authorGilles Chehade <gilles@poolp.org>2019-11-26 08:56:55 +0100
committerGilles Chehade <gilles@poolp.org>2019-11-26 08:56:55 +0100
commit4a84095b81aae1a98253da66e1757c4e11f18496 (patch)
tree2e2790dc1a904e4d95bd738e405879dcdeaa5585
parentsync (diff)
sync
-rw-r--r--smtpd/parse.y61
-rw-r--r--smtpd/smtpd.conf.524
2 files changed, 81 insertions, 4 deletions
diff --git a/smtpd/parse.y b/smtpd/parse.y
index f94b4685..e26ab927 100644
--- a/smtpd/parse.y
+++ b/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.265 2019/11/26 06:10:20 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.267 2019/11/26 07:50:01 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1021,7 +1021,7 @@ negation TAG REGEX tables {
YYERROR;
}
- if (!table_check_use(t, T_DYNAMIC|T_LIST, K_CREDENTIALS)) {
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_STRING|K_CREDENTIALS)) {
yyerror("table \"%s\" may not be used for auth lookups",
t->t_name);
YYERROR;
@@ -1227,6 +1227,61 @@ negation TAG REGEX tables {
rule->flag_from_rdns = 1;
rule->table_from = strdup(t->t_name);
}
+
+| negation FROM AUTH {
+ struct table *anyhost = table_find(conf, "<anyhost>");
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ rule->flag_from = 1;
+ rule->table_from = strdup(anyhost->t_name);
+ rule->flag_smtp_auth = $1 ? -1 : 1;
+}
+| negation FROM AUTH tables {
+ struct table *anyhost = table_find(conf, "<anyhost>");
+ struct table *t = $4;
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_STRING|K_CREDENTIALS)) {
+ yyerror("table \"%s\" may not be used for from lookups",
+ t->t_name);
+ YYERROR;
+ }
+
+ rule->flag_from = 1;
+ rule->table_from = strdup(anyhost->t_name);
+ rule->flag_smtp_auth = $1 ? -1 : 1;
+ rule->table_smtp_auth = strdup(t->t_name);
+}
+| negation FROM AUTH REGEX tables {
+ struct table *anyhost = table_find(conf, "<anyhost>");
+ struct table *t = $5;
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_REGEX)) {
+ yyerror("table \"%s\" may not be used for from lookups",
+ t->t_name);
+ YYERROR;
+ }
+
+ rule->flag_from = 1;
+ rule->table_from = strdup(anyhost->t_name);
+ rule->flag_smtp_auth = $1 ? -1 : 1;
+ rule->flag_smtp_auth_regex = 1;
+ rule->table_smtp_auth = strdup(t->t_name);
+}
+
| negation FROM MAIL_FROM tables {
struct table *anyhost = table_find(conf, "<anyhost>");
struct table *t = $4;
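Review bot: The three new `from auth` alternatives guard only on `rule->flag_from`, so they assign `rule->flag_smtp_auth` (and, in the table forms, `rule->table_smtp_auth`) without checking whether an auth criterion is already set on the rule. If the existing `auth` match option writes the same fields (its action is outside this hunk, so this is inferred from the field names), a rule that carries both would have the earlier polarity silently replaced and the earlier `strdup`'d table name leaked. Widening the guard in each action to `if (rule->flag_from || rule->flag_smtp_auth) {`, with an error message that names both options, would turn that into a configuration error instead. The negated form also pairs `<anyhost>` with `flag_smtp_auth = -1`, which presumably matches unauthenticated sessions from any source address; a comment such as `/* ! from auth: unauthenticated, any source -- safety depends on the rule's action */` would make that visible to the next reader. The `from mail-from` action that starts on the hunk's last lines continues outside the hunk.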
@@ -1964,7 +2019,7 @@ opt_sock_listen : FILTER STRING {
listen_opts.options |= LO_TAG;
if (strlen($2) >= SMTPD_TAG_SIZE) {
- yyerror("tag name too long");
+ yyerror("tag name too long");
free($2);
YYERROR;
}
diff --git a/smtpd/smtpd.conf.5 b/smtpd/smtpd.conf.5
index f8a9f0e0..adcf09bc 100644
--- a/smtpd/smtpd.conf.5
+++ b/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.230 2019/11/26 06:10:20 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.231 2019/11/26 07:50:01 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -607,6 +607,28 @@ Specify that session may address the regex or regex table
Specify that session may originate from any source.
.It Xo
.Op Ic \&!
+.Cm from auth
+.Xc
+Specify that session may originate from any authenticated user,
+no matter the source IP address.
+.It Xo
+.Op Ic \&!
+.Cm from auth
+.Ar user | Pf < Ar user Ns >
+.Xc
+Specify that session may originate from authenticated user or user list
+.Ar user ,
+no matter the source IP address.
+.It Xo
+.Op Ic \&!
+.Cm from auth
+.Ar user | Pf < Ar user Ns >
+.Xc
+Specify that session may originate from authenticated regex or regex list
+.Ar user ,
+no matter the source IP address.
+.It Xo
+.Op Ic \&!
.Cm from local
.Xc
Specify that session may only originate from a local IP address,