#33 Allow SMTP-AUTH users to get their mail signed

v2.4.4
closed-invalid
5
2008-03-12
2008-03-12
Jens Maus
No

I haven't found an option in dkim-filter to enable external users (roadwarriors) connecting via SMTP-AUTH to get their mail DKIM signed when they use the very mail server which is used as the outbound mail server and has DKIM signing active. Here I always get the

external host [X.X.X.X] attempted to send as example.com

message. And as the IP address of the sender changes dynamically, I can't use the external list feature in dkim-filter.

Other milters also have such a kind of functionality which uses:

define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')

to be able to get the authentication information and therefore skip/enable certain things depending on the SMTP-AUTH mode.

Discussion

  • Jens Maus
    2008-03-12

    • assigned_to: nobody --> sm-msk
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    You could have an "internal list" of 0.0.0.0/0, which would make any client pass the IP address test. Then you can test {auth_authen} and it should work.

     
  • Jens Maus
    2008-03-12

    Logged In: YES
    user_id=34749
    Originator: YES

    But wouldn't a 0.0.0.0/0 open my mail server for every IP address? So when I set 0.0.0.0/0 in an internal list, dkim will sign for every IP address? And how can I test for {auth_authen}? What do you mean?

     
  • Jens Maus
    2008-03-12

    Logged In: YES
    user_id=34749
    Originator: YES

    And reading the documentation correctly, it states the following for the internal list:

    ## InternalHosts filename
    ##
    ## Names a file from which a list of internal hosts is read. These are
    ## hosts from which mail should be signed rather than verified.
    ## Automatically contains 127.0.0.1. See man page for file format.

    Well, but the people sending mail via SMTP-AUTH are "external" and if I use 0.0.0.0/0 it will automatically set all foreign IP addresses to DKIM sign rather than verified (according to the docs).

    And please note that not all connections to the MTA are SMTP-AUTH connections. Some connections are from a secondary mail server forwarding mails, so always checking for SMTP-AUTH won't work, I guess.

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    You're right, that was a faulty suggestion. I had to re-read this portion of the dkim-filter(8) man page to remind myself how it works:

    OPERATION
    A message will be verified unless it conforms to the signing criteria,
    which are: (1) the domain on the From: address or Sender: address (if
    present) must be listed by the -d command line switch or the Domain
    configuration file setting, and (2) (a) the client connecting to the
    MTA must have authenticated, or (b) the client connecting to the MTA
    must be listed in the file referenced by the -i command line switch (or
    be in the default list for that option), or (c) the client must be con-
    nected to a daemon port named by the -m command line switch, or (d) the
    MTA must have set one or more macros matching the criteria set by the
    -M command line switch.

    The test for (2)(a), client authentication, is to see if the {auth_type} macro is set to something. If you'd rather check {auth_authen} or some other macro, you just need to use "-M" from the command line or "MacroList" from the configuration file to perform that check.

    Is that sufficient for your needs?

     
  • Jens Maus
    2008-03-12

    • status: open --> closed-invalid
     
  • Jens Maus
    2008-03-12

    Logged In: YES
    user_id=34749
    Originator: YES

    Ah ok, this seems to work. The problem was that I had the ENVFROM macro overridden like I outlined above. This caused the {auth_type} not to be available to milters and hence dkim-filter was not able to query it.

    Perhaps it would be a good idea to add some documentation about how to set up the Milter, because I couldn't find any on how it should be set up in the sendmail.mc, including paying attention to the ENVFROM macro for that case.

    Thanks for the help and sorry for the confusion ;)

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    The documentation (both INSTALL and dkim-filter/README) both mention adding INPUT_MAIL_FILTER() to sendmail.mc. This automatically adds the lines which select the macros to be reported by the MTA to the filter, and {auth_type} is in that list by default.

    I could add some warning about how things can break if you tinker with the defaults.
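
Added example (not part of the original thread, and not dkim-filter or sendmail project code): a Python check for the misconfiguration diagnosed above, a sendmail.mc that overrides confMILTER_MACROS_ENVFROM without {auth_type}, so dkim-filter cannot tell that the client authenticated. The sample .mc snippets, including the INPUT_MAIL_FILTER socket address, are constructed for illustration.

```python
import re

# dkim-filter's authentication test reads {auth_type} (see the reply above).
REQUIRED = "{auth_type}"
DEFINE_RE = re.compile(
    r"define\(\s*`confMILTER_MACROS_ENVFROM'\s*,\s*`([^']*)'\s*\)")

def strip_dnl(line):
    """m4 'dnl' discards the rest of the line, so cut the line there."""
    return re.split(r"\bdnl\b", line, maxsplit=1)[0]

def envfrom_override(mc_text):
    """Return the overriding ENVFROM macro list, or None if none is set."""
    macros = None
    for line in mc_text.splitlines():
        m = DEFINE_RE.search(strip_dnl(line))
        if m:  # a later define replaces an earlier one
            macros = [s.strip() for s in m.group(1).split(",") if s.strip()]
    return macros

def check(mc_text):
    """Return (ok, message) for the text of one sendmail.mc."""
    macros = envfrom_override(mc_text)
    if macros is None:
        return True, "no ENVFROM override; sendmail's default list applies"
    if REQUIRED in macros:
        return True, "override keeps " + REQUIRED
    return False, "override %s omits %s" % (", ".join(macros), REQUIRED)

# Constructed samples; the socket address is a placeholder.
BROKEN = """INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
"""
FIXED = BROKEN.replace("`i, {auth_authen}'", "`i, {auth_type}, {auth_authen}'")
COMMENTED = BROKEN.replace("define(", "dnl define(")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED), ("commented", COMMENTED)):
        print(name, check(text))
```

Running the check against the real sendmail.mc before rebuilding sendmail.cf catches the override that caused the "attempted to send as" message for authenticated clients in this ticket.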