 
Re: SASL Authentication

From: Alan Becker (beckerasoftrends.com)
Date: Sat Aug 23 2003 - 22:53:12 CDT


Thanks very much for your response. I'll look at this and assess whether
the effort is worth it for a temporary situation. Just knowing that a
patch is needed in order to achieve what I was looking for is valuable.
Thanks Again,
Alan Becker

Wietse Venema wrote:

>Alan Becker:
>
>
>>In the interest of a smooth migration, I would like (for a little while)
>>to be able to run both types
>>of users concurrently, invoking password challenges ONLY if the
>>connection is originating
>>outside our known networks, then gradually migrate all the users to the
>>authentication approach.
>>
>>
>
>Code to restrict what clients see the AUTH announcements was
>submitted by Ben Rosengart <br+postfixpanix.com> but I haven't
>gotten around to integrate this into Postfix. The TODO list is
>too long.
>
>I expect it patches fine into Postfix 1.something with no surprises,
>because the change is relatively small (one parameter definition
>and one lookup against that parameter).
>
> Wietse
>
>
>------------------------------------------------------------------------
>
>diff -ru snapshot-20010228-sasl-clean/conf/sample-auth.cf snapshot-20010228-sasl-withexceptions/conf/sample-auth.cf
>--- snapshot-20010228-sasl-clean/conf/sample-auth.cf Sun May 28 17:55:19 2000
>+++ snapshot-20010228-sasl-withexceptions/conf/sample-auth.cf Fri Nov 2 19:56:13 2001
> -73,6 +73,17
> # smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_local_domain = $myhostname
>
>+# Some clients (Netscape 4 at least) have a bug that causes them
>+# to require a login and password whenever AUTH is offered, whether
>+# it's necessary or not. To work around this, set
>+# smtpd_sasl_exceptions_networks to $mynetworks and turn on
>+# smtpd_sasl_exceptions. This will cause smtpd not to offer AUTH to
>+# clients in smtpd_sasl_exceptions_networks.
>+#
>+#smtpd_sasl_exceptions = yes
>+#smtpd_sasl_exceptions_mynetworks = $mynetworks
>+smtpd_sasl_exceptions = no
>+
> # SMTP CLIENT CONTROLS
>
> # The smtp_sasl_auth_enable parameter controls whether authentication
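Review bot: The commented sample `#smtpd_sasl_exceptions_mynetworks = $mynetworks` names a parameter that nothing else in the patch reads; the mail_params.h hunk registers the list as `smtpd_sasl_exceptions_networks`, which is also the name the comment four lines above uses. An administrator who uncomments both sample lines would therefore end up with `smtpd_sasl_exceptions = yes` and an empty network list, which as far as the smtpd.c hunks show matches no client and so changes nothing, with no error to point at the typo. The line should read `#smtpd_sasl_exceptions_networks = $mynetworks`. It would also help to say in the comment that the setting only removes AUTH from the EHLO response and is not an access control.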
>diff -ru snapshot-20010228-sasl-clean/src/global/mail_params.h snapshot-20010228-sasl-withexceptions/src/global/mail_params.h
>--- snapshot-20010228-sasl-clean/src/global/mail_params.h Tue Mar 13 16:46:56 2001
>+++ snapshot-20010228-sasl-withexceptions/src/global/mail_params.h Fri Nov 2 20:22:44 2001
> -927,6 +927,14
> #define DEF_SMTPD_SASL_REALM "$myhostname"
> extern char *var_smtpd_sasl_realm;
>
>+#define VAR_SMTPD_SASL_EXCEPTIONS "smtpd_sasl_exceptions"
>+#define DEF_SMTPD_SASL_EXCEPTIONS 0
>+extern bool var_smtpd_sasl_exceptions;
>+
>+#define VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS "smtpd_sasl_exceptions_networks"
>+#define DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS ""
>+extern char *var_smtpd_sasl_exceptions_networks;
>+
> /*
> * SASL authentication support, SMTP client side.
> */
>diff -ru snapshot-20010228-sasl-clean/src/smtpd/smtpd.c snapshot-20010228-sasl-withexceptions/src/smtpd/smtpd.c
>--- snapshot-20010228-sasl-clean/src/smtpd/smtpd.c Tue Mar 13 16:46:56 2001
>+++ snapshot-20010228-sasl-withexceptions/src/smtpd/smtpd.c Fri Nov 2 20:05:08 2001
> -61,6 +61,12
> /* Support older Microsoft clients that mis-implement the AUTH
> /* protocol, and that expect an EHLO response of "250 AUTH=list"
> /* instead of "250 AUTH list".
>+/* .IP \fBsmtpd_sasl_exceptions\fR
>+/* .IP \fBsmtpd_sasl_exceptions_networks\fR
>+/* Don't offer AUTH in the response to EHLO when talking to
>+/* clients in these networks. This is a workaround for buggy
>+/* clients that demand a login and password from the user if AUTH
>+/* is offered.
> /* .SH "Content inspection controls"
> /* .IP \fBcontent_filter\fR
> /* The name of a mail delivery transport that filters mail and that
> -269,6 +275,7
>
> /* Global library. */
>
>+#include <namadr_list.h>
> #include <mail_params.h>
> #include <record.h>
> #include <rec_type.h>
> -350,6 +357,8
> bool var_smtpd_sasl_enable;
> char *var_smtpd_sasl_opts;
> char *var_smtpd_sasl_realm;
>+bool var_smtpd_sasl_exceptions;
>+char *var_smtpd_sasl_exceptions_networks;
> char *var_filter_xport;
> bool var_broken_auth_clients;
> int var_smtpd_starttls_tmout;
> -380,6 +389,27
> static void mail_reset(SMTPD_STATE *);
> static void rcpt_reset(SMTPD_STATE *);
>
>+/* check_sasl_exceptions - Should we not offer AUTH for this IP?
>+ This is to work around a Netscape mail client bug where it
>+ tries to use AUTH if available, even if user has not configured it.
>+ Returns TRUE if AUTH should be offered in the EHLO.
>+*/
>+static int check_sasl_exceptions(NAMADR_LIST * addrlist, SMTPD_STATE *state)
>+{
>+ int match;
>+
>+ if (var_smtpd_sasl_exceptions == 0)
>+ return 1;
>+
>+ match= namadr_list_match(addrlist, state->name, state->addr);
>+
>+ if (msg_verbose)
>+ msg_info("sasl_exceptions: %s[%s], match=%d",
>+ state->name, state->addr, match);
>+
>+ return (!match);
>+}
>+
> /* collapse_args - put arguments together again */
>
> static void collapse_args(int argc, SMTPD_TOKEN *argv)
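Review bot: The header comment and the name of `check_sasl_exceptions` say the opposite of what the function returns: the first line asks "Should we not offer AUTH", yet the function returns 1 when AUTH should be offered and `!match` otherwise, so a reader has to work out the sense from the caller. A name and comment that state the positive contract avoid that, e.g. `/* sasl_auth_announce_ok - return non-zero if AUTH may be announced to this client */`. The function also relies on the caller's `var_smtpd_sasl_exceptions == 0` early return to avoid touching `addrlist`, which the ehlo_cmd hunk leaves uninitialized in that case; taking the list from a file-scope pointer that is either NULL or valid would make the guard local to this function. Finally, the function is defined outside any `#ifdef USE_SASL_AUTH` while its only caller is inside one, so non-SASL builds get an unused static function warning; wrapping the definition in the same `#ifdef` keeps the build clean.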
> -425,6 +455,12
> static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
> {
> char *err;
>+#ifdef USE_SASL_AUTH
>+ NAMADR_LIST *sasl_exceptions_networks;
>+
>+ if (var_smtpd_sasl_exceptions != 0)
>+ sasl_exceptions_networks = namadr_list_init(var_smtpd_sasl_exceptions_networks);
>+#endif
>
> if (argc < 2) {
> state->error_mask |= MAIL_ERROR_PROTOCOL;
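Review bot: The added `namadr_list_init(var_smtpd_sasl_exceptions_networks)` runs on every EHLO command and the patch never frees the result, so each EHLO a client sends leaks one parsed list and re-parses the parameter (and any tables it names) for the lifetime of the smtpd process. The list is process-wide configuration and should be built once, in the same initialization path that builds smtpd's other name/address lists (not visible in this hunk), into a file-scope `static NAMADR_LIST *sasl_exceptions_networks;`, with the local declaration and the per-command init removed. That also removes the case where `var_smtpd_sasl_exceptions` is 0 and the uninitialized local is still handed to `check_sasl_exceptions` in the later hunk. The body of ehlo_cmd continues beyond the hunk.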
> -460,7 +496,7
> smtpd_chat_reply(state, "250-STARTTLS");
> #endif
> #ifdef USE_SASL_AUTH
>- if (var_smtpd_sasl_enable) {
>+ if (var_smtpd_sasl_enable && check_sasl_exceptions(sasl_exceptions_networks, state) ) {
> #ifdef HAS_SSL
> if (!state->tls_enforce_tls || state->tls_active) {
> #endif
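Review bot: The new condition only decides whether `250-AUTH` is announced; nothing in the patch touches the handler for the AUTH command itself, so, unless that handler also consults the list (not visible here), a client in the excepted networks that sends AUTH without being offered it is still authenticated. That is consistent with the stated purpose of a client-bug workaround, but the parameter documentation in the earlier smtpd.c hunk should state it so that the setting is not mistaken for a way to restrict who may authenticate. On style, the stray space in `state) ) {` does not match the surrounding code; `state)) {` would.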
> -1702,6 +1738,7
> VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd,
> VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
> VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable,
>+ VAR_SMTPD_SASL_EXCEPTIONS, DEF_SMTPD_SASL_EXCEPTIONS, &var_smtpd_sasl_exceptions,
> VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients,
> VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
> VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
> -1732,6 +1769,7
> VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
> VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
> VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 1, 0,
>+ VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0,
> VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0,
> VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
> 0,
>
>