[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Message submission via authenticated SMTP

On Fri, Aug 27, 1999 at 02:34:47PM +0200, Artur Urbanowicz wrote:
> Thanks to the patches and the script attached to my message a
> multihomed machine can be configured as a mail exchanger and Message
> Submission Agent (RFC 2476) with client authentication for users of
> the multiple POP3/IMAP servers. Please check if the modifications can
> be incorporated into the standard distribution of the zmailer:
>   1. New, boolean parameter "MSA-mode" in smtpserver.conf. When
>      enabled, smtpserver *requires* the users outside of the trusted
>      network to authenticate themselves. In the MSA mode, smtpserver
>      replaces "Sender:" field in message coming from a verified user
>      with the user name (zmailer-msa-mode.patch).

	About that "Sender:" editing I am not quite certain it is
	really usefull...  RFC 2475 tells:

8.1.  Add 'Sender'

   The MSA MAY add or replace the 'Sender' field, if the identity of the
   sender is known and this is not given in the 'From' field.

   The MSA MUST ensure that any address it places in a 'Sender' field is
   in fact a valid mail address.

	This does give a leave-way of *not* touching at the Sender: header.

	Ok, Add its own 'Sender:', however authenticated *username* is not
	valid email address as is!  Think of multihoming system which
	has several domains ...

	E.g. will   <userid@some.hostname>  be *valid* address for any given
	user ?

	(Any pre-existing 'Sender:' headers can be rewritten to be:
	 or some such..)

	At Sonera ISP operations I could map login account to people's
	real email address, but that is rather non-generic thing to do.

>   2. Virtual SMTP service:
>      a) "-x" command-line parameter for specifying the IPv4
>         address the smtpserver binds to (zmailer-bindaddr4.patch);

	For having selective multi-homing instances ?  Right...

	... well, it *sucks* that way.  I added parameters:

		PARAM BindPort    25
		PARAM BindAddress []
		PARAM BindAddress [IPv6.::ffff:]

>      b) "-I" command-line parameter for setting the PID file name
>         of the smtpserver (zmailer-pidfile.patch);
>      c) zmailer.sh patch for managing smtpserver instances if
>         $MAILVAR/smtpserver.conf is a directory of configuration
>         files (zmailer-multihome.patch);

	That's quiant idea :)

>      d) new "-d <dbdir>" parameter in policy-builder.sh for managing
>         policy directories (zmailer-multihome.patch).

	Sounds sensible.

	Rest requires much further reading before comments.

	A README / Guide about the issue would be nice.

> There are two facts about Netscape Communicator 4.6 and Microsoft
> Outlook Express 4.72 you should be aware of when implementing user
> authentication:
>   1. If Microsoft Outlook Express 4.72 was told the SMTP server
>      "requires authentication", it expects "530 Authorization
>      Required" (or similar) after submitting "MAIL FROM:" to the
>      server. The Outlook does not just authenticate a user first,
>      even if the SMTP server indicates authentication capability.

	It can be pushed to do SMTP authentication without this patch;
	I have seen my friends to do it successfully.
	(But it wasn't trivial, I think.)

>   2. Netscape Communicator 4.6 refuses to submit a message when
>      SMTP server indicates authentication capability and user name
>      for the server is not configured (Edit> Preferences> Mail &
>      Newsgroups> Mail Servers> Outgoing Mail Server). The Netscape
>      *must* authenticate if SMTP server claims such capability.
> If you want to use the same configuration of the programs in your
> trusted network and the Internet, the strange behaviour prevents
> a single Mail Submission Agent from requiring authentication of the
> Internet users only. To keep things simple you should run a Mail
> Submission Agent requiring authentication from everybody (no trusted
> network at all).
> There are many servers here, in the Metropolitan Area Network of
> Lublin, with POP3-accessible accounts and poor SMTP implementation.
> The patches mentioned above applied to zmailer-2.99.51 allow our users
> to submit messages through spam-safe (and ORBS-safe), TLS- and
> SSL-aware mail server msa.lublin.pl disregarding the location: from
> local network and the Internet.
> Regards,
> Artur Urbanowicz
> P.S. Polish readers can access the additional documentation at
>      http://msa.lublin.pl. If you are interested in testing
>      msa.lublin.pl, just put a letter to my wife:
>         Ewa.Urbanowicz@man.lublin.pl
>      The passwords passed to msa.lublin.pl are not logged, of course.

/Matti Aarnio	<mea@nic.funet.fi>