[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: while on the topic of SMTP AUTH policy

Returning on this topic..

On Wed, Jun 02, 2004 at 06:16:48PM -0300, Mariano Absatz wrote:
> while on the topic of SMTP AUTH policy...
> I've configured a server only for authenticated mail relaying with
> That is, the server's only job is accepting local users mail (after 
> authentication) and relaying it outside... even if it's for our own
> local domain, it will go via MX (to our MX server) relayed from this
> server.
> The problem I have is that, when a user is authenticated, he is able to 
> use whatever mail from domain he wants... even if it doesn't exist in 
> DNS...
> How can I prevent this? That is, how can I force dns verification even 
> for authenticated connections?

The reason for this is that deep in the  policytest.c  code you can
find following:

static int pt_mailfrom(state, str, len)
     struct policystate *state;
     const char *str;
     const int len;
 ..  (variable declarations/inits, and SPF tests omitted for brevity) ..

    if (state->always_reject)
	return -1;
    if (state->always_freeze)
	return 1;
    if (state->full_trust || state->authuser)
	return 0;

That is, when user has authenticated, system is hardwired to trust him

Reading that function, I do think that   state->authuser  test for
acceptance could be moved onwards ...  right before WHOSON stuff ?

The related question of "can we have policy verification of sender's
MAIL FROM address vs. his authentication" -- we could have a hook to
handle the thing.  Indeed I have thought about adding enbedded perl
into smtpserver so that people can hook up their own policy codes
(or parts of policy codes) as they want.

With recipient acceptance I am a lot less sure of what would be
usefull approach.  Right now there is early 'user is authenticated,
accept anything' approach in  pt_rcptto()  function.
Adding even a 'do verify at least domain DNS data existence' is..
perhaps doable, but is it worth it ?

> Relevant settings of smtpserver.conf are:
> PARAM  smtp-auth
> PARAM  AUTH-LOGIN-also-without-TLS
> PARAM  MSA-mode
> PARAM rcvd-auth-user
> SMTPOPTIONS is '-sve -s sloppy -l ${LOGDIR}/smtpserver'
> (bloody Outlook Express 'MAIL FROM: <').

Actually 'S' flag in the tail-end of the smtpserver.conf  file
"HELO patterns" should do that slightly sloppy behaviour.
The fully sloppy one is where no HELO is required, and several
other such stupid things..

> smtp-policy.mx and smtp-policy.relay are empty.
> I'm using the standard smtp-policy.src (zmailer 2.99.56 from CVS 2004-03-
> 12, that is, _before_ latest policy management changes).
> --
> Mariano Absatz
> El Baby
/Matti Aarnio	<mea@nic.funet.fi>
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi