[opendmarc-users] opendmarc not detecting SMTP auth
Dan Mahoney, System Admin
danm at prime.gushi.org
Wed Sep 3 23:27:54 PDT 2014
On Wed, 3 Sep 2014, Murray S. Kucherawy wrote:
> On Tue, 2 Sep 2014, Dan Mahoney, System Admin wrote:
>> What I believe I have happening is a user talking directly to port 25 on my
>> system. They're doing SMTP auth, so this is valid, per the spec (i.e. they
>> should not have to be forced to switch to port 587). Because it's the MTA,
>> I can't take opendmarc out of the path like I'd be able to do with the MSA.
>>
>> Their mail gets detected and signed by domainkeys/opendkim. Other milters
>> (like milter-greylist) seem to have been able to detect that this user did
>> SMTP auth.
>>
>> Naturally, I have set:
>>
>> ## IgnoreAuthenticatedClients { true | false }
>> ## default "false"
>> ##
>> ## If set, causes mail from authenticated clients (i.e., those that used
>> ## SMTP AUTH) to be ignored by the filter.
>> #
>> IgnoreAuthenticatedClients true
>>
>> But OpenDMARC seems to not be ignoring. (I don't know the semantics of how
>> this works -- if the mta passes the authenticated bit along as part of the
>> milter interface, or if opendmarc just scans the header).
>
> The logic applied is: At MAIL FROM, if the "auth_authen" MTA macro is set (to
> anything), then the client authenticated and the transaction is ignored by
> the filter. This is the way open source sendmail typically passes that
> information to filters, inasmuch as their stock configuration file arranges
> such.
>
> In sendmail.cf, there's a line that looks like this:
>
> O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf},
> {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
>
> That's the list of macros that are passed to the filter when MAIL FROM is
> received. {auth_authen} is the authenticated name of the client, so for an
> SMTP AUTH session, it shouldn't be NULL.
>
> You could confirm that the macro is being set and sent to the filter using
> either milter debugging (opendmarc's MilterDebug setting) and/or sendmail's
> Milter.LogLevel setting.
What would I set this to? I had tried "10" and the milter logged nothing
more than previous to my /var/log/all.log (which has *.* in syslog.conf).
>> I'll note as well that it would be nice if the milter could include the
>> "Received" headers, if it has access to them.
>
> It does have access to them. I don't know what you mean though: Include them
> where?
In reports that are mailed to the admin, such as the one I pasted. While
it was a paste, you saw what I saw. Specifically, the Received header
connecting to my system is where I normally look to see if Auth has
happened.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
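The exchange above hinges on one precondition that is easy to verify offline: sendmail only tells a milter that a client authenticated if {auth_authen} is in the Milter.macros.envfrom list in sendmail.cf, and OpenDMARC's IgnoreAuthenticatedClients can do nothing otherwise. The following script is an added example, not code from the thread or from the OpenDMARC or sendmail projects; it parses the `O Milter.macros.<stage>=` option lines out of a sendmail.cf and reports whether the MAIL FROM stage carries the authentication macro. The two sendmail.cf fragments embedded in it are constructed for the demonstration (the first mirrors the stock macro lists, the second drops the auth macros); to check a real system, read /etc/mail/sendmail.cf into `cf_text` instead.

```python
import re

# Constructed sendmail.cf fragment: stock-style macro lists, including the
# envfrom line quoted in the thread (in a real sendmail.cf it is one line).
CF_OK = """\
# options handed to milters at each SMTP stage
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
"""

# Constructed fragment where an admin trimmed the envfrom list: milters
# can no longer see SMTP AUTH, so IgnoreAuthenticatedClients is inert.
CF_MISSING = """\
O Milter.macros.envfrom=i, {mail_mailer}, {mail_host}, {mail_addr}
"""

# "O Milter.macros.<stage>=<comma separated macro list>"
OPTION_RE = re.compile(r"^O\s+Milter\.macros\.(?P<stage>\w+)\s*=\s*(?P<list>.*)$")


def parse_milter_macros(cf_text):
    """Return {stage: [macro, ...]} for every Milter.macros option line.

    Braces are stripped so the one-letter macro 'i' and the long macro
    '{auth_authen}' are both returned as plain names.
    """
    stages = {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        macros = []
        for item in m.group("list").split(","):
            item = item.strip()
            if item:
                macros.append(item.strip("{}"))
        stages[m.group("stage")] = macros
    return stages


def envfrom_passes_auth(cf_text):
    """True if sendmail hands {auth_authen} to milters at MAIL FROM.

    That is exactly the condition OpenDMARC tests for IgnoreAuthenticatedClients:
    if the MTA never sends the macro, the filter cannot know the client
    authenticated and will evaluate the message like any other.
    """
    return "auth_authen" in parse_milter_macros(cf_text).get("envfrom", [])


def missing_auth_macros(cf_text):
    """List the auth-related macros absent from the envfrom stage."""
    wanted = ("auth_type", "auth_authen", "auth_ssf", "auth_author")
    present = set(parse_milter_macros(cf_text).get("envfrom", []))
    return [m for m in wanted if m not in present]


if __name__ == "__main__":
    for label, cf in (("stock", CF_OK), ("trimmed", CF_MISSING)):
        print(label, "envfrom macros:", parse_milter_macros(cf).get("envfrom"))
        print(label, "auth_authen reaches milters:", envfrom_passes_auth(cf))
        print(label, "missing auth macros:", missing_auth_macros(cf))
```

If the check passes on a real sendmail.cf and OpenDMARC still does not ignore the authenticated session, the next thing to look at is whether the macro is actually populated for the connection (the MilterDebug and Milter.LogLevel knobs mentioned in the reply), since the option line only controls what sendmail is willing to send.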