/*++ /* NAME /* smtpd_sasl_glue 3 /* SUMMARY /* Postfix SMTP server, SASL support interface /* SYNOPSIS /* #include "smtpd_sasl_glue.h" /* /* void smtpd_sasl_state_init(state) /* SMTPD_STATE *state; /* /* void smtpd_sasl_initialize() /* /* void smtpd_sasl_activate(state, sasl_opts_name, sasl_opts_val) /* SMTPD_STATE *state; /* const char *sasl_opts_name; /* const char *sasl_opts_val; /* /* char *smtpd_sasl_authenticate(state, sasl_method, init_response) /* SMTPD_STATE *state; /* const char *sasl_method; /* const char *init_response; /* /* void smtpd_sasl_logout(state) /* SMTPD_STATE *state; /* /* void smtpd_sasl_login(state, sasl_username, sasl_method) /* SMTPD_STATE *state; /* const char *sasl_username; /* const char *sasl_method; /* /* void smtpd_sasl_deactivate(state) /* SMTPD_STATE *state; /* /* int smtpd_sasl_is_active(state) /* SMTPD_STATE *state; /* /* int smtpd_sasl_set_inactive(state) /* SMTPD_STATE *state; /* DESCRIPTION /* This module encapsulates most of the detail specific to SASL /* authentication. /* /* smtpd_sasl_state_init() performs minimal server state /* initialization to support external authentication (e.g., /* XCLIENT) without having to enable SASL in main.cf. This /* should always be called at process startup. /* /* smtpd_sasl_initialize() initializes the SASL library. This /* routine should be called once at process start-up. It may /* need access to the file system for run-time loading of /* plug-in modules. There is no corresponding cleanup routine. /* /* smtpd_sasl_activate() performs per-connection initialization. /* This routine should be called once at the start of every /* connection. The sasl_opts_name and sasl_opts_val parameters /* are the postfix configuration parameters setting the security /* policy of the SASL authentication. /* /* smtpd_sasl_authenticate() implements the authentication /* dialog. The result is zero in case of success, -1 in case /* of failure. smtpd_sasl_authenticate() updates the following /* state structure members: /* .IP sasl_method /* The authentication method that was successfully applied. /* This member is a null pointer in the absence of successful /* authentication. /* .IP sasl_username /* The username that was successfully authenticated. /* This member is a null pointer in the absence of successful /* authentication. /* .PP /* smtpd_sasl_login() records the result of successful external /* authentication, i.e. without invoking smtpd_sasl_authenticate(), /* but produces an otherwise equivalent result. /* /* smtpd_sasl_logout() cleans up after smtpd_sasl_authenticate(). /* This routine exists for the sake of symmetry. /* /* smtpd_sasl_deactivate() performs per-connection cleanup. /* This routine should be called at the end of every connection. /* /* smtpd_sasl_is_active() is a predicate that returns true /* if the SMTP server session state is between smtpd_sasl_activate() /* and smtpd_sasl_deactivate(). /* /* smtpd_sasl_set_inactive() initializes the SMTP session /* state before the first smtpd_sasl_activate() call. /* /* Arguments: /* .IP state /* SMTP session context. /* .IP sasl_opts_name /* Security options parameter name. /* .IP sasl_opts_val /* Security options parameter value. /* .IP sasl_method /* A SASL mechanism name /* .IP init_reply /* An optional initial client response. /* DIAGNOSTICS /* All errors are fatal. /* LICENSE /* .ad /* .fi /* The Secure Mailer license must be distributed with this software. /* AUTHOR(S) /* Initial implementation by: /* Till Franke /* SuSE Rhein/Main AG /* 65760 Eschborn, Germany /* /* Adopted by: /* Wietse Venema /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA /* /* Wietse Venema /* Google, Inc. /* 111 8th Avenue /* New York, NY 10011, USA /*--*/ /* System library. */ #include <sys_defs.h> #include <stdlib.h> #include <string.h> /* Utility library. */ #include <msg.h> #include <mymalloc.h> #include <stringops.h> /* Global library. */ #include <mail_params.h> /* XSASL library. */ #include <xsasl.h> /* Application-specific. */ #include "smtpd.h" #include "smtpd_sasl_glue.h" #include "smtpd_chat.h" #ifdef USE_SASL_AUTH /* * Silly little macros. */ #define STR(s) vstring_str(s) /* * SASL server implementation handle. */ static XSASL_SERVER_IMPL *smtpd_sasl_impl; /* smtpd_sasl_initialize - per-process initialization */ void smtpd_sasl_initialize(void) { /* * Sanity check. */ if (smtpd_sasl_impl) msg_panic("smtpd_sasl_initialize: repeated call"); /* * Initialize the SASL library. */ if ((smtpd_sasl_impl = xsasl_server_init(var_smtpd_sasl_type, var_smtpd_sasl_path)) == 0) msg_fatal("SASL per-process initialization failed"); } /* smtpd_sasl_activate - per-connection initialization */ void smtpd_sasl_activate(SMTPD_STATE *state, const char *sasl_opts_name, const char *sasl_opts_val) { const char *mechanism_list; XSASL_SERVER_CREATE_ARGS create_args; int tls_flag; /* * Sanity check. */ if (smtpd_sasl_is_active(state)) msg_panic("smtpd_sasl_activate: already active"); /* * Initialize SASL-specific state variables. Use long-lived storage for * base 64 conversion results, rather than local variables, to avoid * memory leaks when a read or write routine returns abnormally after * timeout or I/O error. */ state->sasl_reply = vstring_alloc(20); state->sasl_mechanism_list = 0; /* * Set up a new server context for this connection. */ #ifdef USE_TLS tls_flag = state->tls_context != 0; #else tls_flag = 0; #endif #define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "") #define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0) if ((state->sasl_server = XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args, stream = state->client, addr_family = state->addr_family, server_addr = ADDR_OR_EMPTY(state->dest_addr, SERVER_ADDR_UNKNOWN), server_port = ADDR_OR_EMPTY(state->dest_port, SERVER_PORT_UNKNOWN), client_addr = ADDR_OR_EMPTY(state->addr, CLIENT_ADDR_UNKNOWN), client_port = ADDR_OR_EMPTY(state->port, CLIENT_PORT_UNKNOWN), service = var_smtpd_sasl_service, user_realm = REALM_OR_NULL(var_smtpd_sasl_realm), security_options = sasl_opts_val, tls_flag = tls_flag)) == 0) msg_fatal("SASL per-connection initialization failed"); /* * Get the list of authentication mechanisms. */ if ((mechanism_list = xsasl_server_get_mechanism_list(state->sasl_server)) == 0) msg_fatal("no SASL authentication mechanisms"); state->sasl_mechanism_list = mystrdup(mechanism_list); } /* smtpd_sasl_state_init - initialize state to allow extern authentication. */ void smtpd_sasl_state_init(SMTPD_STATE *state) { /* Initialization to support external authentication (e.g., XCLIENT). */ state->sasl_username = 0; state->sasl_method = 0; state->sasl_sender = 0; } /* smtpd_sasl_deactivate - per-connection cleanup */ void smtpd_sasl_deactivate(SMTPD_STATE *state) { if (state->sasl_reply) { vstring_free(state->sasl_reply); state->sasl_reply = 0; } if (state->sasl_mechanism_list) { myfree(state->sasl_mechanism_list); state->sasl_mechanism_list = 0; } if (state->sasl_username) { myfree(state->sasl_username); state->sasl_username = 0; } if (state->sasl_method) { myfree(state->sasl_method); state->sasl_method = 0; } if (state->sasl_sender) { myfree(state->sasl_sender); state->sasl_sender = 0; } if (state->sasl_server) { xsasl_server_free(state->sasl_server); state->sasl_server = 0; } } /* smtpd_sasl_authenticate - per-session authentication */ int smtpd_sasl_authenticate(SMTPD_STATE *state, const char *sasl_method, const char *init_response) { int status; const char *sasl_username; /* * SASL authentication protocol start-up. Process any initial client * response that was sent along in the AUTH command. */ for (status = xsasl_server_first(state->sasl_server, sasl_method, init_response, state->sasl_reply); status == XSASL_AUTH_MORE; status = xsasl_server_next(state->sasl_server, STR(state->buffer), state->sasl_reply)) { /* * Send a server challenge. */ smtpd_chat_reply(state, "334 %s", STR(state->sasl_reply)); /* * Receive the client response. "*" means that the client gives up. * XXX For now we ignore the fact that an excessively long response * will be chopped into multiple responses. To handle such responses, * we need to change smtpd_chat_query() so that it returns an error * indication. */ smtpd_chat_query(state); if (strcmp(STR(state->buffer), "*") == 0) { msg_warn("%s: SASL %s authentication aborted", state->namaddr, sasl_method); smtpd_chat_reply(state, "501 5.7.0 Authentication aborted"); return (-1); } } if (status != XSASL_AUTH_DONE) { msg_warn("%s: SASL %s authentication failed: %s", state->namaddr, sasl_method, STR(state->sasl_reply)); /* RFC 4954 Section 6. */ if (status == XSASL_AUTH_TEMP) smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s", STR(state->sasl_reply)); else smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s", STR(state->sasl_reply)); return (-1); } /* RFC 4954 Section 6. */ smtpd_chat_reply(state, "235 2.7.0 Authentication successful"); if ((sasl_username = xsasl_server_get_username(state->sasl_server)) == 0) msg_panic("cannot look up the authenticated SASL username"); state->sasl_username = mystrdup(sasl_username); printable(state->sasl_username, '?'); state->sasl_method = mystrdup(sasl_method); printable(state->sasl_method, '?'); return (0); } /* smtpd_sasl_logout - clean up after smtpd_sasl_authenticate */ void smtpd_sasl_logout(SMTPD_STATE *state) { if (state->sasl_username) { myfree(state->sasl_username); state->sasl_username = 0; } if (state->sasl_method) { myfree(state->sasl_method); state->sasl_method = 0; } } /* smtpd_sasl_login - set login information */ void smtpd_sasl_login(SMTPD_STATE *state, const char *sasl_username, const char *sasl_method) { if (state->sasl_username) myfree(state->sasl_username); state->sasl_username = mystrdup(sasl_username); if (state->sasl_method) myfree(state->sasl_method); state->sasl_method = mystrdup(sasl_method); } #endif