Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Prevent SMTP AUTH users from chaging sender address

204 views
Skip to first unread message

ste...@rider.edu

unread,
Apr 25, 2013, 6:42:07 PM4/25/13
to

I'm trying to accomplish two things but don't want to reinvent the wheel. After several hours searching I still can't figure it out.

Our config has the following:

define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

SMTP AUTH via STARTTLS works fine. But an authenticated user can use any sender address and any rcpt address. So ideally, what I want to do is force an auth user to be the sender address. Or second best would be to prevent them from behaving like an open relay - that is, the sender address must be x...@domain.com.

Some users show authenticate as 'user', others 'us...@domain.com'.

In other words:

If auth user=user or us...@domain.com then mail from must be us...@domain.com
Or
mail from must be us...@domain.com

This is for roaming users only and port 587 would be open.

Any clues as how to accomplish this?

Thanks in advance.

David F. Skoll

unread,
Apr 26, 2013, 10:06:35 PM4/26/13
to
ste...@rider.edu wrote:

> In other words:

> If auth user=user or us...@domain.com then mail from must be
> us...@domain.com Or
> mail from must be us...@domain.com

> This is for roaming users only and port 587 would be open.

> Any clues as how to accomplish this?

I think you might need a milter. For example, in MIMEDefang
(www.mimedefang.org) you could use something like this in your filter
(untested!)

sub filter_sender
{
my ($sender) = @_;
read_commands_file();
if (defined($SendmailMacros{auth_authen})) {
my $auth_user = $SendmailMacros{auth_authen};
$auth_user .= '@domain.com' unless $auth_user =~ /@/;

if (lc($sender) ne lc("<$auth_user>")) {
return('REJECT', "$auth_user not authorized to claim to be $sender");
}
}
return ('CONTINUE', 'ok');
}

ste...@rider.edu

unread,
Apr 27, 2013, 12:34:49 PM4/27/13
to
Thanks Dave - I'm trying to keep it as simple as possible. We need to allow roaming users to send emails after the authenticate, however, we don't want to fully relay. I'm sure this has been done by changing rulesets but haven't been able to get to them. So if we cannot match the auth_user to the sender address, then at least do:

external_address -> internal_address - REJECT (we are not a mail server)
external_address -> external_address - REJECT (we don't allow relay)
internal_address -> external_address - RELAY (user is authenticated)
internal_address -> internal_address - RELAY (user is authenticated)

By default, once you authenticate, sendmail will allow RELAY for all the above cases. But we are trying to stop compromised accounts for being used to send spam out. I know my changes won't stop it, but at least it will slow them a bit more.

Thanks in advance.

ste...@rider.edu

unread,
Apr 27, 2013, 8:55:44 PM4/27/13
to
On Thursday, April 25, 2013 6:42:07 PM UTC-4, ste...@rider.edu wrote:
Hmm... not quiet working... but I guess it's close? I'm getting the following:

554 5.7.1 us...@domain.com not authorized to claim to be us...@domain.com

Looks like the match is not happening.

Carl Byington

unread,
Apr 27, 2013, 11:42:20 PM4/27/13
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 27 Apr 2013 09:34:49 -0700, stella wrote:

> But we are trying to stop compromised accounts for being
> used to send spam out. I know my changes won't stop it, but at least
> it
> will slow them a bit more.

You could use something specifically designed to impose rate limits on
authenticated users.

There are many options, http://www.five-ten-sg.com/dnsbl/ is one of
them.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlF8mocACgkQL6j7milTFsFs3wCfdbruwdgAD3Azrv7fuffYEiv0
90gAnRlaRLPZseyss8jA20w3UhUNpAz/
=fFuX
-----END PGP SIGNATURE-----

Kees Theunissen

unread,
Apr 28, 2013, 1:46:09 AM4/28/13
to
ste...@rider.edu wrote:

>
> Hmm... not quiet working... but I guess it's close? I'm getting the following:
>
> 554 5.7.1 us...@domain.com not authorized to claim to be us...@domain.com
>
> Looks like the match is not happening.
>

You replied to your own initial message, not to the message from
David F. Skoll. But I assume that the above is the result from this
code posted by David:

if (lc($sender) ne lc("<$auth_user>")) {
return('REJECT', "$auth_user not authorized to claim to be $sender");
}

This code compared "us...@domain.com" (the sender address converted to
lower case) with "<us...@domain.com>" (the authenticated user converted
to lower case and enclosed between "<" and ">"). Obviously those strings
are not equal.

The RFC's specify that the sender address given with the smtp
"MAIL FROM" command must be enclosed between "<" and ">". But sendmail
accepts addresses without the "<" and ">" and you seem to be testing
without those.

Replace the above code with:

unless ($sender =~ /^<?${auth_user}>?$/i) {
return('REJECT', "$auth_user not authorized to claim to be $sender");
}

to make the test independent of the the presence of those "<" and ">".

The goals you specified in your initial message can be achieved without
the MIMEDefang overhead with a few custom rules in the Local_check_mail
rule set. I'll be happy to work this out if you want. But since you
seem to be dealing with compromised accounts and you already installed
MIMEDefang I think you should continue with MIMEDefang and extend
the functionality. Please consider to add spam and virus checking
and warn the user and the system administrators when you block messages
because of invalid sender addresses. This is easy to implement once
MIMEDefang is working.


Regards,

Kees.

--
Kees Theunissen.

Joe Zeff

unread,
Apr 28, 2013, 2:23:21 PM4/28/13
to
On Sat, 27 Apr 2013 09:34:49 -0700, stella wrote:

> external_address -> internal_address - REJECT (we are not a mail
> server)
> external_address -> external_address - REJECT (we don't allow relay)
> internal_address -> external_address - RELAY (user is authenticated)
> internal_address -> internal_address - RELAY (user is authenticated)

I'm not an expert on this, but it looks like the above boils down to this:

If external_address Then REJECT.

I don't know if that's possible, but I do know that it looks like what
you want.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
"Always code as though the person who ends up
maintaining it will be a violent psychopath who knows where you live."

ste...@rider.edu

unread,
May 8, 2013, 9:15:45 PM5/8/13
to
On Sunday, April 28, 2013 1:46:09 AM UTC-4, Kees Theunissen wrote:
Thank you Kees... I would have preferred to do it with Local Rules but in the interest of time and desperation of coming up with a solution, I went ahead with MimeDefang as I had something to start with.

As a followup, here's the filter I ended up using. Note that I had to dig out my perl hat (which is made of paper so you can imagine... but seems to be working) and came up with this... Most of my initial testing was by doing a telnet from the command line so I was not getting the proper email format.

sub filter_sender
{
my ($sender) = @_;
$sender =~ s/.*\<//;
$sender =~ s/>.*//;

read_commands_file();
if (defined($SendmailMacros{auth_authen})) {
my $auth_user = $SendmailMacros{auth_authen};
$auth_user .= '@domain.com' unless $auth_user =~ /@/;

# if (lc($sender) ne lc("<$auth_user>")) {
if (lc($sender) ne lc($auth_user)) {
return('REJECT', "$auth_user not authorized to claim to
be $sender");
}
}
return ('CONTINUE', 'ok');
}

Please feel free to critique and simplify...
0 new messages