Mail: support SASL EXTERNAL (RFC 4422).
This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.
This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index c30af35..6002508 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -132,7 +132,8 @@
ngx_pop3_auth_login_username,
ngx_pop3_auth_login_password,
ngx_pop3_auth_plain,
- ngx_pop3_auth_cram_md5
+ ngx_pop3_auth_cram_md5,
+ ngx_pop3_auth_external
} ngx_pop3_state_e;
@@ -142,6 +143,7 @@
ngx_imap_auth_login_password,
ngx_imap_auth_plain,
ngx_imap_auth_cram_md5,
+ ngx_imap_auth_external,
ngx_imap_login,
ngx_imap_user,
ngx_imap_passwd
@@ -154,6 +156,7 @@
ngx_smtp_auth_login_password,
ngx_smtp_auth_plain,
ngx_smtp_auth_cram_md5,
+ ngx_smtp_auth_external,
ngx_smtp_helo,
ngx_smtp_helo_xclient,
ngx_smtp_helo_from,
@@ -285,14 +288,16 @@
#define NGX_MAIL_AUTH_LOGIN_USERNAME 2
#define NGX_MAIL_AUTH_APOP 3
#define NGX_MAIL_AUTH_CRAM_MD5 4
-#define NGX_MAIL_AUTH_NONE 5
+#define NGX_MAIL_AUTH_EXTERNAL 5
+#define NGX_MAIL_AUTH_NONE 6
#define NGX_MAIL_AUTH_PLAIN_ENABLED 0x0002
#define NGX_MAIL_AUTH_LOGIN_ENABLED 0x0004
#define NGX_MAIL_AUTH_APOP_ENABLED 0x0008
#define NGX_MAIL_AUTH_CRAM_MD5_ENABLED 0x0010
-#define NGX_MAIL_AUTH_NONE_ENABLED 0x0020
+#define NGX_MAIL_AUTH_EXTERNAL_ENABLED 0x0020
+#define NGX_MAIL_AUTH_NONE_ENABLED 0x0040
#define NGX_MAIL_PARSE_INVALID_COMMAND 20
@@ -377,6 +382,8 @@
ngx_int_t ngx_mail_auth_cram_md5_salt(ngx_mail_session_t *s,
ngx_connection_t *c, char *prefix, size_t len);
ngx_int_t ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c);
+ngx_int_t ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_uint_t n);
ngx_int_t ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c);
void ngx_mail_send(ngx_event_t *wev);
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
index a94434a..6b57358 100644
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -151,6 +151,7 @@
ngx_string("plain"),
ngx_string("apop"),
ngx_string("cram-md5"),
+ ngx_string("external"),
ngx_string("none")
};
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index 901bb8f..9d4ef56 100644
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -612,6 +612,40 @@
}
+ngx_int_t
+ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_uint_t n)
+{
+ ngx_str_t *arg, external;
+
+ arg = s->args.elts;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+ "mail auth external: \"%V\"", &arg[n]);
+
+ external.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+ if (external.data == NULL) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_decode_base64(&external, &arg[n]) != NGX_OK) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent invalid base64 encoding in AUTH EXTERNAL command");
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+ s->login.len = external.len;
+ s->login.data = external.data;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+ "mail auth external: \"%V\"", &s->login);
+
+ s->auth_method = NGX_MAIL_AUTH_EXTERNAL;
+
+ return NGX_DONE;
+}
+
+
void
ngx_mail_send(ngx_event_t *wev)
{
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c
index 57e2fb7..1c54457 100644
--- a/src/mail/ngx_mail_imap_handler.c
+++ b/src/mail/ngx_mail_imap_handler.c
@@ -222,6 +222,10 @@
case ngx_imap_auth_cram_md5:
rc = ngx_mail_auth_cram_md5(s, c);
break;
+
+ case ngx_imap_auth_external:
+ rc = ngx_mail_auth_external(s, c, 0);
+ break;
}
} else if (rc == NGX_IMAP_NEXT) {
@@ -399,6 +403,13 @@
}
return NGX_ERROR;
+
+ case NGX_MAIL_AUTH_EXTERNAL:
+
+ ngx_str_set(&s->out, imap_username);
+ s->mail_state = ngx_imap_auth_external;
+
+ return NGX_OK;
}
return rc;
diff --git a/src/mail/ngx_mail_imap_module.c b/src/mail/ngx_mail_imap_module.c
index d281070..1f187fd 100644
--- a/src/mail/ngx_mail_imap_module.c
+++ b/src/mail/ngx_mail_imap_module.c
@@ -29,6 +29,7 @@
{ ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
{ ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED },
{ ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
+ { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
{ ngx_null_string, 0 }
};
@@ -38,6 +39,7 @@
ngx_string("AUTH=LOGIN"),
ngx_null_string, /* APOP */
ngx_string("AUTH=CRAM-MD5"),
+ ngx_string("AUTH=EXTERNAL"),
ngx_null_string /* NONE */
};
@@ -179,7 +181,7 @@
}
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@@ -205,7 +207,7 @@
auth = p;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index b158f5a..2c2cdff 100644
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -905,13 +905,27 @@
if (arg[0].len == 8) {
- if (s->args.nelts != 1) {
- return NGX_MAIL_PARSE_INVALID_COMMAND;
- }
-
if (ngx_strncasecmp(arg[0].data, (u_char *) "CRAM-MD5", 8) == 0) {
+
+ if (s->args.nelts != 1) {
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
return NGX_MAIL_AUTH_CRAM_MD5;
}
+
+ if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) {
+
+ if (s->args.nelts == 1) {
+ return NGX_MAIL_AUTH_EXTERNAL;
+ }
+
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_external(s, c, 1);
+ }
+ }
+
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
}
return NGX_MAIL_PARSE_INVALID_COMMAND;
diff --git a/src/mail/ngx_mail_pop3_handler.c b/src/mail/ngx_mail_pop3_handler.c
index 51bc257..a2d5658 100644
--- a/src/mail/ngx_mail_pop3_handler.c
+++ b/src/mail/ngx_mail_pop3_handler.c
@@ -240,6 +240,10 @@
case ngx_pop3_auth_cram_md5:
rc = ngx_mail_auth_cram_md5(s, c);
break;
+
+ case ngx_pop3_auth_external:
+ rc = ngx_mail_auth_external(s, c, 0);
+ break;
}
}
@@ -494,6 +498,13 @@
}
return NGX_ERROR;
+
+ case NGX_MAIL_AUTH_EXTERNAL:
+
+ ngx_str_set(&s->out, pop3_username);
+ s->mail_state = ngx_pop3_auth_external;
+
+ return NGX_OK;
}
return rc;
diff --git a/src/mail/ngx_mail_pop3_module.c b/src/mail/ngx_mail_pop3_module.c
index efd298f..bd60e0a 100644
--- a/src/mail/ngx_mail_pop3_module.c
+++ b/src/mail/ngx_mail_pop3_module.c
@@ -29,6 +29,7 @@
{ ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
{ ngx_string("apop"), NGX_MAIL_AUTH_APOP_ENABLED },
{ ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
+ { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
{ ngx_null_string, 0 }
};
@@ -38,6 +39,7 @@
ngx_string("LOGIN"),
ngx_null_string, /* APOP */
ngx_string("CRAM-MD5"),
+ ngx_string("EXTERNAL"),
ngx_null_string /* NONE */
};
@@ -180,7 +182,7 @@
size += sizeof("SASL") - 1 + sizeof(CRLF) - 1;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@@ -207,7 +209,7 @@
p = ngx_cpymem(p, "SASL", sizeof("SASL") - 1);
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@@ -243,7 +245,7 @@
+ sizeof("." CRLF) - 1;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@@ -264,7 +266,7 @@
sizeof("+OK methods supported:" CRLF) - 1);
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
index 81cc75f..47756c3 100644
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -485,6 +485,10 @@
case ngx_smtp_auth_cram_md5:
rc = ngx_mail_auth_cram_md5(s, c);
break;
+
+ case ngx_smtp_auth_external:
+ rc = ngx_mail_auth_external(s, c, 0);
+ break;
}
}
@@ -652,6 +656,13 @@
}
return NGX_ERROR;
+
+ case NGX_MAIL_AUTH_EXTERNAL:
+
+ ngx_str_set(&s->out, smtp_username);
+ s->mail_state = ngx_smtp_auth_external;
+
+ return NGX_OK;
}
return rc;
diff --git a/src/mail/ngx_mail_smtp_module.c b/src/mail/ngx_mail_smtp_module.c
index d5bb51c..f03bd90 100644
--- a/src/mail/ngx_mail_smtp_module.c
+++ b/src/mail/ngx_mail_smtp_module.c
@@ -21,6 +21,7 @@
{ ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
{ ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED },
{ ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
+ { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
{ ngx_string("none"), NGX_MAIL_AUTH_NONE_ENABLED },
{ ngx_null_string, 0 }
};
@@ -31,6 +32,7 @@
ngx_string("LOGIN"),
ngx_null_string, /* APOP */
ngx_string("CRAM-MD5"),
+ ngx_string("EXTERNAL"),
ngx_null_string /* NONE */
};
@@ -207,7 +209,7 @@
auth_enabled = 0;
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
@@ -250,7 +252,7 @@
*p++ = 'A'; *p++ = 'U'; *p++ = 'T'; *p++ = 'H';
for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
- m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+ m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
m <<= 1, i++)
{
if (m & conf->auth_methods) {
