ph10 2006/10/16 14:43:22 BST
Modified files:
exim-doc/doc-txt ChangeLog NewStuff
exim-src/src/auths dovecot.c get_no64_data.c
exim-test/confs 9350
exim-test/log 9350
exim-test/rejectlog 9350
exim-test/scripts/9350-Dovecot 9350
exim-test/stdout 9350
Log:
Update Dovecot authenticator to (a) lock out tabs (b) add extra
parameters "secured" and "valid-client-cert" when relevant.
Revision Changes Path
1.409 +9 -1 exim/exim-doc/doc-txt/ChangeLog
1.116 +6 -0 exim/exim-doc/doc-txt/NewStuff
1.2 +41 -11 exim/exim-src/src/auths/dovecot.c
1.4 +2 -1 exim/exim-src/src/auths/get_no64_data.c
1.2 +7 -0 exim/exim-test/confs/9350
1.2 +2 -0 exim/exim-test/log/9350
1.2 +2 -0 exim/exim-test/rejectlog/9350
1.2 +48 -0 exim/exim-test/scripts/9350-Dovecot/9350
1.2 +82 -0 exim/exim-test/stdout/9350
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.408
retrieving revision 1.409
diff -u -r1.408 -r1.409
--- ChangeLog 16 Oct 2006 10:58:39 -0000 1.408
+++ ChangeLog 16 Oct 2006 13:43:21 -0000 1.409
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.408 2006/10/16 10:58:39 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -65,7 +65,7 @@
addresses), $smtp_active_hostname is used.
PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various
- tweaks were necessary in order to get it to work:
+ tweaks were necessary in order to get it to work (see also 21 below):
(a) The code assumed that strncpy() returns a negative number on buffer
overflow, which isn't the case. Replaced with Exim's string_format()
function.
@@ -141,6 +141,14 @@
always available. This code has been removed, because it had the bad
effect of slowing Exim down by computing (never used) parameters for the
RSA_EXPORT functionality.
+
+PH/21 On the advice of Timo Sirainen, added a check to the dovecot
+ authenticator to fail if there's a tab character in the incoming data
+ (there should never be unless someone is messing about, as it's supposed
+ to be base64-encoded). Also added, on Timo's advice, the "secured" option
+ if the connection is using TLS or if the remote IP is the same as the
+ local IP, and the "valid-client-cert option" if a client certificate has
+ been verified.
Exim version 4.63
Index: NewStuff
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -r1.115 -r1.116
--- NewStuff 3 Oct 2006 15:11:22 -0000 1.115
+++ NewStuff 16 Oct 2006 13:43:21 -0000 1.116
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.115 2006/10/03 15:11:22 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $
New Features in Exim
--------------------
@@ -71,6 +71,12 @@
public_name = NTLM
server_name = /var/run/dovecot/auth-client
server_setid = $auth1
+
+ If the SMTP connection is encrypted, or if $sender_host_address is equal to
+ $interface_address (that is, the connection is local), the "secured" option
+ is passed in the Dovecot authentication command. If, for a TLS connection, a
+ client certificate has been verified, the "valid-client-cert" option is
+ passed.
4. The variable $message_headers_raw provides a concatenation of all the
messages's headers without any decoding. This is in contrast to
Index: dovecot.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/dovecot.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- dovecot.c 2 Oct 2006 13:38:18 -0000 1.1
+++ dovecot.c 16 Oct 2006 13:43:22 -0000 1.2
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/dovecot.c,v 1.1 2006/10/02 13:38:18 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/dovecot.c,v 1.2 2006/10/16 13:43:22 ph10 Exp $ */
/*
* Copyright (c) 2004 Andrey Panin <pazke@???>
@@ -94,6 +94,8 @@
goto out; \
} while(0)
+
+
/*************************************************
* Server entry point *
*************************************************/
@@ -105,6 +107,8 @@
struct sockaddr_un sa;
char buffer[4096];
char *args[8];
+ uschar *auth_command;
+ uschar *auth_extra_data = US"";
int nargs, tmp;
int cuid = 0, cont = 1, found = 0, fd, ret = DEFER;
FILE *f;
@@ -186,31 +190,49 @@
if (!found)
goto out;
- fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
- "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
- VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
- ablock->public_name, sender_host_address, interface_address,
- data ? (char *) data : "");
+ /* Added by PH: data must not contain tab (as it is
+ b64 it shouldn't, but check for safety). */
+
+ if (Ustrchr(data, '\t') != NULL) {
+ ret = FAIL;
+ goto out;
+ }
+
+ /* Added by PH: extra fields when TLS is in use or if the TCP/IP
+ connection is local. */
+
+ if (tls_cipher != NULL)
+ auth_extra_data = string_sprintf("secured\t%s%s",
+ tls_certificate_verified? "valid-client-cert" : "",
+ tls_certificate_verified? "\t" : "");
+ else if (Ustrcmp(sender_host_address, interface_address) == 0)
+ auth_extra_data = US"secured\t";
+
/****************************************************************************
The code below was the original code here. It didn't work. A reading of the
file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
- this was not right. Maybe something changed. I changed it to the above, and
- it seems to be better. PH
+ this was not right. Maybe something changed. I changed it to move the
+ service indication into the AUTH command, and it seems to be better. PH
fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
"AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
ablock->public_name, sender_host_address, interface_address,
data ? (char *) data : "");
+
+ Subsequently, the command was modified to add "secured" and "valid-client-
+ cert" when relevant.
****************************************************************************/
- HDEBUG(D_auth) debug_printf("sent: VERSION\t%d\t%d\nsent: CPID\t%d\n"
- "sent: AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
+ auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
+ "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tresp=%s\n",
VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
- ablock->public_name, sender_host_address, interface_address,
- data ? (char *) data : "");
+ ablock->public_name, auth_extra_data, sender_host_address,
+ interface_address, data ? (char *) data : "");
+ fprintf(f, "%s", auth_command);
+ HDEBUG(D_auth) debug_printf("sent: %s", auth_command);
while (1) {
if (fgets(buffer, sizeof(buffer), f) == NULL) {
@@ -232,6 +254,14 @@
tmp = auth_get_no64_data(&data, US args[2]);
if (tmp != OK) {
ret = tmp;
+ goto out;
+ }
+
+ /* Added by PH: data must not contain tab (as it is
+ b64 it shouldn't, but check for safety). */
+
+ if (Ustrchr(data, '\t') != NULL) {
+ ret = FAIL;
goto out;
}
Index: get_no64_data.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/auths/get_no64_data.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- get_no64_data.c 7 Feb 2006 11:19:01 -0000 1.3
+++ get_no64_data.c 16 Oct 2006 13:43:22 -0000 1.4
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/auths/get_no64_data.c,v 1.3 2006/02/07 11:19:01 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/auths/get_no64_data.c,v 1.4 2006/10/16 13:43:22 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -16,7 +16,8 @@
/* This function is used by authentication drivers to output a challenge
to the SMTP client and read the response line. This version does not use base
-64 encoding for the text on the 334 line. It is used by the SPA authenticator.
+64 encoding for the text on the 334 line. It is used by the SPA and dovecot
+authenticators.
Arguments:
aptr set to point to the response (which is in big_buffer)
Index: 9350
===================================================================
RCS file: /home/cvs/exim/exim-test/confs/9350,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 9350 9 Oct 2006 14:33:37 -0000 1.1
+++ 9350 16 Oct 2006 13:43:22 -0000 1.2
@@ -15,6 +15,13 @@
acl_smtp_rcpt = check_recipient
+tls_advertise_hosts = *
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+
# ----- ACL -----
Index: 9350
===================================================================
RCS file: /home/cvs/exim/exim-test/log/9350,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 9350 9 Oct 2006 14:33:37 -0000 1.1
+++ 9350 16 Oct 2006 13:43:22 -0000 1.2
@@ -2,3 +2,5 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 dovecot authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data (set_id=userx)
+1999-03-02 09:44:33 dovecot authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data (set_id=userx)
+1999-03-02 09:44:33 dovecot authenticator failed for (xxxx) [ip4.ip4.ip4.ip4]: 535 Incorrect authentication data (set_id=userx)
Index: 9350
===================================================================
RCS file: /home/cvs/exim/exim-test/rejectlog/9350,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 9350 9 Oct 2006 14:33:38 -0000 1.1
+++ 9350 16 Oct 2006 13:43:22 -0000 1.2
@@ -1,3 +1,5 @@
******** SERVER ********
1999-03-02 09:44:33 dovecot authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data (set_id=userx)
+1999-03-02 09:44:33 dovecot authenticator failed for (xxxx) [127.0.0.1]: 535 Incorrect authentication data (set_id=userx)
+1999-03-02 09:44:33 dovecot authenticator failed for (xxxx) [ip4.ip4.ip4.ip4]: 535 Incorrect authentication data (set_id=userx)
Index: 9350
===================================================================
RCS file: /home/cvs/exim/exim-test/scripts/9350-Dovecot/9350,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 9350 9 Oct 2006 14:44:53 -0000 1.1
+++ 9350 16 Oct 2006 13:43:22 -0000 1.2
@@ -1,7 +1,55 @@
# Dovecot authentication (server only)
exim -DSERVER=server -bd -oX PORT_D
****
+# Try without TLS
client -t3 127.0.0.1 PORT_D
+??? 220
+EHLO xxxx
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+AUTH PLAIN AHVzZXJ4AHNlY3JldA==
+??? 535
+quit
+??? 221
+****
+# TLS, but no client certificate
+client-gnutls -t3 127.0.0.1 PORT_D
+??? 220
+EHLO xxxx
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+STARTTLS
+??? 220
+EHLO xxxx
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+AUTH PLAIN AHVzZXJ4AHNlY3JldA==
+??? 535
+quit
+??? 221
+****
+# TLS with client certificate
+client-gnutls -t3 HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2
+??? 220
+EHLO xxxx
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+STARTTLS
??? 220
EHLO xxxx
??? 250-
Index: 9350
===================================================================
RCS file: /home/cvs/exim/exim-test/stdout/9350,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 9350 9 Oct 2006 14:33:38 -0000 1.1
+++ 9350 16 Oct 2006 13:43:22 -0000 1.2
@@ -10,6 +10,88 @@
<<< 250-PIPELINING
??? 250-
<<< 250-AUTH PLAIN
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> AUTH PLAIN AHVzZXJ4AHNlY3JldA==
+??? 535
+<<< 535 Incorrect authentication data
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> EHLO xxxx
+??? 250-
+<<< 250-myhost.test.ex Hello xxxx [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-AUTH PLAIN
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> STARTTLS
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Succeeded in starting TLS
+>>> EHLO xxxx
+??? 250-
+<<< 250-myhost.test.ex Hello xxxx [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-AUTH PLAIN
+??? 250
+<<< 250 HELP
+>>> AUTH PLAIN AHVzZXJ4AHNlY3JldA==
+??? 535
+<<< 535 Incorrect authentication data
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/cert2
+Key file = TESTSUITE/aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> EHLO xxxx
+??? 250-
+<<< 250-myhost.test.ex Hello xxxx [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-AUTH PLAIN
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> STARTTLS
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Succeeded in starting TLS
+>>> EHLO xxxx
+??? 250-
+<<< 250-myhost.test.ex Hello xxxx [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-AUTH PLAIN
??? 250
<<< 250 HELP
>>> AUTH PLAIN AHVzZXJ4AHNlY3JldA==
