HSL Mail Authentication
The Mail Authentication extension to the HSL is used when designing flows handling SASL authentication requests, usually when configuring "outgoing" SMTP. Since the recipient domain of an SMTP session is not yet known when processing an authentication request (AUTH LOGIN happens before RCPT TO), these flows are not configured per domain, but rather per SMTP listener (mail_server__X configuration key).
The most common application of these flows is to forward the SASL username and password to another server using the smtp_lookup_auth() core function in order to verify their validity.
If a scripting error occurs, Reject() will be called.
Pre-defined variables
These are the read-only pre-defined SMTP and SASL variables that mailpolicyd makes available for each authentication request.
| Name | Example | Description |
|---|---|---|
| $serverid | "mailserver:1" | ID of the incoming listener. |
| $saslusername | "mailuser" | Username. |
| $saslpassword | "password" | Password. |
| $senderip | "10.0.0.1" | IP address of the sending server. |
Context-specific functions
Most of the functions usable in Mail Authentication flows are core functions. Below are the two functions provided by mailpolicyd that operate specifically on SASL authentication requests.
Accept()
Should be used to allow a user access. This is a final action, the execution of the script will terminate after a final action.
```hsl
echo "$saslusername successfully SMTP authenticated";
Accept();
```
Reject($reason)
Should be used to deny a user access. This is a final action, the execution of the script will terminate after a final action.
```hsl
Reject("Sorry");
```
Code example
Below is a common (but un-cached) SASL authentication example, forwarding the authentication request to a configured back-end mail server (mailtransport:X shortcut).
```hsl
// SMTP Forwarding Authentication
// Forward the SASL credentials to the back-end mail server configured as
// "mailtransport:1"; smtp_lookup_auth() returns 1 when it accepts them.
if (smtp_lookup_auth("mailtransport:1", $saslusername, $saslpassword) == 1) {
    echo "$saslusername successfully SMTP authenticated";
    Accept(); // final action: the script stops here
}
// Only reached when the back-end did not accept the credentials.
Reject("You failed ($saslusername)");
```
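The following is an added example (not code from the original page or from Halon) that extends the flow above with the two things a practitioner usually wants: it distinguishes a back-end error from a wrong password, and it throttles authentication attempts per client IP. It assumes that smtp_lookup_auth() returns 1 (authenticated), 0 (bad credentials) and -1 (back-end error), and that the core functions rate(namespace, entry, count, interval) and syslog(priority, message) are available; the rate-limit namespace and limits are constructed values.

```hsl
// Added example, not from the original page. Assumptions: smtp_lookup_auth()
// returns 1 / 0 / -1 as described in the lead-in; rate() accounts for the
// entry and returns false once count is exceeded within interval seconds.

// Throttle: at most 20 authentication attempts per client IP per minute,
// checked before the back-end is contacted so guessing does not reach it.
if (rate("sasl-attempts", $senderip, 20, 60) == false) {
    syslog("warning", "SASL auth rate limit exceeded for $senderip ($saslusername)");
    Reject("Too many authentication attempts, try again later");
}

$result = smtp_lookup_auth("mailtransport:1", $saslusername, $saslpassword);

if ($result == 1) {
    echo "$saslusername successfully SMTP authenticated";
    Accept(); // final action
}

if ($result == -1) {
    // Back-end unreachable or protocol error: do not report this to the
    // client as a wrong password, and log it so the outage is visible.
    syslog("err", "SASL auth back-end error for $saslusername from $senderip");
    Reject("Authentication temporarily unavailable");
}

// Credentials rejected by the back-end; log the event without the password.
syslog("notice", "SASL auth failed for $saslusername from $senderip");
Reject("You failed ($saslusername)");
```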