[anounce] PAM lookup table
From: Andrew I Baznikin (dikiyobraz
mail.ru)
Date: Tue Apr 22 2003 - 02:43:29 CDT
Hi!
I wrote a patch that adds PAM lookup table support to Postfix.
I have built a mail system with RADIUS authorization and Cyrus as the maildrop. To check whether a user@domain.my exists or not (for local_recipient_maps), I have to ask RADIUS. So: dict_pam & pam_radius, and it all works fine. Perhaps someone will find this useful.
[-- patch here ------------------------------]
diff -Naur ./postfix-2.0.6/README_FILES/PAM_README /home/dikiy/src/postfix/postfix-2.0.6/README_FILES/PAM_README
--- ./postfix-2.0.6/README_FILES/PAM_README Thu Jan 1 07:00:00 1970
+++ /home/dikiy/src/postfix/postfix-2.0.6/README_FILES/PAM_README Mon Apr 21 13:57:26 2003

-0,0 +1,26 
+PAM map type for Postfix.
+
+Written by Andrew I Baznikin <dikiyobraz
mail.ru>, JSC ISP "Tel", Russia.
+
+In order to build postfix with PAM map support, you will need to add
+-DHAS_PAM and the libpam library to AUXLIBS, for example:
+
+make -f Makefile.init makefiles \
+ 'CCARGS=-DHAS_PAM' \
+ 'AUXLIBS=-L/usr/lib -lpam'
+
+then, just run 'make'.
+
+Once postfix is built with PAM map support, you can specify a map type
+in main.cf like this:
+
+local_recipient_maps = pam:smtpcheck
+
+In this example 'smtpcheck' is service name, applicant is e-mail address of recipient.
+Facility is always "auth". See pam(8) for details.
+
+Add some lines to /etc/pam.conf (or /etc/pam.d/<servicename>) :
+ #smtpcheck auth sufficient pam_permit.so debug try_first_pass
+ #smtpcheck auth sufficient pam_deny.so debug try_first_pass
+ smtpcheck auth sufficient pam_unix.so debug try_first_pass
+ smtpcheck auth required pam_radius.so debug try_first_pass
diff -Naur ./postfix-2.0.6/conf/postfix-files /home/dikiy/src/postfix/postfix-2.0.6/conf/postfix-files
--- ./postfix-2.0.6/conf/postfix-files Mon Jan 13 00:08:12 2003
+++ /home/dikiy/src/postfix/postfix-2.0.6/conf/postfix-files Mon Apr 21 13:45:24 2003

-185,6 +185,7 
$readme_directory/MYSQL_README:f:root:-:644
$readme_directory/NFS_README:f:root:-:644
$readme_directory/PACKAGE_README:f:root:-:644
+$readme_directory/PAM_README:f:root:-:644
$readme_directory/PCRE_README:f:root:-:644
$readme_directory/QMQP_README:f:root:-:644
$readme_directory/RELEASE_NOTES:f:root:-:644
diff -Naur ./postfix-2.0.6/src/util/Makefile.in /home/dikiy/src/postfix/postfix-2.0.6/src/util/Makefile.in
--- ./postfix-2.0.6/src/util/Makefile.in Thu Feb 20 07:22:20 2003
+++ /home/dikiy/src/postfix/postfix-2.0.6/src/util/Makefile.in Mon Apr 21 13:07:58 2003

-4,8 +4,8 
chroot_uid.c clean_env.c close_on_exec.c concatenate.c ctable.c \
dict.c dict_alloc.c dict_db.c dict_dbm.c dict_debug.c dict_env.c \
dict_ht.c dict_ldap.c dict_mysql.c dict_ni.c dict_nis.c \
- dict_nisplus.c dict_open.c dict_pcre.c dict_regexp.c dict_static.c \
- dict_tcp.c dict_unix.c dir_forest.c doze.c duplex_pipe.c \
+ dict_nisplus.c dict_open.c dict_pam.c dict_pcre.c dict_regexp.c \
+ dict_static.c dict_tcp.c dict_unix.c dir_forest.c doze.c duplex_pipe.c \
environ.c events.c exec_command.c fifo_listen.c fifo_trigger.c \
file_limit.c find_inet.c fsspace.c fullname.c get_domainname.c \
get_hostname.c hex_quote.c htable.c inet_addr_host.c \

-32,8 +32,8 
chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
dict.o dict_alloc.o dict_db.o dict_dbm.o dict_debug.o dict_env.o \
dict_ht.o dict_ldap.o dict_mysql.o dict_ni.o dict_nis.o \
- dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o dict_static.o \
- dict_tcp.o dict_unix.o dir_forest.o doze.o duplex_pipe.o \
+ dict_nisplus.o dict_open.o dict_pam.o dict_pcre.o dict_regexp.o \
+ dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o duplex_pipe.o \
environ.o events.o exec_command.o fifo_listen.o fifo_trigger.o \
file_limit.o find_inet.o fsspace.o fullname.o get_domainname.o \
get_hostname.o hex_quote.o htable.o inet_addr_host.o \

-58,8 +58,8 
HDRS = argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
dict_ht.h dict_ldap.h dict_mysql.h dict_ni.h dict_nis.h \
- dict_nisplus.h dict_pcre.h dict_regexp.h dict_static.h dict_tcp.h \
- dict_unix.h dir_forest.h events.h exec_command.h find_inet.h \
+ dict_nisplus.h dict_pam.h dict_pcre.h dict_regexp.h dict_static.h \
+ dict_tcp.h dict_unix.h dir_forest.h events.h exec_command.h find_inet.h \
fsspace.h fullname.h get_domainname.h get_hostname.h hex_quote.h \
htable.h inet_addr_host.h inet_addr_list.h inet_addr_local.h \
inet_util.h intv.h iostuff.h line_wrap.h listen.h lstat_as.h \

-615,6 +615,7 
dict_open.o: dict_ni.h
dict_open.o: dict_ldap.h
dict_open.o: dict_mysql.h
+dict_open.o: dict_pam.h
dict_open.o: dict_pcre.h
dict_open.o: dict_regexp.h
dict_open.o: dict_static.h

-622,6 +623,15 
dict_open.o: vstring.h
dict_open.o: split_at.h
dict_open.o: htable.h
+dict_pam.o: dict_pam.c
+dict_pam.o: sys_defs.h
+dict_pam.o: mymalloc.h
+dict_pam.o: msg.h
+dict_pam.o: dict.h
+dict_pam.o: vstream.h
+dict_pam.o: vbuf.h
+dict_pam.o: argv.h
+dict_pam.o: dict_pam.h
dict_pcre.o: dict_pcre.c
dict_pcre.o: sys_defs.h
dict_pcre.o: mymalloc.h
diff -Naur ./postfix-2.0.6/src/util/dict_open.c /home/dikiy/src/postfix/postfix-2.0.6/src/util/dict_open.c
--- ./postfix-2.0.6/src/util/dict_open.c Sun Jan 5 08:07:25 2003
+++ /home/dikiy/src/postfix/postfix-2.0.6/src/util/dict_open.c Mon Apr 21 12:21:10 2003

-174,6 +174,7 
#include <dict_ni.h>
#include <dict_ldap.h>
#include <dict_mysql.h>
+#include <dict_pam.h>
#include <dict_pcre.h>
#include <dict_regexp.h>
#include <dict_static.h>

-222,6 +223,9 
#endif
#ifdef HAS_POSIX_REGEXP
DICT_TYPE_REGEXP, dict_regexp_open,
+#endif
+#ifdef HAS_PAM
+ DICT_TYPE_PAM, dict_pam_open,
#endif
DICT_TYPE_STATIC, dict_static_open,
0,
diff -Naur ./postfix-2.0.6/src/util/dict_pam.c /home/dikiy/src/postfix/postfix-2.0.6/src/util/dict_pam.c
--- ./postfix-2.0.6/src/util/dict_pam.c Thu Jan 1 07:00:00 1970
+++ /home/dikiy/src/postfix/postfix-2.0.6/src/util/dict_pam.c Mon Apr 21 13:48:38 2003

-0,0 +1,156 
+/*++
+/* NAME
+/* dict_pam 3
+/* SUMMARY
+/* dictionary manager interface to PAM
+/* SYNOPSIS
+/* #include <dict_pam.h>
+/*
+/* DICT *dict_pam_open(service, dummy, dict_flags)
+/* const char *service;
+/* int dummy;
+/* int dict_flags;
+/* DESCRIPTION
+/* dict_pam_open() implements a dictionary that returns
+/* as lookup result the key value on PAM_SUCCESS
+/* and 0 on any other.
+/*
+/* The \fIdummy\fR argument is ignored.
+/* SEE ALSO
+/* dict(3) generic dictionary manager
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Andrew I Baznikin
+/* dikiyobraz
mail.ru
+/* http://d.scn.ru
+/*--*/
+
+/* System library. */
+
+#include "sys_defs.h"
+
+#ifdef HAS_PAM
+#include <unistd.h>
+#include <security/pam_appl.h>
+
+/* Utility library. */
+
+#include "mymalloc.h"
+#include "msg.h"
+#include "vstring.h"
+#include "dict.h"
+#include "dict_pam.h"
+
+int converse(int, const struct pam_message **, struct pam_response **, void *);
+
+typedef struct {
+ DICT dict;
+ VSTRING *service;
+} DICT_PAM;
+
+/* answer 'Ok' on any request .) */
+int converse(int n, const struct pam_message **msg,
+ struct pam_response **resp, void *data)
+{
+ char buf[PAM_MAX_RESP_SIZE];
+ int i;
+
+ data = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ if ((*resp = calloc(n, sizeof **resp)) == NULL)
+ return (PAM_BUF_ERR);
+ for (i = 0; i < n; ++i) {
+ resp[i]->resp_retcode = 0;
+ resp[i]->resp = strdup(msg[i]->msg); // FIXME
+ }
+
+ return (PAM_SUCCESS);
+}
+
+
+/* dict_pam_lookup - access PAM */
+
+static const char *dict_pam_lookup(DICT *dict, const char *name)
+{
+ DICT_PAM *dp = (DICT_PAM *) dict;
+ int pam_err;
+ char *auth_tok, *tty;
+
+ static pam_handle_t *pamh;
+ static struct pam_conv pamc;
+
+ pamc.conv = &converse;
+ if ((pam_err = pam_start( vstring_str(dp->service), name, &pamc, &pamh))
+ != PAM_SUCCESS)
+ goto pamerr;
+
+ if (msg_verbose)
+ msg_info("pam: dict_pam_lookup %s with service '%s'", name, vstring_str(dp->service));
+
+ tty = ttyname(STDERR_FILENO);
+ tty = tty ? tty : "unknown";
+ if ((pam_err = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS)
+ goto pamerr;
+
+ // authenticate the applicant
+ if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
+ goto pamerr;
+
+ if (msg_verbose)
+ msg_info("pam: dict_pam_lookup success");
+ return (name);
+
+ pamerr:
+ if (msg_verbose)
+ msg_warn("PAM error %d (%s)", pam_err, pam_strerror(pamh, pam_err));
+ pam_end(pamh, pam_err);
+ return (0);
+}
+
+/* dict_pam_close - close PAM dictionary */
+
+static void dict_pam_close(DICT *dict)
+{
+ DICT_PAM *dp = (DICT_PAM *) dict;
+
+ if (msg_verbose)
+ msg_info("pam: dict_pam_close");
+ vstring_free(dp->service);
+ dict_free(dict);
+}
+
+/* dict_pam_open - make association with PAM */
+
+DICT *dict_pam_open(const char *service, int param, int dict_flags)
+{
+ DICT_PAM *dp;
+ VSTRING *s, *f;
+
+ if (msg_verbose)
+ msg_info("pam: dict_pam_open: service %s, param %d, dict_flags %d ", service, param, dict_flags);
+
+ dp = (DICT_PAM *) dict_alloc(DICT_TYPE_PAM, service, sizeof(DICT_PAM));
+
+ dp->service = vstring_alloc(10);
+
+ vstring_strcpy(dp->service, service);
+ dp->dict.lookup = dict_pam_lookup;
+ dp->dict.close = dict_pam_close;
+ dp->dict.flags = dict_flags | DICT_FLAG_FIXED;
+
+ return (DICT_DEBUG (&dp->dict));
+}
+#endif
\ No newline at end of file
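Review bot: `dict_pam_lookup` never calls `pam_end()` on its success path, so every successful lookup leaks the handle that `pam_start()` allocated (the static `pamh` is simply overwritten on the next call), while the `pamerr:` path calls `pam_strerror()` and `pam_end()` even when `pam_start()` itself failed and `pamh` is presumably not a valid handle. A PAM failure is also reported exactly like "no such user": the function returns 0 without touching `dict_errno`, so a transient backend error (the RADIUS server being unreachable, say) would make Postfix reject the recipient rather than defer it; setting `dict_errno = DICT_ERR_RETRY` for results other than `PAM_AUTH_ERR`/`PAM_USER_UNKNOWN` would match what the other network-backed dict types do. In `converse()` the loop writes through `resp[i]->…`, which indexes the `struct pam_response **` argument rather than the array `calloc()` returned, so only `i == 0` lands in the allocated block; it should be `(*resp)[i].resp_retcode = 0;` and `(*resp)[i].resp = strdup(msg[i]->msg);` with the `strdup()` result checked, and `converse` should be `static` since the name is otherwise exported from the util library. Answering every prompt with the prompt text (the existing FIXME) also means any password-consuming module in the stack sees the prompt string as the credential, which is worth stating in the file comment so an administrator does not stack a module that relies on it; the unused `buf`, `auth_tok`, `s` and `f` locals can go.
```c
static const char *dict_pam_lookup(DICT *dict, const char *name)
{
    DICT_PAM *dp = (DICT_PAM *) dict;
    pam_handle_t *pamh = 0;
    struct pam_conv pamc;
    int     pam_err;
    char   *tty;

    pamc.conv = converse;
    pamc.appdata_ptr = 0;
    dict_errno = 0;
    if ((pam_err = pam_start(vstring_str(dp->service), name, &pamc, &pamh))
        != PAM_SUCCESS) {
        /* No handle to release here; pam_strerror() accepts a null handle. */
        msg_warn("pam: pam_start failed for service '%s': %s",
                 vstring_str(dp->service), pam_strerror(0, pam_err));
        dict_errno = DICT_ERR_RETRY;
        return (0);
    }
    /* … unchanged: verbose logging, ttyname() lookup … */
    if ((pam_err = pam_set_item(pamh, PAM_TTY, tty)) == PAM_SUCCESS)
        pam_err = pam_authenticate(pamh, 0);
    if (pam_err != PAM_SUCCESS && msg_verbose)
        msg_warn("PAM error %d (%s)", pam_err, pam_strerror(pamh, pam_err));
    pam_end(pamh, pam_err);                 /* release the handle on every path */
    if (pam_err == PAM_SUCCESS)
        return (name);
    if (pam_err != PAM_AUTH_ERR && pam_err != PAM_USER_UNKNOWN)
        dict_errno = DICT_ERR_RETRY;        /* backend error: defer, don't reject */
    return (0);
}
```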
diff -Naur ./postfix-2.0.6/src/util/dict_pam.h /home/dikiy/src/postfix/postfix-2.0.6/src/util/dict_pam.h
--- ./postfix-2.0.6/src/util/dict_pam.h Thu Jan 1 07:00:00 1970
+++ /home/dikiy/src/postfix/postfix-2.0.6/src/util/dict_pam.h Mon Apr 21 10:59:58 2003

-0,0 +1,36 
+#ifndef _DICT_PAM_H_INCLUDED_
+#define _DICT_PAM_H_INCLUDED_
+
+/*++
+/* NAME
+/* dict_pam 3h
+/* SUMMARY
+/* dictionary manager interface to PAM
+/* SYNOPSIS
+/* #include <dict_pam.h>
+/* DESCRIPTION
+/* .nf
+
+ /*
+ * Utility library.
+ */
+#include <dict.h>
+
+ /*
+ * External interface.
+ */
+#define DICT_TYPE_PAM "pam"
+
+extern DICT *dict_pam_open(const char *, int, int);
+
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Andrew I Baznikin
+/* dikiyobraz
mail.ru
+/* http://d.scn.ru
+/*--*/
+
+#endif
[-- patch end ------------------------------]
--
Andrew I Baznikin
http://d.scn.ru
# /\ ASCII ribbon
# \/ campaign
# /\ against
# / \ HTML email