authorGilles Chehade <gilles@cvs.openbsd.org>2016-08-31 15:24:05 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2016-08-31 15:24:05 +0000
commitfaf9fc11c58e8b2b0f3acbd8f2ba8b8a2a086d54 (patch)
treed03a630ad6a2e21d9299b9979378f6a55c0ca530 /usr.sbin/smtpd
parentc8dc48bf60914311913c5553c1d1ad64c0897fa4 (diff)
introduce "authenticated" parameter so rules may apply specifically to
authenticated sessions

ok eric@, sunil@, jung@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/parse.y11
-rw-r--r--usr.sbin/smtpd/ruleset.c5
-rw-r--r--usr.sbin/smtpd/smtpd.conf.513
-rw-r--r--usr.sbin/smtpd/smtpd.h4
4 files changed, 27 insertions, 6 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 3d319772c28..38411ee2715 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.188 2016/08/31 10:18:08 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.189 2016/08/31 15:24:04 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -178,7 +178,7 @@ typedef struct {
%token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SOURCE MTA PKI SCHEDULER
%token ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHE
%token AUTH_OPTIONAL TLS_REQUIRE USERBASE SENDER SENDERS MASK_SOURCE VERIFY FORWARDONLY RECIPIENT
-%token CIPHERS RECEIVEDAUTH MASQUERADE SOCKET SUBADDRESSING_DELIM
+%token CIPHERS RECEIVEDAUTH MASQUERADE SOCKET SUBADDRESSING_DELIM AUTHENTICATED
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.table> table
@@ -272,6 +272,11 @@ tagged : TAGGED negation STRING {
}
;
+authenticated : AUTHENTICATED {
+ rule->r_wantauth = 1;
+ }
+ ;
+
bouncedelay : STRING {
time_t d;
int i;
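Review bot: The new `authenticated` production at the top of this hunk takes no `negation`, unlike the `tagged` production directly above it, so a rule can require an authenticated session but cannot be restricted to unauthenticated ones (e.g. a relay-denying `reject` rule), and the man page's general statement that an exclamation mark performs a reverse match will not hold for this keyword. If that asymmetry is intended, the smtpd.conf.5 entry for `authenticated` should say so explicitly; otherwise the production could accept a `negation` like its siblings and store it alongside the flag, e.g. `rule->r_wantauth = 1; rule->r_negauth = $2;`, with ruleset.c comparing the envelope flag against both. `rule` is presumably the file-scope pointer to the rule under construction, as the `tagged` action uses it, but its declaration is outside the hunk.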
@@ -1377,6 +1382,7 @@ opt_decision : sender
| from
| for
| tagged
+ | authenticated
;
decision : opt_decision decision
|
@@ -1487,6 +1493,7 @@ lookup(char *s)
{ "as", AS },
{ "auth", AUTH },
{ "auth-optional", AUTH_OPTIONAL },
+ { "authenticated", AUTHENTICATED },
{ "backup", BACKUP },
{ "bounce-warn", BOUNCEWARN },
{ "ca", CA },
diff --git a/usr.sbin/smtpd/ruleset.c b/usr.sbin/smtpd/ruleset.c
index 2b9e6855ce0..5583b6c9f77 100644
--- a/usr.sbin/smtpd/ruleset.c
+++ b/usr.sbin/smtpd/ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruleset.c,v 1.32 2015/10/27 20:14:19 gilles Exp $ */
+/* $OpenBSD: ruleset.c,v 1.33 2016/08/31 15:24:04 gilles Exp $ */
/*
* Copyright (c) 2009 Gilles Chehade <gilles@poolp.org>
@@ -56,6 +56,9 @@ ruleset_match(const struct envelope *evp)
continue;
}
+ if (r->r_wantauth && !(evp->flags & EF_AUTHENTICATED))
+ continue;
+
ret = ruleset_check_source(r->r_sources, ss, evp->flags);
if (ret == -1) {
errno = EAGAIN;
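Review bot: The added `r_wantauth` check relies on `EF_AUTHENTICATED` already being set on the envelope by the time ruleset_match runs, and this hunk does not show where that flag is set; the smtpd.conf.5 change in this commit claims the keyword also covers mail submitted through the local enqueuer, so that path should be confirmed to set the flag or the documentation overstates what the matcher does. A one-line comment above the check would make the contract visible to the next reader: `/* rule only applies to sessions flagged EF_AUTHENTICATED (SMTP AUTH or local submission) */`. Placing the check before `ruleset_check_source` means an unauthenticated session never reaches the source-table lookup (which can return -1/EAGAIN), which is the cheaper order and looks intentional. ruleset_match starts and ends outside the hunk.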
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 416811e8305..0b19384dbe8 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.163 2016/08/31 13:55:32 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.164 2016/08/31 15:24:04 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -82,7 +82,16 @@ the default action is to reject the message.
An exclamation mark may be specified to perform a reverse match.
.Pp
Following the accept/reject
-decision comes the optional tag matching:
+decision comes the matching of optional session related properties:
+.Bl -tag -width Ds
+.It Xo
+.Ic authenticated
+.Xc
+If specified, the rule will only be matched if the client session was
+authenticated either by requesting authentication over the network or
+because message was submitted over the local enqueuer.
+.El
+.Pp
.Bl -tag -width Ds
.It Xo
.Ic tagged
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index c8bbbd0ac01..a2a01c5f551 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.517 2016/08/31 10:18:08 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.518 2016/08/31 15:24:04 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -395,6 +395,8 @@ struct rule {
enum dest_type r_desttype;
struct table *r_destination;
+ uint8_t r_wantauth;
+
enum action_type r_action;
union rule_dest {
char buffer[EXPAND_BUFFER];