2012-05-04 21:20:48 +02:00
|
|
|
package Qpsmtpd::Auth;
|
2013-04-21 06:08:43 +02:00
|
|
|
|
|
|
|
|
# See the documentation in 'perldoc docs/authentication.pod'
|
2004-06-29 23:45:35 +02:00
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
use strict;
|
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
|
|
use Qpsmtpd::Constants;
|
2004-06-29 23:45:35 +02:00
|
|
|
|
2012-05-09 00:04:10 +02:00
|
|
|
use Digest::HMAC_MD5 qw(hmac_md5_hex);
|
|
|
|
|
use MIME::Base64;
|
|
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
sub e64 {
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($arg) = @_;
|
|
|
|
|
my $res = encode_base64($arg);
|
|
|
|
|
chomp($res);
|
2014-09-18 03:28:51 +02:00
|
|
|
return $res;
|
2004-07-29 16:40:32 +02:00
|
|
|
}
|
|
|
|
|
|
2004-06-29 23:45:35 +02:00
|
|
|
sub SASL {
|
|
|
|
|
|
|
|
|
|
# $DB::single = 1;
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($session, $mechanism, $prekey) = @_;
|
|
|
|
|
my ($user, $passClear, $passHash, $ticket, $loginas);
|
2004-06-29 23:45:35 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($mechanism eq 'plain') {
|
|
|
|
|
($loginas, $user, $passClear) =
|
|
|
|
|
get_auth_details_plain($session, $prekey);
|
|
|
|
|
return DECLINED if !$user || !$passClear;
|
2004-06-29 23:45:35 +02:00
|
|
|
}
|
2013-04-21 06:08:43 +02:00
|
|
|
elsif ($mechanism eq 'login') {
|
|
|
|
|
($user, $passClear) = get_auth_details_login($session, $prekey);
|
|
|
|
|
return DECLINED if !$user || !$passClear;
|
2004-07-29 16:40:32 +02:00
|
|
|
}
|
2013-04-21 06:08:43 +02:00
|
|
|
elsif ($mechanism eq 'cram-md5') {
|
|
|
|
|
($ticket, $user, $passHash) = get_auth_details_cram_md5($session);
|
|
|
|
|
return DECLINED if !$user || !$passHash;
|
2004-06-29 23:45:35 +02:00
|
|
|
}
|
|
|
|
|
else {
|
2006-09-22 17:31:28 +02:00
|
|
|
#this error is now caught in SMTP.pm's sub auth
|
2013-04-21 06:08:43 +02:00
|
|
|
$session->respond(500, "Internal server error");
|
2004-06-29 23:45:35 +02:00
|
|
|
return DECLINED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# try running the specific hooks first
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($rc, $msg) =
|
|
|
|
|
$session->run_hooks("auth-$mechanism", $mechanism, $user, $passClear,
|
|
|
|
|
$passHash, $ticket);
|
2004-06-29 23:45:35 +02:00
|
|
|
|
|
|
|
|
# try running the polymorphous hooks next
|
2013-04-21 06:08:43 +02:00
|
|
|
if (!$rc || $rc == DECLINED) {
|
|
|
|
|
($rc, $msg) =
|
|
|
|
|
$session->run_hooks("auth", $mechanism, $user,
|
|
|
|
|
$passClear, $passHash, $ticket);
|
2004-06-29 23:45:35 +02:00
|
|
|
}
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($rc == OK) {
|
|
|
|
|
$msg =
|
|
|
|
|
uc($mechanism)
|
|
|
|
|
. " authentication successful for $user"
|
|
|
|
|
. ($msg ? " - $msg" : '');
|
|
|
|
|
$session->respond(235, $msg);
|
2004-09-22 18:01:16 +02:00
|
|
|
$session->connection->relay_client(1);
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($session->connection->notes('naughty')) {
|
|
|
|
|
$session->log(LOGINFO, "auth success cleared naughty");
|
|
|
|
|
$session->connection->notes('naughty', 0);
|
|
|
|
|
}
|
|
|
|
|
$session->log(LOGDEBUG, $msg); # already logged by $session->respond
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
$session->{_auth_user} = $user;
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
$session->{_auth_mechanism} = $mechanism;
|
2013-04-21 06:08:43 +02:00
|
|
|
s/[\r\n].*//s for ($session->{_auth_user}, $session->{_auth_mechanism});
|
Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 04:30:50 +01:00
|
|
|
|
2004-06-29 23:45:35 +02:00
|
|
|
return OK;
|
|
|
|
|
}
|
|
|
|
|
else {
|
2013-04-21 06:08:43 +02:00
|
|
|
$msg =
|
|
|
|
|
uc($mechanism)
|
|
|
|
|
. " authentication failed for $user"
|
|
|
|
|
. ($msg ? " - $msg" : '');
|
|
|
|
|
$session->respond(535, $msg);
|
|
|
|
|
$session->log(LOGDEBUG, $msg); # already logged by $session->respond
|
2004-06-29 23:45:35 +02:00
|
|
|
return DENY;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
sub get_auth_details_plain {
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($session, $prekey) = @_;
|
2012-05-04 21:20:48 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if (!$prekey) {
|
|
|
|
|
$session->respond(334, ' ');
|
|
|
|
|
$prekey = <STDIN>;
|
2012-05-04 21:20:48 +02:00
|
|
|
}
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($loginas, $user, $passClear) = split /\x0/, decode_base64($prekey);
|
2012-05-04 21:20:48 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if (!$user) {
|
|
|
|
|
if ($loginas) {
|
2012-05-04 21:20:48 +02:00
|
|
|
$session->respond(535, "Authentication invalid ($loginas)");
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$session->respond(535, "Authentication invalid");
|
|
|
|
|
}
|
|
|
|
|
return;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
|
|
|
|
# Authorization ID must not be different from Authentication ID
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($loginas ne '' && $loginas ne $user) {
|
2012-05-04 21:20:48 +02:00
|
|
|
$session->respond(535, "Authentication invalid for $user");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-18 03:28:51 +02:00
|
|
|
return $loginas, $user, $passClear;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
|
|
|
|
sub get_auth_details_login {
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($session, $prekey) = @_;
|
2012-05-04 21:20:48 +02:00
|
|
|
|
|
|
|
|
my $user;
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($prekey) {
|
2012-05-04 21:20:48 +02:00
|
|
|
$user = decode_base64($prekey);
|
|
|
|
|
}
|
|
|
|
|
else {
|
2013-04-21 06:08:43 +02:00
|
|
|
$user = get_base64_response($session, 'Username:') or return;
|
2012-05-04 21:20:48 +02:00
|
|
|
}
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
my $passClear = get_base64_response($session, 'Password:') or return;
|
2012-05-04 21:20:48 +02:00
|
|
|
|
2014-09-18 03:28:51 +02:00
|
|
|
return $user, $passClear;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
|
|
|
|
sub get_auth_details_cram_md5 {
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($session, $ticket) = @_;
|
|
|
|
|
|
|
|
|
|
if (!$ticket) { # ticket is only passed in during testing
|
|
|
|
|
# rand() is not cryptographic, but we only need to generate a globally
|
|
|
|
|
# unique number. The rand() is there in case the user logs in more than
|
|
|
|
|
# once in the same second, or if the clock is skewed.
|
|
|
|
|
$ticket =
|
|
|
|
|
sprintf('<%x.%x@%s>', rand(1000000), time(), $session->config('me'));
|
|
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
|
|
|
|
# send the base64 encoded ticket
|
2013-04-21 06:08:43 +02:00
|
|
|
$session->respond(334, encode_base64($ticket, ''));
|
2012-05-04 21:20:48 +02:00
|
|
|
my $line = <STDIN>;
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($line eq '*') {
|
|
|
|
|
$session->respond(501, "Authentication canceled");
|
2012-05-04 21:20:48 +02:00
|
|
|
return;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($user, $passHash) = split(/ /, decode_base64($line));
|
|
|
|
|
unless ($user && $passHash) {
|
2012-05-04 21:20:48 +02:00
|
|
|
$session->respond(504, "Invalid authentication string");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2012-05-09 00:04:10 +02:00
|
|
|
$session->{auth}{ticket} = $ticket;
|
2014-09-18 03:28:51 +02:00
|
|
|
return $ticket, $user, $passHash;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
|
|
|
|
sub get_base64_response {
|
|
|
|
|
my ($session, $question) = @_;
|
|
|
|
|
|
|
|
|
|
$session->respond(334, e64($question));
|
2013-04-21 06:08:43 +02:00
|
|
|
my $answer = decode_base64(<STDIN>);
|
2012-05-04 21:20:48 +02:00
|
|
|
if ($answer eq '*') {
|
|
|
|
|
$session->respond(501, "Authentication canceled");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
return $answer;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-04 21:20:48 +02:00
|
|
|
|
2012-05-09 00:04:10 +02:00
|
|
|
sub validate_password {
|
2013-04-21 06:08:43 +02:00
|
|
|
my ($self, %a) = @_;
|
2012-05-09 00:04:10 +02:00
|
|
|
|
|
|
|
|
my ($pkg, $file, $line) = caller();
|
2013-04-21 06:08:43 +02:00
|
|
|
$file = (split /\//, $file)[-1]; # strip off the path
|
2012-05-09 00:04:10 +02:00
|
|
|
|
|
|
|
|
my $src_clear = $a{src_clear};
|
|
|
|
|
my $src_crypt = $a{src_crypt};
|
|
|
|
|
my $attempt_clear = $a{attempt_clear};
|
|
|
|
|
my $attempt_hash = $a{attempt_hash};
|
|
|
|
|
my $method = $a{method} or die "missing method";
|
|
|
|
|
my $ticket = $a{ticket} || $self->{auth}{ticket};
|
|
|
|
|
my $deny = $a{deny} || DENY;
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if (!$src_crypt && !$src_clear) {
|
2012-05-09 00:04:10 +02:00
|
|
|
$self->log(LOGINFO, "fail: missing password");
|
2014-09-18 03:28:51 +02:00
|
|
|
return $deny, "$file - no such user";
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-09 00:04:10 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if (!$src_clear && $method =~ /CRAM-MD5/i) {
|
2012-05-09 00:04:10 +02:00
|
|
|
$self->log(LOGINFO, "skip: cram-md5 not supported w/o clear pass");
|
2014-09-18 03:28:51 +02:00
|
|
|
return DECLINED, $file;
|
2012-05-09 00:04:10 +02:00
|
|
|
}
|
|
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if (defined $attempt_clear) {
|
|
|
|
|
if ($src_clear && $src_clear eq $attempt_clear) {
|
2012-05-09 00:04:10 +02:00
|
|
|
$self->log(LOGINFO, "pass: clear match");
|
2014-09-18 03:28:51 +02:00
|
|
|
return OK, $file;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-09 00:04:10 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($src_crypt && $src_crypt eq crypt($attempt_clear, $src_crypt)) {
|
2012-05-09 00:04:10 +02:00
|
|
|
$self->log(LOGINFO, "pass: crypt match");
|
2014-09-18 03:28:51 +02:00
|
|
|
return OK, $file;
|
2012-05-09 00:04:10 +02:00
|
|
|
}
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-09 00:04:10 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if (defined $attempt_hash && $src_clear) {
|
|
|
|
|
if (!$ticket) {
|
2012-05-09 00:04:10 +02:00
|
|
|
$self->log(LOGERROR, "skip: missing ticket");
|
2014-09-18 03:28:51 +02:00
|
|
|
return DECLINED, $file;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-09 00:04:10 +02:00
|
|
|
|
2013-04-21 06:08:43 +02:00
|
|
|
if ($attempt_hash eq hmac_md5_hex($ticket, $src_clear)) {
|
2012-05-09 00:04:10 +02:00
|
|
|
$self->log(LOGINFO, "pass: hash match");
|
2014-09-18 03:28:51 +02:00
|
|
|
return OK, $file;
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
2012-05-09 00:04:10 +02:00
|
|
|
|
|
|
|
|
$self->log(LOGINFO, "fail: wrong password");
|
2014-09-18 03:28:51 +02:00
|
|
|
return $deny, "$file - wrong password";
|
2013-04-21 06:08:43 +02:00
|
|
|
}
|
2012-05-09 00:04:10 +02:00
|
|
|
|
|
|
|
|
# tag: qpsmtpd plugin that sets RELAYCLIENT when the user authenticates
|
2004-06-29 23:45:35 +02:00
|
|
|
|
|
|
|
|
1;
|
