Re: [Exim] smtp-ident

Author: Nigel Metheringham
Date:  
To: Tobias Galitzien
CC: robert rotman, exim-users
Subject: Re: [Exim] smtp-ident
tg@??? said:
> As I've been told this is an ancient way of authentication.

This is a common mistake, at least partially resulting from the
incorrect naming of the protocol when it was first published (RFC913 if
my memory serves me correctly - there is at least one superseding RFC
which should be used instead).

The service on port 113 is an identification service, which allows a
target host to determine the user responsible for making a connection to
it if the co-operating source host allows. It is useful for providing
additional information in an audit trail.

The data *should* not be used for authentication in any form *except*
on a closed secure network between co-operating hosts (probably not
even then). The information from the source host is only as reliable
as the host itself - i.e. if it's not under your control then you have to
treat the information as opaque data that can be used by the sysadmin
of the source system to trace back connection data - and some ident
implementations send out opaque cookies or DES encrypted information.

> I think it is somewhat obsolete

Not really - it is hugely useful at times - especially for checking
back on connections from real multiuser machines (as opposed to one
person linux boxes).

> you can cut it off by adding "rfc1413_query_timeout = 0s" to
> exim.conf.

Yes, but it's better to reduce the timeout and leave the service active
- it costs very little, and in cases of mail forgery can track the
sinner concerned very quickly.  In particular if you look at the first
(bottom-most) Received header on this mail you will see I send mail by
direct SMTP injection - forgers' paradise... but you get the ident of
the real user sending the mail in the header:-
  Received: from localhost
    ([127.0.0.1] helo=vdata.co.uk ident=nigel)
    [rest skipped]

Of course, as ever, this is not trusted data by the time it reaches
you, but gives you a decent traceback to investigate.

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]