author | Gilles Chehade <gilles@cvs.openbsd.org> | 2016-08-31 15:24:05 +0000 |
committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2016-08-31 15:24:05 +0000 |
commit | faf9fc11c58e8b2b0f3acbd8f2ba8b8a2a086d54 (patch) | |
tree | d03a630ad6a2e21d9299b9979378f6a55c0ca530 | |
parent | c8dc48bf60914311913c5553c1d1ad64c0897fa4 (diff) |
introduce "authenticated" parameter so rules may apply to authenticated
sessions specifically
ok eric@, sunil@, jung@
-rw-r--r-- | usr.sbin/smtpd/parse.y | 11 | ||||
-rw-r--r-- | usr.sbin/smtpd/ruleset.c | 5 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 13 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 4 |
4 files changed, 27 insertions, 6 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 3d319772c28..38411ee2715 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.188 2016/08/31 10:18:08 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.189 2016/08/31 15:24:04 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -178,7 +178,7 @@ typedef struct {
 %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SOURCE MTA PKI SCHEDULER
 %token ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHE
 %token AUTH_OPTIONAL TLS_REQUIRE USERBASE SENDER SENDERS MASK_SOURCE VERIFY FORWARDONLY RECIPIENT
-%token CIPHERS RECEIVEDAUTH MASQUERADE SOCKET SUBADDRESSING_DELIM
+%token CIPHERS RECEIVEDAUTH MASQUERADE SOCKET SUBADDRESSING_DELIM AUTHENTICATED
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.table> table
@@ -272,6 +272,11 @@ tagged : TAGGED negation STRING {
 }
 ;
 
+authenticated : AUTHENTICATED {
+ rule->r_wantauth = 1;
+ }
+ ;
+
 bouncedelay : STRING {
 time_t d;
 int i;
@@ -1377,6 +1382,7 @@ opt_decision : sender
 | from
 | for
 | tagged
+ | authenticated
 ;
 decision : opt_decision decision |
@@ -1487,6 +1493,7 @@ lookup(char *s)
 { "as", AS },
 { "auth", AUTH },
 { "auth-optional", AUTH_OPTIONAL },
+ { "authenticated", AUTHENTICATED },
 { "backup", BACKUP },
 { "bounce-warn", BOUNCEWARN },
 { "ca", CA },
diff --git a/usr.sbin/smtpd/ruleset.c b/usr.sbin/smtpd/ruleset.c
index 2b9e6855ce0..5583b6c9f77 100644
--- a/usr.sbin/smtpd/ruleset.c
+++ b/usr.sbin/smtpd/ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruleset.c,v 1.32 2015/10/27 20:14:19 gilles Exp $ */
+/* $OpenBSD: ruleset.c,v 1.33 2016/08/31 15:24:04 gilles Exp $ */
 
 /*
  * Copyright (c) 2009 Gilles Chehade <gilles@poolp.org>
@@ -56,6 +56,9 @@ ruleset_match(const struct envelope *evp)
 continue;
 }
 
+ if (r->r_wantauth && !(evp->flags & EF_AUTHENTICATED))
+ continue;
+
 ret = ruleset_check_source(r->r_sources, ss, evp->flags);
 if (ret == -1) {
 errno = EAGAIN;
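Review bot: The new `authenticated` production in the @@ -272 hunk takes no `negation`, unlike `tagged : TAGGED negation STRING` directly above it, so the keyword can only narrow a rule to authenticated sessions and there is no way to express the reverse match that the man page's earlier general sentence about an exclamation mark describes for other criteria. If that asymmetry is intended, the new smtpd.conf.5 entry should say so (a sentence such as "This keyword cannot be negated."); if it is not, the production needs a `negation` nonterminal like `tagged` has, and `r_wantauth` a third state so ruleset_match can reject rather than require the flag. The grammar action itself only ever writes `rule->r_wantauth = 1;`, so the "off" default depends on how the rule object is initialised elsewhere in parse.y, which this hunk does not show.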
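Review bot: The added check in ruleset_match, `if (r->r_wantauth && !(evp->flags & EF_AUTHENTICATED))`, makes an `authenticated` rule exactly as strong as the code that sets EF_AUTHENTICATED, which is outside this diff; the man page text in this commit promises that both SMTP AUTH and submission through the local enqueuer count, so it is worth confirming that those paths, and no others, set the flag before the envelope reaches the ruleset. A short comment tying the check to that contract would help the next reader, e.g. `/* "authenticated" rules: skip unless the session was authenticated (SMTP AUTH or local enqueuer), see EF_AUTHENTICATED */`. The body of ruleset_match begins and ends outside the hunk.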
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 416811e8305..0b19384dbe8 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.163 2016/08/31 13:55:32 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.164 2016/08/31 15:24:04 gilles Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -82,7 +82,16 @@ the default action is to reject the message.
 An exclamation mark may be specified to perform a reverse match.
 .Pp
 Following the accept/reject
-decision comes the optional tag matching:
+decision comes the matching of optional session related properties:
+.Bl -tag -width Ds
+.It Xo
+.Ic authenticated
+.Xc
+If specified, the rule will only be matched if the client session was
+authenticated either by requesting authentication over the network or
+because message was submitted over the local enqueuer.
+.El
+.Pp
 .Bl -tag -width Ds
 .It Xo
 .Ic tagged
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index c8bbbd0ac01..a2a01c5f551 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.517 2016/08/31 10:18:08 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.518 2016/08/31 15:24:04 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -395,6 +395,8 @@ struct rule {
 enum dest_type r_desttype;
 struct table *r_destination;
 
+ uint8_t r_wantauth;
+
 enum action_type r_action;
 union rule_dest {
 char buffer[EXPAND_BUFFER];
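Review bot: `uint8_t r_wantauth;` is added to `struct rule` in the @@ -395 hunk without a comment, and its neighbours (`r_destination`, `r_action`) give no hint that it is a match criterion rather than part of the action; `uint8_t r_wantauth; /* match only authenticated sessions (EF_AUTHENTICATED) */` would make that clear. The criterion is "off" by default only if `struct rule` is zero-initialised where it is allocated, which this diff does not show and which the parse.y action relies on by setting the field solely to 1. `struct rule` continues past the end of the hunk.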