Applied, without trailing whitespace, as b1c3d2f333c807fb40b7a8e5d71086b54f69e562
Matt Simerson wrote: > > added auth_vpopmail plugin, using the perl-vpopmail module > added VPOPMAIL auth methods description to docs/authentication > added SEE ALSO section to each module, noting the VPOPMAIL description > --- > docs/authentication.pod | 41 ++++++++++++++ > plugins/auth/auth_checkpassword | 5 ++ > plugins/auth/auth_vpopmail | 113 > +++++++++++++++++++++++++++++++++++++++ > plugins/auth/auth_vpopmail_sql | 11 ++-- > plugins/auth/auth_vpopmaild | 5 ++ > 5 files changed, 170 insertions(+), 5 deletions(-) > create mode 100644 plugins/auth/auth_vpopmail > > diff --git a/docs/authentication.pod b/docs/authentication.pod > index c6df82d..9cb455c 100644 > --- a/docs/authentication.pod > +++ b/docs/authentication.pod 
> @@ -201,10 +201,51 @@ authentication attempts for this transaction. > In addition, all plugins that are registered for a specific auth hook will > be tried before any plugins which are registered for the general auth hook. > > +=head1 VPOPMAIL > + > +There are 4 authentication (smtp-auth) plugins that can be used with > +vpopmail. > + > +=over 4 > + > +=item auth_vpopmaild > + > +If you aren't sure which one to use, then use auth_vpopmaild. It > +has full support for all 3 authentication methods (PLAIN,LOGIN,CRAM-MD5), > +doesn't require the qpsmtpd process to run with special permissions, and > +can authenticate against vpopmail running on another host. It does require > +the vpopmaild server to be running. > + > +=item auth_vpopmail > + > +The next best solution is auth_vpopmail. It requires the p5-vpopmail perl > +module and it compiles against libvpopmail.a. There are two catches. The > +qpsmtpd daemon must run as the vpopmail user, and you must be running v0.09 > +or higher for CRAM-MD5 support. The released version is 0.08 but my > +CRAM-MD5 patch has been added to the developers repo: > + http://github.com/sscanlon/vpopmail > + > +=item auth_vpopmail_sql > + > +If you are using the MySQL backend for vpopmail, then this module can be > +used for smtp-auth. It has support for all three auth methods. However, it > +does not work with some vpopmail features such as alias domains, service > +restrictions, nor does it update vpopmail's last_auth information. > + > +=item auth_checkpassword > + > +The auth_checkpassword is a generic authentication module that will work > +with any DJB style checkpassword program, including ~vpopmail/bin/vchkpw. > +It only supports PLAIN and LOGIN auth methods. > + > +=back > + > =head1 AUTHOR > > John Peacock <jpeac...@cpan.org> > > +Matt Simerson <msimer...@cpan.org> (added VPOPMAIL) > + > =head1 COPYRIGHT AND LICENSE > > Copyright (c) 2004-2006 John Peacock 
> diff --git a/plugins/auth/auth_checkpassword b/plugins/auth/auth_checkpassword > index 6337ff7..c641293 100644 > --- a/plugins/auth/auth_checkpassword > +++ b/plugins/auth/auth_checkpassword > @@ -39,6 +39,11 @@ Using sudo is preferable to enabling setuid on the vchkpw > binary. If > you reinstall vpopmail and the setuid bit is lost, this plugin will be > broken. > > +=head1 SEE ALSO > + > +If you are using this plugin with vpopmail, please read the VPOPMAIL > +section in docs/authentication.pod > + > =head1 DIAGNOSTICS > > Is the path in the config/smtpauth-checkpassword correct? > diff --git a/plugins/auth/auth_vpopmail b/plugins/auth/auth_vpopmail > new file mode 100644 > index 0000000..98bc9fe > --- /dev/null > +++ b/plugins/auth/auth_vpopmail 
> @@ -0,0 +1,113 @@ > +#!/usr/bin/perl -w > +use strict; > + > +=head1 NAME > + > +auth_vpopmail - Authenticate against libvpopmail.a > + > +=head1 DESCRIPTION > + > +This plugin authenticates vpopmail users using p5-vpopmail. > +Using CRAM-MD5 requires that vpopmail be built with the > +'--enable-clear-passwd=y' option. > + > +=head1 CONFIGURATION > + > +This module will only work if qpsmtpd is running as the 'vpopmail' user. > + > +CRAM-MD5 authentication will only work with p5-vpopmail 0.09 or higher. > + http://github.com/sscanlon/vpopmail > + > +Decide which authentication methods you are willing to support and uncomment > +the lines in the register() sub. See the POD for Qspmtpd::Auth for more > +details on the ramifications of supporting various authentication methods. > + > +=head1 SEE ALSO > + > +For an overview of the vpopmail authentication plugins and their merits, > +please read the VPOPMAIL section in docs/authentication.pod > + > +=head1 AUTHOR > + > +Matt Simerson <msimer...@cpan.org> > + > +=head1 COPYRIGHT AND LICENSE > + > +Copyright (c) 2010 Matt Simerson > + > +This plugin is licensed under the same terms as the qpsmtpd package itself. > +Please see the LICENSE file included with qpsmtpd for details. 
> + > +=cut > + > +sub register { > + my ($self, $qp) = @_; > + > + $self->register_hook("auth-plain", "auth_vpopmail" ); > + $self->register_hook("auth-login", "auth_vpopmail" ); > + $self->register_hook("auth-cram-md5", "auth_vpopmail"); > +} > + > +sub auth_vpopmail { > + use vpopmail; > + use Qpsmtpd::Constants; > + use Digest::HMAC_MD5 qw(hmac_md5_hex); > + > + my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) > = > + @_; > + my ($pw_name, $pw_domain) = split "@", lc($user); > + > + $self->log(LOGINFO, "Authenticating against vpopmail: $user"); > + > + return (DECLINED, "authvpopmail/$method - plugin not configured > correctly") > + if !test_vpopmail(); > + > + my $pw = vauth_getpw($pw_name, $pw_domain); > + my $pw_clear_passwd = $pw->{pw_clear_passwd}; > + my $pw_passwd = $pw->{pw_passwd}; > + > + # make sure the user exists > + if (!$pw || (!$pw_clear_passwd && !$pw_passwd)) { > + return (DENY, "authvpopmail/$method - invalid user"); > + > + # change DENY to DECLINED to support multiple auth plugins > + } > + > + return (OK, "authvpopmail/$method") > + if $pw_passwd eq crypt($passClear, $pw_passwd); > + > + # simplest case: clear text passwords > + if (defined $passClear && defined $pw_clear_passwd) { > + return (DENY, "authvpopmail/$method - incorrect password") > + if $passClear ne $pw_clear_passwd; > + return (OK, "authvpopmail/$method"); > + } > + > + if ($method =~ /CRAM-MD5/i) { > + > + # clear_passwd isn't defined so we cannot support CRAM-MD5 > + return (DECLINED, "authvpopmail/$method") if !defined > $pw_clear_passwd; > + > + if (defined $passHash > + and $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd)) > + { > + } > + } > + > + return (OK, "authvpopmail/$method") > + if (defined $passHash > + && $passHash eq hmac_md5_hex($ticket, $pw_clear_passwd)); > + > + return (DENY, "authvpopmail/$method - unknown error"); > +} > + > +sub test_vpopmail { > + > +# vpopmail will not allow vauth_getpw to succeed unless the requesting 
user > is vpopmail or root. > +# by default, qpsmtpd runs as the user 'qpsmtpd' and does not have > permission. > + use vpopmail; > + my ($domain) = vpopmail::vlistdomains(); > + my $r = vauth_getpw('postmaster', $domain); > + return if !$r; > + return 1; > +} > diff --git a/plugins/auth/auth_vpopmail_sql b/plugins/auth/auth_vpopmail_sql > index fd450d0..28835c5 100644 > --- a/plugins/auth/auth_vpopmail_sql > +++ b/plugins/auth/auth_vpopmail_sql > @@ -37,11 +37,7 @@ module requires that only a single record be returned from > the database. > This authentication modules does not recognize domain aliases. So, if you > have > the domain example.com, with domain aliases for example.org and example.net, > smtp-auth will only work for $u...@example.com. If you have domain aliases, > -consider using the auth_checkpassword plugin. > - > -The checkpassword plugin only supports plain and login authentications, where > -this plugin also supports CRAM-MD5. I use both modules together. I use this > one > -for CRAM-MD5 and the checkpassword plugin for plain and login. > +consider using another plugin (see SEE ALSO). > > =head1 FUTURE DIRECTION > > @@ -49,6 +45,11 @@ The default MySQL configuration for vpopmail includes a > table to log access, > lastauth, which could conceivably be updated upon sucessful authentication. > The addition of this feature is left as an exercise for someone who cares. ;) > > +=head1 SEE ALSO > + > +For an overview of the vpopmail authentication plugins and their merits, > +please read the VPOPMAIL section in docs/authentication.pod > + > =head1 AUTHOR > > John Peacock <jpeac...@cpan.org> > diff --git a/plugins/auth/auth_vpopmaild b/plugins/auth/auth_vpopmaild > index e4ab940..f9c416a 100644 > --- a/plugins/auth/auth_vpopmaild > +++ b/plugins/auth/auth_vpopmaild 
> @@ -79,6 +79,11 @@ daemon is running on a different host or port, specify as > follows: > > auth_vpopmaild host [host] port [port] > > +=head1 SEE ALSO > + > +For an overview of the vpopmail authentication plugins and their merits, > +please read the VPOPMAIL section in doc/authentication.pod > + > =head1 LINKS > > [1] http://www.qmailwiki.org/Vpopmaild > -- > 1.7.0.6 >
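Review bot: In the docs/authentication.pod hunk, the auth_vpopmail item lists only two catches (running as the vpopmail user, and "v0.09 or higher") but leaves out that CRAM-MD5 needs vpopmail built with '--enable-clear-passwd=y', which the plugin's own POD states. Since every SEE ALSO section added in this patch points readers to this overview, the clear-password requirement belongs here too. "You must be running v0.09 or higher" should also name p5-vpopmail, as the plugin POD does, so it is not read as a vpopmail or qpsmtpd version.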
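Review bot: In the new plugins/auth/auth_vpopmail file, auth_vpopmail() reads $pw->{pw_clear_passwd} and $pw->{pw_passwd} before the "make sure the user exists" test, so the !$pw check comes after the dereference it is meant to protect; move the check directly after the vauth_getpw() call. The line "return (OK, ...) if $pw_passwd eq crypt($passClear, $pw_passwd);" runs for every method with no defined() guards, although the code below it treats both $passClear and the stored password fields as possibly undefined; guard it with defined $passClear && defined $pw_passwd. The "if ($method =~ /CRAM-MD5/i)" block ends in an if with an empty body, and the hmac_md5_hex() comparison that actually returns OK sits outside the block, so it runs for any method and can be reached with $pw_clear_passwd undefined; move that return inside the CRAM-MD5 block and drop the empty if. The user name is split on "@" with no check that a domain part is present before it is passed to vauth_getpw(). test_vpopmail() repeats the vlistdomains() and postmaster lookup on every authentication attempt and could run once from register(). The POD also says "Qspmtpd::Auth" where "Qpsmtpd::Auth" is meant.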
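Review bot: In the plugins/auth/auth_vpopmaild hunk, the new SEE ALSO section refers to "doc/authentication.pod", while the diff header and the SEE ALSO text added to auth_checkpassword, auth_vpopmail and auth_vpopmail_sql all use docs/authentication.pod. Change the path to docs/authentication.pod so the reference matches the file this patch edits.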