authorgilles <gilles@openbsd.org>2020-01-08 01:41:11 +0000
committergilles <gilles@openbsd.org>2020-01-08 01:41:11 +0000
commitbdf9247d5599b621ad765bb3e5badebd06af110d (patch)
treef8fcf6a0339763115c123b885e09098214a63eab /usr.sbin/smtpd
parentenable builtin filtering for commit phase (diff)
allow using the session username in builtin filters when available
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/lka_filter.c56
-rw-r--r--usr.sbin/smtpd/parse.y47
-rw-r--r--usr.sbin/smtpd/smtpd.conf.510
-rw-r--r--usr.sbin/smtpd/smtpd.h11
4 files changed, 116 insertions, 8 deletions
diff --git a/usr.sbin/smtpd/lka_filter.c b/usr.sbin/smtpd/lka_filter.c
index fc85192848a..9141c39f040 100644
--- a/usr.sbin/smtpd/lka_filter.c
+++ b/usr.sbin/smtpd/lka_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka_filter.c,v 1.59 2020/01/08 00:33:29 gilles Exp $ */
+/* $OpenBSD: lka_filter.c,v 1.60 2020/01/08 01:41:11 gilles Exp $ */
/*
* Copyright (c) 2018 Gilles Chehade <gilles@poolp.org>
@@ -80,6 +80,7 @@ struct filter_session {
int fcrdns;
char *helo;
+ char *username;
char *mail_from;
enum filter_phase phase;
@@ -530,6 +531,7 @@ lka_filter_end(uint64_t reqid)
free(fs->rdns);
free(fs->helo);
free(fs->mail_from);
+ free(fs->username);
free(fs->lastparam);
free(fs);
log_trace(TRACE_FILTERS, "%016"PRIx64" filters session-end", reqid);
@@ -886,7 +888,6 @@ filter_protocol(uint64_t reqid, enum filter_phase phase, const char *param)
param = nparam;
break;
case FILTER_STARTTLS:
- case FILTER_AUTH:
/* TBD */
break;
default:
@@ -1110,6 +1111,47 @@ filter_check_helo_regex(struct filter *filter, const char *key)
}
static int
+filter_check_auth(struct filter *filter, const char *username)
+{
+ int ret = 0;
+
+ if (!filter->config->auth)
+ return 0;
+
+ ret = username ? 1 : 0;
+
+ return filter->config->not_auth < 0 ? !ret : ret;
+}
+
+static int
+filter_check_auth_table(struct filter *filter, enum table_service kind, const char *key)
+{
+ int ret = 0;
+
+ if (filter->config->auth_table == NULL)
+ return 0;
+
+ if (key && table_match(filter->config->auth_table, kind, key) > 0)
+ ret = 1;
+
+ return filter->config->not_auth_table < 0 ? !ret : ret;
+}
+
+static int
+filter_check_auth_regex(struct filter *filter, const char *key)
+{
+ int ret = 0;
+
+ if (filter->config->auth_regex == NULL)
+ return 0;
+
+ if (key && table_match(filter->config->auth_regex, K_REGEX, key) > 0)
+ ret = 1;
+ return filter->config->not_auth_regex < 0 ? !ret : ret;
+}
+
+
+static int
filter_check_mail_from_table(struct filter *filter, enum table_service kind, const char *key)
{
int ret = 0;
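Review bot: filter_check_auth_table applies the negation to a single table kind, but filter_builtins_global (the next hunk, L99-L109 of this diff) calls it once with K_STRING and once with K_CREDENTIALS joined by `||`, so a negated `!auth <table>` fires as soon as the username is absent under one kind even when it is present under the other, and the non-negated form short-circuits on the first hit only by luck of ordering. Doing both lookups inside the function before `not_auth_table` is applied gives the negation its intended "not in the table under either kind" meaning and reduces the call site to a single `filter_check_auth_table(filter, fs->username) ||`. A session with no username (key NULL) still satisfies the negated form; if that is intended it deserves a comment. As a matter of style, filter_check_auth_regex lacks the blank line before its `return` that its siblings have, and two blank lines follow it.
```c
static int
filter_check_auth_table(struct filter *filter, const char *key)
{
	int ret = 0;

	if (filter->config->auth_table == NULL)
		return 0;

	/* look the username up as both K_STRING and K_CREDENTIALS before
	 * applying the negation, so "!auth <table>" means "not present in
	 * the table under either kind" */
	if (key && (table_match(filter->config->auth_table, K_STRING, key) > 0 ||
	    table_match(filter->config->auth_table, K_CREDENTIALS, key) > 0))
		ret = 1;

	return filter->config->not_auth_table < 0 ? !ret : ret;
}
```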
@@ -1211,6 +1253,10 @@ filter_builtins_global(struct filter_session *fs, struct filter *filter, uint64_
filter_check_src_regex(filter, ss_to_text(&fs->ss_src)) ||
filter_check_helo_table(filter, K_DOMAIN, fs->helo) ||
filter_check_helo_regex(filter, fs->helo) ||
+ filter_check_auth(filter, fs->username) ||
+ filter_check_auth_table(filter, K_STRING, fs->username) ||
+ filter_check_auth_table(filter, K_CREDENTIALS, fs->username) ||
+ filter_check_auth_regex(filter, fs->username) ||
filter_check_mail_from_table(filter, K_MAILADDR, fs->mail_from) ||
filter_check_mail_from_regex(filter, fs->mail_from);
}
@@ -1424,6 +1470,12 @@ void
lka_report_smtp_link_auth(const char *direction, struct timeval *tv, uint64_t reqid,
const char *username, const char *result)
{
+ struct filter_session *fs;
+
+ if (strcmp(result, "pass") == 0) {
+ fs = tree_xget(&sessions, reqid);
+ fs->username = xstrdup(username);
+ }
report_smtp_broadcast(reqid, direction, tv, "link-auth", "%s|%s\n",
username, result);
}
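Review bot: lka_report_smtp_link_auth assigns a fresh xstrdup() to fs->username without releasing any previous value, so if a session can report a successful link-auth more than once the earlier string leaks until lka_filter_end frees the last one; `free(fs->username);` immediately before the assignment costs nothing and makes the field's ownership explicit. Whether a second AUTH can reach this point depends on the SMTP session code outside this diff, so the guard is defensive rather than a known leak. A one-line comment above the strcmp, `/* remembered only on successful authentication; consulted by the auth builtin checks */`, would explain why only a "pass" result is recorded.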
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 41f98ed05cd..ef332a7fc61 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.272 2019/12/21 11:07:38 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.273 2020/01/08 01:41:11 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1599,6 +1599,25 @@ negation HELO REGEX tables {
}
;
+filter_phase_check_auth:
+negation AUTH {
+ filter_config->not_auth = $1 ? -1 : 1;
+ filter_config->auth = 1;
+}
+;
+filter_phase_check_auth_table:
+negation AUTH tables {
+ filter_config->not_auth_table = $1 ? -1 : 1;
+ filter_config->auth_table = $3;
+}
+;
+filter_phase_check_auth_regex:
+negation AUTH REGEX tables {
+ filter_config->not_auth_regex = $1 ? -1 : 1;
+ filter_config->auth_regex = $4;
+}
+;
+
filter_phase_check_mail_from_table:
negation MAIL_FROM tables {
filter_config->not_mail_from_table = $1 ? -1 : 1;
@@ -1641,9 +1660,20 @@ filter_phase_check_helo_table |
filter_phase_check_helo_regex |
filter_phase_global_options;
+filter_phase_auth_options:
+filter_phase_check_helo_table |
+filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
+filter_phase_global_options;
+
filter_phase_mail_from_options:
filter_phase_check_helo_table |
filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
filter_phase_check_mail_from_table |
filter_phase_check_mail_from_regex |
filter_phase_global_options;
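Review bot: filter_phase_auth_options offers the auth, auth table and auth regex checks within the auth phase itself, yet those checks read fs->username, which lka_report_smtp_link_auth fills only from a link-auth report whose result is "pass"; if the auth phase is evaluated when the AUTH command is received rather than after it completes, the checks in that phase will always see a NULL username. The ordering of the phase evaluation and the report is not visible in this diff, so this is worth confirming; if it holds, either drop the three auth checks from filter_phase_auth_options or document in smtpd.conf.5 that they are meaningful only from mail-from onwards.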
@@ -1651,6 +1681,9 @@ filter_phase_global_options;
filter_phase_rcpt_to_options:
filter_phase_check_helo_table |
filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
filter_phase_check_mail_from_table |
filter_phase_check_mail_from_regex |
filter_phase_check_rcpt_to_table |
@@ -1660,6 +1693,9 @@ filter_phase_global_options;
filter_phase_data_options:
filter_phase_check_helo_table |
filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
filter_phase_check_mail_from_table |
filter_phase_check_mail_from_regex |
filter_phase_global_options;
@@ -1684,6 +1720,9 @@ filter_phase_global_options;
filter_phase_commit_options:
filter_phase_check_helo_table |
filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
filter_phase_check_mail_from_table |
filter_phase_check_mail_from_regex |
filter_phase_global_options;
@@ -1708,6 +1747,11 @@ EHLO {
} MATCH filter_phase_helo_options filter_action_builtin
;
+filter_phase_auth:
+AUTH {
+} MATCH filter_phase_auth_options filter_action_builtin
+;
+
filter_phase_mail_from:
MAIL_FROM {
filter_config->phase = FILTER_MAIL_FROM;
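Review bot: the action block of the new filter_phase_auth rule is empty, whereas the sibling rules set the phase (`filter_config->phase = FILTER_MAIL_FROM;` two lines below, and the ehlo rule just above this hunk), so a `phase auth` filter appears to keep whatever phase filter_config held before it. Unless the phase is assigned by a rule outside this hunk, the action should read `filter_config->phase = FILTER_AUTH;`; the constant exists, since filter_protocol in lka_filter.c listed it until this commit removed that case.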
@@ -1764,6 +1808,7 @@ filter_phase:
filter_phase_connect
| filter_phase_helo
| filter_phase_ehlo
+| filter_phase_auth
| filter_phase_mail_from
| filter_phase_rcpt_to
| filter_phase_data
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 74f3ca6e4a5..d6d40c99448 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.246 2019/12/19 13:34:45 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.247 2020/01/08 01:41:11 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: December 19 2019 $
+.Dd $Mdocdate: January 8 2020 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
@@ -979,8 +979,10 @@ but other data must have been already submitted before they are available.
.It rdns Pf < Ar table Ns > Ta session has a reverse DNS in table
.It src Pf < Ar table Ns > Ta source address is in table
.It helo Pf < Ar table Ns > Ta helo name is in table
-.It mail-from Pf < Ar table Ns > Ta sender address is in table
-.It rcpt-to Pf < Ar table Ns > Ta recipient address is in table
+.It auth Ta session is authenticated
+.It auth Pf < Ar table Ns > Ta session username is in table
+.It mail-from Pf < Ar table Ns > Ta sender address is in table
+.It rcpt-to Pf < Ar table Ns > Ta recipient address is in table
.El
.Pp
These conditions may all be negated by prefixing them with an exclamation mark:
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 7e59d4d32b2..b1a90d375fe 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.649 2019/12/21 10:40:20 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.650 2020/01/08 01:41:11 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1093,6 +1093,15 @@ struct filter_config {
int8_t not_helo_regex;
struct table *helo_regex;
+ int8_t not_auth;
+ int8_t auth;
+
+ int8_t not_auth_table;
+ struct table *auth_table;
+
+ int8_t not_auth_regex;
+ struct table *auth_regex;
+
int8_t not_mail_from_table;
struct table *mail_from_table;