From f00a0c289360b0163952b6a774db74fa0ee934f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Posp=C3=AD=C5=A1ek?= Date: Wed, 21 Aug 2019 10:45:13 +0200 Subject: [PATCH 1/4] note filesystem constraints for nullmailer directories both /var/spool/nullmailer/tmp and /var/spool/nullmailer/queue have to reside on the same filesystem --- doc/nullmailer-queue.8 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/nullmailer-queue.8 b/doc/nullmailer-queue.8 index 291ea65..f410939 100644 --- a/doc/nullmailer-queue.8 +++ b/doc/nullmailer-queue.8 @@ -45,6 +45,17 @@ The directory in which messages are formed temporarily. A pipe used to trigger .BR nullmailer-send to immediately start sending the message from the queue. +.PP +Note that due to +.B nullmailer-queue +using hard links to manage emails both +.I /var/spool/nullmailer/queue +and +.I /var/spool/nullmailer/tmp +.I have +to reside on the +.I same +filesystem. .SH SEE ALSO nullmailer-inject(1), nullmailer-send(8) From e1b692918ae7e1be2ba7dccf1f3fb6cf981d4ab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= Date: Thu, 3 Mar 2022 18:46:34 +0100 Subject: [PATCH 2/4] Add "AUTH EXTERNAL" option for certificate authentication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Bjørn Mork --- doc/nullmailer-send.8 | 3 +++ protocols/protocol.cc | 2 ++ protocols/protocol.h | 1 + protocols/smtp.cc | 9 ++++++++- 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/nullmailer-send.8 b/doc/nullmailer-send.8 index 34e5f96..85b705c 100644 --- a/doc/nullmailer-send.8 +++ b/doc/nullmailer-send.8 @@ -137,6 +137,9 @@ Set the source address for connections to the remote host. .B auth-login Force SMTP "AUTH LOGIN" mode instead of auto-detecting. .TP +.B auth-external +Use SMTP "AUTH EXTERNAL" for TLS client certificate authentication. +.TP .B tls Connect using TLS. This will automatically switch the default port to 
diff --git a/protocols/protocol.cc b/protocols/protocol.cc index 6c43d55..edf9cfc 100644 --- a/protocols/protocol.cc +++ b/protocols/protocol.cc @@ -55,6 +55,8 @@ cli_option cli_options[] = { { 0, "source", cli_option::string, 0, &source, "Source address for connections", 0 }, #ifdef HAVE_TLS + { 0, "auth-external", cli_option::flag, AUTH_EXTERNAL, &auth_method, + "Use AUTH EXTERNAL for certificate based authentication", 0 }, { 0, "tls", cli_option::flag, 1, &use_tls, "Connect using TLS (on an alternate port by default)", 0 }, { 0, "ssl", cli_option::flag, 1, &use_tls, diff --git a/protocols/protocol.h b/protocols/protocol.h index 2b1c9f6..1a13e0a 100644 --- a/protocols/protocol.h +++ b/protocols/protocol.h @@ -13,6 +13,7 @@ extern void protocol_succ(const char* msg); #define AUTH_DETECT 0 #define AUTH_LOGIN 1 #define AUTH_PLAIN 2 +#define AUTH_EXTERNAL 3 extern const char* user; extern const char* pass; extern int auth_method; diff --git a/protocols/smtp.cc b/protocols/smtp.cc index de6be32..00f076e 100644 --- a/protocols/smtp.cc +++ b/protocols/smtp.cc @@ -231,7 +231,14 @@ void protocol_send(fdibuf& in, fdibuf& netin, fdobuf& netout) if (!did_starttls) conn.docmd("", 200); - if (user != 0 && pass != 0) { + if (auth_method == AUTH_EXTERNAL) { + conn.dohelo(true); + if (conn.hascap("AUTH", "EXTERNAL")) + conn.docmd("AUTH EXTERNAL =", 200, ERR_AUTH_FAILED); + else + protocol_fail(ERR_MSG_TEMPFAIL, "Server does not advertise certificate authentication"); + } + else if (user != 0 && pass != 0) { conn.dohelo(true); if (auth_method == AUTH_LOGIN) conn.auth_login(); From a326be666befa8723e96113fb55208b0c744819a Mon Sep 17 00:00:00 2001 From: Bruce Guenter Date: Sun, 20 Mar 2022 23:09:16 -0600 Subject: [PATCH 3/4] test: Provide complete EHLO response in SMTP dummy script --- test/accept-smtp.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/accept-smtp.sh b/test/accept-smtp.sh index 541c375..5555372 100644 --- a/test/accept-smtp.sh +++ b/test/accept-smtp.sh 
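Review bot: The new `auth-external` entry in `cli_options` is accepted on its own, and nothing visible here requires that `tls`/`ssl` (or STARTTLS) and a client certificate are configured with it. AUTH EXTERNAL only carries an identity when the TLS layer has presented a certificate, so the dependency should at least be documented at the option. The flag also stores into the same `auth_method` as the existing `auth-login` option, so if both are given one silently overrides the other. I would add a comment above the entry such as `// auth-external: needs tls/starttls plus a client certificate; shares auth_method with auth-login`, and repeat the TLS requirement in the help string. The `cli_options` array starts and ends outside this hunk, so any validation elsewhere is not visible.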
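Review bot: The `auth_method == AUTH_EXTERNAL` branch in `protocol_send` sends `AUTH EXTERNAL =` without checking that the session is actually under TLS; the only TLS state visible in the hunk is `did_starttls`, and the new branch does not consult it. On a plaintext connection the outcome then depends entirely on what the server advertises, and a local configuration mistake surfaces as `ERR_MSG_TEMPFAIL`, which presumably leaves the message queued for retry rather than flagging the misconfiguration. A guard before `conn.dohelo(true)` would make the requirement explicit: `if (!use_tls && !did_starttls) protocol_fail(ERR_AUTH_FAILED, "AUTH EXTERNAL requires a TLS session");` (this assumes `use_tls` is in scope in smtp.cc; confirm). Because this branch comes first, a configured `user`/`pass` is silently ignored when `auth-external` is set, which deserves a one-line comment. The body of `protocol_send` continues outside the hunk.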
@@ -1,3 +1,9 @@ +echo 250-domain.com +echo 250-8BITMIME +echo 250-ENHANCEDSTATUSCODES +echo 250-SIZE 36700160 +echo 250-DSN +echo 250-AUTH PLAIN LOGIN echo 250 OK echo 250 OK echo 250 OK From 7ed88a0137b2d9910bc99cce4473288a15d80cef Mon Sep 17 00:00:00 2001 From: Bruce Guenter Date: Sun, 20 Mar 2022 23:20:57 -0600 Subject: [PATCH 4/4] doc: Clean up wording in nullmailer-queue man page --- doc/nullmailer-queue.8 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/nullmailer-queue.8 b/doc/nullmailer-queue.8 index f410939..97aa92f 100644 --- a/doc/nullmailer-queue.8 +++ b/doc/nullmailer-queue.8 @@ -52,10 +52,7 @@ using hard links to manage emails both .I /var/spool/nullmailer/queue and .I /var/spool/nullmailer/tmp -.I have -to reside on the -.I same -filesystem. +MUST reside on the same filesystem. .SH SEE ALSO nullmailer-inject(1), nullmailer-send(8)
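Review bot: The stub's EHLO reply advertises only `250-AUTH PLAIN LOGIN`, so the `auth-external` path added earlier in this series can be tested only for the "Server does not advertise certificate authentication" failure, never for a successful exchange. The script is also a bare run of `echo` lines with nothing saying which reply answers which client command, and this change shifts that alignment by six lines. I would add a header comment such as `# Replies in order: multi-line EHLO capabilities (250-...), then one "250 OK" per following command`. If AUTH EXTERNAL is meant to be covered, a separate stub advertising `250-AUTH EXTERNAL` would be needed.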