Commit Graph

21 Commits

Author SHA1 Message Date
Matt Simerson
35e1ce9883 consolidate auth logic into Qpsmtpd::Auth
These 3 auth plugins all have a data store they fetch the reference
password or hash from. They then match the attemped password or hash
against the reference. This consolidates the latter portion (validating
the password/hash) into Auth.pm.

* less duplicated code in the plugins.
* Pass validation consistently handled for these 3 plugins.
* less work to create new auth plugins

Also caches the CRAM-MD5 ticket. It could also cache user/pass info if
this was desirable.
2012-05-20 23:37:06 -07:00
Matt Simerson
a6e664ce83 Altered SASL method to include the mechanism in log entries.
removed auth method from return calls in all auth plugins. The caller knows the mechanism already. In the code, the difference looks like this:

before:
        or return (DENY, "authcvm/$method");
after:
        or return (DENY, "authcvm");

Added debug level log entries in auth_vpopmaild

Conflicts:

	plugins/auth/auth_vpopmail_sql
2012-05-06 16:20:25 -07:00
Matt Simerson
5285774285 refactored Qpsmtpd::Auth::SASL
unit tests for new methods are in t/auth.t

added PLAIN and LOGIN tests in auth_flat_file

Most tests are disabled unless an interactive terminal is detected and $ENV{QPSMTPD_DEVELOPER} is set.
2012-05-06 16:17:02 -07:00
Matt Simerson
983dc82203 confine duplicate Auth log entry to LOGDEBUG 2012-05-06 16:12:20 -07:00
Rick
7de104bf66 AUTH PLAIN bug with qpsmtpd and alpine
Trying to get SMTP auth working with alpine, I came across a bug.
Alpine sends AUTH PLAIN and waits for a 334 response, then sends the
auth string. According to the RFC, the server should reply with 334
and a nothing else, but in Auth.pm qpsmtpd responds with "334 Please
continue."   the "Please continue" is interpreted as a non-zero
length initial challenge which causes alpine (and maybe other
clients?) to abort the session.

Signed-off-by: Charlie Brady <charlieb@budge.apana.org.au>
Signed-off-by: Robert <rspier@pobox.com>
2009-12-24 20:36:51 -08:00
Steve Kemp
d066479a77 PATCH: Spelling fixups
According to my dictionary "Authentification" is not a real word.

Signed-off-by: Robert <rspier@pobox.com>
2009-10-17 23:38:57 -07:00
Jeff King
e4cb191047 Don't do printf interpolation on config('me')
The code feeds the results of $session->config('me') to
sprintf as part of the format string. In practice, this is
probably not a problem since hostnames don't contain percent
signs. However, it triggers a taint warning in perl 5.10,
making cram-md5 auth unusable.

This patch rewrites the sprintf to insert the 'me' value
using a %s format specifier.
2009-01-05 06:34:59 +00:00
John Peacock
d218bfea82 Correctly handle the case where a given AUTH mechanism is requested by a
[stupid] MUA, but isn't implemented with existing auth plugins.  Based on
patch from Brian Szymanski.

git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@660 958fd67b-6ff1-0310-b445-bb7760255be9
2006-09-22 15:31:28 +00:00
John Peacock
508be70d26 ne is for strings, != is for numbers (Leonardo Helman)
git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@636 958fd67b-6ff1-0310-b445-bb7760255be9
2006-04-26 15:31:03 +00:00
John Peacock
af93447e78 Redo AUTH PLAIN and AUTH LOGIN correctly(?) this time. (Michael Holzt)
git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@634 958fd67b-6ff1-0310-b445-bb7760255be9
2006-04-24 15:48:24 +00:00
John Peacock
ff4e92bb4e Resolve ticket #38806 (Inadequate validation of authentication data)
Charlie Brady.

git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@633 958fd67b-6ff1-0310-b445-bb7760255be9
2006-04-07 19:21:10 +00:00
John Peacock
7c6cbdd000 Move the Qpsmtpd::Auth POD to a top-level README to be more obvious.
git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@632 958fd67b-6ff1-0310-b445-bb7760255be9
2006-04-07 19:06:39 +00:00
John Peacock
6f145149ae Apparently, I never tested TLS and AUTH at the same time. It turns out
that you have to explicitely read from <STDIN> in order for IO::Socket::SSL
to correctly translate the data (i.e. reading from <> isn't sufficient).

git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@612 958fd67b-6ff1-0310-b445-bb7760255be9
2006-02-07 02:03:00 +00:00
John Peacock
5959cc1c32 * lib/Qpsmtpd/Auth.pm
lib/Qpsmtpd/SMTP.pm
    Take the AUTH method and put it in SMTP.pm where it belongs.

* lib/Qpsmtpd.pm
  lib/Qpsmtpd/Plugin.pm
    Expose the auth_user/auth_mechanism property to plugin writers.

git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.31@556 958fd67b-6ff1-0310-b445-bb7760255be9
2005-10-31 17:12:37 +00:00
John Peacock
58ded6369d * lib/Qpsmtpd/Auth.pm
Fix some totally egregious spelling errors
 
 *  plugins/auth/auth_ldap_bind
    New plugin to authenticate against an LDAP database
    Thanks to Elliot Foster <elliotf@gratuitous.net>


git-svn-id: https://svn.perl.org/qpsmtpd/trunk@404 958fd67b-6ff1-0310-b445-bb7760255be9
2005-04-12 19:59:52 +00:00
John Peacock
c840a1d04f Changes by jpeacock@cpan.org (John Peacock)
o plugins/check_badmailfromto
    - New plugin in the style of check_badmailfrom, which matches a pair
      of FROM/TO and makes it seem like the recipient's address no longer
      exists (but only from the matching sender's point of view).  Useful
      for stalkers and other harassment cases.

o plugins/dns_whitelist_soft
    - New plugin to provide a DNS-based whitelist (good for distributed
      sites).

o various files
    - Replaced tab character with 8 spaces and adjusted line breaks for
      better readability.

Changes by mct@toren.net (Michael C. Toren)

o lib/Qpsmtpd/SMTP.pm

    - Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
      indicate a null sender when generating a doublebounce message)
      is equivalent to "<>".  Previously qpsmtpd complained that the
      value could not be parsed.

    - Adds LOGIN to the default list of supported auth mechanisms.
      The documentation in Auth.pm indicated that auth-login was not
      currently supported due to lack of functionality, however I can
      confirm that LOGIN appears to work fine as tested by using msmtp
      (http://msmtp.sourceforge.net/).  Are there any indications that
      LOGIN support is actually broken in the current implementation?

    - Removes the "X-Qpsmtpd-Auth: True" header appended when a message
      has been sent by an authenticated user.  One problem with such a
      header is that it's impossible to say which SMTP hop added it,
      and it provides no information which could be used to backtrack
      the transaction.  I grepped through my mail archives a bit
      looking for how other MTAs handled the problem, and decided it
      would be best to place this information in the Received: header:

        Received: from remotehost (HELO remotehost) (192.168.42.42)
          (smtp-auth username foo, mechanism cram-md5)
          by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>


o lib/Qpsmtpd/Auth.pm:

    - Documentation update for the arguments passed to an auth
      handler; previously the $mechanism argument was not mentioned,
      which threw off the argument offsets.

    - Documentation update for auth-login removing the warning
      that auth-login is not currently supported due to lack of
      functionality.

    - Fix to execute a generic auth hook when a more specific
      auth-$mechanism hook does not exist.  (Previously posted
      to the list last week.)

    - Upon authentication, sets $session->{_auth_user} and
      $session->{_auth_mechanism} so that SMTP.pm can include them
      in the Received: header.


o plugins/queue/qmail-queue

    - Added a timestamp and the qmail-queue qp identifier to the
      "Queued!" 250 message, for compatibility with qmail-smtpd, which
      can be very useful for tracking message delivery from machine to
      machine.  For example, the new 250 message might be:

        250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>

      qmail-smtpd returns:

        250 ok 1106546213 qp 7129

      Additionally, for consistency angle brackets are placed around
      the Message-ID displayed in the 250 if they were missing in the
      message header.


o plugins/check_badmailfrom:

    - Changed the error message from "Mail from $bad not accepted
      here" to "sorry, your envelope sender is in my badmailfrom
      list", for compatibility with qmail-smtpd.  I didn't see any
      reason to share with the sender the value of $bad, especially
      for situations where the sender was rejected resulting from a
      wildcard.


o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:

    - No longer checks for earlytalkers or resolvable senders if the
      connection note "whitelistclient" is set, which is nice for
      helping backup MX hosts empty their queue faster.


o plugins/count_unrecognized_commands:

    - Return code changed from DENY_DISCONNECT, which isn't valid in
      an unrecognized_command hook, to DENY, which in this context
      drops the connection anyway.  (Previously posted to the list
      last week.)


git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
2005-01-28 03:30:50 +00:00
John Peacock
03455aff9a Add username for AUTH success/failure log entry
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@328 958fd67b-6ff1-0310-b445-bb7760255be9
2004-09-23 16:14:56 +00:00
John Peacock
f92e99bd9c * plugins/check_relay
*   plugins/rcpt_ok
    Split check_relay into two plugins

*   config/plugins
    Reorder plugins to take advantage of the new check_relay

*   lib/Qpsmtpd/Connection.pm
    Add support for relay_client() method

*   lib/Qpsmtpd/SMTP.pm
    Copy connection relay settings to transaction object when created

*   lib/Qpsmtpd/Auth.pm
    Use the connection->relay_client() instead of setting an env var


git-svn-id: https://svn.perl.org/qpsmtpd/trunk@326 958fd67b-6ff1-0310-b445-bb7760255be9
2004-09-22 16:01:16 +00:00
Matt Sergeant
a204827d0c Fix for AUTH PLAIN from Michael Holzt <kju@fqdn.org>
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@280 958fd67b-6ff1-0310-b445-bb7760255be9
2004-07-29 14:40:32 +00:00
Matt Sergeant
fd8fcde7c0 Don't allow AUTH under HELO (rfc 821) connections
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@258 958fd67b-6ff1-0310-b445-bb7760255be9
2004-07-05 09:24:59 +00:00
Matt Sergeant
011f44e11d Auth changes (John Peacock with minor modifications by baud)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@252 958fd67b-6ff1-0310-b445-bb7760255be9
2004-06-29 21:45:35 +00:00