authorBas van Dijk <v.dijk.bas@gmail.com>2017-03-25 02:46:51 +0100
committerBas van Dijk <v.dijk.bas@gmail.com>2017-03-29 00:34:23 +0200
commit1d52c677bec5b1ede7534455a35c035b359cb9e8 (patch)
tree6a98c2326e216e6fdeb9434985965f213679a0f9
parent186cc512a68e228d8768f4c817f072b112b922d3 (diff)
ssmtp: use the authPassFile option instead of authPass
This gives users the option of storing the authPass outside the
world-readable Nix store.
-rw-r--r--lib/maintainers.nix1
-rw-r--r--nixos/modules/programs/ssmtp.nix41
-rw-r--r--pkgs/tools/networking/ssmtp/default.nix9
-rw-r--r--pkgs/tools/networking/ssmtp/ssmtp_support_AuthPassFile_parameter.patch69
4 files changed, 110 insertions, 10 deletions
diff --git a/lib/maintainers.nix b/lib/maintainers.nix
index 4f9754445fa95..5ce97379a12e5 100644
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -59,6 +59,7 @@
   bachp = "Pascal Bach <pascal.bach@nextrem.ch>";
   badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
   balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
+  basvandijk = "Bas van Dijk <v.dijk.bas@gmail.com>";
   Baughn = "Svein Ove Aas <sveina@gmail.com>";
   bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
   bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
diff --git a/nixos/modules/programs/ssmtp.nix b/nixos/modules/programs/ssmtp.nix
index 7d0cb33209958..1702edab6e4ea 100644
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@@ -95,9 +95,27 @@ in
         example = "correctHorseBatteryStaple";
         description = ''
           Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
+
+          It's recommended to use <option>authPassFile</option>
+          which takes precedence over <option>authPass</option>.
+        '';
+      };
+
+      authPassFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "/run/keys/ssmtp-authpass";
+        description = ''
+          Path to a file that contains the password used for SMTP auth.
+          This file should be readable by the users that need to execute ssmtp.
+
+          <option>authPassFile</option> takes precedence over <option>authPass</option>.
+
+          Warning: when <option>authPass</option> is non-empty <option>authPassFile</option>
+          defaults to a file in the WORLD-READABLE Nix store containing that password.
         '';
       };
-      
+
       setSendmail = mkOption {
         type = types.bool;
         default = true;
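Review bot: The authPassFile description at `This file should be readable by the users that need to execute ssmtp.` understates the security consequence: the patched ssmtp opens the file inside the caller's own process, so every local account that is allowed to send mail can read the SMTP credential, and the file only hides it from users who cannot send mail. Whether the setSendmail wrapper changes the effective credentials at open time is not visible in this hunk, so that should be confirmed before documenting otherwise. Suggest appending `Every local user who is permitted to run ssmtp can read this file; it protects the password only from users who cannot send mail.` and, since the example is `/run/keys/ssmtp-authpass`, a sentence that the file's mode and group must be chosen accordingly rather than left at a root-only default.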
@@ -111,21 +129,28 @@ in
 
   config = mkIf cfg.directDelivery {
 
+    networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "")
+      (mkDefault (toString (pkgs.writeTextFile {
+        name = "ssmtp-authpass";
+        text = cfg.authPass;
+      })));
+
     environment.etc."ssmtp/ssmtp.conf".text =
+      let yesNo = yes : if yes then "YES" else "NO"; in
       ''
         MailHub=${cfg.hostName}
         FromLineOverride=YES
-        ${if cfg.root != "" then "root=${cfg.root}" else ""}
-        ${if cfg.domain != "" then "rewriteDomain=${cfg.domain}" else ""}
-        UseTLS=${if cfg.useTLS then "YES" else "NO"}
-        UseSTARTTLS=${if cfg.useSTARTTLS then "YES" else "NO"}
+        ${optionalString (cfg.root   != "") "root=${cfg.root}"}
+        ${optionalString (cfg.domain != "") "rewriteDomain=${cfg.domain}"}
+        UseTLS=${yesNo cfg.useTLS}
+        UseSTARTTLS=${yesNo cfg.useSTARTTLS}
         #Debug=YES
-        ${if cfg.authUser != "" then "AuthUser=${cfg.authUser}" else ""}
-        ${if cfg.authPass != "" then "AuthPass=${cfg.authPass}" else ""}
+        ${optionalString (cfg.authUser != "")       "AuthUser=${cfg.authUser}"}
+        ${optionalString (!isNull cfg.authPassFile) "AuthPassFile=${cfg.authPassFile}"}
       '';
 
     environment.systemPackages = [pkgs.ssmtp];
-    
+
     services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail {
       program = "sendmail";
       source = "${pkgs.ssmtp}/bin/sendmail";
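Review bot: The `mkDefault (toString (pkgs.writeTextFile { ... }))` fallback silently keeps writing the password into the world-readable Nix store whenever authPass is set, and nothing at evaluation time tells the user so; the warning only lives in the option description. Since the commit's purpose is to move the secret out of the store, an eval-time warning would make the remaining exposure visible in `nixos-rebuild` output: `warnings = optional (cfg.authPass != "")` / `"programs.ssmtp: authPass is stored world-readable in the Nix store; set authPassFile instead.";` (assuming `optional` is in scope the way `optionalString` and `mkIf` already are here). Minor style point on the same hunk: `!isNull cfg.authPassFile` is the older spelling; `cfg.authPassFile != null` is the conventional form in modules. The `services.mail.sendmailSetuidWrapper` attribute set continues past the end of the hunk.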
diff --git a/pkgs/tools/networking/ssmtp/default.nix b/pkgs/tools/networking/ssmtp/default.nix
index 7c47f2762dd61..ceac5a58800c0 100644
--- a/pkgs/tools/networking/ssmtp/default.nix
+++ b/pkgs/tools/networking/ssmtp/default.nix
@@ -10,6 +10,10 @@ stdenv.mkDerivation {
     sha256 = "0dps8s87ag4g3jr6dk88hs9zl46h3790marc5c2qw7l71k4pvhr2";
   };
 
+  # A request has been made to merge this patch into ssmtp.
+  # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858781
+  patches = [ ./ssmtp_support_AuthPassFile_parameter.patch ];
+
   configureFlags = "--sysconfdir=/etc ${if tlsSupport then "--enable-ssl" else ""}";
 
   postConfigure =
@@ -27,7 +31,8 @@ stdenv.mkDerivation {
   
   buildInputs = stdenv.lib.optional tlsSupport openssl;
 
-  meta = {
-    platforms = stdenv.lib.platforms.linux;
+  meta = with stdenv.lib; {
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ basvandijk ];
   };
 }
diff --git a/pkgs/tools/networking/ssmtp/ssmtp_support_AuthPassFile_parameter.patch b/pkgs/tools/networking/ssmtp/ssmtp_support_AuthPassFile_parameter.patch
new file mode 100644
index 0000000000000..371c0f6de2b3e
--- /dev/null
+++ b/pkgs/tools/networking/ssmtp/ssmtp_support_AuthPassFile_parameter.patch
@@ -0,0 +1,69 @@
+diff -Naurb a/ssmtp.c b/ssmtp.c
+--- a/ssmtp.c	2009-11-23 10:55:11.000000000 +0100
++++ b/ssmtp.c	2017-03-25 03:00:26.508283016 +0100
+@@ -57,6 +57,7 @@
+ char arpadate[ARPADATE_LENGTH];
+ char *auth_user = (char)NULL;
+ char *auth_pass = (char)NULL;
++char *auth_passfile = (char)NULL;
+ char *auth_method = (char)NULL;		/* Mechanism for SMTP authentication */
+ char *mail_domain = (char)NULL;
+ char *from = (char)NULL;		/* Use this as the From: address */
+@@ -1053,6 +1054,15 @@
+ 					log_event(LOG_INFO, "Set AuthPass=\"%s\"\n", auth_pass);
+ 				}
+ 			}
++			else if(strcasecmp(p, "AuthPassFile") == 0 && !auth_passfile) {
++				if((auth_passfile = strdup(q)) == (char *)NULL) {
++					die("parse_config() -- strdup() failed");
++				}
++
++				if(log_level > 0) {
++					log_event(LOG_INFO, "Set AuthPassFile=\"%s\"\n", auth_passfile);
++				}
++			}
+ 			else if(strcasecmp(p, "AuthMethod") == 0 && !auth_method) {
+ 				if((auth_method = strdup(q)) == (char *)NULL) {
+ 					die("parse_config() -- strdup() failed");
+@@ -1415,6 +1425,8 @@
+ 	struct passwd *pw;
+ 	int i, sock;
+ 	uid_t uid;
++	FILE *fp;
++	char pass_buf[BUF_SZ+1];
+ 	bool_t minus_v_save, leadingdot, linestart = True;
+ 	int timeout = 0;
+ 	int bufsize = sizeof(b)-1;
+@@ -1433,6 +1445,17 @@
+ 		log_event(LOG_INFO, "%s not found", config_file);
+ 	}
+ 
++	if(auth_passfile != (char *)NULL) {
++		if((fp = fopen(auth_passfile, "r")) == (FILE *)NULL) {
++			  die("Could not open the AuthPassFile %s", auth_passfile);
++		}
++		if (fgets(pass_buf, BUF_SZ, fp) == NULL) {
++			die("Error while reading a line from the AuthPassFile %s, or it is empty", auth_passfile);
++		}
++		fclose(fp);
++		auth_pass = strdup(pass_buf);
++	}
++
+ 	if((p = strtok(pw->pw_gecos, ";,"))) {
+ 		if((gecos = strdup(p)) == (char *)NULL) {
+ 			die("ssmtp() -- strdup() failed");
+diff -Naurb a/ssmtp.conf.5 b/ssmtp.conf.5
+--- a/ssmtp.conf.5	2008-02-29 03:50:15.000000000 +0100
++++ b/ssmtp.conf.5	2017-03-25 01:45:52.890165426 +0100
+@@ -61,6 +61,11 @@
+ .Pp
+ .It Cm AuthPass
+ The password to use for SMTP AUTH.
++It is recommended to use AuthPassFile which also takes precedence over AuthPass.
++.Pp
++.It Cm AuthPassFile
++A file that should contain the password to use for SMTP AUTH.
++This takes precedence over AuthPass.
+ .Pp
+ .It Cm AuthMethod
+ The authorization method to use.
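Review bot: `fgets(pass_buf, BUF_SZ, fp)` keeps the trailing newline, so any AuthPassFile written with a normal editor or `echo` yields a password ending in `\n`, and `auth_pass = strdup(pass_buf)` passes that straight on to the AUTH code; unless stripping happens elsewhere (not visible here), authentication with such a file will fail. Strip the line terminator before the copy, `pass_buf[strcspn(pass_buf, "\r\n")] = '\0';`, and check the allocation the way the rest of the file does, `if((auth_pass = strdup(pass_buf)) == (char *)NULL) die("ssmtp() -- strdup() failed");`. The secret also remains in the stack buffer `pass_buf` for the life of the function; overwriting it after the `strdup` (with a call the compiler cannot elide, e.g. `explicit_bzero` where available) would be a cheap hygiene improvement. The enclosing function — apparently `ssmtp()` given the `ssmtp() -- strdup() failed` message convention on the following lines — begins and ends outside this hunk.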