7.4. AUTH¶
The AUTH script allows trusted SMTP clients. The SASL mechanisms LOGIN and PLAIN are implemented in the SMTP engine and will populate the username and password argument. If you add support for custom authentication mechanisms you will need to use the mechanism, state and response arguments instead.
7.4.1. Variables¶
These are the pre-defined variables available.
| Variable | Type | Read-only | Description |
|---|---|---|---|
| $arguments | array | yes | Context/hook arguments |
| $connection | array | yes | Connection/session bound |
| $transaction | array | yes | Transaction bound |
| $context | any | no | Connection bound user-defined (default none) |
7.4.1.1. Arguments¶
| Array item | Type | Example | Description |
|---|---|---|---|
| username | string | “mailuser” | SASL username (only available with LOGIN or PLAIN) |
| password | string | “secret” | SASL password (only available with LOGIN or PLAIN) |
| mechanism | string | “PLAIN” | SASL mechanism (always in uppercase) |
| state | number | 0 | SASL state, incremeted per Reply (not available with LOGIN or PLAIN) |
| response | string | none | SASL response (not available with LOGIN or PLAIN) |
7.4.1.2. Connection¶
| Array item | Type | Example | Description |
|---|---|---|---|
| remoteip | string | “192.168.1.11” | IP address of the connected client |
| remoteport | number | 41666 | TCP port of connected client |
| localip | string | “10.0.0.1” | IP address of the server |
| localport | number | 25 | TCP port of the server |
| serverid | string | “inbound” | ID of the server |
| helo | array | HELO information (not always available) | |
| tls | array | TLS information (if TLS was started) |
7.4.1.2.1. HELO¶
| Array item | Type | Example | Description |
|---|---|---|---|
| verb | string | “EHLO” | HELO or EHLO command |
| host | string | “mail.example.com” | HELO hostname |
7.4.1.3. Transaction¶
| Array item | Type | Example | Description |
|---|---|---|---|
| id | string | “18c190a3-93f-47d7-bd...” | ID of the transaction |
7.4.2. Functions¶
-
Accept([options])¶ Authorize the login request.
Parameters: options (array) – an options array Returns: doesn’t return, script is terminated The following options are available in the options array.
- username (string) Set or change the username. The default is the
usernameargument (if available). - reason (string) The reason to report. The default is a system generated message.
- reply_codes (array) The array may contain code (number) and enhanced (array of three numbers). The default is pre-defined.
- username (string) Set or change the username. The default is the
-
Reject([reason[, options]])¶ Reject the login request with a permanent (535) error.
Parameters: - reason (string or array) – reject message with reason
- options (array) – an options array
Returns: doesn’t return, script is terminated
The following options are available in the options array.
- disconnect (boolean) Disconnect the client. The default is
false. - reply_codes (array) The array may contain code (number) and enhanced (array of three numbers). The default is pre-defined.
-
Defer([reason[, options]])¶ Defer the login request with a temporary (454) error.
Parameters: - reason (string or array) – defer message with reason
- options (array) – an options array
Returns: doesn’t return, script is terminated
The following options are available in the options array.
- disconnect (boolean) Disconnect the client. The default is
false. - reply_codes (array) The array may contain code (number) and enhanced (array of three numbers). The default is pre-defined.
-
Reply([reply[, options]])¶ Send a reply (334) message. The reply will be base64 encoded before sent to the client. This function is used to implement custom authentication mechanisms.
Parameters: - reply (string) – the reply message
- options (array) – an options array
Increments: stateargumentReturns: doesn’t return, script is terminated
The following options are available in the options array.
- disconnect (boolean) Disconnect the client. The default is
false. - reply_codes (array) The array may contain code (number) and enhanced (array of three numbers). The default is pre-defined.
-
GetMailQueueMetric([options])¶ Return metric information about the mail queue, it can be used to enforce quotas.
Parameters: options (array) – options array Return type: number
The following options are available in the options array.
- metric (string) Metric to be returned; count or bytes. The default is
count.- filter (array) Any of the available filters, see below. The default is no filters.
The following filters are available in the filters array.
Type Example remoteip $connection[“remoteip”] saslusername $connection[“auth”][“username”] sender $transaction[“sender”] senderdomain $transaction[“senderaddress”][“domain”] recipient $transaction[“recipients”][0][“recipient”] recipientdomain $transaction[“recipients”][0][“address”][“domain”] transportid $transaction[“recipients”][0][“transportid”] retry 1 metadata.x any metadata $queuesize = GetMailQueueMetric( [ "metric" => "bytes", "filter" => [ "senderdomain" => ["example.com" , "example.net"], "transportid" => "mailtransport:2" ] ] ) / 1024 / 1024; if ($queuesize > 500) { Defer("Current queue for mailtransport:2 exceeds 500 MiB"); }Note
If multiple filters of the same type are given using array notation, any of them may match.
7.4.5. Authentication diagram¶
A flow chart diagram of how custom authentication is implemented:
+--------------+
| AUTH request |
+--------------+
|
|
v
+---------------------------------------+
| state = 0 |
+---------------------------------------+ Accept() +-------------------+
| > AUTH mechanism [response] | ---- Reject() ---> | AUTH request done |
+---------------------------------------+ Defer() +-------------------+
| ^
| |
Reply() <------------------+ |
| | |
| | |
v | |
+---------------------------------------+ | |
| state += 1 | | |
+---------------------------------------+ | |
| > response | ---+----+
+---------------------------------------+ |
| |
| |
+------------------------+