.gitlab-ci.yml

+include: "https://git.autistici.org/pipelines/debian/raw/master/common.yml"

README.md

@@ -8,3 +8,23 @@ recipient.
 The reason for the existence of this tool is that we don't know how to
 tell Postfix to combine a LDAP map as the check_policy_service
 backend.
+
+# Usage
+
+The proxying behavior is controlled by a configuration file, in YAML
+format, which supports the following attributes:
+
+* `not_found_action` - (default: DUNNO) action to return to Postfix
+  when the user is not found in the database
+* `ldap`
+  * `uri` - connection string
+  * `bind_dn` - bind DN, for authentication
+  * `bind_pw` - bind password
+  * `base_dn` - base DN for the lookup query
+  * `filter` - filter for the lookup query
+  * `attr` - result attribute for the lookup query
+  * `result_fmt` - result format string to obtain the upstream
+    host:port address, where the literal token `%s` is replaced by the
+    value of the *attr* attribute
+
+The LDAP parameters are pretty much all mandatory.

cmd/policyd-proxy/main.go

@@ -9,7 +9,7 @@ import (
 	"syscall"
 
 	"git.autistici.org/ai3/go-common/unix"
-	"github.com/coreos/go-systemd/daemon"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"gopkg.in/yaml.v3"
 
 	"git.autistici.org/ai3/tools/postfix-policyd-proxy"

debian/changelog

+postfix-policyd-proxy (1.0) unstable; urgency=medium
+
+  * Initial Release.
+
+ -- ale <ale@incal.net>  Mon, 01 Jun 2020 14:58:00 +0100

debian/control

+Source: postfix-policyd-proxy
+Section: unknown
+Priority: optional
+Maintainer: ale <ale@incal.net>
+Build-Depends: debhelper-compat (= 12), dh-golang, golang-any
+Standards-Version: 4.1.3
+XS-Go-Import-Path: git.autistici.org/ai3/tools/postfix-policyd-proxy
+
+Package: postfix-policyd-proxy
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Built-Using: ${misc:Built-Using}
+Description: Postfix policyd proxy
+ Proxy for postfix policy services, directed by a LDAP backend.

debian/copyright

+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: postfix-policyd-proxy
+Source: <https://git.autistici.org/ai3/tools/postfix-policyd-proxy>
+
+Files: *
+Copyright: 2020 <ale@incal.net>
+License: GPL-3.0+
+
+Files: debian/*
+Copyright: 2020 <ale@incal.net>
+License: GPL-3.0+
+
+License: GPL-3.0+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".

debian/rules

+#!/usr/bin/make -f
+
+export DH_VERBOSE := 1
+export DH_GOLANG_EXCLUDES := vendor
+export GO111MODULE := off
+
+%:
+	dh $@ --with=golang --buildsystem=golang
+
+override_dh_auto_install:
+	dh_auto_install -- --no-source

debian/source/format

+3.0 (native)

go.mod

 module git.autistici.org/ai3/tools/postfix-policyd-proxy
 
+go 1.14
+
 require (
-	git.autistici.org/ai3/go-common v0.0.0-20200511175437-130368249b31
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
-	gopkg.in/ldap.v3 v3.1.0
-	gopkg.in/yaml.v3 v3.0.0-20200506231410-2ff61e1afc86
+	git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723
+	github.com/coreos/go-systemd/v22 v22.5.0
+	github.com/go-ldap/ldap/v3 v3.2.4
+	gopkg.in/yaml.v3 v3.0.1
 )

ldap.go

@@ -6,7 +6,7 @@ import (
 	"strings"
 
 	"git.autistici.org/ai3/go-common/ldap"
-	"gopkg.in/ldap.v3"
+	"github.com/go-ldap/ldap/v3"
 )
 
 const poolSize = 3

renovate.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

vendor/git.autistici.org/ai3/go-common/ldap/parse.go

@@ -3,7 +3,7 @@ package ldaputil
 import (
 	"fmt"
 
-	"gopkg.in/ldap.v3"
+	"github.com/go-ldap/ldap/v3"
 )
 
 // ParseScope parses a string representation of an LDAP scope into the

vendor/git.autistici.org/ai3/go-common/ldap/pool.go

@@ -7,10 +7,10 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/cenkalti/backoff"
+	"github.com/cenkalti/backoff/v4"
+	"github.com/go-ldap/ldap/v3"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.opencensus.io/trace"
-	"gopkg.in/ldap.v3"
 )
 
 // Parameters that define the exponential backoff algorithm used.

vendor/git.autistici.org/ai3/go-common/unix/server.go

@@ -14,7 +14,7 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/coreos/go-systemd/activation"
+	"github.com/coreos/go-systemd/v22/activation"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/theckman/go-flock"
 )

vendor/github.com/Azure/go-ntlmssp/.travis.yml

+sudo: false
+
+language: go
+
+before_script:
+  - go get -u golang.org/x/lint/golint
+
+go:
+  - 1.10.x
+  - master
+
+script:
+  - test -z "$(gofmt -s -l . | tee /dev/stderr)"
+  - test -z "$(golint ./... |  tee /dev/stderr)"
+  - go vet ./...
+  - go build -v ./...
+  - go test -v ./...

vendor/github.com/Azure/go-ntlmssp/LICENSE

+The MIT License (MIT)
+
+Copyright (c) 2016 Microsoft
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/Azure/go-ntlmssp/README.md

+# go-ntlmssp
+Golang package that provides NTLM/Negotiate authentication over HTTP
+
+[![GoDoc](https://godoc.org/github.com/Azure/go-ntlmssp?status.svg)](https://godoc.org/github.com/Azure/go-ntlmssp) [![Build Status](https://travis-ci.org/Azure/go-ntlmssp.svg?branch=dev)](https://travis-ci.org/Azure/go-ntlmssp)
+
+Protocol details from https://msdn.microsoft.com/en-us/library/cc236621.aspx
+Implementation hints from http://davenport.sourceforge.net/ntlm.html
+
+This package only implements authentication, no key exchange or encryption. It
+only supports Unicode (UTF16LE) encoding of protocol strings, no OEM encoding.
+This package implements NTLMv2.
+
+# Usage
+
+```
+url, user, password := "http://www.example.com/secrets", "robpike", "pw123"
+client := &http.Client{
+  Transport: ntlmssp.Negotiator{
+    RoundTripper:&http.Transport{},
+  },
+}
+
+req, _ := http.NewRequest("GET", url, nil)
+req.SetBasicAuth(user, password)
+res, _ := client.Do(req)
+```
+
+-----
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

vendor/github.com/Azure/go-ntlmssp/authenticate_message.go

+package ntlmssp
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"strings"
+	"time"
+)
+
+type authenicateMessage struct {
+	LmChallengeResponse []byte
+	NtChallengeResponse []byte
+
+	TargetName string
+	UserName   string
+
+	// only set if negotiateFlag_NTLMSSP_NEGOTIATE_KEY_EXCH
+	EncryptedRandomSessionKey []byte
+
+	NegotiateFlags negotiateFlags
+
+	MIC []byte
+}
+
+type authenticateMessageFields struct {
+	messageHeader
+	LmChallengeResponse varField
+	NtChallengeResponse varField
+	TargetName          varField
+	UserName            varField
+	Workstation         varField
+	_                   [8]byte
+	NegotiateFlags      negotiateFlags
+}
+
+func (m authenicateMessage) MarshalBinary() ([]byte, error) {
+	if !m.NegotiateFlags.Has(negotiateFlagNTLMSSPNEGOTIATEUNICODE) {
+		return nil, errors.New("Only unicode is supported")
+	}
+
+	target, user := toUnicode(m.TargetName), toUnicode(m.UserName)
+	workstation := toUnicode("go-ntlmssp")
+
+	ptr := binary.Size(&authenticateMessageFields{})
+	f := authenticateMessageFields{
+		messageHeader:       newMessageHeader(3),
+		NegotiateFlags:      m.NegotiateFlags,
+		LmChallengeResponse: newVarField(&ptr, len(m.LmChallengeResponse)),
+		NtChallengeResponse: newVarField(&ptr, len(m.NtChallengeResponse)),
+		TargetName:          newVarField(&ptr, len(target)),
+		UserName:            newVarField(&ptr, len(user)),
+		Workstation:         newVarField(&ptr, len(workstation)),
+	}
+
+	f.NegotiateFlags.Unset(negotiateFlagNTLMSSPNEGOTIATEVERSION)
+
+	b := bytes.Buffer{}
+	if err := binary.Write(&b, binary.LittleEndian, &f); err != nil {
+		return nil, err
+	}
+	if err := binary.Write(&b, binary.LittleEndian, &m.LmChallengeResponse); err != nil {
+		return nil, err
+	}
+	if err := binary.Write(&b, binary.LittleEndian, &m.NtChallengeResponse); err != nil {
+		return nil, err
+	}
+	if err := binary.Write(&b, binary.LittleEndian, &target); err != nil {
+		return nil, err
+	}
+	if err := binary.Write(&b, binary.LittleEndian, &user); err != nil {
+		return nil, err
+	}
+	if err := binary.Write(&b, binary.LittleEndian, &workstation); err != nil {
+		return nil, err
+	}
+
+	return b.Bytes(), nil
+}
+
+//ProcessChallenge crafts an AUTHENTICATE message in response to the CHALLENGE message
+//that was received from the server
+func ProcessChallenge(challengeMessageData []byte, user, password string) ([]byte, error) {
+	if user == "" && password == "" {
+		return nil, errors.New("Anonymous authentication not supported")
+	}
+
+	var cm challengeMessage
+	if err := cm.UnmarshalBinary(challengeMessageData); err != nil {
+		return nil, err
+	}
+
+	if cm.NegotiateFlags.Has(negotiateFlagNTLMSSPNEGOTIATELMKEY) {
+		return nil, errors.New("Only NTLM v2 is supported, but server requested v1 (NTLMSSP_NEGOTIATE_LM_KEY)")
+	}
+	if cm.NegotiateFlags.Has(negotiateFlagNTLMSSPNEGOTIATEKEYEXCH) {
+		return nil, errors.New("Key exchange requested but not supported (NTLMSSP_NEGOTIATE_KEY_EXCH)")
+	}
+
+	am := authenicateMessage{
+		UserName:       user,
+		TargetName:     cm.TargetName,
+		NegotiateFlags: cm.NegotiateFlags,
+	}
+
+	timestamp := cm.TargetInfo[avIDMsvAvTimestamp]
+	if timestamp == nil { // no time sent, take current time
+		ft := uint64(time.Now().UnixNano()) / 100
+		ft += 116444736000000000 // add time between unix & windows offset
+		timestamp = make([]byte, 8)
+		binary.LittleEndian.PutUint64(timestamp, ft)
+	}
+
+	clientChallenge := make([]byte, 8)
+	rand.Reader.Read(clientChallenge)
+
+	ntlmV2Hash := getNtlmV2Hash(password, user, cm.TargetName)
+
+	am.NtChallengeResponse = computeNtlmV2Response(ntlmV2Hash,
+		cm.ServerChallenge[:], clientChallenge, timestamp, cm.TargetInfoRaw)
+
+	if cm.TargetInfoRaw == nil {
+		am.LmChallengeResponse = computeLmV2Response(ntlmV2Hash,
+			cm.ServerChallenge[:], clientChallenge)
+	}
+	return am.MarshalBinary()
+}
+
+func ProcessChallengeWithHash(challengeMessageData []byte, user, hash string) ([]byte, error) {
+	if user == "" && hash == "" {
+		return nil, errors.New("Anonymous authentication not supported")
+	}
+
+	var cm challengeMessage
+	if err := cm.UnmarshalBinary(challengeMessageData); err != nil {
+		return nil, err
+	}
+
+	if cm.NegotiateFlags.Has(negotiateFlagNTLMSSPNEGOTIATELMKEY) {
+		return nil, errors.New("Only NTLM v2 is supported, but server requested v1 (NTLMSSP_NEGOTIATE_LM_KEY)")
+	}
+	if cm.NegotiateFlags.Has(negotiateFlagNTLMSSPNEGOTIATEKEYEXCH) {
+		return nil, errors.New("Key exchange requested but not supported (NTLMSSP_NEGOTIATE_KEY_EXCH)")
+	}
+
+	am := authenicateMessage{
+		UserName:       user,
+		TargetName:     cm.TargetName,
+		NegotiateFlags: cm.NegotiateFlags,
+	}
+
+	timestamp := cm.TargetInfo[avIDMsvAvTimestamp]
+	if timestamp == nil { // no time sent, take current time
+		ft := uint64(time.Now().UnixNano()) / 100
+		ft += 116444736000000000 // add time between unix & windows offset
+		timestamp = make([]byte, 8)
+		binary.LittleEndian.PutUint64(timestamp, ft)
+	}
+
+	clientChallenge := make([]byte, 8)
+	rand.Reader.Read(clientChallenge)
+
+	hashParts := strings.Split(hash, ":")
+	if len(hashParts) > 1 {
+		hash = hashParts[1]
+	}
+	hashBytes, err := hex.DecodeString(hash)
+	if err != nil {
+		return nil, err
+	}
+	ntlmV2Hash := hmacMd5(hashBytes, toUnicode(strings.ToUpper(user)+cm.TargetName))
+
+	am.NtChallengeResponse = computeNtlmV2Response(ntlmV2Hash,
+		cm.ServerChallenge[:], clientChallenge, timestamp, cm.TargetInfoRaw)
+
+	if cm.TargetInfoRaw == nil {
+		am.LmChallengeResponse = computeLmV2Response(ntlmV2Hash,
+			cm.ServerChallenge[:], clientChallenge)
+	}
+	return am.MarshalBinary()
+}