#!perl -w
use strict;

=head1 NAME

auth_vpopmail - Authenticate against libvpopmail.a


This plugin authenticates vpopmail users using p5-vpopmail.
Using CRAM-MD5 requires that vpopmail be built with the
'--enable-clear-passwd=y' option.


This module will only work if qpsmtpd is running as the 'vpopmail' user.

CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher.

Decide which authentication methods you are willing to support and uncomment
the lines in the register() sub. See the POD for Qspmtpd::Auth for more
details on the ramifications of supporting various authentication methods.

=head1 SEE ALSO

For an overview of the vpopmail authentication plugins and their merits,
please read the VPOPMAIL section in docs/authentication.pod

=head1 AUTHOR

Matt Simerson <msimerson@cpan.org>


Copyright (c) 2010 Matt Simerson

This plugin is licensed under the same terms as the qpsmtpd package itself.
Please see the LICENSE file included with qpsmtpd for details.


use strict;

use Qpsmtpd::Constants;

sub register {
    my ($self, $qp) = @_;

    $self->register_hook("auth-plain", "auth_vpopmail" );
    $self->register_hook("auth-login", "auth_vpopmail" );
    $self->register_hook("auth-cram-md5", "auth_vpopmail");

sub auth_vpopmail {
    use vpopmail;
    use Digest::HMAC_MD5 qw(hmac_md5_hex);

    my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
    my ($pw_name, $pw_domain) = split "@", lc($user);

    $self->log(LOGINFO, "Authenticating against vpopmail: $user");

    return (DECLINED, "authvpopmail/$method - plugin not configured correctly")
      if !test_vpopmail();

    my $pw              = vauth_getpw($pw_name, $pw_domain);
    my $pw_clear_passwd = $pw->{pw_clear_passwd};
    my $pw_passwd       = $pw->{pw_passwd};

    # make sure the user exists
    if (!$pw || (!$pw_clear_passwd && !$pw_passwd)) {
        return (DENY, "authvpopmail/$method - invalid user");

        # change DENY to DECLINED to support multiple auth plugins

    return (OK, "authvpopmail/$method")
      if $pw_passwd eq crypt($passClear, $pw_passwd);

    # simplest case: clear text passwords
    if (defined $passClear && defined $pw_clear_passwd) {
        return (DENY, "authvpopmail/$method - incorrect password")
          if $passClear ne $pw_clear_passwd;
        return (OK, "authvpopmail/$method");

    if ($method =~ /CRAM-MD5/i) {

        # clear_passwd isn't defined so we cannot support CRAM-MD5
        return (DECLINED, "authvpopmail/$method") if !defined $pw_clear_passwd;

        if (defined $passHash
            and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd))

    return (OK, "authvpopmail/$method")
      if (defined $passHash
          && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd));

    return (DENY, "authvpopmail/$method - unknown error");

sub test_vpopmail {

# vpopmail will not allow vauth_getpw to succeed unless the requesting user is vpopmail or root.
# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.
    eval "use vpopmail";
    if ( $@ ) {
        warn "vpopmail perl module not installed.\n";
    my ($domain) = vpopmail::vlistdomains();
    my $r = vauth_getpw('postmaster', $domain);
    return if !$r;
    return 1;