Apologies for the dupe (and extra noise of this response) - my mail client froze in the midst of sending, and told me it hadn't sent.

Cheers,
Brian

On Nov 1, 2006, at 4:39 PM, Brian Szymanski wrote:

Ask Bjørn Hansen wrote:
Are there any bug-fix patches we must apply before releasing 0.33? I'd like to get it out soon-ish. It's been 6+ months since the last release
and I'd like us to have at least a couple of releases a year.   :-)

I'm not aware of any bugfixes that are outstanding, only improvements. I'm not going to have time to finish the ESMTP extensions stuff (auth and tls) this week
(we're headed to Boston for the weekend), so I say go for it.

John

Since the auth/tls stuff John is working on won't make it in, any chance we can apply my auth_secure_conditions patch? I sent this before, but got no responses, positive or negative. It's been running in production without problems on our servers here for a month now. Here's what I sent last time:

The patch below allows a qpsmtpd admin to configure which authentication mechanisms s/he wants to allow over "unsecured" connections, and to define what secure/insecure connections are. The config.sample file should explain it pretty well, but here is a small sample config (sans comments), which should give you the basic gist of it:
  ssl
  ip 10.
  ip 192.168.
  ip 127.
  fallback CRAM-MD5

In short, this says allow any auth mechanism over ssl, starttls'd connections, and local IP addresses. Otherwise, only offer CRAM-MD5.

Note: This supersedes and breaks config/tls_before_auth - I don't think that config is very widespread since 0.32* didn't have it, but I'd be happy to refactor this patch, if other folks think it is necessary, to re-enable config/tls_before_auth, or at least die and instruct the admin to use the new format.

auth_secure_conditions.patch:

--- SMTP.pm.dist        2006-10-02 18:10:46.000000000 -0400
+++ SMTP.pm     2006-10-04 08:59:08.000000000 -0400
@@ -206,23 +206,55 @@
? @{ $self->transaction->notes ('capabilities') }
                         : ();

+
+    # Check if we should only offer AUTH after TLS is completed
+    my @auth_secure_conditions =
+      map { $_ =~ /^SSL/ ? ('TLS', 'PORT 465') : $_ }
+      map { $_ =~ s/^\s+//; $_ =~ s/\s+$//; uc($_) }
+      $self->config('auth_secure_conditions');
+    # always show auth if no secure conditions specified
+    my $show_auth = @auth_secure_conditions ? 0 : 1;
+    foreach my $c (@auth_secure_conditions) {
+      my ($cmd, $param) = split(/\s+/, $c, 2);
+ if($cmd eq 'TLS' && !$self->transaction->notes ('tls_enabled') ) { + $self->log(LOGDEBUG, "auth allowed because of config: $cmd");
+          $show_auth = 1;
+      } elsif($cmd eq 'PORT') {
+        $param = $param || 465; #ssmtp port is usually 465
+        if( $ENV{TCPLOCALPORT} == $param ) {
+ $self->log(LOGDEBUG, "auth allowed because of config: $cmd $param");
+          $show_auth = 1;
+        }
+      } elsif($cmd eq 'IP') {
+        $param =~ s/\./\\./g;
+        if ( $ENV{TCPREMOTEIP} =~ /^$param/ ) {
+ $self->log(LOGDEBUG, "auth allowed because of config: $cmd $param");
+          $show_auth = 1;
+        }
+      }
+      last if $show_auth;
+    }
+    $self->log(LOGDEBUG, "auth_result: $show_auth");
+    my %auth_mechanisms_clear =
+ map { my $x = $_; $x =~ s/^FALLBACK\s+//; my @x = split(/\s +/, $x);
+        map { uc($_) => 1 } @x }
+      grep(/^FALLBACK/, @auth_secure_conditions);
+
     # Check for possible AUTH mechanisms
 HOOK: foreach my $hook ( keys %{$self->{hooks}} ) {
         if ( $hook =~ m/^auth-?(.+)?$/ ) {
             if ( defined $1 ) {
                 $auth_mechanisms{uc($1)} = 1;
-            }
-            else { # at least one polymorphous auth provider
+            } else { # at least one polymorphous auth provider
%auth_mechanisms = map {$_,1} qw(PLAIN CRAM-MD5 LOGIN);
                 last HOOK;
             }
         }
     }

-    # Check if we should only offer AUTH after TLS is completed
- my $tls_before_auth = ($self->config('tls_before_auth') ? ($self->config('tls_before_auth'))[0] && $self->transaction->notes ('tls_enabled') : 0);
-    if ( %auth_mechanisms && !$tls_before_auth) {
-        push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms));
+    %auth_mechanisms = %auth_mechanisms_clear unless($show_auth);
+    if ( %auth_mechanisms ) {
+        push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms));
         $self->{_commands}->{'auth'} = "";
     }

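Review bot: the TLS test in this hunk is inverted: `if($cmd eq 'TLS' && !$self->transaction->notes ('tls_enabled') )` sets `$show_auth = 1` when TLS is not active, so with `ssl` or `tls` configured a plaintext session on port 25 is treated as secure and is offered every mechanism (PLAIN and LOGIN included), while a STARTTLS session falls through to the fallback list unless an `ip` or `port` rule happens to match. The intended check is `if ($cmd eq 'TLS' && $self->transaction->notes('tls_enabled'))`. Two smaller points: `%auth_mechanisms = %auth_mechanisms_clear unless($show_auth);` advertises the FALLBACK list verbatim even when no auth plugin implements those mechanisms (the hook loop above is the only place real mechanisms are collected), so intersecting the fallback set with the hook-derived set would be safer; and `split(/\s +/, $x)` in the FALLBACK parsing only splits on whitespace followed by at least one more space, so `fallback CRAM-MD5 LOGIN` would become a single key unless that space is a mail-wrapping artifact of `/\s+/`.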
@@ -244,7 +276,6 @@
       unless ($ok == OK);

     $mechanism = lc($mechanism);
-

     #they AUTH'd once already
     return $self->respond( 503, "but you already said AUTH ..." )
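Review bot: this hunk only deletes a blank line after `$mechanism = lc($mechanism);` and is unrelated to the feature; drop it so the patch stays focused on auth_secure_conditions and applies cleanly against unrelated whitespace changes.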
@@ -252,9 +283,8 @@
         and $self->{_auth} == OK );
     return $self->respond( 503, "AUTH not defined for HELO" )
       if ( $self->connection->hello eq "helo" );
-    return $self->respond( 503, "SSL/TLS required before AUTH" )
-      if ( ($self->config('tls_before_auth'))[0]
-       and $self->transaction->notes('tls_enabled') );
+#    return $self->respond( 503, "SSL/TLS required before AUTH" )
+#      unless ( $show_auth );

     # if we don't have a plugin implementing this auth mechanism, 504
     if( exists $auth_mechanisms{uc($mechanism)} ) {
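Review bot: the replacement 503 check is committed as commented-out code (`#      unless ( $show_auth );`), and it could not work as written anyway, because `$show_auth` is a `my` variable inside the EHLO handler in the first hunk and is not in scope here. Either delete the two dead lines or store the decision where this handler can see it (for example a connection note set in the EHLO handler) and re-enable the refusal, so that a client sending `AUTH PLAIN` over an insecure connection gets an explicit 503 instead of relying only on PLAIN having been dropped from `%auth_mechanisms` at EHLO time (the `exists $auth_mechanisms{uc($mechanism)}` test below).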




config.sample/auth_secure_conditions:

# this configuration controls when to allow any authentication method
# and when to fall back to a restricted set of authentication methods
# that are judged to be "secure". typically we want to allow all auth
# mechanisms including PLAIN and LOGIN over local networks or secure
# connections for maximum compatibility and performance, but cannot
# accept these mechanisms over the big bad internet.
#
# each line is a command, with an optional parameter. available commands:
#   "ssl" -> same as "tls" and "port 465"
#   "tls" -> starttls has been called (does NOT include ssmtp connections)
#   "port <num>" -> allow any connection to this local port. useful
#     when firewalls restrict access to secure networks, or port uses SSL
#   "ip <ip or subnet>" -> ip address or beginning of subnet to allow
#     access to. be wary of trailing dots, as "ip 10" is not the same as
#     "ip 10." (you probably want the latter).
#   "fallback <auth mechanism(s)>" -> allowable auth mechanisms for
#     connections that don't meet the "secure" criteria. if not specified
#     auth is not offered at all over these connections.
ssl
ip 10.
ip 192.168.
ip 127.
fallback CRAM-MD5


Cheers,
Brian Szymanski
[EMAIL PROTECTED]
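A stand-alone model of the auth_secure_conditions policy described in Brian's message, added here as an example (it is not qpsmtpd code and does not use its API). It parses the sample config from the message, applies the TLS rule in the sense the description gives (any mechanism once STARTTLS is active), only advertises fallback mechanisms that are actually available, and shows the "ip 10" versus "ip 10." pitfall from config.sample:

```python
# Constructed model of the proposed auth_secure_conditions policy
# (example only; not qpsmtpd code and not its API).
ALL_MECHS = frozenset(("PLAIN", "LOGIN", "CRAM-MD5"))

# Sample config taken from the message; comments and blank lines are allowed.
SAMPLE_CONFIG = """\
ssl
ip 10.
ip 192.168.
ip 127.
fallback CRAM-MD5
"""

def parse_conditions(text):
    """Return (conditions, fallback): conditions is a list of (CMD, PARAM);
    'ssl' expands to 'tls' plus 'port 465'; 'fallback' lines feed the mechanism set."""
    conditions, fallback = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        cmd = parts[0].upper()
        param = parts[1].strip() if len(parts) > 1 else ""
        if cmd == "SSL":
            conditions += [("TLS", ""), ("PORT", "465")]
        elif cmd == "FALLBACK":
            fallback.update(m.upper() for m in param.split())
        else:
            conditions.append((cmd, param))
    return conditions, fallback

def is_secure(conditions, remote_ip, local_port, tls_enabled):
    """True when any configured condition matches this connection."""
    for cmd, param in conditions:
        if cmd == "TLS" and tls_enabled:                  # STARTTLS has completed
            return True
        if cmd == "PORT" and local_port == int(param or 465):
            return True
        if cmd == "IP" and remote_ip.startswith(param):   # textual prefix: "10" also matches 100.x
            return True
    return False

def offered_mechanisms(config_text, remote_ip, local_port, tls_enabled, available=ALL_MECHS):
    """Mechanisms to advertise in the EHLO AUTH capability for this connection."""
    conditions, fallback = parse_conditions(config_text)
    if not conditions and not fallback:   # nothing configured: always offer AUTH
        return set(available)
    if is_secure(conditions, remote_ip, local_port, tls_enabled):
        return set(available)
    # only mechanisms some plugin actually provides are advertised from the fallback list
    return set(available) & fallback
```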