20131028
Feature: check_sasl_access to block hijacked logins. Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=dict_pcre.c /tmp/postfix-2.11-20131001/mantools/postlink ./mantools/postlink
*** /tmp/postfix-2.11-20131001/mantools/postlink Sat Sep 28 19:55:51 2013
--- ./mantools/postlink Mon Oct 28 19:45:26 2013
***************
*** 864,869 ****
--- 864,870 ----
s;\bcheck_reverse_client_hostname_access\b;$&;g;
s;\bcheck_reverse_client_hostname_mx_access\b;$&;g;
s;\bcheck_reverse_client_hostname_ns_access\b;$&;g;
+ s;\bcheck_sasl_access\b;$&;g;
s;\bpermit_inet_interfaces\b;$&;g;
s;\bpermit_mynetworks\b;$&;g;
s;\bper[-]*\n* *[]*mit_sasl_authenticated\b;$&;g;
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=dict_pcre.c /tmp/postfix-2.11-20131001/proto/postconf.proto ./proto/postconf.proto
*** /tmp/postfix-2.11-20131001/proto/postconf.proto Wed Oct 9 20:28:30 2013
--- ./proto/postconf.proto Mon Oct 28 19:55:14 2013
***************
*** 4983,4988 ****
--- 4983,4998 ----
Instead, use DUNNO in order to exclude specific hosts from blacklists.
This feature is available in Postfix 2.7 and later.
+ check_sasl_access type:table
+
+ Use the remote SMTP client SASL user name as lookup key for
+ the specified access(5) database. The lookup key has the form
+ "username@domainname" when the smtpd_sasl_local_domain parameter
+ value is non-empty. Unlike the check_client_access feature,
+ check_sasl_access does not perform matches of parent domains or IP
+ subnet ranges. This feature is available with Postfix version 2.11
+ and later.
+
permit_inet_interfaces
Permit the request when the client IP address matches
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=dict_pcre.c /tmp/postfix-2.11-20131001/src/global/mail_params.h ./src/global/mail_params.h
*** /tmp/postfix-2.11-20131001/src/global/mail_params.h Sat Sep 28 19:33:42 2013
--- ./src/global/mail_params.h Mon Oct 28 19:16:30 2013
***************
*** 2184,2189 ****
--- 2184,2190 ----
#define CHECK_CLIENT_ACL "check_client_access"
#define CHECK_REVERSE_CLIENT_ACL "check_reverse_client_hostname_access"
#define CHECK_CCERT_ACL "check_ccert_access"
+ #define CHECK_SASL_ACL "check_sasl_access"
#define CHECK_HELO_ACL "check_helo_access"
#define CHECK_SENDER_ACL "check_sender_access"
#define CHECK_RECIP_ACL "check_recipient_access"
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=dict_pcre.c /tmp/postfix-2.11-20131001/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c
*** /tmp/postfix-2.11-20131001/src/smtpd/smtpd_check.c Tue Sep 17 09:40:38 2013
--- ./src/smtpd/smtpd_check.c Mon Oct 28 19:36:01 2013
***************
*** 2823,2828 ****
--- 2823,2847 ----
return (result);
}
+ /* check_sasl_access - access by SASL user name */
+
+ #ifdef USE_SASL_AUTH
+
+ static int check_sasl_access(SMTPD_STATE *state, const char *table,
+ const char *def_acl)
+ {
+ int result;
+ int unused_found;
+
+ result = check_access(state, table, state->sasl_username,
+ DICT_FLAG_NONE, &unused_found,
+ state->sasl_username,
+ SMTPD_NAME_SASL_USER, def_acl);
+ return (result);
+ }
+
+ #endif
+
/* check_mail_access - OK/FAIL based on mail address lookup */
static int check_mail_access(SMTPD_STATE *state, const char *table,
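Review bot: check_sasl_access passes state->sasl_username straight into check_access with no NULL or empty check of its own, so its correctness depends entirely on the caller guarding `state->sasl_username && state->sasl_username[0]` first (the dispatch hunk at 3882 does this). That precondition should be stated at the definition so a future caller does not hand it an unauthenticated session: `/* Caller must ensure state->sasl_username is non-NULL and non-empty. */`. The postconf.proto text says the lookup key is "username@domainname" when smtpd_sasl_local_domain is set, but this function applies no such transformation; presumably the SASL layer already stores the name in that form, which is worth confirming and recording in the header comment. `unused_found` is a write-only output of check_access and could be noted as such, e.g. `int     unused_found;		/* check_access output, not needed here */`.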
***************
*** 3882,3887 ****
--- 3901,3913 ----
}
} else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
status = check_ccert_access(state, *cpp, def_acl);
+ #ifdef USE_SASL_AUTH
+ } else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) {
+ if (state->sasl_username && state->sasl_username[0])
+ status = check_sasl_access(state, *cpp, def_acl);
+ else
+ #endif
+ msg_warn("restriction `%s' ignored: no SASL support", name);
} else if (is_map_command(state, name, CHECK_CLIENT_NS_ACL, &cpp)) {
if (strcasecmp(state->name, "unknown") != 0) {
status = check_server_access(state, *cpp, state->name,
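Review bot: The `#ifdef USE_SASL_AUTH` / `#endif` placement leaves the `msg_warn(...)` line outside the conditional, so in a build without SASL support the preprocessor output attaches that warning to the preceding `CHECK_CCERT_ACL` branch: every check_ccert_access evaluation logs "no SASL support", while a check_sasl_access restriction falls through to whatever handles unknown restriction names further down (outside this hunk). With SASL compiled in, the same warning text is emitted for any client that simply did not authenticate, which is misleading for operators reading logs and is not a configuration error. Keeping the restriction name recognized in both builds and reserving the "no SASL support" text for the non-SASL build avoids both problems; the enclosing function starts and ends outside this hunk.
```c
	} else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
	    status = check_ccert_access(state, *cpp, def_acl);
	} else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) {
#ifdef USE_SASL_AUTH
	    /* Unauthenticated client: no lookup key, restriction is a no-op. */
	    if (state->sasl_username && state->sasl_username[0])
		status = check_sasl_access(state, *cpp, def_acl);
#else
	    msg_warn("restriction `%s' ignored: no SASL support", name);
#endif
	/* … unchanged: CHECK_CLIENT_NS_ACL branch and the rest … */
```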
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=dict_pcre.c /tmp/postfix-2.11-20131001/src/smtpd/smtpd_dsn_fix.h ./src/smtpd/smtpd_dsn_fix.h
*** /tmp/postfix-2.11-20131001/src/smtpd/smtpd_dsn_fix.h Tue Feb 12 20:45:11 2008
--- ./src/smtpd/smtpd_dsn_fix.h Mon Oct 28 19:12:23 2013
***************
*** 15,20 ****
--- 15,21 ----
#define SMTPD_NAME_CLIENT "Client host"
#define SMTPD_NAME_REV_CLIENT "Unverified Client host"
#define SMTPD_NAME_CCERT "Client certificate"
+ #define SMTPD_NAME_SASL_USER "SASL login name"
#define SMTPD_NAME_HELO "Helo command"
#define SMTPD_NAME_SENDER "Sender address"
#define SMTPD_NAME_RECIPIENT "Recipient address"