diff options
Diffstat (limited to 'src/smtp/smtp_sasl_proto.c')
-rw-r--r-- | src/smtp/smtp_sasl_proto.c | 202 |
1 files changed, 202 insertions, 0 deletions
diff --git a/src/smtp/smtp_sasl_proto.c b/src/smtp/smtp_sasl_proto.c new file mode 100644 index 0000000..6a51696 --- /dev/null +++ b/src/smtp/smtp_sasl_proto.c @@ -0,0 +1,202 @@ +/*++ +/* NAME +/* smtp_sasl_proto 3 +/* SUMMARY +/* Postfix SASL interface for SMTP client +/* SYNOPSIS +/* #include smtp_sasl.h +/* +/* void smtp_sasl_helo_auth(state, words) +/* SMTP_STATE *state; +/* const char *words; +/* +/* int smtp_sasl_helo_login(state) +/* SMTP_STATE *state; +/* DESCRIPTION +/* This module contains random chunks of code that implement +/* the SMTP protocol interface for SASL negotiation. The goal +/* is to reduce clutter in the main SMTP client source code. +/* +/* smtp_sasl_helo_auth() processes the AUTH option in the +/* SMTP server's EHLO response. +/* +/* smtp_sasl_helo_login() authenticates the SMTP client to the +/* SMTP server, using the authentication mechanism information +/* given by the server. The result is a Postfix delivery status +/* code in case of trouble. +/* +/* Arguments: +/* .IP state +/* Session context. +/* .IP words +/* List of SASL authentication mechanisms (separated by blanks) +/* DIAGNOSTICS +/* All errors are fatal. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Original author: +/* Till Franke +/* SuSE Rhein/Main AG +/* 65760 Eschborn, Germany +/* +/* Adopted by: +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library. */ + +#include <sys_defs.h> +#include <string.h> +#ifdef STRCASECMP_IN_STRINGS_H +#include <strings.h> +#endif + +/* Utility library. */ + +#include <msg.h> +#include <mymalloc.h> +#include <stringops.h> + +/* Global library. */ + +#include <mail_params.h> + +/* Application-specific. */ + +#include "smtp.h" +#include "smtp_sasl.h" + +#ifdef USE_SASL_AUTH + +/* smtp_sasl_compat_mechs - Trim server's mechanism list */ + +static const char *smtp_sasl_compat_mechs(const char *words) +{ + static VSTRING *buf; + char *mech_list; + char *save_mech; + char *mech; + + /* + * Use server's mechanisms if no filter specified + */ + if (smtp_sasl_mechs == 0 || *words == 0) + return (words); + + if (buf == 0) + buf = vstring_alloc(10); + + VSTRING_RESET(buf); + VSTRING_TERMINATE(buf); + + save_mech = mech_list = mystrdup(words); + + while ((mech = mystrtok(&mech_list, " \t")) != 0) { + if (string_list_match(smtp_sasl_mechs, mech)) { + if (VSTRING_LEN(buf) > 0) + VSTRING_ADDCH(buf, ' '); + vstring_strcat(buf, mech); + } else if (smtp_sasl_mechs->error) { + msg_fatal("SASL mechanism filter failed for: '%s'", mech); + } + } + myfree(save_mech); + + return (vstring_str(buf)); +} + +/* smtp_sasl_helo_auth - handle AUTH option in EHLO reply */ + +void smtp_sasl_helo_auth(SMTP_SESSION *session, const char *words) +{ + const char *mech_list = smtp_sasl_compat_mechs(words); + char *junk; + + /* + * XXX If the server offers no compatible authentication mechanisms, then + * pretend that the server doesn't support SASL authentication. + * + * XXX If the server offers multiple different lists, concatenate them. Let + * the SASL library worry about duplicates. + */ + if (session->sasl_mechanism_list) { + if (strcasecmp(session->sasl_mechanism_list, mech_list) != 0 + && strlen(mech_list) > 0 + && strlen(session->sasl_mechanism_list) < var_line_limit) { + junk = concatenate(session->sasl_mechanism_list, " ", mech_list, + (char *) 0); + myfree(session->sasl_mechanism_list); + session->sasl_mechanism_list = junk; + } + return; + } + if (strlen(mech_list) > 0) { + session->sasl_mechanism_list = mystrdup(mech_list); + } else { + msg_warn(*words ? "%s offered no supported AUTH mechanisms: '%s'" : + "%s offered null AUTH mechanism list%s", + session->namaddrport, words); + } + session->features |= SMTP_FEATURE_AUTH; +} + +/* smtp_sasl_helo_login - perform SASL login */ + +int smtp_sasl_helo_login(SMTP_STATE *state) +{ + SMTP_SESSION *session = state->session; + DSN_BUF *why = state->why; + int ret; + + /* + * Skip authentication when no authentication info exists for this + * server, so that we talk to each other like strangers. + */ + if (smtp_sasl_passwd_lookup(session) == 0) { + session->features &= ~SMTP_FEATURE_AUTH; + return 0; + } + + /* + * Otherwise, if authentication information exists, assume that + * authentication is required, and assume that an authentication error is + * recoverable from the message delivery point of view. An authentication + * error is unrecoverable from a session point of view - the session will + * not be reused. + */ + ret = 0; + if (session->sasl_mechanism_list == 0) { + dsb_simple(why, "4.7.0", "SASL authentication failed: " + "server %s offered no compatible authentication mechanisms for this type of connection security", + session->namaddr); + ret = smtp_sess_fail(state); + /* Session reuse is disabled. */ + } else { +#ifndef USE_TLS + smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_OPTS), var_smtp_sasl_opts); +#else + if (session->tls_context == 0) + smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_OPTS), + var_smtp_sasl_opts); + else if (TLS_CERT_IS_MATCHED(session->tls_context)) + smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_TLSV_OPTS), + var_smtp_sasl_tlsv_opts); + else + smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_TLS_OPTS), + var_smtp_sasl_tls_opts); +#endif + if (smtp_sasl_authenticate(session, why) <= 0) { + ret = smtp_sess_fail(state); + /* Session reuse is disabled. */ + } + } + return (ret); +} + +#endif |