qpsmtpd/sme9/0013-added-auth_vpopmail-plugin.patch

From b1c3d2f333c807fb40b7a8e5d71086b54f69e562 Mon Sep 17 00:00:00 2001
From: Matt Simerson <matt@tnpi.net>
Date: Tue, 11 May 2010 02:19:05 -0400
Subject: added auth_vpopmail plugin

added auth_vpopmail plugin, using the perl-vpopmail module
added VPOPMAIL auth methods description to docs/authentication
added SEE ALSO section to each module, noting the VPOPMAIL description

Signed-off-by: Robert <rspier@pobox.com>
---
 docs/authentication.pod         |   41 ++++++++++++++
 plugins/auth/auth_checkpassword |    5 ++
 plugins/auth/auth_vpopmail      |  113 +++++++++++++++++++++++++++++++++++++++
 plugins/auth/auth_vpopmail_sql  |   11 ++--
 plugins/auth/auth_vpopmaild     |    5 ++
 5 files changed, 170 insertions(+), 5 deletions(-)
 create mode 100644 plugins/auth/auth_vpopmail

diff --git a/docs/authentication.pod b/docs/authentication.pod
index c6df82d..f13637d 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -201,10 +201,51 @@ authentication attempts for this transaction.
 In addition, all plugins that are registered for a specific auth hook will
 be tried before any plugins which are registered for the general auth hook.
 
+=head1 VPOPMAIL
+
+There are 4 authentication (smtp-auth) plugins that can be used with
+vpopmail.
+
+=over 4
+
+=item auth_vpopmaild
+
+If you aren't sure which one to use, then use auth_vpopmaild. It
+has full support for all 3 authentication methods (PLAIN,LOGIN,CRAM-MD5),
+doesn't require the qpsmtpd process to run with special permissions, and
+can authenticate against vpopmail running on another host. It does require
+the vpopmaild server to be running.
+
+=item auth_vpopmail
+
+The next best solution is auth_vpopmail. It requires the p5-vpopmail perl
+module and it compiles against libvpopmail.a. There are two catches. The
+qpsmtpd daemon must run as the vpopmail user, and you must be running v0.09
+or higher for CRAM-MD5 support. The released version is 0.08 but my
+CRAM-MD5 patch has been added to the developers repo:
+   http://github.com/sscanlon/vpopmail
+
+=item auth_vpopmail_sql
+
+If you are using the MySQL backend for vpopmail, then this module can be
+used for smtp-auth. It has support for all three auth methods. However, it
+does not work with some vpopmail features such as alias domains, service
+restrictions, nor does it update vpopmail's last_auth information.
+
+=item auth_checkpassword
+
+The auth_checkpassword is a generic authentication module that will work
+with any DJB style checkpassword program, including ~vpopmail/bin/vchkpw.
+It only supports PLAIN and LOGIN auth methods.
+
+=back
+
 =head1 AUTHOR
 
 John Peacock <jpeacock@cpan.org>
 
+Matt Simerson <msimerson@cpan.org> (added VPOPMAIL)
+
 =head1 COPYRIGHT AND LICENSE
 
 Copyright (c) 2004-2006 John Peacock
diff --git a/plugins/auth/auth_checkpassword b/plugins/auth/auth_checkpassword
index 6337ff7..db9231f 100644
--- a/plugins/auth/auth_checkpassword
+++ b/plugins/auth/auth_checkpassword
@@ -39,6 +39,11 @@ Using sudo is preferable to enabling setuid on the vchkpw binary. If
 you reinstall vpopmail and the setuid bit is lost, this plugin will be
 broken.
 
+=head1 SEE ALSO
+
+If you are using this plugin with vpopmail, please read the VPOPMAIL
+section in docs/authentication.pod
+
 =head1 DIAGNOSTICS
 
 Is the path in the config/smtpauth-checkpassword correct?
diff --git a/plugins/auth/auth_vpopmail b/plugins/auth/auth_vpopmail
new file mode 100644
index 0000000..973d230
--- /dev/null
+++ b/plugins/auth/auth_vpopmail
@@ -0,0 +1,113 @@
+#!/usr/bin/perl -w
+use strict;
+
+=head1 NAME
+
+auth_vpopmail - Authenticate against libvpopmail.a
+
+=head1 DESCRIPTION
+
+This plugin authenticates vpopmail users using p5-vpopmail.
+Using CRAM-MD5 requires that vpopmail be built with the
+'--enable-clear-passwd=y' option.
+
+=head1 CONFIGURATION
+
+This module will only work if qpsmtpd is running as the 'vpopmail' user.
+
+CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher.
+    http://github.com/sscanlon/vpopmail
+
+Decide which authentication methods you are willing to support and uncomment
+the lines in the register() sub. See the POD for Qspmtpd::Auth for more
+details on the ramifications of supporting various authentication methods.
+
+=head1 SEE ALSO
+
+For an overview of the vpopmail authentication plugins and their merits,
+please read the VPOPMAIL section in docs/authentication.pod
+
+=head1 AUTHOR
+
+Matt Simerson <msimerson@cpan.org>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (c) 2010 Matt Simerson
+
+This plugin is licensed under the same terms as the qpsmtpd package itself.
+Please see the LICENSE file included with qpsmtpd for details.
+
+=cut
+
+sub register {
+    my ($self, $qp) = @_;
+
+    $self->register_hook("auth-plain", "auth_vpopmail" );
+    $self->register_hook("auth-login", "auth_vpopmail" );
+    $self->register_hook("auth-cram-md5", "auth_vpopmail");
+}
+
+sub auth_vpopmail {
+    use vpopmail;
+    use Qpsmtpd::Constants;
+    use Digest::HMAC_MD5 qw(hmac_md5_hex);
+
+    my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
+      @_;
+    my ($pw_name, $pw_domain) = split "@", lc($user);
+
+    $self->log(LOGINFO, "Authenticating against vpopmail: $user");
+
+    return (DECLINED, "authvpopmail/$method - plugin not configured correctly")
+      if !test_vpopmail();
+
+    my $pw              = vauth_getpw($pw_name, $pw_domain);
+    my $pw_clear_passwd = $pw->{pw_clear_passwd};
+    my $pw_passwd       = $pw->{pw_passwd};
+
+    # make sure the user exists
+    if (!$pw || (!$pw_clear_passwd && !$pw_passwd)) {
+        return (DENY, "authvpopmail/$method - invalid user");
+
+        # change DENY to DECLINED to support multiple auth plugins
+    }
+
+    return (OK, "authvpopmail/$method")
+      if $pw_passwd eq crypt($passClear, $pw_passwd);
+
+    # simplest case: clear text passwords
+    if (defined $passClear && defined $pw_clear_passwd) {
+        return (DENY, "authvpopmail/$method - incorrect password")
+          if $passClear ne $pw_clear_passwd;
+        return (OK, "authvpopmail/$method");
+    }
+
+    if ($method =~ /CRAM-MD5/i) {
+
+        # clear_passwd isn't defined so we cannot support CRAM-MD5
+        return (DECLINED, "authvpopmail/$method") if !defined $pw_clear_passwd;
+
+        if (defined $passHash
+            and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd))
+        {
+        }
+    }
+
+    return (OK, "authvpopmail/$method")
+      if (defined $passHash
+          && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd));
+
+    return (DENY, "authvpopmail/$method - unknown error");
+}
+
+sub test_vpopmail {
+
+# vpopmail will not allow vauth_getpw to succeed unless the requesting user is vpopmail or root.
+# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.
+    use vpopmail;
+    my ($domain) = vpopmail::vlistdomains();
+    my $r = vauth_getpw('postmaster', $domain);
+    return if !$r;
+    return 1;
+}
diff --git a/plugins/auth/auth_vpopmail_sql b/plugins/auth/auth_vpopmail_sql
index fd450d0..948ea4f 100644
--- a/plugins/auth/auth_vpopmail_sql
+++ b/plugins/auth/auth_vpopmail_sql
@@ -37,11 +37,7 @@ module requires that only a single record be returned from the database.
 This authentication modules does not recognize domain aliases. So, if you have
 the domain example.com, with domain aliases for example.org and example.net,
 smtp-auth will only work for $user@example.com. If you have domain aliases,
-consider using the auth_checkpassword plugin.
-
-The checkpassword plugin only supports plain and login authentications, where
-this plugin also supports CRAM-MD5. I use both modules together. I use this one
-for CRAM-MD5 and the checkpassword plugin for plain and login.
+consider using another plugin (see SEE ALSO).
 
 =head1 FUTURE DIRECTION
 
@@ -49,6 +45,11 @@ The default MySQL configuration for vpopmail includes a table to log access,
 lastauth, which could conceivably be updated upon sucessful authentication.
 The addition of this feature is left as an exercise for someone who cares. ;)
 
+=head1 SEE ALSO
+
+For an overview of the vpopmail authentication plugins and their merits,
+please read the VPOPMAIL section in docs/authentication.pod
+
 =head1 AUTHOR
 
 John Peacock <jpeacock@cpan.org>
diff --git a/plugins/auth/auth_vpopmaild b/plugins/auth/auth_vpopmaild
index e4ab940..623d919 100644
--- a/plugins/auth/auth_vpopmaild
+++ b/plugins/auth/auth_vpopmaild
@@ -79,6 +79,11 @@ daemon is running on a different host or port, specify as follows:
 
 auth_vpopmaild host [host] port [port]
 
+=head1 SEE ALSO
+
+For an overview of the vpopmail authentication plugins and their merits,
+please read the VPOPMAIL section in doc/authentication.pod
+
 =head1 LINKS
 
 [1] http://www.qmailwiki.org/Vpopmaild
-- 
1.7.2.2

1	From b1c3d2f333c807fb40b7a8e5d71086b54f69e562 Mon Sep 17 00:00:00 2001
2	From: Matt Simerson <matt@tnpi.net>
3	Date: Tue, 11 May 2010 02:19:05 -0400
4	Subject: added auth_vpopmail plugin
5
6	added auth_vpopmail plugin, using the perl-vpopmail module
7	added VPOPMAIL auth methods description to docs/authentication
8	added SEE ALSO section to each module, noting the VPOPMAIL description
9
10	Signed-off-by: Robert <rspier@pobox.com>
11	---
12	docs/authentication.pod \| 41 ++++++++++++++
13	plugins/auth/auth_checkpassword \| 5 ++
14	plugins/auth/auth_vpopmail \| 113 +++++++++++++++++++++++++++++++++++++++
15	plugins/auth/auth_vpopmail_sql \| 11 ++--
16	plugins/auth/auth_vpopmaild \| 5 ++
17	5 files changed, 170 insertions(+), 5 deletions(-)
18	create mode 100644 plugins/auth/auth_vpopmail
19
20	diff --git a/docs/authentication.pod b/docs/authentication.pod
21	index c6df82d..f13637d 100644
22	--- a/docs/authentication.pod
23	+++ b/docs/authentication.pod
24	@@ -201,10 +201,51 @@ authentication attempts for this transaction.
25	In addition, all plugins that are registered for a specific auth hook will
26	be tried before any plugins which are registered for the general auth hook.
27
28	+=head1 VPOPMAIL
29	+
30	+There are 4 authentication (smtp-auth) plugins that can be used with
31	+vpopmail.
32	+
33	+=over 4
34	+
35	+=item auth_vpopmaild
36	+
37	+If you aren't sure which one to use, then use auth_vpopmaild. It
38	+has full support for all 3 authentication methods (PLAIN,LOGIN,CRAM-MD5),
39	+doesn't require the qpsmtpd process to run with special permissions, and
40	+can authenticate against vpopmail running on another host. It does require
41	+the vpopmaild server to be running.
42	+
43	+=item auth_vpopmail
44	+
45	+The next best solution is auth_vpopmail. It requires the p5-vpopmail perl
46	+module and it compiles against libvpopmail.a. There are two catches. The
47	+qpsmtpd daemon must run as the vpopmail user, and you must be running v0.09
48	+or higher for CRAM-MD5 support. The released version is 0.08 but my
49	+CRAM-MD5 patch has been added to the developers repo:
50	+ http://github.com/sscanlon/vpopmail
51	+
52	+=item auth_vpopmail_sql
53	+
54	+If you are using the MySQL backend for vpopmail, then this module can be
55	+used for smtp-auth. It has support for all three auth methods. However, it
56	+does not work with some vpopmail features such as alias domains, service
57	+restrictions, nor does it update vpopmail's last_auth information.
58	+
59	+=item auth_checkpassword
60	+
61	+The auth_checkpassword is a generic authentication module that will work
62	+with any DJB style checkpassword program, including ~vpopmail/bin/vchkpw.
63	+It only supports PLAIN and LOGIN auth methods.
64	+
65	+=back
66	+
67	=head1 AUTHOR
68
69	John Peacock <jpeacock@cpan.org>
70
71	+Matt Simerson <msimerson@cpan.org> (added VPOPMAIL)
72	+
73	=head1 COPYRIGHT AND LICENSE
74
75	Copyright (c) 2004-2006 John Peacock
76	diff --git a/plugins/auth/auth_checkpassword b/plugins/auth/auth_checkpassword
77	index 6337ff7..db9231f 100644
78	--- a/plugins/auth/auth_checkpassword
79	+++ b/plugins/auth/auth_checkpassword
80	@@ -39,6 +39,11 @@ Using sudo is preferable to enabling setuid on the vchkpw binary. If
81	you reinstall vpopmail and the setuid bit is lost, this plugin will be
82	broken.
83
84	+=head1 SEE ALSO
85	+
86	+If you are using this plugin with vpopmail, please read the VPOPMAIL
87	+section in docs/authentication.pod
88	+
89	=head1 DIAGNOSTICS
90
91	Is the path in the config/smtpauth-checkpassword correct?
92	diff --git a/plugins/auth/auth_vpopmail b/plugins/auth/auth_vpopmail
93	new file mode 100644
94	index 0000000..973d230
95	--- /dev/null
96	+++ b/plugins/auth/auth_vpopmail
97	@@ -0,0 +1,113 @@
98	+#!/usr/bin/perl -w
99	+use strict;
100	+
101	+=head1 NAME
102	+
103	+auth_vpopmail - Authenticate against libvpopmail.a
104	+
105	+=head1 DESCRIPTION
106	+
107	+This plugin authenticates vpopmail users using p5-vpopmail.
108	+Using CRAM-MD5 requires that vpopmail be built with the
109	+'--enable-clear-passwd=y' option.
110	+
111	+=head1 CONFIGURATION
112	+
113	+This module will only work if qpsmtpd is running as the 'vpopmail' user.
114	+
115	+CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher.
116	+ http://github.com/sscanlon/vpopmail
117	+
118	+Decide which authentication methods you are willing to support and uncomment
119	+the lines in the register() sub. See the POD for Qspmtpd::Auth for more
120	+details on the ramifications of supporting various authentication methods.
121	+
122	+=head1 SEE ALSO
123	+
124	+For an overview of the vpopmail authentication plugins and their merits,
125	+please read the VPOPMAIL section in docs/authentication.pod
126	+
127	+=head1 AUTHOR
128	+
129	+Matt Simerson <msimerson@cpan.org>
130	+
131	+=head1 COPYRIGHT AND LICENSE
132	+
133	+Copyright (c) 2010 Matt Simerson
134	+
135	+This plugin is licensed under the same terms as the qpsmtpd package itself.
136	+Please see the LICENSE file included with qpsmtpd for details.
137	+
138	+=cut
139	+
140	+sub register {
141	+ my ($self, $qp) = @_;
142	+
143	+ $self->register_hook("auth-plain", "auth_vpopmail" );
144	+ $self->register_hook("auth-login", "auth_vpopmail" );
145	+ $self->register_hook("auth-cram-md5", "auth_vpopmail");
146	+}
147	+
148	+sub auth_vpopmail {
149	+ use vpopmail;
150	+ use Qpsmtpd::Constants;
151	+ use Digest::HMAC_MD5 qw(hmac_md5_hex);
152	+
153	+ my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
154	+ @_;
155	+ my ($pw_name, $pw_domain) = split "@", lc($user);
156	+
157	+ $self->log(LOGINFO, "Authenticating against vpopmail: $user");
158	+
159	+ return (DECLINED, "authvpopmail/$method - plugin not configured correctly")
160	+ if !test_vpopmail();
161	+
162	+ my $pw = vauth_getpw($pw_name, $pw_domain);
163	+ my $pw_clear_passwd = $pw->{pw_clear_passwd};
164	+ my $pw_passwd = $pw->{pw_passwd};
165	+
166	+ # make sure the user exists
167	+ if (!$pw \|\| (!$pw_clear_passwd && !$pw_passwd)) {
168	+ return (DENY, "authvpopmail/$method - invalid user");
169	+
170	+ # change DENY to DECLINED to support multiple auth plugins
171	+ }
172	+
173	+ return (OK, "authvpopmail/$method")
174	+ if $pw_passwd eq crypt($passClear, $pw_passwd);
175	+
176	+ # simplest case: clear text passwords
177	+ if (defined $passClear && defined $pw_clear_passwd) {
178	+ return (DENY, "authvpopmail/$method - incorrect password")
179	+ if $passClear ne $pw_clear_passwd;
180	+ return (OK, "authvpopmail/$method");
181	+ }
182	+
183	+ if ($method =~ /CRAM-MD5/i) {
184	+
185	+ # clear_passwd isn't defined so we cannot support CRAM-MD5
186	+ return (DECLINED, "authvpopmail/$method") if !defined $pw_clear_passwd;
187	+
188	+ if (defined $passHash
189	+ and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd))
190	+ {
191	+ }
192	+ }
193	+
194	+ return (OK, "authvpopmail/$method")
195	+ if (defined $passHash
196	+ && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd));
197	+
198	+ return (DENY, "authvpopmail/$method - unknown error");
199	+}
200	+
201	+sub test_vpopmail {
202	+
203	+# vpopmail will not allow vauth_getpw to succeed unless the requesting user is vpopmail or root.
204	+# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have permission.
205	+ use vpopmail;
206	+ my ($domain) = vpopmail::vlistdomains();
207	+ my $r = vauth_getpw('postmaster', $domain);
208	+ return if !$r;
209	+ return 1;
210	+}
211	diff --git a/plugins/auth/auth_vpopmail_sql b/plugins/auth/auth_vpopmail_sql
212	index fd450d0..948ea4f 100644
213	--- a/plugins/auth/auth_vpopmail_sql
214	+++ b/plugins/auth/auth_vpopmail_sql
215	@@ -37,11 +37,7 @@ module requires that only a single record be returned from the database.
216	This authentication modules does not recognize domain aliases. So, if you have
217	the domain example.com, with domain aliases for example.org and example.net,
218	smtp-auth will only work for $user@example.com. If you have domain aliases,
219	-consider using the auth_checkpassword plugin.
220	-
221	-The checkpassword plugin only supports plain and login authentications, where
222	-this plugin also supports CRAM-MD5. I use both modules together. I use this one
223	-for CRAM-MD5 and the checkpassword plugin for plain and login.
224	+consider using another plugin (see SEE ALSO).
225
226	=head1 FUTURE DIRECTION
227
228	@@ -49,6 +45,11 @@ The default MySQL configuration for vpopmail includes a table to log access,
229	lastauth, which could conceivably be updated upon sucessful authentication.
230	The addition of this feature is left as an exercise for someone who cares. ;)
231
232	+=head1 SEE ALSO
233	+
234	+For an overview of the vpopmail authentication plugins and their merits,
235	+please read the VPOPMAIL section in docs/authentication.pod
236	+
237	=head1 AUTHOR
238
239	John Peacock <jpeacock@cpan.org>
240	diff --git a/plugins/auth/auth_vpopmaild b/plugins/auth/auth_vpopmaild
241	index e4ab940..623d919 100644
242	--- a/plugins/auth/auth_vpopmaild
243	+++ b/plugins/auth/auth_vpopmaild
244	@@ -79,6 +79,11 @@ daemon is running on a different host or port, specify as follows:
245
246	auth_vpopmaild host [host] port [port]
247
248	+=head1 SEE ALSO
249	+
250	+For an overview of the vpopmail authentication plugins and their merits,
251	+please read the VPOPMAIL section in doc/authentication.pod
252	+
253	=head1 LINKS
254
255	[1] http://www.qmailwiki.org/Vpopmaild
256	--
257	1.7.2.2
258