
Re: AUTH, MSA-mode and FULLTRUST



On Fri, Dec 03, 2004 at 04:55:07PM -0300, Nicolas Baumgarten wrote:
> Checking the ChangeLog:
> 
> 2004-06-22  Matti Aarnio  <mea@zmailer.org>
>         * smtpserver/policytest.c:
>             When in MSA-mode, _ignore_ 'relaycustnet +' attributes.
>             Will then always demand user to authenticate!
> 
> So obviously it's a feature not a bug :-)

I think that test has been obsoleted by 

2004-10-19  Matti Aarnio  <mea@zmailer.org>
	* smtpserver/smtpcmds.c:
	    Demand user to authenticate for SUBMISSION/MSA mode
	    MAIL/RCPT commands.

This relates to running SMTP and SUBMISSION in same server, and
needing to have separate rulesets for them.  This relates also
to the developments of closing direct SMTP from user connection
lines to the world at large, while leaving SUBMISSION wide open
access to the world...

So that SUBMISSION can not be used to deliver spam into the system
from outside (without authentication, anyway), simplest is to
demand authentication at all times through that port.

Another problem with the original "MSA-mode" was that it was
global and happened also at the SMTP port, which by spec it wasn't
intended to.

To get SUBMISSION to work for you would be:
  - 'relaycustnet +' or authenticate
  - verify sender and recipient DNS MX data existence
  - ignore SMTP-like inbound MX and 'this is local' rules
    (no reception based on 'this is local' or 'we do MX')
  - to obey possible blocking rules


> Any idea for a work-around?
> 
> The need for this, as I previously said, is to control 
> from the mail server point of view (not firewall or smtp client
> configuration)
> who can send and who must authenticate.
> 
> Thanks


Besides quick fixes that will get around and bite again...
A major rewrite of the rule machinery and rule composition
might be necessary.  And even smtpserver's configuration
setup.  Separate policy rules for each bound service port?
Separate overall configuration sets for each bound port,
or 3 ports for config 1, and 1 port for config 2, just to
raise some ideas...


  /Matti Aarnio


 
> > -----Original Message-----
> > From: Nicolas Baumgarten 
> > Sent: Friday, December 03, 2004 3:34 PM
> > To: 'Jeff Warnica'
> > Cc: Zmailer List
> > Subject: RE: AUTH, MSA-mode and FULLTRUST
> > 
> > 
> > Jeff,
> > 
> > what I'm telling was possible and we are currently using it in many
> > production servers.
> > The exact version is: zmailer-2.99.56-patch1pre-cvs20040312
> > 
> > When we set up a test install of cvs20041104 we find that it's not 
> > possible anymore.
> > 
> > Our current setup includes many client networks which are 
> > "fulltrust" (including individual users or corporate MTA's)
> > which don't need to authenticate.
> > The rest of the world has to, if using our servers as 
> > outgoing relay.
> > 
> > 
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Jeff Warnica [mailto:jeffw@chebucto.ns.ca]
> > > Sent: Thursday, December 02, 2004 10:48 PM
> > > To: Nicolas Baumgarten
> > > Cc: Zmailer List
> > > Subject: Re: AUTH, MSA-mode and FULLTRUST
> > > 
> > > 
> > > 
> > > I suspect that the path of least resistance would be to have local
> > > systems submit to :25. But if you are going to reconfigure 
> > > each client,
> > > you might as well tell it to send the username/password. I 
> > suppose you
> > > could do some port redirection magic (ie, iptables with 
> > > Linux) such that
> > > connections to :587 are transparently redirected to :25.
> > > 
> > > I don't know if what you ask about ZMailer is possible, but 
> > this might
> > > provide a quick solution until something else comes along.
> > > 
> > > On Thu, 2004-02-12 at 20:51 -0300, Nicolas Baumgarten wrote:
> > > > Hi,
> > > > 
> > > > in previous versions we used authentication 
> > > > like is described in this old smtpserver.conf sample
> > > > -------
> > > > PARAM  MSA-mode        # Message Submission Agent mode. Require
> > > > #                       # successful user authentication 
> > during SMTP
> > > > #                       # sessions initiated from outside 
> > > of the trusted
> > > > #                       # networks or the networks with 
> > > relaying enabled
> > > > #                       # (see "fulltrustnet" and 
> > "relaycustnet" in
> > > > #                       # smtp-policy.src file).
> > > > -------
> > > > 
> > > > having this and "smtp-auth" was enough.
> > > > 
> > > > The problem we have now is that if MSA mode is enabled 
> > > > (via MSA-mode keyword or BindSubmit ) then we can't avoid
> > > > authentication from fulltrustnet networks.
> > > > The answer is always:
> > > > 503 5.5.1 Hello [192.168.1.21], In SUBMISSION mode must 
> > > authenticate first!
> > > > 
> > > > Is this something we are doing wrong?
> > > > 
> > > > Thanks ....
> > > > -
> > > > To unsubscribe from this list: send the line "unsubscribe 
> > > zmailer" in
> > > > the body of a message to majordomo@nic.funet.fi
> > > > 
> > > > 
> > > 
> > > 
> > 

-- 
/Matti Aarnio	<mea@nic.funet.fi>
FUNET:  Finnish Academic and Research Network
	Network Information/Software Archival Service
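The policy split Matti describes above (a global MSA-mode PARAM that bites on every port, versus a separate ruleset for the SUBMISSION port where 'relaycustnet +' or AUTH is mandatory, MX data is checked and the port-25 "this is local" acceptance is ignored) modelled as an added example; this is not ZMailer's policytest.c, the ConnCtx fields and the decision order are assumptions taken from the bullet list in the thread, and all reply strings except the quoted 503 are constructed.

```python
from dataclasses import dataclass

SUBMISSION_PORT = 587
SMTP_PORT = 25

# Hypothetical connection context; field names are this example's own,
# modelled on the smtp-policy.src attributes named in the thread.
@dataclass
class ConnCtx:
    port: int
    authenticated: bool = False
    relaycustnet: bool = False   # client matched 'relaycustnet +'
    fulltrustnet: bool = False   # client matched 'fulltrustnet'
    blocked: bool = False        # client hit a blocking rule
    sender_mx_ok: bool = True    # sender domain has MX data
    rcpt_mx_ok: bool = True      # recipient domain has MX data
    rcpt_is_local: bool = False  # 'this is local' / 'we do MX' would accept

MUST_AUTH = "503 5.5.1 In SUBMISSION mode must authenticate first!"

def old_msa_mode(ctx: ConnCtx, msa_mode: bool) -> str:
    """Behaviour Nicolas reports: PARAM MSA-mode is global, so it fires on
    every bound port and fulltrustnet no longer exempts the client."""
    if msa_mode and not ctx.authenticated:
        return MUST_AUTH
    return "250 OK"

def smtp_policy(ctx: ConnCtx) -> str:
    """Port-25 ruleset: accept mail for local/MX destinations from anyone
    not blocked; relay only for trusted, relaycustnet or authed clients."""
    if ctx.blocked:
        return "550 5.7.1 Blocked by policy"
    if ctx.rcpt_is_local or ctx.authenticated or ctx.relaycustnet or ctx.fulltrustnet:
        return "250 OK"
    return "550 5.7.1 Relaying denied"

def submission_policy(ctx: ConnCtx) -> str:
    """Per-port ruleset from Matti's list: blocking rules still apply,
    'relaycustnet +' or AUTH is mandatory, both domains need MX data, and
    the port-25 'this is local' / 'we do MX' acceptance is ignored."""
    if ctx.port != SUBMISSION_PORT:
        return smtp_policy(ctx)        # per-port split, not a global PARAM
    if ctx.blocked:
        return "550 5.7.1 Blocked by policy"
    if not (ctx.authenticated or ctx.relaycustnet):
        return MUST_AUTH
    if not (ctx.sender_mx_ok and ctx.rcpt_mx_ok):
        return "553 5.1.8 Sender or recipient domain has no MX data"
    return "250 OK"
```

With the global flag, a fulltrustnet client on port 25 gets the 503 Nicolas saw; with the per-port rules the same client is relayed on port 25 but still has to authenticate or match 'relaycustnet +' on 587.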