doc-docbook/spec.xfpt | 6 ++++++ src/src/expand.c | 16 ++++++++++++++++ src/src/globals.c | 1 + src/src/globals.h | 1 + src/src/receive.c | 9 +++++---- test/confs/0571 | 4 ++-- test/log/0571 | 1 + test/scripts/0000-Basic/0571 | 2 +- 8 files changed, 33 insertions(+), 7 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 7d5b3b3cf..b65b6fe5b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11595,10 +11595,15 @@ preserve some of the authentication information in the variable user/password authenticator configuration might preserve the user name for use in the routers. Note that this is not the same information that is saved in &$sender_host_authenticated$&. + When a message is submitted locally (that is, not over a TCP connection) the value of &$authenticated_id$& is normally the login name of the calling process. However, a trusted user can override this by means of the &%-oMai%& command line option. +.new +This second case also sets up inforamtion used by the +&$authresults$& expansion item. +.wen .vitem &$authenticated_fail_id$& .cindex "authentication" "fail" "id" @@ -38939,6 +38944,7 @@ openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM .endd Take the base-64 lines from the output of the second command, concatenated, for the DNS TXT record. +See section 3.6 of RFC6376 for the record specification. Under GnuTLS: .code diff --git a/src/src/expand.c b/src/src/expand.c index a1ac7d198..f878e7b7f 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -1662,6 +1662,21 @@ return yield; +/* Append a "local" element to an Autherntication-Results: header +if this was a non-smtp message. +*/ + +static gstring * +authres_local(gstring * g, const uschar * sysname) +{ +if (!authentication_local) + return g; +g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")"); +if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id); +return g; +} + + /* Append an "iprev" element to an Autherntication-Results: header if we have attempted to get the calling host's name. */ @@ -4141,6 +4156,7 @@ while (*s != 0) US"Authentication-Results: ", sub_arg[0], US"; none"); yield->ptr -= 6; + yield = authres_local(yield, sub_arg[0]); yield = authres_iprev(yield); yield = authres_smtpauth(yield); #ifdef SUPPORT_SPF diff --git a/src/src/globals.c b/src/src/globals.c index aed695066..7d18b38b5 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -434,6 +434,7 @@ uschar *authenticated_fail_id = NULL; uschar *authenticated_id = NULL; uschar *authenticated_sender = NULL; BOOL authentication_failed = FALSE; +BOOL authentication_local = FALSE; auth_instance *auths = NULL; uschar *auth_advertise_hosts = US"*"; auth_instance auth_defaults = { diff --git a/src/src/globals.h b/src/src/globals.h index 66d6c26be..da1230b7f 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -228,6 +228,7 @@ extern uschar *authenticated_fail_id; /* ID that failed authentication */ extern uschar *authenticated_id; /* ID that was authenticated */ extern uschar *authenticated_sender; /* From AUTH on MAIL */ extern BOOL authentication_failed; /* TRUE if AUTH was tried and failed */ +extern BOOL authentication_local; /* TRUE if non-smtp (implicit authentication) */ extern uschar *auth_advertise_hosts; /* Only advertise to these */ extern auth_info auths_available[]; /* Vector of available auth mechanisms */ extern auth_instance *auths; /* Chain of instantiated auths */ diff --git a/src/src/receive.c b/src/src/receive.c index 6a534dc87..4cc43eb3a 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -3572,15 +3572,16 @@ else goto TIDYUP; #endif /* WITH_CONTENT_SCAN */ - if (acl_not_smtp != NULL) + if (acl_not_smtp) { uschar *user_msg, *log_msg; + authentication_local = TRUE; rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg); if (rc == DISCARD) { recipients_count = 0; blackholed_by = US"non-SMTP ACL"; - if (log_msg != NULL) + if (log_msg) blackhole_log_msg = string_sprintf(": %s", log_msg); } else if (rc != OK) @@ -3595,11 +3596,11 @@ else /* The ACL can specify where rejections are to be logged, possibly nowhere. The default is main and reject logs. */ - if (log_reject_target != 0) + if (log_reject_target) log_write(0, log_reject_target, "F=<%s> rejected by non-SMTP ACL: %s", sender_address, log_msg); - if (user_msg == NULL) user_msg = US"local configuration problem"; + if (!user_msg) user_msg = US"local configuration problem"; if (smtp_batched_input) { moan_smtp_batch(NULL, "%d %s", 550, user_msg); diff --git a/test/confs/0571 b/test/confs/0571 index cf4881a0a..a818257f5 100644 --- a/test/confs/0571 +++ b/test/confs/0571 @@ -27,8 +27,8 @@ acl_not_smtp = ${if def:sender_address \ begin acl acl_29_29_29: - deny dnslists = test.ex/$sender_address_domain - accept + deny dnslists = test.ex/$sender_address_domain + accept logwrite = authresults: ${authresults {$primary_hostname}} acl_29_29_0: deny dnslists = test.ex diff --git a/test/log/0571 b/test/log/0571 index afae80f19..e402d75a0 100644 --- a/test/log/0571 +++ b/test/log/0571 @@ -1,4 +1,5 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 F= rejected by non-SMTP ACL: cannot test auto-keyed dnslists condition in non-SMTP ACL 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL +1999-03-02 09:44:33 10HmaZ-0005vi-00 authresults: Authentication-Results: myhost.test.ex;\n local=pass (non-smtp, myhost.test.ex) u=CALLER 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= bill@29.29.29.com U=CALLER P=local S=sss diff --git a/test/scripts/0000-Basic/0571 b/test/scripts/0000-Basic/0571 index 3eab04cbf..f8422c8b9 100644 --- a/test/scripts/0000-Basic/0571 +++ b/test/scripts/0000-Basic/0571 @@ -6,7 +6,7 @@ should fail . **** # -exim -f bill@29.29.29.com -odq ok1@test.ex +exim -oMai CALLER -f bill@29.29.29.com -odq ok1@test.ex should pass . **** -- cgit v1.2.3