Altered SASL method to include the mechanism in log entries.

Removed the auth method from the return values of all auth plugins. The caller
already knows the mechanism. In the code, the difference looks like this:

before:
      or return (DENY, "authcvm/$method");
after:
      or return (DENY, "authcvm");

Added debug level log entries in auth_vpopmaild
---
docs/authentication.pod          |    4 ++--
lib/Qpsmtpd/Auth.pm              |    8 ++++----
plugins/auth/auth_checkpassword  |    2 +-
plugins/auth/auth_cvm_unix_local |   25 +++++++++--------------
plugins/auth/auth_vpopmail       |   24 +++++++++++-----------
plugins/auth/auth_vpopmail_sql   |   24 +++++++++++-----------
plugins/auth/auth_vpopmaild      |   41 ++++++++++++++++++++++++++------------
7 files changed, 68 insertions(+), 60 deletions(-)

diff --git a/docs/authentication.pod b/docs/authentication.pod
index f13637d..1cf7a35 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -211,7 +211,7 @@ vpopmail.
=item auth_vpopmaild

If you aren't sure which one to use, then use auth_vpopmaild. It
-has full support for all 3 authentication methods (PLAIN,LOGIN,CRAM-MD5),
+supports the PLAIN and LOGIN authentication methods,
doesn't require the qpsmtpd process to run with special permissions, and
can authenticate against vpopmail running on another host. It does require
the vpopmaild server to be running.
@@ -228,7 +228,7 @@ CRAM-MD5 patch has been added to the developers repo:
=item auth_vpopmail_sql

If you are using the MySQL backend for vpopmail, then this module can be
-used for smtp-auth. It has support for all three auth methods. However, it
+used for smtp-auth. It supports LOGIN, PLAIN, and CRAM-MD5. However, it
does not work with some vpopmail features such as alias domains, service
restrictions, nor does it update vpopmail's last_auth information.

diff --git a/lib/Qpsmtpd/Auth.pm b/lib/Qpsmtpd/Auth.pm
index af53c48..485beb3 100644
--- a/lib/Qpsmtpd/Auth.pm
+++ b/lib/Qpsmtpd/Auth.pm
@@ -51,8 +51,8 @@ sub SASL {
   }

   if ( $rc == OK ) {
-        $msg = "Authentication successful for $user" .
-            ( defined $msg ? " - " . $msg : "" );
+        $msg = uc($mechanism) . " authentication successful for $user" .
+            ( $msg ? " - $msg" : '');
       $session->respond( 235, $msg );
       $session->connection->relay_client(1);
       $session->log( LOGINFO, $msg );
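Review bot: `$user` is interpolated unchanged into the string passed to both `$session->respond( 235, $msg )` and `$session->log( LOGINFO, $msg )`, and the failure branch in the next hunk does the same. If `$user` is the decoded client-supplied login (its origin is outside the hunk, so this is an inference), embedded CR/LF or other control characters could split the SMTP reply or forge log lines. Normalise it once before building the message, e.g. `(my $log_user = $user) =~ s/[^\x21-\x7e]/?/g;`, and use `$log_user` in both messages. The switch from `defined $msg` to `$msg` also drops a plugin message of `0` or an empty string without comment, which is probably intended but worth stating. `sub SASL` starts and ends outside the hunk.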
@@ -64,8 +64,8 @@ sub SASL {
       return OK;
   }
   else {
-        $msg = "Authentication failed for $user" .
-            ( defined $msg ? " - " . $msg : "" );
+        $msg = uc($mechanism) . " authentication failed for $user" .
+            ( $msg ? " - $msg" : '');
       $session->respond( 535, $msg );
       $session->log( LOGERROR, $msg );
       return DENY;
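Review bot: The text sent with `$session->respond( 535, $msg )` still carries the plugin's reason string. The reasons the plugins return in this same patch (`auth_vpopmail - invalid user` versus `auth_vpopmail - incorrect password`, `auth_vmysql - wrong password`) therefore reach the unauthenticated client and reveal whether an account exists. Keep the detailed `$msg` for `$session->log( LOGERROR, $msg )` but answer with a fixed string, e.g. `$session->respond( 535, uc($mechanism) . " authentication failed" );`. The enclosing `sub SASL` continues outside the hunk.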
diff --git a/plugins/auth/auth_checkpassword b/plugins/auth/auth_checkpassword
index 739478f..e6baa3b 100644
--- a/plugins/auth/auth_checkpassword
+++ b/plugins/auth/auth_checkpassword
@@ -142,7 +142,7 @@ sub get_sudo {

   my $sudo = `which sudo` || '/usr/local/bin/sudo';
   return '' if !-x $sudo;
-    $sudo .= ' -C4';    # prevent sudo from clobber file descriptor 3
+    $sudo .= ' -C4';    # prevent sudo from clobbering file descriptor 3

   return "$sudo -u vpopmail" if $binary =~ /vchkpw/;
   return $sudo;
diff --git a/plugins/auth/auth_cvm_unix_local b/plugins/auth/auth_cvm_unix_local
index c5daa6f..c937826 100644
--- a/plugins/auth/auth_cvm_unix_local
+++ b/plugins/auth/auth_cvm_unix_local
@@ -47,8 +47,7 @@ use constant SSMTP_PORT => getservbyname("ssmtp", "tcp") || 
465;
sub register {
   my ( $self, $qp, %arg ) = @_;

-    unless ($arg{cvm_socket})
-    {
+    unless ($arg{cvm_socket}) {
       $self->log(LOGERROR, "authcvm - requires cvm_socket argument");
       return 0;
   }
@@ -61,15 +60,13 @@ sub register {
   return 0 if ($port == SMTP_PORT and $self->{_enable_smtp} ne 'yes');
   return 0 if ($port == SSMTP_PORT and $self->{_enable_ssmtp} ne 'yes');

-    if ($arg{cvm_socket} =~ /^([\w\/.-]+)$/)
-    {
+    if ($arg{cvm_socket} =~ /^([\w\/.-]+)$/) {
       $self->{_cvm_socket} = $1;
   }

-    unless (-S $self->{_cvm_socket})
-    {
-       $self->log(LOGERROR, "authcvm - cvm_socket missing or not usable");
-       return 0;
+    unless (-S $self->{_cvm_socket}) {
+        $self->log(LOGERROR, "authcvm - cvm_socket missing or not usable");
+        return 0;
   }

   $self->register_hook("auth-plain", "authcvm_plain");
@@ -81,13 +78,12 @@ sub authcvm_plain {
   my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) =
     @_;

-    $self->log(LOGINFO, "authcvm/$method authentication attempt for: $user");
+    $self->log(LOGINFO, "authcvm authentication attempt for: $user");

-    socket(SOCK, PF_UNIX, SOCK_STREAM, 0) 
-        or return (DENY, "authcvm/$method");
+    socket(SOCK, PF_UNIX, SOCK_STREAM, 0) or return (DENY, "authcvm");

   connect(SOCK, sockaddr_un($self->{_cvm_socket}))
-        or return (DENY, "authcvm/$method");
+        or return (DENY, "authcvm");

   my $o = select(SOCK); $| = 1; select($o);

@@ -100,8 +96,5 @@ sub authcvm_plain {

   my $ret = <SOCK>;
   my ($s) = unpack ("C", $ret);
-    return (
-       ($s ? $s == 100 ? DENY : DECLINED
-           : OK), 
-       "authcvm/$method");
+    return ( ($s ? $s == 100 ? DENY : DECLINED : OK), 'authcvm');
}
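Review bot: A missing reply is treated as success in the rewritten return. If `<SOCK>` yields `undef` or an empty string (the CVM closed the connection, or the read failed), `unpack ("C", $ret)` returns an empty list, `$s` is undefined, and the ternary falls through to `OK`. Fail closed before unpacking, matching the socket/connect failure paths earlier in the function: `return (DENY, 'authcvm') if !defined $ret || !length $ret;`. The bareword `SOCK` handle is also not closed in the lines shown. The start of `authcvm_plain` and the request written to the socket are outside this hunk.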
diff --git a/plugins/auth/auth_vpopmail b/plugins/auth/auth_vpopmail
index 0ad1406..99d9a1a 100644
--- a/plugins/auth/auth_vpopmail
+++ b/plugins/auth/auth_vpopmail
@@ -1,5 +1,4 @@
#!perl -w
-use strict;

=head1 NAME

@@ -41,9 +40,13 @@ Please see the LICENSE file included with qpsmtpd for 
details.
=cut

use strict;
+use warnings;

use Qpsmtpd::Constants;

+use Digest::HMAC_MD5 qw(hmac_md5_hex);
+use vpopmail;
+
sub register {
   my ($self, $qp) = @_;

@@ -53,16 +56,13 @@ sub register {
}

sub auth_vpopmail {
-    use vpopmail;
-    use Digest::HMAC_MD5 qw(hmac_md5_hex);
-
   my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
     @_;
   my ($pw_name, $pw_domain) = split "@", lc($user);

   $self->log(LOGINFO, "Authenticating against vpopmail: $user");

-    return (DECLINED, "authvpopmail/$method - plugin not configured correctly")
+    return (DECLINED, "auth_vpopmail - plugin not configured correctly")
     if !test_vpopmail();

   my $pw              = vauth_getpw($pw_name, $pw_domain);
@@ -71,25 +71,25 @@ sub auth_vpopmail {

   # make sure the user exists
   if (!$pw || (!$pw_clear_passwd && !$pw_passwd)) {
-        return (DENY, "authvpopmail/$method - invalid user");
+        return (DENY, "auth_vpopmail - invalid user");

       # change DENY to DECLINED to support multiple auth plugins
   }

-    return (OK, "authvpopmail/$method")
+    return (OK, "auth_vpopmail")
     if $pw_passwd eq crypt($passClear, $pw_passwd);

   # simplest case: clear text passwords
   if (defined $passClear && defined $pw_clear_passwd) {
-        return (DENY, "authvpopmail/$method - incorrect password")
+        return (DENY, "auth_vpopmail - incorrect password")
         if $passClear ne $pw_clear_passwd;
-        return (OK, "authvpopmail/$method");
+        return (OK, "auth_vpopmail");
   }

   if ($method =~ /CRAM-MD5/i) {

       # clear_passwd isn't defined so we cannot support CRAM-MD5
-        return (DECLINED, "authvpopmail/$method") if !defined $pw_clear_passwd;
+        return (DECLINED, "auth_vpopmail") if !defined $pw_clear_passwd;

       if (defined $passHash
           and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd))
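Review bot: The comparison `$pw_passwd eq crypt($passClear, $pw_passwd)` runs before anything checks that `$passClear` is defined or that `$pw_passwd` is non-empty. The guard above lets through accounts that have only `$pw_clear_passwd`, and for CRAM-MD5 `$passClear` is presumably undefined. With `use warnings` now enabled this produces warnings, and on platforms where `crypt` returns undef for an invalid salt an empty `$pw_passwd` could compare equal and return `OK`. Compute the hash only when both inputs are usable, `my $hashed = (defined $passClear && $pw_passwd) ? crypt($passClear, $pw_passwd) : undef;`, then `return (OK, "auth_vpopmail") if defined $hashed && $hashed eq $pw_passwd;`. The function starts in the previous hunk and the CRAM-MD5 branch continues past the end of this one.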
@@ -97,11 +97,11 @@ sub auth_vpopmail {
       }
   }

-    return (OK, "authvpopmail/$method")
+    return (OK, "auth_vpopmail")
     if (defined $passHash
         && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd));

-    return (DENY, "authvpopmail/$method - unknown error");
+    return (DENY, "auth_vpopmail - unknown error");
}

sub test_vpopmail {
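Review bot: The final `hmac_md5_hex($ticket, $pw_clear_passwd)` comparison is not gated on `defined $pw_clear_passwd`. Only the CRAM-MD5 branch above checks that, so this line is safe only if `$method` matches that regex whenever `$passHash` is set. An HMAC keyed with an undefined value is computed over an empty key, and a match against it must never count as proof of the password. Add the check to the condition: `if (defined $passHash && defined $pw_clear_passwd && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd));`. The beginning of `auth_vpopmail` lies in the earlier hunks.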
diff --git a/plugins/auth/auth_vpopmail_sql b/plugins/auth/auth_vpopmail_sql
index c1c613e..99b4f1d 100644
--- a/plugins/auth/auth_vpopmail_sql
+++ b/plugins/auth/auth_vpopmail_sql
@@ -63,21 +63,21 @@ Please see the LICENSE file included with qpsmtpd for 
details.

=cut

+use DBI;
+use Qpsmtpd::Constants;
+use Digest::HMAC_MD5 qw(hmac_md5_hex);
+
sub register {
   my ( $self, $qp ) = @_;

-    $self->register_hook("auth-plain", "auth_vmysql" );
-    $self->register_hook("auth-login", "auth_vmysql" );
-    $self->register_hook("auth-cram-md5", "auth_vmysql");
+    $self->register_hook('auth-plain',    'auth_vmysql');
+    $self->register_hook('auth-login',    'auth_vmysql');
+    $self->register_hook('auth-cram-md5', 'auth_vmysql');
}

sub auth_vmysql {
   my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) = 
@_;

-    use DBI;
-    use Qpsmtpd::Constants;
-    use Digest::HMAC_MD5 qw(hmac_md5_hex);
-
#    $DB::single = 1;

   my $dsn    = $self->qp->config("vpopmail_mysql_dsn") || 
"dbi:mysql:dbname=vpopmail;host=127.0.0.1";
@@ -85,14 +85,14 @@ sub auth_vmysql {
   my $dbpass = $self->qp->config("vpopmail_mysql_pass") || "vpoppasswd";

   my $dbh = DBI->connect( $dsn, $dbuser, $dbpass );
+
   $dbh->{ShowErrorStatement} = 1;

   my ( $pw_name, $pw_domain ) = split '@', lc($user);

   return DECLINED if ! defined $pw_domain;

-    $self->log(LOGINFO,
-       "Authentication to vpopmail via mysql: $pw_name\@$pw_domain");
+    $self->log(LOGDEBUG, "auth_vpopmail_sql: $pw_name\@$pw_domain");

   my $sth = $dbh->prepare(<<SQL);
SELECT *
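Review bot: The result of `DBI->connect( $dsn, $dbuser, $dbpass )` is dereferenced on the next statement without being checked. A database outage or rejected credentials makes `$dbh->{ShowErrorStatement} = 1;` die inside the auth hook instead of declining cleanly. Check it and log the failure: `my $dbh = DBI->connect( $dsn, $dbuser, $dbpass ) or do { $self->log(LOGERROR, "auth_vpopmail_sql: database connection failed"); return DECLINED; };`. The visible fallback `"vpoppasswd"` and the default DSN in the previous hunk are built-in credentials, and a comment saying they must be overridden in the configuration would help. The query and the rest of `auth_vmysql` are outside this hunk.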
@@ -120,7 +120,7 @@ SQL
        # user doesn't exist in this domain
         ( not defined $pw_passwd )
      ) {
-        return ( DECLINED, "auth_vmysql/$method" );
+        return ( DECLINED, "auth_vmysql" );
   }

   # at this point we can assume the user name matched
@@ -136,10 +136,10 @@ SQL
     )
   {

-        return ( OK, "auth_vmysql/$method" );
+        return ( OK, "auth_vmysql" );
   }
   else {
-        return ( DENY, "auth_vmysql/$method - wrong password" );
+        return ( DENY, "auth_vmysql - wrong password" );
   }
}

diff --git a/plugins/auth/auth_vpopmaild b/plugins/auth/auth_vpopmaild
index 0157c9e..2afe421 100644
--- a/plugins/auth/auth_vpopmaild
+++ b/plugins/auth/auth_vpopmaild
@@ -2,9 +2,11 @@

use strict;
use warnings;
+
+use Qpsmtpd::Constants;
use IO::Socket;
use version; 
-my $VERSION = qv('1.0.1');
+my $VERSION = qv('1.0.2');

sub register {
   my ($self, $qp, %args) = @_;
@@ -14,13 +16,16 @@ sub register {

   $self->register_hook('auth-plain', 'auth_vpopmaild');
   $self->register_hook('auth-login', 'auth_vpopmaild');
-    $self->register_hook('auth-cram-md5', 'auth_vpopmaild');
+    #$self->register_hook('auth-cram-md5', 'auth_vpopmaild'); # not supported
}

sub auth_vpopmaild {
   my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) = 
@_;

-    use Qpsmtpd::Constants;
+    if ( ! $passClear ) {
+        $self->log(LOGINFO, "vpopmaild does not support cram-md5");
+        return DECLINED;
+    }

   # create socket
   my $vpopmaild_socket =
@@ -31,28 +36,38 @@ sub auth_vpopmaild {
                           Type     => SOCK_STREAM
                          ) or return DECLINED;

-    #$self->log(LOGINFO, "Attempting $method auth via vpopmaild");
+    $self->log(LOGDEBUG, "attempting $method");

   # Get server greeting (+OK)
   my $connect_response = <$vpopmaild_socket>;
-    if ( $connect_response !~ /^\+OK/ ) {
-        $self->log(LOGINFO, "Failed to receive vpopmaild connection response: 
$connect_response");
+    if ( ! $connect_response ) {
+        $self->log(LOGERROR, "no connection response");
       close($vpopmaild_socket);
       return DECLINED;
   };

-    # send login details
-    print $vpopmaild_socket "login $user $passClear\n\r";
-
-    # get response from server
-    my $login_response = <$vpopmaild_socket>;
+    if ( $connect_response !~ /^\+OK/ ) {
+        $self->log(LOGERROR, "bad connection response: $connect_response");
+        close($vpopmaild_socket);
+        return DECLINED;
+    };

+    print $vpopmaild_socket "login $user $passClear\n\r"; # send login details
+    my $login_response = <$vpopmaild_socket>;       # get response from server
   close($vpopmaild_socket);

+    if ( ! $login_response ) {
+        $self->log(LOGERROR, "no login response");
+        return DECLINED;
+    };
+
   # check for successful login (single line (+OK) or multiline (+OK+))
-    return (OK, 'auth_vpopmaild') if $login_response =~ /^\+OK/;
+    if ( $login_response =~ /^\+OK/ ) {
+        $self->log(LOGDEBUG, "auth success");
+        return (OK, 'auth_vpopmaild');
+    };

-    $self->log(LOGINFO, "Failed vpopmaild authentication response: 
$login_response");
+    $self->log(LOGNOTICE, "failed authentication response: $login_response");

   return DECLINED;
}
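Review bot: `print $vpopmaild_socket "login $user $passClear\n\r";` writes two client-supplied values into a line-oriented protocol without validation, so whitespace or CR/LF inside either one changes what vpopmaild parses as the command. Reject such input before connecting, e.g. `return (DENY, 'auth_vpopmaild - invalid characters') if $user =~ /[\s\0]/ || $passClear =~ /[\r\n\0]/;`. The terminator `\n\r` also looks reversed relative to the usual `\r\n`; confirm against what vpopmaild expects. The new `bad connection response` and `failed authentication response` entries log remote text verbatim, so strip control characters from it before logging. The socket setup at the top of `auth_vpopmaild` is outside this hunk.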
-- 
1.7.9.6
