Annotation of /rpms/qpsmtpd/sme8/0013-added-auth_vpopmail-plugin.patch

Revision 1.1
Sun Nov 14 20:50:20 2010 UTC (14 years ago) by slords
Branch: MAIN
CVS Tags: qpsmtpd-0_84-3_el5_sme, qpsmtpd-0_84-6_el5_sme, qpsmtpd-0_84-2_el5_sme, qpsmtpd-0_84-5_el5_sme, qpsmtpd-0_84-8_el5_sme, qpsmtpd-0_84-9_el5_sme, qpsmtpd-0_84-4_el5_sme, qpsmtpd-0_84-7_el5_sme, HEAD
* Sun Nov 14 2010 <slords@mail.com> 0.84-2.sme
- Sync with upstream git repo.
- Fix require_resolvable_fromhost doesn't work [SME: 6369]
- Fix TLS security defaults [SME: 6366]
- Fix fatal errors when mail has no headers [SME: 6345]

1 slords 1.1 From b1c3d2f333c807fb40b7a8e5d71086b54f69e562 Mon Sep 17 00:00:00 2001
2     From: Matt Simerson <matt@tnpi.net>
3     Date: Tue, 11 May 2010 02:19:05 -0400
4     Subject: added auth_vpopmail plugin
5    
6     added auth_vpopmail plugin, using the perl-vpopmail module
7     added VPOPMAIL auth methods description to docs/authentication
8     added SEE ALSO section to each module, noting the VPOPMAIL description
9    
10     Signed-off-by: Robert <rspier@pobox.com>
11     ---
12     docs/authentication.pod | 41 ++++++++++++++
13     plugins/auth/auth_checkpassword | 5 ++
14     plugins/auth/auth_vpopmail | 113 +++++++++++++++++++++++++++++++++++++++
15     plugins/auth/auth_vpopmail_sql | 11 ++--
16     plugins/auth/auth_vpopmaild | 5 ++
17     5 files changed, 170 insertions(+), 5 deletions(-)
18     create mode 100644 plugins/auth/auth_vpopmail
19    
20     diff --git a/docs/authentication.pod b/docs/authentication.pod
21     index c6df82d..f13637d 100644
22     --- a/docs/authentication.pod
23     +++ b/docs/authentication.pod
24     @@ -201,10 +201,51 @@ authentication attempts for this transaction.
25     In addition, all plugins that are registered for a specific auth hook will
26     be tried before any plugins which are registered for the general auth hook.
27    
28     +=head1 VPOPMAIL
29     +
30     +There are 4 authentication (smtp-auth) plugins that can be used with
31     +vpopmail.
32     +
33     +=over 4
34     +
35     +=item auth_vpopmaild
36     +
37     +If you aren't sure which one to use, then use auth_vpopmaild. It
38     +has full support for all 3 authentication methods (PLAIN,LOGIN,CRAM-MD5),
39     +doesn't require the qpsmtpd process to run with special permissions, and
40     +can authenticate against vpopmail running on another host. It does require
41     +the vpopmaild server to be running.
42     +
43     +=item auth_vpopmail
44     +
45     +The next best solution is auth_vpopmail. It requires the p5-vpopmail perl
46     +module and it compiles against libvpopmail.a. There are two catches. The
47     +qpsmtpd daemon must run as the vpopmail user, and you must be running v0.09
48     +or higher for CRAM-MD5 support. The released version is 0.08 but my
49     +CRAM-MD5 patch has been added to the developers repo:
50     + http://github.com/sscanlon/vpopmail
51     +
52     +=item auth_vpopmail_sql
53     +
54     +If you are using the MySQL backend for vpopmail, then this module can be
55     +used for smtp-auth. It has support for all three auth methods. However, it
56     +does not work with some vpopmail features such as alias domains, service
57     +restrictions, nor does it update vpopmail's last_auth information.
58     +
59     +=item auth_checkpassword
60     +
61     +The auth_checkpassword is a generic authentication module that will work
62     +with any DJB style checkpassword program, including ~vpopmail/bin/vchkpw.
63     +It only supports PLAIN and LOGIN auth methods.
64     +
65     +=back
66     +
67     =head1 AUTHOR
68    
69     John Peacock <jpeacock@cpan.org>
70    
71     +Matt Simerson <msimerson@cpan.org> (added VPOPMAIL)
72     +
73     =head1 COPYRIGHT AND LICENSE
74    
75     Copyright (c) 2004-2006 John Peacock
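Review bot: The auth_vpopmail item lists "the qpsmtpd daemon must run as the vpopmail user" only as a catch, without saying what that means for privilege separation. The auth_vpopmaild item above is recommended because it "doesn't require the qpsmtpd process to run with special permissions", so this item should state the trade-off just as explicitly: the network-facing SMTP process takes on the vpopmail user's access. The CRAM-MD5 sentence should also carry the requirement that the plugin's own POD gives, that vpopmail be built with '--enable-clear-passwd=y', since that is a decision about storing clear-text passwords. Two smaller points: "my CRAM-MD5 patch" is ambiguous in a document whose AUTHOR section now names two people, and the module is called p5-vpopmail here but perl-vpopmail in the commit message.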
76     diff --git a/plugins/auth/auth_checkpassword b/plugins/auth/auth_checkpassword
77     index 6337ff7..db9231f 100644
78     --- a/plugins/auth/auth_checkpassword
79     +++ b/plugins/auth/auth_checkpassword
80     @@ -39,6 +39,11 @@ Using sudo is preferable to enabling setuid on the vchkpw binary. If
81     you reinstall vpopmail and the setuid bit is lost, this plugin will be
82     broken.
83    
84     +=head1 SEE ALSO
85     +
86     +If you are using this plugin with vpopmail, please read the VPOPMAIL
87     +section in docs/authentication.pod
88     +
89     =head1 DIAGNOSTICS
90    
91     Is the path in the config/smtpauth-checkpassword correct?
92     diff --git a/plugins/auth/auth_vpopmail b/plugins/auth/auth_vpopmail
93     new file mode 100644
94     index 0000000..973d230
95     --- /dev/null
96     +++ b/plugins/auth/auth_vpopmail
97     @@ -0,0 +1,113 @@
98     +#!/usr/bin/perl -w
99     +use strict;
100     +
101     +=head1 NAME
102     +
103     +auth_vpopmail - Authenticate against libvpopmail.a
104     +
105     +=head1 DESCRIPTION
106     +
107     +This plugin authenticates vpopmail users using p5-vpopmail.
108     +Using CRAM-MD5 requires that vpopmail be built with the
109     +'--enable-clear-passwd=y' option.
110     +
111     +=head1 CONFIGURATION
112     +
113     +This module will only work if qpsmtpd is running as the 'vpopmail' user.
114     +
115     +CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher.
116     + http://github.com/sscanlon/vpopmail
117     +
118     +Decide which authentication methods you are willing to support and uncomment
119     +the lines in the register() sub. See the POD for Qspmtpd::Auth for more
120     +details on the ramifications of supporting various authentication methods.
121     +
122     +=head1 SEE ALSO
123     +
124     +For an overview of the vpopmail authentication plugins and their merits,
125     +please read the VPOPMAIL section in docs/authentication.pod
126     +
127     +=head1 AUTHOR
128     +
129     +Matt Simerson <msimerson@cpan.org>
130     +
131     +=head1 COPYRIGHT AND LICENSE
132     +
133     +Copyright (c) 2010 Matt Simerson
134     +
135     +This plugin is licensed under the same terms as the qpsmtpd package itself.
136     +Please see the LICENSE file included with qpsmtpd for details.
137     +
138     +=cut
139     +
140     +sub register {
141     + my ($self, $qp) = @_;
142     +
143     + $self->register_hook("auth-plain", "auth_vpopmail" );
144     + $self->register_hook("auth-login", "auth_vpopmail" );
145     + $self->register_hook("auth-cram-md5", "auth_vpopmail");
146     +}
147     +
148     +sub auth_vpopmail {
149     + use vpopmail;
150     + use Qpsmtpd::Constants;
151     + use Digest::HMAC_MD5 qw(hmac_md5_hex);
152     +
153     + my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
154     + @_;
155     + my ($pw_name, $pw_domain) = split "@", lc($user);
156     +
157     + $self->log(LOGINFO, "Authenticating against vpopmail: $user");
158     +
159     + return (DECLINED, "authvpopmail/$method - plugin not configured correctly")
160     + if !test_vpopmail();
161     +
162     + my $pw = vauth_getpw($pw_name, $pw_domain);
163     + my $pw_clear_passwd = $pw->{pw_clear_passwd};
164     + my $pw_passwd = $pw->{pw_passwd};
165     +
166     + # make sure the user exists
167     + if (!$pw || (!$pw_clear_passwd && !$pw_passwd)) {
168     + return (DENY, "authvpopmail/$method - invalid user");
169     +
170     + # change DENY to DECLINED to support multiple auth plugins
171     + }
172     +
173     + return (OK, "authvpopmail/$method")
174     + if $pw_passwd eq crypt($passClear, $pw_passwd);
175     +
176     + # simplest case: clear text passwords
177     + if (defined $passClear && defined $pw_clear_passwd) {
178     + return (DENY, "authvpopmail/$method - incorrect password")
179     + if $passClear ne $pw_clear_passwd;
180     + return (OK, "authvpopmail/$method");
181     + }
182     +
183     + if ($method =~ /CRAM-MD5/i) {
184     +
185     + # clear_passwd isn't defined so we cannot support CRAM-MD5
186     + return (DECLINED, "authvpopmail/$method") if !defined $pw_clear_passwd;
187     +
188     + if (defined $passHash
189     + and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd))
190     + {
191     + }
192     + }
193     +
194     + return (OK, "authvpopmail/$method")
195     + if (defined $passHash
196     + && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd));
197     +
198     + return (DENY, "authvpopmail/$method - unknown error");
199     +}
200     +
201     +sub test_vpopmail {
202     +
203     +# vpopmail will not allow vauth_getpw to succeed unless the requesting user is vpopmail or root.
204     +# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.
205     + use vpopmail;
206     + my ($domain) = vpopmail::vlistdomains();
207     + my $r = vauth_getpw('postmaster', $domain);
208     + return if !$r;
209     + return 1;
210     +}
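Review bot: In auth_vpopmail(), the CRAM-MD5 branch ends in `if (defined $passHash and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd)) { }` with an empty body, so the success return that belongs there is missing and the outcome is left to the unconditional HMAC comparison after the block, which also runs for PLAIN and LOGIN. Put `return (OK, "authvpopmail/$method")` inside the CRAM-MD5 block and remove the duplicate test. The reads of `$pw->{pw_clear_passwd}` and `$pw->{pw_passwd}` come before the `!$pw` check; move the existence check to directly after vauth_getpw(). The crypt() comparison is evaluated with $passClear undefined on CRAM-MD5 attempts and with $pw_passwd possibly empty, so guard it with `defined $passClear && defined $pw_passwd`. A wrong PLAIN or LOGIN password for an account that has only a crypt hash falls through to "unknown error" instead of "incorrect password". In the POD, the CONFIGURATION text tells the admin to uncomment lines in register(), but all three hooks are registered unconditionally, and "Qspmtpd::Auth" is misspelled. test_vpopmail() also runs vlistdomains() and a postmaster lookup on every authentication attempt; consider doing that check once in register().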
211     diff --git a/plugins/auth/auth_vpopmail_sql b/plugins/auth/auth_vpopmail_sql
212     index fd450d0..948ea4f 100644
213     --- a/plugins/auth/auth_vpopmail_sql
214     +++ b/plugins/auth/auth_vpopmail_sql
215     @@ -37,11 +37,7 @@ module requires that only a single record be returned from the database.
216     This authentication modules does not recognize domain aliases. So, if you have
217     the domain example.com, with domain aliases for example.org and example.net,
218     smtp-auth will only work for $user@example.com. If you have domain aliases,
219     -consider using the auth_checkpassword plugin.
220     -
221     -The checkpassword plugin only supports plain and login authentications, where
222     -this plugin also supports CRAM-MD5. I use both modules together. I use this one
223     -for CRAM-MD5 and the checkpassword plugin for plain and login.
224     +consider using another plugin (see SEE ALSO).
225    
226     =head1 FUTURE DIRECTION
227    
228     @@ -49,6 +45,11 @@ The default MySQL configuration for vpopmail includes a table to log access,
229     lastauth, which could conceivably be updated upon sucessful authentication.
230     The addition of this feature is left as an exercise for someone who cares. ;)
231    
232     +=head1 SEE ALSO
233     +
234     +For an overview of the vpopmail authentication plugins and their merits,
235     +please read the VPOPMAIL section in docs/authentication.pod
236     +
237     =head1 AUTHOR
238    
239     John Peacock <jpeacock@cpan.org>
240     diff --git a/plugins/auth/auth_vpopmaild b/plugins/auth/auth_vpopmaild
241     index e4ab940..623d919 100644
242     --- a/plugins/auth/auth_vpopmaild
243     +++ b/plugins/auth/auth_vpopmaild
244     @@ -79,6 +79,11 @@ daemon is running on a different host or port, specify as follows:
245    
246     auth_vpopmaild host [host] port [port]
247    
248     +=head1 SEE ALSO
249     +
250     +For an overview of the vpopmail authentication plugins and their merits,
251     +please read the VPOPMAIL section in doc/authentication.pod
252     +
253     =head1 LINKS
254    
255     [1] http://www.qmailwiki.org/Vpopmaild
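Review bot: The added SEE ALSO paragraph points to doc/authentication.pod, but the file this patch edits is docs/authentication.pod and the SEE ALSO sections added to the other three plugins use that path; change it to docs/authentication.pod so the reference resolves.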
256     --
257     1.7.2.2
258    
