qpsmtpd/plugins/auth/auth_vpopmail

#!perl -w

=head1 NAME

auth_vpopmail - Authenticate against libvpopmail.a

=head1 DESCRIPTION

This plugin authenticates vpopmail users using p5-vpopmail.
Using CRAM-MD5 requires that vpopmail be built with the
'--enable-clear-passwd=y' option.

=head1 CONFIGURATION

This module will only work if qpsmtpd is running as the 'vpopmail' user.

CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher.
    http://github.com/sscanlon/vpopmail

Decide which authentication methods you are willing to support and uncomment
the lines in the register() sub. See the POD for Qspmtpd::Auth for more
details on the ramifications of supporting various authentication methods.

=head1 SEE ALSO

For an overview of the vpopmail authentication plugins and their merits,
please read the VPOPMAIL section in docs/authentication.pod

=head1 AUTHOR

Matt Simerson <msimerson@cpan.org>

=head1 COPYRIGHT AND LICENSE

Copyright (c) 2010 Matt Simerson

This plugin is licensed under the same terms as the qpsmtpd package itself.
Please see the LICENSE file included with qpsmtpd for details.

=cut

use strict;
use warnings;

use Qpsmtpd::Auth;
use Qpsmtpd::Constants;

#use vpopmail;    # we eval this in $test_vpopmail

sub register {
    my ($self, $qp) = @_;

    return (DECLINED) if ! $self->test_vpopmail_module();

    $self->register_hook("auth-plain", "auth_vpopmail" );
    $self->register_hook("auth-login", "auth_vpopmail" );
    $self->register_hook("auth-cram-md5", "auth_vpopmail");
}

sub auth_vpopmail {
    my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
      @_;

    my $pw              = vauth_getpw( split '@', lc($user) );
    my $pw_clear_passwd = $pw->{pw_clear_passwd};
    my $pw_passwd       = $pw->{pw_passwd};

    if (!$pw || (!$pw_clear_passwd && !$pw_passwd)) {
        $self->log(LOGINFO, "fail: invalid user $user");
        return (DENY, "auth_vpopmail - invalid user");
        # change DENY to DECLINED to support multiple auth plugins
    }

    return Qpsmtpd::Auth::validate_password( $self,
        src_clear     => $pw->{pw_clear_passwd},
        src_crypt     => $pw->{pw_passwd},
        attempt_clear => $passClear,
        attempt_hash  => $passHash,
        method        => $method,
        ticket        => $ticket,
        deny          => DENY,
    );
}

sub test_vpopmail_module {
    my $self = shift;
# vpopmail will not allow vauth_getpw to succeed unless the requesting user is vpopmail or root.
# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.
    eval "use vpopmail";
    if ( $@ ) {
        $self->log(LOGERROR, "skip: is vpopmail perl module installed?");
        return;
    };

    my ($domain) = vpopmail::vlistdomains();
    my $r = vauth_getpw('postmaster', $domain) or do {
            $self->log(LOGERROR, "skip: could not query vpopmail");
            return;
        };
    return 1;
}
Fix 01-syntax test failures Exclude some tests with dependencies. Remove -T from perl line in plugins This makes it harder to test with PERL5LIB/perlbrew etc 2012-04-29 10:35:59 +02:00			`#!perl -w`
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00
			`=head1 NAME`

			`auth_vpopmail - Authenticate against libvpopmail.a`

			`=head1 DESCRIPTION`

			`This plugin authenticates vpopmail users using p5-vpopmail.`
			`Using CRAM-MD5 requires that vpopmail be built with the`
			`'--enable-clear-passwd=y' option.`

			`=head1 CONFIGURATION`

			`This module will only work if qpsmtpd is running as the 'vpopmail' user.`

			`CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher.`
			`http://github.com/sscanlon/vpopmail`

			`Decide which authentication methods you are willing to support and uncomment`
			`the lines in the register() sub. See the POD for Qspmtpd::Auth for more`
			`details on the ramifications of supporting various authentication methods.`

			`=head1 SEE ALSO`

			`For an overview of the vpopmail authentication plugins and their merits,`
			`please read the VPOPMAIL section in docs/authentication.pod`

			`=head1 AUTHOR`

			`Matt Simerson <msimerson@cpan.org>`

			`=head1 COPYRIGHT AND LICENSE`

			`Copyright (c) 2010 Matt Simerson`

			`This plugin is licensed under the same terms as the qpsmtpd package itself.`
			`Please see the LICENSE file included with qpsmtpd for details.`

			`=cut`

POD corrections, additional tests, plugin consistency on files in plugins dir: fixed a number of POD errors formatted some # comments into POD removed bare 1; (these are plugins, not perl modules) most instances of this were copy/pasted from a previous plugin that had it removed instances of # vim ts=N ... they weren't consistent, many didn't match .perltidyrc on modules that failed perl -c tests, added 'use Qpsmtpd::Constants;' Conflicts: plugins/async/check_earlytalker plugins/async/dns_whitelist_soft plugins/async/dnsbl plugins/async/queue/smtp-forward plugins/async/require_resolvable_fromhost plugins/async/rhsbl plugins/async/uribl plugins/auth/auth_checkpassword plugins/auth/auth_cvm_unix_local plugins/auth/auth_flat_file plugins/auth/auth_ldap_bind plugins/auth/auth_vpopmail plugins/auth/auth_vpopmail_sql plugins/auth/authdeny plugins/check_badmailfromto plugins/check_badrcptto_patterns plugins/check_bogus_bounce plugins/check_earlytalker plugins/check_norelay plugins/check_spamhelo plugins/connection_time plugins/dns_whitelist_soft plugins/dnsbl plugins/domainkeys plugins/greylisting plugins/hosts_allow plugins/http_config plugins/logging/adaptive plugins/logging/apache plugins/logging/connection_id plugins/logging/transaction_id plugins/logging/warn plugins/milter plugins/queue/exim-bsmtp plugins/queue/maildir plugins/queue/postfix-queue plugins/queue/smtp-forward plugins/quit_fortune plugins/random_error plugins/rcpt_map plugins/rcpt_regexp plugins/relay_only plugins/require_resolvable_fromhost plugins/rhsbl plugins/sender_permitted_from plugins/spamassassin plugins/tls plugins/tls_cert plugins/uribl plugins/virus/aveclient plugins/virus/bitdefender plugins/virus/clamav plugins/virus/clamdscan plugins/virus/hbedv plugins/virus/kavscanner plugins/virus/klez_filter plugins/virus/sophie plugins/virus/uvscan 2012-04-08 02:11:16 +02:00			`use strict;`
Altered SASL method to include the mechanism in log entries. removed auth method from return calls in all auth plugins. The caller knows the mechanism already. In the code, the difference looks like this: before: or return (DENY, "authcvm/$method"); after: or return (DENY, "authcvm"); Added debug level log entries in auth_vpopmaild Conflicts: plugins/auth/auth_vpopmail_sql 2012-05-04 22:04:28 +02:00			`use warnings;`
POD corrections, additional tests, plugin consistency on files in plugins dir: fixed a number of POD errors formatted some # comments into POD removed bare 1; (these are plugins, not perl modules) most instances of this were copy/pasted from a previous plugin that had it removed instances of # vim ts=N ... they weren't consistent, many didn't match .perltidyrc on modules that failed perl -c tests, added 'use Qpsmtpd::Constants;' Conflicts: plugins/async/check_earlytalker plugins/async/dns_whitelist_soft plugins/async/dnsbl plugins/async/queue/smtp-forward plugins/async/require_resolvable_fromhost plugins/async/rhsbl plugins/async/uribl plugins/auth/auth_checkpassword plugins/auth/auth_cvm_unix_local plugins/auth/auth_flat_file plugins/auth/auth_ldap_bind plugins/auth/auth_vpopmail plugins/auth/auth_vpopmail_sql plugins/auth/authdeny plugins/check_badmailfromto plugins/check_badrcptto_patterns plugins/check_bogus_bounce plugins/check_earlytalker plugins/check_norelay plugins/check_spamhelo plugins/connection_time plugins/dns_whitelist_soft plugins/dnsbl plugins/domainkeys plugins/greylisting plugins/hosts_allow plugins/http_config plugins/logging/adaptive plugins/logging/apache plugins/logging/connection_id plugins/logging/transaction_id plugins/logging/warn plugins/milter plugins/queue/exim-bsmtp plugins/queue/maildir plugins/queue/postfix-queue plugins/queue/smtp-forward plugins/quit_fortune plugins/random_error plugins/rcpt_map plugins/rcpt_regexp plugins/relay_only plugins/require_resolvable_fromhost plugins/rhsbl plugins/sender_permitted_from plugins/spamassassin plugins/tls plugins/tls_cert plugins/uribl plugins/virus/aveclient plugins/virus/bitdefender plugins/virus/clamav plugins/virus/clamdscan plugins/virus/hbedv plugins/virus/kavscanner plugins/virus/klez_filter plugins/virus/sophie plugins/virus/uvscan 2012-04-08 02:11:16 +02:00
consolidate auth logic into Qpsmtpd::Auth These 3 auth plugins all have a data store they fetch the reference password or hash from. They then match the attemped password or hash against the reference. This consolidates the latter portion (validating the password/hash) into Auth.pm. * less duplicated code in the plugins. * Pass validation consistently handled for these 3 plugins. * less work to create new auth plugins Also caches the CRAM-MD5 ticket. It could also cache user/pass info if this was desirable. 2012-05-09 00:04:10 +02:00			`use Qpsmtpd::Auth;`
POD corrections, additional tests, plugin consistency on files in plugins dir: fixed a number of POD errors formatted some # comments into POD removed bare 1; (these are plugins, not perl modules) most instances of this were copy/pasted from a previous plugin that had it removed instances of # vim ts=N ... they weren't consistent, many didn't match .perltidyrc on modules that failed perl -c tests, added 'use Qpsmtpd::Constants;' Conflicts: plugins/async/check_earlytalker plugins/async/dns_whitelist_soft plugins/async/dnsbl plugins/async/queue/smtp-forward plugins/async/require_resolvable_fromhost plugins/async/rhsbl plugins/async/uribl plugins/auth/auth_checkpassword plugins/auth/auth_cvm_unix_local plugins/auth/auth_flat_file plugins/auth/auth_ldap_bind plugins/auth/auth_vpopmail plugins/auth/auth_vpopmail_sql plugins/auth/authdeny plugins/check_badmailfromto plugins/check_badrcptto_patterns plugins/check_bogus_bounce plugins/check_earlytalker plugins/check_norelay plugins/check_spamhelo plugins/connection_time plugins/dns_whitelist_soft plugins/dnsbl plugins/domainkeys plugins/greylisting plugins/hosts_allow plugins/http_config plugins/logging/adaptive plugins/logging/apache plugins/logging/connection_id plugins/logging/transaction_id plugins/logging/warn plugins/milter plugins/queue/exim-bsmtp plugins/queue/maildir plugins/queue/postfix-queue plugins/queue/smtp-forward plugins/quit_fortune plugins/random_error plugins/rcpt_map plugins/rcpt_regexp plugins/relay_only plugins/require_resolvable_fromhost plugins/rhsbl plugins/sender_permitted_from plugins/spamassassin plugins/tls plugins/tls_cert plugins/uribl plugins/virus/aveclient plugins/virus/bitdefender plugins/virus/clamav plugins/virus/clamdscan plugins/virus/hbedv plugins/virus/kavscanner plugins/virus/klez_filter plugins/virus/sophie plugins/virus/uvscan 2012-04-08 02:11:16 +02:00			`use Qpsmtpd::Constants;`

auth_vpopmail: refactored, added tests, logging added more logging standard log prefixes tests run a pretest to make sure tests have a chance to succeed 2012-05-07 09:35:58 +02:00			`#use vpopmail; # we eval this in $test_vpopmail`
Altered SASL method to include the mechanism in log entries. removed auth method from return calls in all auth plugins. The caller knows the mechanism already. In the code, the difference looks like this: before: or return (DENY, "authcvm/$method"); after: or return (DENY, "authcvm"); Added debug level log entries in auth_vpopmaild Conflicts: plugins/auth/auth_vpopmail_sql 2012-05-04 22:04:28 +02:00
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`sub register {`
			`my ($self, $qp) = @_;`

auth_vpopmail: refactored, added tests, logging added more logging standard log prefixes tests run a pretest to make sure tests have a chance to succeed 2012-05-07 09:35:58 +02:00			`return (DECLINED) if ! $self->test_vpopmail_module();`

added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`$self->register_hook("auth-plain", "auth_vpopmail" );`
			`$self->register_hook("auth-login", "auth_vpopmail" );`
			`$self->register_hook("auth-cram-md5", "auth_vpopmail");`
			`}`

			`sub auth_vpopmail {`
			`my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =`
			`@_;`

consolidate auth logic into Qpsmtpd::Auth These 3 auth plugins all have a data store they fetch the reference password or hash from. They then match the attemped password or hash against the reference. This consolidates the latter portion (validating the password/hash) into Auth.pm. * less duplicated code in the plugins. * Pass validation consistently handled for these 3 plugins. * less work to create new auth plugins Also caches the CRAM-MD5 ticket. It could also cache user/pass info if this was desirable. 2012-05-09 00:04:10 +02:00			`my $pw = vauth_getpw( split '@', lc($user) );`
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`my $pw_clear_passwd = $pw->{pw_clear_passwd};`
			`my $pw_passwd = $pw->{pw_passwd};`

			`if (!$pw \|\| (!$pw_clear_passwd && !$pw_passwd)) {`
consolidate auth logic into Qpsmtpd::Auth These 3 auth plugins all have a data store they fetch the reference password or hash from. They then match the attemped password or hash against the reference. This consolidates the latter portion (validating the password/hash) into Auth.pm. * less duplicated code in the plugins. * Pass validation consistently handled for these 3 plugins. * less work to create new auth plugins Also caches the CRAM-MD5 ticket. It could also cache user/pass info if this was desirable. 2012-05-09 00:04:10 +02:00			`$self->log(LOGINFO, "fail: invalid user $user");`
Altered SASL method to include the mechanism in log entries. removed auth method from return calls in all auth plugins. The caller knows the mechanism already. In the code, the difference looks like this: before: or return (DENY, "authcvm/$method"); after: or return (DENY, "authcvm"); Added debug level log entries in auth_vpopmaild Conflicts: plugins/auth/auth_vpopmail_sql 2012-05-04 22:04:28 +02:00			`return (DENY, "auth_vpopmail - invalid user");`
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`# change DENY to DECLINED to support multiple auth plugins`
			`}`

consolidate auth logic into Qpsmtpd::Auth These 3 auth plugins all have a data store they fetch the reference password or hash from. They then match the attemped password or hash against the reference. This consolidates the latter portion (validating the password/hash) into Auth.pm. * less duplicated code in the plugins. * Pass validation consistently handled for these 3 plugins. * less work to create new auth plugins Also caches the CRAM-MD5 ticket. It could also cache user/pass info if this was desirable. 2012-05-09 00:04:10 +02:00			`return Qpsmtpd::Auth::validate_password( $self,`
			`src_clear => $pw->{pw_clear_passwd},`
			`src_crypt => $pw->{pw_passwd},`
			`attempt_clear => $passClear,`
			`attempt_hash => $passHash,`
			`method => $method,`
			`ticket => $ticket,`
			`deny => DENY,`
			`);`
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`}`

auth_vpopmail: refactored, added tests, logging added more logging standard log prefixes tests run a pretest to make sure tests have a chance to succeed 2012-05-07 09:35:58 +02:00			`sub test_vpopmail_module {`
			`my $self = shift;`
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`# vpopmail will not allow vauth_getpw to succeed unless the requesting user is vpopmail or root.`
			`# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.`
fixed failing auths to auth/vpopmaild, added tests Apparently the format of vpopmaild responses has been expanded and the responses are conditional. * Replaced the 'sometimes works' eq comparison with a regexp that always works. * added tests for all 3 vpopmail plugins * added cram-md5 auth support to auth_vpopmaild. 2012-04-07 23:52:44 +02:00			`eval "use vpopmail";`
			`if ( $@ ) {`
auth_vpopmail: refactored, added tests, logging added more logging standard log prefixes tests run a pretest to make sure tests have a chance to succeed 2012-05-07 09:35:58 +02:00			`$self->log(LOGERROR, "skip: is vpopmail perl module installed?");`
fixed failing auths to auth/vpopmaild, added tests Apparently the format of vpopmaild responses has been expanded and the responses are conditional. * Replaced the 'sometimes works' eq comparison with a regexp that always works. * added tests for all 3 vpopmail plugins * added cram-md5 auth support to auth_vpopmaild. 2012-04-07 23:52:44 +02:00			`return;`
			`};`
auth_vpopmail: refactored, added tests, logging added more logging standard log prefixes tests run a pretest to make sure tests have a chance to succeed 2012-05-07 09:35:58 +02:00
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`my ($domain) = vpopmail::vlistdomains();`
auth_vpopmail: refactored, added tests, logging added more logging standard log prefixes tests run a pretest to make sure tests have a chance to succeed 2012-05-07 09:35:58 +02:00			`my $r = vauth_getpw('postmaster', $domain) or do {`
			`$self->log(LOGERROR, "skip: could not query vpopmail");`
			`return;`
			`};`
added auth_vpopmail plugin added auth_vpopmail plugin, using the perl-vpopmail module added VPOPMAIL auth methods description to docs/authentication added SEE ALSO section to each module, noting the VPOPMAIL description Signed-off-by: Robert <rspier@pobox.com> 2010-05-11 08:19:05 +02:00			`return 1;`
			`}`