#!/usr/bin/perl -w =head1 NAME auth_vpopmail_sql - Authenticate to vpopmail via MySQL =head1 DESCRIPTION This plugin authenticates vpopmail users directly against a standard vpopmail MySQL database. It makes the not-unreasonable assumption that both pw_name and pw_domain are lowercase only (qmail doesn't actually care). If you are using CRAM-MD5, it also requires that vpopmail be built with the recommended '--enable-clear-passwd=y' option, because there is no way to compare the crypted password. =head1 CONFIGURATION Decide which authentication methods you are willing to support and uncomment the lines in the register() sub. See the POD for Qspmtpd::Auth for more details on the ramifications of supporting various authentication methods. Then, change the database information at the top of the authsql() sub so that the module can access the database. This can be a read-only account since the plugin does not update the last accessed time (yet, see below). The remote user must login with a fully qualified e-mail address (i.e. both account name and domain), even if they don't normally need to. This is because the vpopmail table has a unique index on pw_name/pw_domain, and this module requires that only a single record be returned from the database. =head1 FUTURE DIRECTION The default MySQL configuration for vpopmail includes a table to log access, lastauth, which could conceivably be updated upon sucessful authentication. The addition of this feature is left as an exercise for someone who cares. ;) =head1 AUTHOR John Peacock =head1 COPYRIGHT AND LICENSE Copyright (c) 2004 John Peacock This plugin is licensed under the same terms as the qpsmtpd package itself. Please see the LICENSE file included with qpsmtpd for details. =cut sub register { my ( $self, $qp ) = @_; $self->register_hook("auth-plain", "authsql" ); $self->register_hook("auth-login", "authsql" ); $self->register_hook("auth-cram-md5", "authsql"); } sub authsql { use DBI; use Qpsmtpd::Constants; use Digest::HMAC_MD5 qw(hmac_md5_hex); # $DB::single = 1; my $connect = "dbi:mysql:dbname=vpopmail"; my $dbuser = "vpopmailuser"; my $dbpasswd = "vpoppasswd"; my $dbh = DBI->connect( $connect, $dbuser, $dbpasswd ); $dbh->{ShowErrorStatement} = 1; my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) = @_; my ( $pw_name, $pw_domain ) = split "@", lc($user); unless ( defined $pw_domain ) { return DECLINED; } $self->log(LOGINFO, "Authentication to vpopmail via mysql: $pw_name\@$pw_domain"); my $sth = $dbh->prepare(<execute( $pw_name, $pw_domain ); my $passwd_hash = $sth->fetchrow_hashref; $sth->finish; $dbh->disconnect; # if vpopmail was not built with '--enable-clear-passwd=y' # then pw_clear_passwd may not even exist my $pw_clear_passwd = exists $passwd_hash->{'pw_clear_passwd'} ? $passwd_hash->{'pw_clear_passwd'} : undef; my $pw_passwd = $passwd_hash->{'pw_passwd'}; # this is always present if ( # clear_passwd isn't defined so we cannot support CRAM-MD5 ( $method =~ /CRAM-MD5/i and not defined $pw_clear_passwd ) or # user doesn't exist in this domain ( not defined $pw_passwd ) ) { return ( DECLINED, "authsql/$method" ); } # at this point we can assume the user name matched if ( ( defined $passClear and ( ($pw_clear_passwd eq $passClear) or ($pw_passwd eq crypt( $passClear, $pw_passwd ) ) ) ) or ( defined $passHash and $passHash eq hmac_md5_hex( $ticket, $pw_clear_passwd ) ) ) { return ( OK, "authsql/$method" ); } else { return ( DENY, "authsql/$method - wrong password" ); } }