[opendmarc-users] opendmarc not detecting SMTP auth

Dan Mahoney, System Admin danm at prime.gushi.org
Wed Sep 3 23:27:54 PDT 2014


On Wed, 3 Sep 2014, Murray S. Kucherawy wrote:

> On Tue, 2 Sep 2014, Dan Mahoney, System Admin wrote:
>> What I believe I have happening is a user talking directly to port 25 on my 
>> system.  They're doing SMTP auth, so this is valid, per the spec (i.e. they 
>> should not have to be forced to switch to port 587). Because it's the MTA, 
>> I can't take opendmarc out of the path like I'd be able to do with the MSA.
>> 
>> Their mail gets detected and signed by domainkeys/opendkim.  Other milters 
>> (like milter-greylist) seem to have been able to detect that this user did 
>> SMTP auth.
>> 
>> Naturally, I have set:
>> 
>> ##  IgnoreAuthenticatedClients { true | false }
>> ##      default "false"
>> ##
>> ##  If set, causes mail from authenticated clients (i.e., those that used
>> ##  SMTP AUTH) to be ignored by the filter.
>> #
>> IgnoreAuthenticatedClients true
>> 
>> But OpenDMARC seems to not be ignoring.  (I don't know the semantics of how 
>> this works -- if the MTA passes the authenticated bit along as part of the 
>> milter interface, or if opendmarc just scans the header).
>
> The logic applied is: At MAIL FROM, if the "auth_authen" MTA macro is set (to 
> anything), then the client authenticated and the transaction is ignored by 
> the filter.  This is the way open source sendmail typically passes that 
> information to filters, inasmuch as their stock configuration file arranges 
> such.
>
> In sendmail.cf, there's a line that looks like this:
>
> O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
>
> That's the list of macros that are passed to the filter when MAIL FROM is 
> received.  {auth_authen} is the authenticated name of the client, so for an 
> SMTP AUTH session, it shouldn't be NULL.
>
> You could confirm that the macro is being set and sent to the filter using 
> either milter debugging (opendmarc's MilterDebug setting) and/or sendmail's 
> Milter.LogLevel setting.

What would I set this to?  I had tried "10" and the milter logged nothing 
more than previous to my /var/log/all.log (which has *.* in syslog.conf).

>> I'll note as well that it would be nice if the milter could include the 
>> "Received" headers, if it has access to them.
>
> It does have access to them.  I don't know what you mean though: Include them 
> where?

In reports that are mailed to the admin, such as the one I pasted.  While 
it was a paste, you saw what I saw.  Specifically, the Received header 
connecting to my system is where I normally look to see if Auth has 
happened.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
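
A way to check both halves of the logic described in the quoted reply, as an added example that is not part of the original message and not code from OpenDMARC or sendmail: it reads the text of a sendmail.cf and an opendmarc.conf and reports whether `{auth_authen}` is in the MAIL FROM macro list and whether `IgnoreAuthenticatedClients` is true. The sample file contents are constructed, the function names are hypothetical, and only the `true`/`false` values shown in the config comment above are recognised.

```python
import re

# Constructed sample files for illustration (not taken from the thread).
SENDMAIL_CF = (
    "# constructed sample sendmail.cf fragment\n"
    "O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}\n"
    "O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf},\n"
    "\t{auth_author}, {mail_mailer}, {mail_host}, {mail_addr}\n"
)
OPENDMARC_CONF = '##  default "false"\nIgnoreAuthenticatedClients true\n'

def logical_lines(text):
    """Drop comment/blank lines; join sendmail.cf continuation lines
    (lines starting with a space or tab) onto the line before them."""
    lines, keep = [], False
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t"):
            if keep and raw.strip():
                lines[-1] += " " + raw.strip()
            continue
        keep = bool(raw.strip()) and not raw.startswith("#")
        if keep:
            lines.append(raw.rstrip())
    return lines

def envfrom_macros(sendmail_cf):
    """Macros sent to milters at MAIL FROM, or None if the option is absent."""
    found = None
    for line in logical_lines(sendmail_cf):
        m = re.match(r"O\s+Milter\.macros\.envfrom\s*=(.*)$", line, re.I)
        if m:
            found = [x.strip() for x in m.group(1).split(",") if x.strip()]
    return found

def ignore_authenticated(opendmarc_conf):
    """True only if IgnoreAuthenticatedClients is explicitly set to true."""
    value = "false"  # default, per the config comment quoted in the thread
    for raw in opendmarc_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "IgnoreAuthenticatedClients":
            value = parts[1].lower()
    return value == "true"

def diagnose(sendmail_cf, opendmarc_conf):
    """Name the first reason authenticated mail would not be skipped."""
    if not ignore_authenticated(opendmarc_conf):
        return "IgnoreAuthenticatedClients is not true"
    macros = envfrom_macros(sendmail_cf)
    if macros is None:
        return "Milter.macros.envfrom not set in this file"
    if "{auth_authen}" not in macros:
        return "{auth_authen} not passed at MAIL FROM"
    return "ok"
```

A result of "ok" only shows the configuration is in place; whether the macro actually reaches the filter for a given session still has to be confirmed from the milter logging mentioned in the reply.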


