[opendmarc-users] opendmarc not detecting SMTP auth

Murray S. Kucherawy msk at blackops.org
Wed Sep 3 22:44:26 PDT 2014


On Tue, 2 Sep 2014, Dan Mahoney, System Admin wrote:
> What I believe I have happening is a user talking directly to port 25 on 
> my system.  They're doing SMTP auth, so this is valid, per the spec 
> (i.e. they should not have to be forced to switch to port 587). 
> Because it's the MTA, I can't take opendmarc out of the path like I'd be 
> able to do with the MSA.
>
> Their mail gets detected and signed by domainkeys/opendkim.  Other milters 
> (like milter-greylist) seem to have been able to detect that this user did 
> SMTP auth.
>
> Naturally, I have set:
>
> ##  IgnoreAuthenticatedClients { true | false }
> ##      default "false"
> ##
> ##  If set, causes mail from authenticated clients (i.e., those that used
> ##  SMTP AUTH) to be ignored by the filter.
> #
> IgnoreAuthenticatedClients true
>
> But OpenDMARC seems to not be ignoring.  (I don't know the semantics of how 
> this works -- if the mta passes the authenticated bit along as part of the 
> milter interface, or if opendmarc just scans the header).

The logic applied is: At MAIL FROM, if the "auth_authen" MTA macro is set 
(to anything), then the client authenticated and the transaction is 
ignored by the filter.  This is the way open source sendmail typically 
passes that information to filters, inasmuch as their stock configuration 
file arranges such.

In sendmail.cf, there's a line that looks like this:

O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}

That's the list of macros that are passed to the filter when MAIL FROM is 
received.  {auth_authen} is the authenticated name of the client, so for 
an SMTP AUTH session, it shouldn't be NULL.

You could confirm that the macro is being set and sent to the filter using 
either milter debugging (opendmarc's MilterDebug setting) and/or 
sendmail's Milter.LogLevel setting.

> I'll note as well that it would be nice if the milter could include the 
> "Received" headers, if it has access to them.

It does have access to them.  I don't know what you mean though: Include 
them where?

-MSK
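
Added example, not part of the original message and not OpenDMARC's own code: a small Python check of the two prerequisites described above, namely that IgnoreAuthenticatedClients is true in opendmarc.conf and that {auth_authen} is in the Milter.macros.envfrom list in sendmail.cf. The function names and sample file contents are constructed for illustration; case-insensitive key matching and keeping the last definition found are assumptions.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the thread.
SAMPLE_SENDMAIL_CF = """\
O Milter.LogLevel=9
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
"""
SAMPLE_OPENDMARC_CONF = """\
##  IgnoreAuthenticatedClients { true | false }
##      default "false"
#
IgnoreAuthenticatedClients true
"""

def envfrom_macros(sendmail_cf):
    """Return the macro names listed for MAIL FROM, or None if the option line is absent."""
    macros = None
    for line in sendmail_cf.splitlines():
        m = re.match(r"O\s+Milter\.macros\.envfrom\s*=\s*(.*)$", line)
        if m:  # assumption: if the option appears twice, keep the last one
            macros = [t.strip().strip("{}") for t in m.group(1).split(",") if t.strip()]
    return macros

def ignore_authenticated(opendmarc_conf):
    """Return the IgnoreAuthenticatedClients value; the documented default is false."""
    value = False
    for line in opendmarc_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        # assumption: the setting name is matched case-insensitively
        if len(fields) >= 2 and fields[0].lower() == "ignoreauthenticatedclients":
            value = fields[1].lower() == "true"
    return value

def audit(sendmail_cf, opendmarc_conf):
    """Return findings that would explain authenticated mail still being filtered."""
    findings = []
    if not ignore_authenticated(opendmarc_conf):
        findings.append("opendmarc.conf: IgnoreAuthenticatedClients is not true")
    macros = envfrom_macros(sendmail_cf)
    if macros is None:
        # The file alone cannot show which macro list is in effect.
        findings.append("sendmail.cf: no Milter.macros.envfrom option found")
    elif "auth_authen" not in macros:
        findings.append("sendmail.cf: {auth_authen} is not in Milter.macros.envfrom")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SENDMAIL_CF, SAMPLE_OPENDMARC_CONF) or ["both prerequisites are met"]:
        print(finding)
```

An empty result only shows the configuration permits the macro to be sent; whether it is actually set for a given session still needs the MilterDebug or Milter.LogLevel output mentioned above.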

