[PATCH] Mail: Support SASL EXTERNAL (RFC 4422)

Maxim Dounin mdounin at mdounin.ru
Thu Oct 13 05:50:29 UTC 2016


Hello!

On Sat, Oct 08, 2016 at 06:31:02PM +1100, Rob N ★ wrote:

> # HG changeset patch
> # User Rob N ★ <robn at fastmail.com>
> # Date 1475910300 -39600
> #      Sat Oct 08 18:05:00 2016 +1100
> # Node ID 205f2148260460379f9b0889cdb8015994028c73
> # Parent  1606a817c1d48ed351f1dd7d9cb9c996e2c77b9a
> Mail: Support SASL EXTERNAL (RFC 4422)
> 
> This is needed to allow TLS client certificate auth to work. With
> ssl_verify_client configured, the auth daemon can choose to allow the
> connection to proceed based on the certificate data.
> 
> This has been tested with Thunderbird for IMAP only. I've not yet found a
> client that will do client certificate auth for POP3 or SMTP, and the method is
> not really documented anywhere that I can find. That said, its simple enough
> that the way I've done is probably right.

Thank you for the patch.  Overral it looks good, though there are 
some things I would like to do differently in the pop3 module.  
See below.

[...]

> diff -r 1606a817c1d4 -r 205f21482604 src/mail/ngx_mail_pop3_module.c
> --- a/src/mail/ngx_mail_pop3_module.c	Fri Oct 07 16:59:14 2016 +0300
> +++ b/src/mail/ngx_mail_pop3_module.c	Sat Oct 08 18:05:00 2016 +1100
> @@ -29,23 +29,33 @@
>      { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
>      { ngx_string("apop"), NGX_MAIL_AUTH_APOP_ENABLED },
>      { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
> +    { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
>      { ngx_null_string, 0 }
>  };
>  
>  
> -static ngx_str_t  ngx_mail_pop3_auth_plain_capability =
> -    ngx_string("+OK methods supported:" CRLF
> -               "LOGIN" CRLF
> -               "PLAIN" CRLF
> -               "." CRLF);
> +static ngx_str_t  ngx_mail_pop3_auth_methods_capabilities[] = {
> +    ngx_string("LOGIN PLAIN"),
> +    ngx_null_string,  /* LOGIN */
> +    ngx_null_string,  /* APOP */
> +    ngx_string("CRAM-MD5"),
> +    ngx_string("EXTERNAL"),
> +    ngx_null_string   /* NONE */
> +};
>  
>  
> -static ngx_str_t  ngx_mail_pop3_auth_cram_md5_capability =
> -    ngx_string("+OK methods supported:" CRLF
> -               "LOGIN" CRLF
> -               "PLAIN" CRLF
> -               "CRAM-MD5" CRLF
> -               "." CRLF);
> +static ngx_str_t  ngx_mail_pop3_auth_methods_authnames[] = {
> +    ngx_string("LOGIN" CRLF "PLAIN" CRLF),
> +    ngx_null_string,  /* LOGIN */
> +    ngx_null_string,  /* APOP */
> +    ngx_string("CRAM-MD5" CRLF),
> +    ngx_string("EXTERNAL" CRLF),
> +    ngx_null_string   /* NONE */
> +};
> +
> +
> +static ngx_str_t  ngx_mail_pop3_auth_capability =
> +    ngx_string("+OK methods supported:" CRLF);

It would be much easier to just have a list of method names 
instead, much like IMAP module do.  The fact that that LOGIN is 
expected to be switched on along with PLAIN can be easily handled 
elsewhere in the code.

This will result in switched order of methods ("PLAIN LOGIN" 
instead of "LOGIN PLAIN" used to be previously), but I don't think 
this is important for any reasonable client.

Also, this probably should be a separate preparatory patch to 
simplify things.

Below is the pop3 part rewritten to use just a method names (and 
few other style issues fixed), and your patch on top of it.

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1476333412 -10800
#      Thu Oct 13 07:36:52 2016 +0300
# Node ID 6c5362af49924af0e6f478a89ffa3f1dbdae3ddd
# Parent  7cdf69d012f02a80c94d930b29c71847e203e4d6
Mail: extensible auth methods in pop3 module.

diff --git a/src/mail/ngx_mail_pop3_module.c b/src/mail/ngx_mail_pop3_module.c
--- a/src/mail/ngx_mail_pop3_module.c
+++ b/src/mail/ngx_mail_pop3_module.c
@@ -33,19 +33,13 @@ static ngx_conf_bitmask_t  ngx_mail_pop3
 };
 
 
-static ngx_str_t  ngx_mail_pop3_auth_plain_capability =
-    ngx_string("+OK methods supported:" CRLF
-               "LOGIN" CRLF
-               "PLAIN" CRLF
-               "." CRLF);
-
-
-static ngx_str_t  ngx_mail_pop3_auth_cram_md5_capability =
-    ngx_string("+OK methods supported:" CRLF
-               "LOGIN" CRLF
-               "PLAIN" CRLF
-               "CRAM-MD5" CRLF
-               "." CRLF);
+static ngx_str_t  ngx_mail_pop3_auth_methods_names[] = {
+    ngx_string("PLAIN"),
+    ngx_string("LOGIN"),
+    ngx_null_string,  /* APOP */
+    ngx_string("CRAM-MD5"),
+    ngx_null_string   /* NONE */
+};
 
 
 static ngx_mail_protocol_t  ngx_mail_pop3_protocol = {
@@ -140,13 +134,17 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
     u_char      *p;
     size_t       size, stls_only_size;
     ngx_str_t   *c, *d;
-    ngx_uint_t   i;
+    ngx_uint_t   i, m;
 
     ngx_conf_merge_bitmask_value(conf->auth_methods,
                                  prev->auth_methods,
                                  (NGX_CONF_BITMASK_SET
                                   |NGX_MAIL_AUTH_PLAIN_ENABLED));
 
+    if (conf->auth_methods & NGX_MAIL_AUTH_PLAIN_ENABLED) {
+        conf->auth_methods |= NGX_MAIL_AUTH_LOGIN_ENABLED;
+    }
+
     if (conf->capabilities.nelts == 0) {
         conf->capabilities = prev->capabilities;
     }
@@ -179,11 +177,15 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
         stls_only_size += c[i].len + sizeof(CRLF) - 1;
     }
 
-    if (conf->auth_methods & NGX_MAIL_AUTH_CRAM_MD5_ENABLED) {
-        size += sizeof("SASL LOGIN PLAIN CRAM-MD5" CRLF) - 1;
+    size += sizeof("SASL") - 1 + sizeof(CRLF) - 1;
 
-    } else {
-        size += sizeof("SASL LOGIN PLAIN" CRLF) - 1;
+    for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
+         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <<= 1, i++)
+    {
+        if (m & conf->auth_methods) {
+            size += 1 + ngx_mail_pop3_auth_methods_names[i].len;
+        }
     }
 
     p = ngx_pnalloc(cf->pool, size);
@@ -202,15 +204,21 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
         *p++ = CR; *p++ = LF;
     }
 
-    if (conf->auth_methods & NGX_MAIL_AUTH_CRAM_MD5_ENABLED) {
-        p = ngx_cpymem(p, "SASL LOGIN PLAIN CRAM-MD5" CRLF,
-                       sizeof("SASL LOGIN PLAIN CRAM-MD5" CRLF) - 1);
+    p = ngx_cpymem(p, "SASL", sizeof("SASL") - 1);
 
-    } else {
-        p = ngx_cpymem(p, "SASL LOGIN PLAIN" CRLF,
-                       sizeof("SASL LOGIN PLAIN" CRLF) - 1);
+    for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
+         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <<= 1, i++)
+    {
+        if (m & conf->auth_methods) {
+            *p++ = ' ';
+            p = ngx_cpymem(p, ngx_mail_pop3_auth_methods_names[i].data,
+                           ngx_mail_pop3_auth_methods_names[i].len);
+        }
     }
 
+    *p++ = CR; *p++ = LF;
+
     *p++ = '.'; *p++ = CR; *p = LF;
 
 
@@ -231,13 +239,43 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
     *p++ = '.'; *p++ = CR; *p = LF;
 
 
-    if (conf->auth_methods & NGX_MAIL_AUTH_CRAM_MD5_ENABLED) {
-        conf->auth_capability = ngx_mail_pop3_auth_cram_md5_capability;
+    size = sizeof("+OK methods supported:" CRLF) - 1
+           + sizeof("." CRLF) - 1;
 
-    } else {
-        conf->auth_capability = ngx_mail_pop3_auth_plain_capability;
+    for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
+         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <<= 1, i++)
+    {
+        if (m & conf->auth_methods) {
+            size += ngx_mail_pop3_auth_methods_names[i].len
+                    + sizeof(CRLF) - 1;
+        }
     }
 
+    p = ngx_pnalloc(cf->pool, size);
+    if (p == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    conf->auth_capability.data = p;
+    conf->auth_capability.len = size;
+
+    p = ngx_cpymem(p, "+OK methods supported:" CRLF,
+                   sizeof("+OK methods supported:" CRLF) - 1);
+
+    for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
+         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <<= 1, i++)
+    {
+        if (m & conf->auth_methods) {
+            p = ngx_cpymem(p, ngx_mail_pop3_auth_methods_names[i].data,
+                           ngx_mail_pop3_auth_methods_names[i].len);
+            *p++ = CR; *p++ = LF;
+        }
+    }
+
+    *p++ = '.'; *p++ = CR; *p = LF;
+
 
     p = ngx_pnalloc(cf->pool, stls_only_size);
     if (p == NULL) {
# HG changeset patch
# User Rob N ★ <robn at fastmail.com>
# Date 1475910300 -39600
#      Sat Oct 08 18:05:00 2016 +1100
# Node ID 63ed6c3acaa00c348d91ec84436fa05bd4afc96b
# Parent  6c5362af49924af0e6f478a89ffa3f1dbdae3ddd
Mail: support SASL EXTERNAL (RFC 4422).

This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.

diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -132,7 +132,8 @@ typedef enum {
     ngx_pop3_auth_login_username,
     ngx_pop3_auth_login_password,
     ngx_pop3_auth_plain,
-    ngx_pop3_auth_cram_md5
+    ngx_pop3_auth_cram_md5,
+    ngx_pop3_auth_external
 } ngx_pop3_state_e;
 
 
@@ -142,6 +143,7 @@ typedef enum {
     ngx_imap_auth_login_password,
     ngx_imap_auth_plain,
     ngx_imap_auth_cram_md5,
+    ngx_imap_auth_external,
     ngx_imap_login,
     ngx_imap_user,
     ngx_imap_passwd
@@ -154,6 +156,7 @@ typedef enum {
     ngx_smtp_auth_login_password,
     ngx_smtp_auth_plain,
     ngx_smtp_auth_cram_md5,
+    ngx_smtp_auth_external,
     ngx_smtp_helo,
     ngx_smtp_helo_xclient,
     ngx_smtp_helo_from,
@@ -285,14 +288,16 @@ typedef struct {
 #define NGX_MAIL_AUTH_LOGIN_USERNAME    2
 #define NGX_MAIL_AUTH_APOP              3
 #define NGX_MAIL_AUTH_CRAM_MD5          4
-#define NGX_MAIL_AUTH_NONE              5
+#define NGX_MAIL_AUTH_EXTERNAL          5
+#define NGX_MAIL_AUTH_NONE              6
 
 
 #define NGX_MAIL_AUTH_PLAIN_ENABLED     0x0002
 #define NGX_MAIL_AUTH_LOGIN_ENABLED     0x0004
 #define NGX_MAIL_AUTH_APOP_ENABLED      0x0008
 #define NGX_MAIL_AUTH_CRAM_MD5_ENABLED  0x0010
-#define NGX_MAIL_AUTH_NONE_ENABLED      0x0020
+#define NGX_MAIL_AUTH_EXTERNAL_ENABLED  0x0020
+#define NGX_MAIL_AUTH_NONE_ENABLED      0x0040
 
 
 #define NGX_MAIL_PARSE_INVALID_COMMAND  20
@@ -377,6 +382,8 @@ ngx_int_t ngx_mail_auth_login_password(n
 ngx_int_t ngx_mail_auth_cram_md5_salt(ngx_mail_session_t *s,
     ngx_connection_t *c, char *prefix, size_t len);
 ngx_int_t ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c);
+ngx_int_t ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
+    ngx_uint_t n);
 ngx_int_t ngx_mail_auth_parse(ngx_mail_session_t *s, ngx_connection_t *c);
 
 void ngx_mail_send(ngx_event_t *wev);
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -151,6 +151,7 @@ static ngx_str_t   ngx_mail_auth_http_me
     ngx_string("plain"),
     ngx_string("apop"),
     ngx_string("cram-md5"),
+    ngx_string("external"),
     ngx_string("none")
 };
 
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -612,6 +612,40 @@ ngx_mail_auth_cram_md5(ngx_mail_session_
 }
 
 
+ngx_int_t
+ngx_mail_auth_external(ngx_mail_session_t *s, ngx_connection_t *c,
+    ngx_uint_t n)
+{
+    ngx_str_t  *arg, external;
+
+    arg = s->args.elts;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                   "mail auth external: \"%V\"", &arg[n]);
+
+    external.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+    if (external.data == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (ngx_decode_base64(&external, &arg[n]) != NGX_OK) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+            "client sent invalid base64 encoding in AUTH EXTERNAL command");
+        return NGX_MAIL_PARSE_INVALID_COMMAND;
+    }
+
+    s->login.len = external.len;
+    s->login.data = external.data;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                   "mail auth external: \"%V\"", &s->login);
+
+    s->auth_method = NGX_MAIL_AUTH_EXTERNAL;
+
+    return NGX_DONE;
+}
+
+
 void
 ngx_mail_send(ngx_event_t *wev)
 {
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c
--- a/src/mail/ngx_mail_imap_handler.c
+++ b/src/mail/ngx_mail_imap_handler.c
@@ -222,6 +222,10 @@ ngx_mail_imap_auth_state(ngx_event_t *re
         case ngx_imap_auth_cram_md5:
             rc = ngx_mail_auth_cram_md5(s, c);
             break;
+
+        case ngx_imap_auth_external:
+            rc = ngx_mail_auth_external(s, c, 0);
+            break;
         }
 
     } else if (rc == NGX_IMAP_NEXT) {
@@ -399,6 +403,13 @@ ngx_mail_imap_authenticate(ngx_mail_sess
         }
 
         return NGX_ERROR;
+
+    case NGX_MAIL_AUTH_EXTERNAL:
+
+        ngx_str_set(&s->out, imap_username);
+        s->mail_state = ngx_imap_auth_external;
+
+        return NGX_OK;
     }
 
     return rc;
diff --git a/src/mail/ngx_mail_imap_module.c b/src/mail/ngx_mail_imap_module.c
--- a/src/mail/ngx_mail_imap_module.c
+++ b/src/mail/ngx_mail_imap_module.c
@@ -29,6 +29,7 @@ static ngx_conf_bitmask_t  ngx_mail_imap
     { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
     { ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED },
     { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
+    { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
     { ngx_null_string, 0 }
 };
 
@@ -38,6 +39,7 @@ static ngx_str_t  ngx_mail_imap_auth_met
     ngx_string("AUTH=LOGIN"),
     ngx_null_string,  /* APOP */
     ngx_string("AUTH=CRAM-MD5"),
+    ngx_string("AUTH=EXTERNAL"),
     ngx_null_string   /* NONE */
 };
 
@@ -179,7 +181,7 @@ ngx_mail_imap_merge_srv_conf(ngx_conf_t 
     }
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
@@ -205,7 +207,7 @@ ngx_mail_imap_merge_srv_conf(ngx_conf_t 
     auth = p;
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -905,13 +905,27 @@ ngx_mail_auth_parse(ngx_mail_session_t *
 
     if (arg[0].len == 8) {
 
-        if (s->args.nelts != 1) {
-            return NGX_MAIL_PARSE_INVALID_COMMAND;
+        if (ngx_strncasecmp(arg[0].data, (u_char *) "CRAM-MD5", 8) == 0) {
+
+            if (s->args.nelts != 1) {
+                return NGX_MAIL_PARSE_INVALID_COMMAND;
+            }
+
+            return NGX_MAIL_AUTH_CRAM_MD5;
         }
 
-        if (ngx_strncasecmp(arg[0].data, (u_char *) "CRAM-MD5", 8) == 0) {
-            return NGX_MAIL_AUTH_CRAM_MD5;
+        if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) {
+
+            if (s->args.nelts == 1) {
+                return NGX_MAIL_AUTH_EXTERNAL;
+            }
+
+            if (s->args.nelts == 2) {
+                return ngx_mail_auth_external(s, c, 1);
+            }
         }
+
+        return NGX_MAIL_PARSE_INVALID_COMMAND;
     }
 
     return NGX_MAIL_PARSE_INVALID_COMMAND;
diff --git a/src/mail/ngx_mail_pop3_handler.c b/src/mail/ngx_mail_pop3_handler.c
--- a/src/mail/ngx_mail_pop3_handler.c
+++ b/src/mail/ngx_mail_pop3_handler.c
@@ -240,6 +240,10 @@ ngx_mail_pop3_auth_state(ngx_event_t *re
         case ngx_pop3_auth_cram_md5:
             rc = ngx_mail_auth_cram_md5(s, c);
             break;
+
+        case ngx_pop3_auth_external:
+            rc = ngx_mail_auth_external(s, c, 0);
+            break;
         }
     }
 
@@ -494,6 +498,13 @@ ngx_mail_pop3_auth(ngx_mail_session_t *s
         }
 
         return NGX_ERROR;
+
+    case NGX_MAIL_AUTH_EXTERNAL:
+
+        ngx_str_set(&s->out, pop3_username);
+        s->mail_state = ngx_pop3_auth_external;
+
+        return NGX_OK;
     }
 
     return rc;
diff --git a/src/mail/ngx_mail_pop3_module.c b/src/mail/ngx_mail_pop3_module.c
--- a/src/mail/ngx_mail_pop3_module.c
+++ b/src/mail/ngx_mail_pop3_module.c
@@ -29,6 +29,7 @@ static ngx_conf_bitmask_t  ngx_mail_pop3
     { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
     { ngx_string("apop"), NGX_MAIL_AUTH_APOP_ENABLED },
     { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
+    { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
     { ngx_null_string, 0 }
 };
 
@@ -38,6 +39,7 @@ static ngx_str_t  ngx_mail_pop3_auth_met
     ngx_string("LOGIN"),
     ngx_null_string,  /* APOP */
     ngx_string("CRAM-MD5"),
+    ngx_string("EXTERNAL"),
     ngx_null_string   /* NONE */
 };
 
@@ -180,7 +182,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
     size += sizeof("SASL") - 1 + sizeof(CRLF) - 1;
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
@@ -207,7 +209,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
     p = ngx_cpymem(p, "SASL", sizeof("SASL") - 1);
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
@@ -243,7 +245,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
            + sizeof("." CRLF) - 1;
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
@@ -264,7 +266,7 @@ ngx_mail_pop3_merge_srv_conf(ngx_conf_t 
                    sizeof("+OK methods supported:" CRLF) - 1);
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -485,6 +485,10 @@ ngx_mail_smtp_auth_state(ngx_event_t *re
         case ngx_smtp_auth_cram_md5:
             rc = ngx_mail_auth_cram_md5(s, c);
             break;
+
+        case ngx_smtp_auth_external:
+            rc = ngx_mail_auth_external(s, c, 0);
+            break;
         }
     }
 
@@ -652,6 +656,13 @@ ngx_mail_smtp_auth(ngx_mail_session_t *s
         }
 
         return NGX_ERROR;
+
+    case NGX_MAIL_AUTH_EXTERNAL:
+
+        ngx_str_set(&s->out, smtp_username);
+        s->mail_state = ngx_smtp_auth_external;
+
+        return NGX_OK;
     }
 
     return rc;
diff --git a/src/mail/ngx_mail_smtp_module.c b/src/mail/ngx_mail_smtp_module.c
--- a/src/mail/ngx_mail_smtp_module.c
+++ b/src/mail/ngx_mail_smtp_module.c
@@ -21,6 +21,7 @@ static ngx_conf_bitmask_t  ngx_mail_smtp
     { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED },
     { ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED },
     { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED },
+    { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED },
     { ngx_string("none"), NGX_MAIL_AUTH_NONE_ENABLED },
     { ngx_null_string, 0 }
 };
@@ -31,6 +32,7 @@ static ngx_str_t  ngx_mail_smtp_auth_met
     ngx_string("LOGIN"),
     ngx_null_string,  /* APOP */
     ngx_string("CRAM-MD5"),
+    ngx_string("EXTERNAL"),
     ngx_null_string   /* NONE */
 };
 
@@ -207,7 +209,7 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t 
     auth_enabled = 0;
 
     for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-         m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+         m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
          m <<= 1, i++)
     {
         if (m & conf->auth_methods) {
@@ -250,7 +252,7 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t 
         *p++ = 'A'; *p++ = 'U'; *p++ = 'T'; *p++ = 'H';
 
         for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0;
-             m <= NGX_MAIL_AUTH_CRAM_MD5_ENABLED;
+             m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED;
              m <<= 1, i++)
         {
             if (m & conf->auth_methods) {

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx-devel mailing list