From: Matt Simerson <[email protected]>
---
plugins/auth/auth_vpopmail | 105 ++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 105 insertions(+), 0 deletions(-)
create mode 100644 plugins/auth/auth_vpopmail
diff --git a/plugins/auth/auth_vpopmail b/plugins/auth/auth_vpopmail
new file mode 100644
index 0000000..bfe7c00
--- /dev/null
+++ b/plugins/auth/auth_vpopmail
@@ -0,0 +1,105 @@
+#!/usr/bin/perl -w
+use strict;
+
+=head1 NAME
+
+auth_vpopmail - Authenticate against libvpopmail.a
+
+=head1 DESCRIPTION
+
+This plugin authenticates vpopmail users using p5-vpopmail.
+Using CRAM-MD5 requires that vpopmail be built with the
+'--enable-clear-passwd=y' option.
+
+=head1 CONFIGURATION
+
+This module will only work if qpsmtpd is running as the 'vpopmail' user.
+
+CRAM-MD5 authentication will only work if you edit the vpopmail.xs file
+(from the p5-vpopmail dist). Find the vauth_getpw function and duplicate
+the "SET HASH->{pw_passwd}" block, renaming pw_passwd to pw_clear_passwd.
+Then compile and install. I have contacted the author of p5-vpopmail and
+hope to get this change rolled into a new version.
+
+Decide which authentication methods you are willing to support and uncomment
+the lines in the register() sub. See the POD for Qspmtpd::Auth for more
+details on the ramifications of supporting various authentication methods.
+
+=head1 AUTHOR
+
+Matt Simerson <[email protected]>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (c) 2010 Matt Simerson
+
+This plugin is licensed under the same terms as the qpsmtpd package itself.
+Please see the LICENSE file included with qpsmtpd for details.
+
+=cut
+
+sub register {
+ my ( $self, $qp ) = @_;
+
+ # the checkpassword module can handle PLAIN and LOGIN methods
+ #$self->register_hook("auth-plain", "auth_vpopmail" );
+ #$self->register_hook("auth-login", "auth_vpopmail" );
+
+ $self->register_hook("auth-cram-md5", "auth_vpopmail");
+}
+
+sub auth_vpopmail {
+ use vpopmail;
+ use Qpsmtpd::Constants;
+ use Digest::HMAC_MD5 qw(hmac_md5_hex);
+
+ my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket )
= @_;
+ my ( $pw_name, $pw_domain ) = split "@", lc($user);
+
+ $self->log(LOGINFO, "Authenticating against vpopmail: $user");
+
+ return ( DECLINED, "authvchkpw/$method - plugin not configured correctly"
)
+ if ! test_vpopmail();
+
+ my $pw = vauth_getpw($pw_name, $pw_domain);
+ my $pw_clear_passwd = $pw->{pw_clear_passwd};
+ my $pw_passwd = $pw->{pw_passwd};
+
+ # make sure the user exists
+ if ( ! $pw || ( ! $pw_clear_passwd && ! $pw_passwd ) ) {
+ return ( DENY, "authvchkpw/$method - invalid user" );
+# change DENY to DECLINED to support multiple auth plugins
+ };
+
+ return ( OK, "authvchkpw/$method" ) if $pw_passwd eq crypt( $passClear,
$pw_passwd );
+
+ # simplest case: clear text passwords
+ if ( defined $passClear && defined $pw_clear_passwd ) {
+ return ( DENY, "authvchkpw/$method - incorrect password" ) if
$passClear ne $pw_clear_passwd;
+ return ( OK, "authvchkpw/$method" );
+ };
+
+ if ( $method =~ /CRAM-MD5/i ) {
+ # clear_passwd isn't defined so we cannot support CRAM-MD5
+ return ( DECLINED, "authvchkpw/$method" ) if ! defined
$pw_clear_passwd;
+
+ if ( defined $passHash and $passHash eq hmac_md5_hex( $ticket,
$pw_clear_passwd ) ) {
+ };
+ }
+
+ return ( OK, "authvchkpw/$method" )
+ if (defined $passHash && $passHash eq hmac_md5_hex( $ticket,
$pw_clear_passwd ) );
+
+ return ( DENY, "authvchkpw/$method - unknown error" );
+}
+
+sub test_vpopmail {
+# vpopmail will not allow vauth_getpw to succeed unless the requesting user is
vpopmail or root.
+# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.
The most straight
+# solution is to add qpsmtpd to the vchkpw group
+ use vpopmail;
+ my ($domain) = vpopmail::vlistdomains();
+ my $r = vauth_getpw('postmaster',$domain);
+ return if ! $r;
+ return 1;
+}
--
1.7.0.6
