[opendmarc-users] opendmarc not detecting SMTP auth
Murray S. Kucherawy
msk at blackops.org
Wed Sep 3 22:44:26 PDT 2014
On Tue, 2 Sep 2014, Dan Mahoney, System Admin wrote:
> What I believe I have happening is a user talking directly to port 25 on
> my system. They're doing SMTP auth, so this is valid, per the spec
> (i.e. they should not have to be forced to switch to port 587).
> Because it's the MTA, I can't take opendmarc out of the path like I'd be
> able to do with the MSA.
>
> Their mail gets detected and signed by domainkeys/opendkim. Other milters
> (like milter-greylist) seem to have been able to detect that this user did
> SMTP auth.
>
> Naturally, I have set:
>
> ## IgnoreAuthenticatedClients { true | false }
> ## default "false"
> ##
> ## If set, causes mail from authenticated clients (i.e., those that used
> ## SMTP AUTH) to be ignored by the filter.
> #
> IgnoreAuthenticatedClients true
>
> But OpenDMARC seems to not be ignoring. (I don't know the semantics of how
> this works -- if the mta passes the authenticated bit along as part of the
> milter interface, or if opendmarc just scans the header).
The logic applied is: At MAIL FROM, if the "auth_authen" MTA macro is set
(to anything), then the client authenticated and the transaction is
ignored by the filter. This is the way open source sendmail typically
passes that information to filters, inasmuch as their stock configuration
file arranges such.
In sendmail.cf, there's a line that looks like this:
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
That's the list of macros that are passed to the filter when MAIL FROM is
received. {auth_authen} is the authenticated name of the client, so for
an SMTP AUTH session, it shouldn't be NULL.
You could confirm that the macro is being set and sent to the filter using
milter debugging (opendmarc's MilterDebug setting) and/or sendmail's
Milter.LogLevel setting.
> I'll note as well that it would be nice if the milter could include the
> "Received" headers, if it has access to them.
It does have access to them. I don't know what you mean though: Include
them where?
-MSK
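The rule Murray describes (at MAIL FROM, the filter is handed whatever macros the MTA's Milter.macros.envfrom list names, and the transaction is skipped if {auth_authen} is among them and set) depends on two separate things being true: the session actually authenticated, and the MTA's export list includes {auth_authen}. The following is an added example, not code from OpenDMARC or sendmail: it parses the "O Milter.macros.envfrom=" option line out of a sendmail.cf, models which macros reach a milter at MAIL FROM, and applies the IgnoreAuthenticatedClients decision, so you can see why a session that authenticated is still processed when the export list omits the macro. The sendmail.cf fragments and session macro values are constructed for illustration, and the real filter reads macros through libmilter's smfi_getsymval() rather than a dict.

```python
"""Model of the IgnoreAuthenticatedClients check at MAIL FROM, plus a
parser that confirms the MTA exports {auth_authen} to milters.
Added example; not OpenDMARC's or sendmail's code."""

import re

AUTH_MACRO = "{auth_authen}"

# Constructed sendmail.cf fragment (not copied from a real host): the
# stock sendmail envfrom macro list, which includes {auth_authen}.
CF_EXPORTS_AUTH = """\
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
"""

# Constructed variant with {auth_authen} dropped from the MAIL FROM list:
# the filter can then never learn that the client authenticated.
CF_MISSING_AUTH = """\
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.envfrom=i, {mail_mailer}, {mail_host}, {mail_addr}
"""

_ENVFROM_RE = re.compile(r"^O\s+Milter\.macros\.envfrom\s*=\s*(.*)$", re.M)


def envfrom_macro_list(cf_text):
    """Macro names sendmail passes to filters at MAIL FROM, parsed from
    the 'O Milter.macros.envfrom=' option line ([] if the line is absent)."""
    m = _ENVFROM_RE.search(cf_text)
    if not m:
        return []
    return [name.strip() for name in m.group(1).split(",") if name.strip()]


def cf_exports_auth_authen(cf_text):
    """True if the MTA is configured to hand {auth_authen} to milters at
    MAIL FROM.  If this is False, IgnoreAuthenticatedClients cannot fire."""
    return AUTH_MACRO in envfrom_macro_list(cf_text)


def macros_seen_by_filter(cf_text, session_macros):
    """Simulate the milter protocol: of the macros the MTA knows for the
    session, only those named in the envfrom export list reach the filter."""
    exported = envfrom_macro_list(cf_text)
    return {k: v for k, v in session_macros.items() if k in exported}


def ignore_transaction(filter_macros, ignore_authenticated_clients=True):
    """The rule from the reply above: at MAIL FROM, if {auth_authen} is set
    (to anything), the client authenticated and the transaction is skipped.
    With the option off, nothing is skipped."""
    if not ignore_authenticated_clients:
        return False
    return filter_macros.get(AUTH_MACRO) is not None


def diagnose(cf_text, session_macros):
    """Return (macro_exported, transaction_ignored) for one MAIL FROM."""
    seen = macros_seen_by_filter(cf_text, session_macros)
    return cf_exports_auth_authen(cf_text), ignore_transaction(seen)


if __name__ == "__main__":
    # Constructed macro values for an SMTP AUTH session on port 25.
    authed = {"i": "s83AbCde012345", "{auth_type}": "PLAIN",
              "{auth_authen}": "dan", "{mail_addr}": "dan@example.com"}
    for label, cf in (("stock cf", CF_EXPORTS_AUTH), ("cf w/o auth", CF_MISSING_AUTH)):
        exported, ignored = diagnose(cf, authed)
        print(f"{label}: {{auth_authen}} exported={exported} ignored={ignored}")
```

If the second case is what you see on your own host, the fix is on the MTA side (restore {auth_authen} to Milter.macros.envfrom), not in opendmarc.conf; MilterDebug and Milter.LogLevel will show which macros actually crossed the socket.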