Ask Bjørn Hansen wrote:
Are there any bug-fix patches we must apply before releasing 0.33? I'd like to get it out soon-ish. It's been +6 months since the last release and I'd like us to have at least a couple of releases a year. :-)
I'm not aware of any bugfixes that are outstanding, only improvements. I'm not going to have time to finish the ESMTP extensions stuff (auth and tls) this week (we're headed to Boston for the weekend), so I say go for it.
John
Since the auth/tls stuff John is working on won't make it in, any chance we can apply my auth_secure_conditions patch? I sent this before, but got no responses positive or negative. It's running in production without problem on our servers here for a month now. Here's what I sent last time:
The below patch allows a qpsmtpd admin to configure which authentication mechanisms s/he wants to allow over "unsecured" connections, and define what secure/unsecure connections are. The config.sample file should explain it pretty well, but here is a small sample config (sans comments), which should give you the basic gist of it:
ssl
ip 10.
ip 192.168.
ip 127.
fallback CRAM-MD5
In short, this says allow any auth mechanism over ssl, starttls'd connections, and local IP addresses. Otherwise, only offer CRAM-MD5.
Note: This supersedes and breaks config/tls_before_auth - I don't think that config is very widespread since 0.32* didn't have it, but I'd be happy to refactor this patch, if other folks think it is necessary, to re-enable config/tls_before_auth, or at least die and instruct the admin to use the new format.
auth_secure_conditions.patch:
--- SMTP.pm.dist 2006-10-02 18:10:46.000000000 -0400
+++ SMTP.pm 2006-10-04 08:59:08.000000000 -0400
@@ -206,23 +206,55 @@
? @{ $self->transaction->notes
('capabilities') }
: ();
+
+ # Check if we should only offer AUTH after TLS is completed
+ my @auth_secure_conditions =
+ map { $_ =~ /^SSL/ ? ('TLS', 'PORT 465') : $_ }
+ map { $_ =~ s/^\s+//; $_ =~ s/\s+$//; uc($_) }
+ $self->config('auth_secure_conditions');
+ # always show auth if no secure conditions specified
+ my $show_auth = @auth_secure_conditions ? 0 : 1;
+ foreach my $c (@auth_secure_conditions) {
+ my ($cmd, $param) = split(/\s+/, $c, 2);
+ if($cmd eq 'TLS' && !$self->transaction->notes('tls_enabled') ) {
+ $self->log(LOGDEBUG, "auth allowed because of config: $cmd");
+ $show_auth = 1;
+ } elsif($cmd eq 'PORT') {
+ $param = $param || 465; #ssmtp port is usually 465
+ if( $ENV{TCPLOCALPORT} == $param ) {
+ $self->log(LOGDEBUG, "auth allowed because of config: $cmd
$param");
+ $show_auth = 1;
+ }
+ } elsif($cmd eq 'IP') {
+ $param =~ s/\./\\./g;
+ if ( $ENV{TCPREMOTEIP} =~ /^$param/ ) {
+ $self->log(LOGDEBUG, "auth allowed because of config: $cmd
$param");
+ $show_auth = 1;
+ }
+ }
+ last if $show_auth;
+ }
+ $self->log(LOGDEBUG, "auth_result: $show_auth");
+ my %auth_mechanisms_clear =
+ map { my $x = $_; $x =~ s/^FALLBACK\s+//; my @x = split(/\s+/,
$x);
+ map { uc($_) => 1 } @x }
+ grep(/^FALLBACK/, @auth_secure_conditions);
+
# Check for possible AUTH mechanisms
HOOK: foreach my $hook ( keys %{$self->{hooks}} ) {
if ( $hook =~ m/^auth-?(.+)?$/ ) {
if ( defined $1 ) {
$auth_mechanisms{uc($1)} = 1;
- }
- else { # at least one polymorphous auth provider
+ } else { # at least one polymorphous auth provider
%auth_mechanisms = map {$_,1} qw(PLAIN CRAM-MD5
LOGIN);
last HOOK;
}
}
}
- # Check if we should only offer AUTH after TLS is completed
- my $tls_before_auth = ($self->config('tls_before_auth') ? ($self-
>config('tls_before_auth'))[0] && $self->transaction->notes
('tls_enabled') : 0);
- if ( %auth_mechanisms && !$tls_before_auth) {
- push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms));
+ %auth_mechanisms = %auth_mechanisms_clear unless($show_auth);
+ if ( %auth_mechanisms ) {
+ push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms));
$self->{_commands}->{'auth'} = "";
}
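Review bot: the IP branch escapes only the dots in $param before interpolating it into /^$param/, so any other regex metacharacter in a config line changes what matches; use /^\Q$param\E/ (or quotemeta) and skip the branch when $param is undefined, since a bare "ip" line would otherwise interpolate an empty string and match every client. Two smaller points: "%auth_mechanisms = %auth_mechanisms_clear unless($show_auth);" replaces the hook-derived set wholesale, so a fallback mechanism that no auth plugin implements is advertised and then fails at AUTH time; filter %auth_mechanisms_clear against the keys collected from the auth-* hooks instead. And the TLS branch grants AUTH when transaction->notes('tls_enabled') is NOT set, which mirrors the tls_before_auth logic it replaces but reads inverted; a comment stating what that note means, and that the condition is always true when the note is never set, would save the next reader the same double-take.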
@@ -244,7 +276,6 @@
unless ($ok == OK);
$mechanism = lc($mechanism);
-
#they AUTH'd once already
return $self->respond( 503, "but you already said AUTH ..." )
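Review bot: this hunk only removes a blank line after "$mechanism = lc($mechanism);" and is unrelated to the auth_secure_conditions feature; drop it so the patch stays minimal.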
@@ -252,9 +283,8 @@
and $self->{_auth} == OK );
return $self->respond( 503, "AUTH not defined for HELO" )
if ( $self->connection->hello eq "helo" );
- return $self->respond( 503, "SSL/TLS required before AUTH" )
- if ( ($self->config('tls_before_auth'))[0]
- and $self->transaction->notes('tls_enabled') );
+# return $self->respond( 503, "SSL/TLS required before AUTH" )
+# unless ( $show_auth );
# if we don't have a plugin implementing this auth mechanism, 504
if( exists $auth_mechanisms{uc($mechanism)} ) {
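Review bot: the commented-out replacement for the 503 check references $show_auth, which is a lexical inside the EHLO capabilities code and not visible here, so the check can never be re-enabled as written; either remove the dead comment or record the decision in a connection note and test that note here. With the 503 gone, the only enforcement at AUTH time is the "exists $auth_mechanisms{uc($mechanism)}" test, which relies on %auth_mechanisms having been narrowed during EHLO; a comment stating that dependency belongs here.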
config.sample/auth_secure_conditions:
# this configuration controls when to allow any authentication method
# and when to fall back to a restricted set of authentication methods
# that are judged to be "secure". typically we want to allow all auth
# mechanisms including PLAIN and LOGIN over local networks or secure
# connections for maximum compatibility and performance, but cannot
# accept these mechanisms over the big bad internet.
#
# each line is a command, with an optional parameter. available commands:
# "ssl" -> same as "tls" and "port 465"
# "tls" -> starttls has been called (does NOT include ssmtp connections)
# "port <num>" -> allow any connection to this local port. useful
# when firewalls restrict access to secure networks, or port uses SSL
# "ip <ip or subnet>" -> ip address or beginning of subnet to allow
# access to. be wary of trailing dots, as "ip 10" is not the same as
# "ip 10." (you probably want the latter).
# "fallback <auth mechanism(s)>" - allowable auth mechanisms for
# connections that don't meet the "secure" criteria. if not specified
# auth is not offered at all over these connections.
ssl
ip 10.
ip 192.168.
ip 127.
fallback CRAM-MD5
Cheers,
Brian Szymanski
[EMAIL PROTECTED]
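As an added example (not Brian's patch and not qpsmtpd code), the following stand-alone Perl script models the policy that config.sample/auth_secure_conditions describes: it parses the same command lines, classifies a connection as secure or not, and derives the AUTH mechanisms to advertise. The $conn hash, the %available set and the sample addresses are constructed stand-ins for $ENV{TCPLOCALPORT}, $ENV{TCPREMOTEIP}, the tls note and the auth-* hooks. It goes beyond the patch in two places: the "ip" prefix is interpolated with \Q...\E rather than by escaping dots only, and the fallback list is intersected with the mechanisms a plugin actually provides. The last lines exercise the trailing-dot caveat from the config sample.

```perl
#!/usr/bin/perl
# Added example, not part of Brian's patch or of qpsmtpd: a stand-alone model
# of the auth_secure_conditions policy. A plain hash ($conn) stands in for
# $ENV{TCPLOCALPORT}, $ENV{TCPREMOTEIP} and the tls note.
use strict;
use warnings;

# Constructed config, same shape as config.sample/auth_secure_conditions.
my @config_lines = (
    '# comments and blank lines are ignored',
    'ssl',
    'ip 10.',
    'ip 192.168.',
    'ip 127.',
    'fallback CRAM-MD5',
);

# Parse config lines into [COMMAND, PARAM] pairs plus the fallback set.
# "ssl" expands to "tls" and "port 465", as in the patch.
sub parse_conditions {
    my @lines = @_;
    my (@conds, %fallback);
    for my $line (@lines) {
        next if $line =~ /^\s*(#|$)/;
        $line =~ s/^\s+|\s+$//g;
        my ($cmd, $param) = split /\s+/, uc($line), 2;
        if ($cmd eq 'SSL') {
            push @conds, ['TLS', undef], ['PORT', 465];
        } elsif ($cmd eq 'FALLBACK') {
            $fallback{$_} = 1 for split /\s+/, (defined $param ? $param : '');
        } else {
            push @conds, [$cmd, $param];
        }
    }
    return (\@conds, \%fallback);
}

# $conn = { tls => 0|1, local_port => N, remote_ip => 'a.b.c.d' }.
# Returns 1 if any configured condition classifies the connection as secure.
sub connection_is_secure {
    my ($conds, $conn) = @_;
    for my $c (@$conds) {
        my ($cmd, $param) = @$c;
        if ($cmd eq 'TLS') {
            return 1 if $conn->{tls};
        } elsif ($cmd eq 'PORT') {
            $param = 465 unless defined $param && $param =~ /^\d+$/;
            return 1 if $conn->{local_port} == $param;
        } elsif ($cmd eq 'IP') {
            next unless defined $param;
            # \Q...\E quotes every regex metacharacter in the config value,
            # not only the dots; still a prefix match, as in the patch.
            return 1 if $conn->{remote_ip} =~ /^\Q$param\E/;
        }
    }
    return 0;
}

# Mechanisms to advertise: everything the auth plugins provide on a secure
# connection, otherwise only the fallback ones a plugin actually provides
# (the patch advertises the fallback list as-is; the intersection is added).
sub offered_mechanisms {
    my ($conds, $fallback, $available, $conn) = @_;
    return sort { $a cmp $b } keys %$available
        if connection_is_secure($conds, $conn);
    return sort { $a cmp $b } grep { $available->{$_} } keys %$fallback;
}

my ($conds, $fallback) = parse_conditions(@config_lines);
# Constructed: what the loaded auth plugins would register via auth-* hooks.
my %available = map { $_ => 1 } qw(PLAIN LOGIN CRAM-MD5);

my @cases = (
    { tls => 0, local_port => 25,  remote_ip => '203.0.113.7' },  # internet, cleartext
    { tls => 1, local_port => 25,  remote_ip => '203.0.113.7' },  # after STARTTLS
    { tls => 0, local_port => 465, remote_ip => '203.0.113.7' },  # SMTPS port
    { tls => 0, local_port => 25,  remote_ip => '10.0.0.5'    },  # matches "ip 10."
    { tls => 0, local_port => 25,  remote_ip => '100.64.0.1'  },  # not "10." -> fallback only
);
for my $conn (@cases) {
    printf "%-12s port %-3d tls=%d -> AUTH %s\n",
        $conn->{remote_ip}, $conn->{local_port}, $conn->{tls},
        join(' ', offered_mechanisms($conds, $fallback, \%available, $conn)) || '(none)';
}

# The trailing-dot pitfall from config.sample: a bare "ip 10" is a prefix
# match and also admits 100.64.0.1, while "ip 10." does not.
my ($loose)  = parse_conditions('ip 10');
my ($strict) = parse_conditions('ip 10.');
my $outsider = { tls => 0, local_port => 25, remote_ip => '100.64.0.1' };
printf "\"ip 10\"  admits 100.64.0.1: %d\n", connection_is_secure($loose,  $outsider);
printf "\"ip 10.\" admits 100.64.0.1: %d\n", connection_is_secure($strict, $outsider);
```

Run it with plain perl; no modules beyond strict and warnings are needed. The two helpers take the parsed policy and a connection hash, so the same functions could be driven from a test file with many more cases than the five constructed here.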