1/* $NetBSD: smtp_sasl_proto.c,v 1.3 2022/10/08 16:12:49 christos Exp $ */ 2 3/*++ 4/* NAME 5/* smtp_sasl_proto 3 6/* SUMMARY 7/* Postfix SASL interface for SMTP client 8/* SYNOPSIS 9/* #include smtp_sasl.h 10/* 11/* void smtp_sasl_helo_auth(state, words) 12/* SMTP_STATE *state; 13/* const char *words; 14/* 15/* int smtp_sasl_helo_login(state) 16/* SMTP_STATE *state; 17/* DESCRIPTION 18/* This module contains random chunks of code that implement 19/* the SMTP protocol interface for SASL negotiation. The goal 20/* is to reduce clutter in the main SMTP client source code. 21/* 22/* smtp_sasl_helo_auth() processes the AUTH option in the 23/* SMTP server's EHLO response. 24/* 25/* smtp_sasl_helo_login() authenticates the SMTP client to the 26/* SMTP server, using the authentication mechanism information 27/* given by the server. The result is a Postfix delivery status 28/* code in case of trouble. 29/* 30/* Arguments: 31/* .IP state 32/* Session context. 33/* .IP words 34/* List of SASL authentication mechanisms (separated by blanks) 35/* DIAGNOSTICS 36/* All errors are fatal. 37/* LICENSE 38/* .ad 39/* .fi 40/* The Secure Mailer license must be distributed with this software. 41/* AUTHOR(S) 42/* Original author: 43/* Till Franke 44/* SuSE Rhein/Main AG 45/* 65760 Eschborn, Germany 46/* 47/* Adopted by: 48/* Wietse Venema 49/* IBM T.J. Watson Research 50/* P.O. Box 704 51/* Yorktown Heights, NY 10598, USA 52/* 53/* Wietse Venema 54/* Google, Inc. 55/* 111 8th Avenue 56/* New York, NY 10011, USA 57/*--*/ 58 59/* System library. */ 60 61#include <sys_defs.h> 62#include <string.h> 63#ifdef STRCASECMP_IN_STRINGS_H 64#include <strings.h> 65#endif 66 67/* Utility library. */ 68 69#include <msg.h> 70#include <mymalloc.h> 71#include <stringops.h> 72 73/* Global library. */ 74 75#include <mail_params.h> 76#include <sasl_mech_filter.h> 77 78/* Application-specific. */ 79 80#include "smtp.h" 81#include "smtp_sasl.h" 82 83#ifdef USE_SASL_AUTH 84 85/* smtp_sasl_helo_auth - handle AUTH option in EHLO reply */ 86 87void smtp_sasl_helo_auth(SMTP_SESSION *session, const char *words) 88{ 89 const char *mech_list = sasl_mech_filter(smtp_sasl_mechs, words); 90 char *junk; 91 92 /* 93 * XXX If the server offers no compatible authentication mechanisms, then 94 * pretend that the server doesn't support SASL authentication. 95 * 96 * XXX If the server offers multiple different lists, concatenate them. Let 97 * the SASL library worry about duplicates. 98 */ 99 if (session->sasl_mechanism_list) { 100 if (strcasecmp(session->sasl_mechanism_list, mech_list) != 0 101 && strlen(mech_list) > 0 102 && strlen(session->sasl_mechanism_list) < var_line_limit) { 103 junk = concatenate(session->sasl_mechanism_list, " ", mech_list, 104 (char *) 0); 105 myfree(session->sasl_mechanism_list); 106 session->sasl_mechanism_list = junk; 107 } 108 return; 109 } 110 if (strlen(mech_list) > 0) { 111 session->sasl_mechanism_list = mystrdup(mech_list); 112 } else { 113 msg_warn(*words ? "%s offered no supported AUTH mechanisms: '%s'" : 114 "%s offered null AUTH mechanism list%s", 115 session->namaddrport, words); 116 } 117 session->features |= SMTP_FEATURE_AUTH; 118} 119 120/* smtp_sasl_helo_login - perform SASL login */ 121 122int smtp_sasl_helo_login(SMTP_STATE *state) 123{ 124 SMTP_SESSION *session = state->session; 125 DSN_BUF *why = state->why; 126 int ret; 127 128 /* 129 * Skip authentication when no authentication info exists for this 130 * server, so that we talk to each other like strangers. 131 */ 132 if (smtp_sasl_passwd_lookup(session) == 0) { 133 session->features &= ~SMTP_FEATURE_AUTH; 134 return 0; 135 } 136 137 /* 138 * Otherwise, if authentication information exists, assume that 139 * authentication is required, and assume that an authentication error is 140 * recoverable from the message delivery point of view. An authentication 141 * error is unrecoverable from a session point of view - the session will 142 * not be reused. 143 */ 144 ret = 0; 145 if (session->sasl_mechanism_list == 0) { 146 dsb_simple(why, "4.7.0", "SASL authentication failed: " 147 "server %s offered no compatible authentication mechanisms for this type of connection security", 148 session->namaddr); 149 ret = smtp_sess_fail(state); 150 /* Session reuse is disabled. */ 151 } else { 152#ifndef USE_TLS 153 smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_OPTS), var_smtp_sasl_opts); 154#else 155 if (session->tls_context == 0) 156 smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_OPTS), 157 var_smtp_sasl_opts); 158 else if (TLS_CERT_IS_MATCHED(session->tls_context)) 159 smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_TLSV_OPTS), 160 var_smtp_sasl_tlsv_opts); 161 else 162 smtp_sasl_start(session, VAR_LMTP_SMTP(SASL_TLS_OPTS), 163 var_smtp_sasl_tls_opts); 164#endif 165 if (smtp_sasl_authenticate(session, why) <= 0) { 166 ret = smtp_sess_fail(state); 167 /* Session reuse is disabled. */ 168 } 169 } 170 return (ret); 171} 172 173#endif 174