Author: Dave C. Date: To: Odhiambo Washington CC: Exim Users Subject: Re: [Exim] Relaying for a specified user
On Tue, 28 Aug 2001, Odhiambo Washington wrote:
> * Dave C. <djc@???> [20010828 18:36]: writing on the subject 'Re: [Exim] Relaying for a specified user'
> |
> | If you do this, then ANYONE can claim to be that user (or a user in the
> | domain), and relay mail through your server, forging that person's
> | identity in the process.
> |
> | The problem with a setup like this is that it doesn't verify that
> | the sender really is the person/company you want to relay for.
> |
> | Sender relay checks should always be by IP address (which is *very*
> | difficult to fake), or some sort of ID/password (eg, SMTP auth, or
> | pop-before-smtp, where the pop session validates the ID/password) For
> | roaming users, SMTP AUTH really is the best solution.
> |
> | Sender email address is just too easy to forge. (In fact, it's laughably
> | easy - you use MS Outlook express? Go in your Tools/Accounts/Properties,
> | and enter 'president@???' in the 'email address' field, and
> | save. There - Now you are the President of the USA. If the US government
> | SMTP server permits relay by sender email address [I'm sure they don't],
> | you could relay your mail through there too, making it look even more
> | like you are legitimately sending from that address)
> |
> | Relaying 'for' a domain means you accept mail that is addressed *to*
> | users in that domain.
>
> This _thoroughly_ makes sense to me and that is why I am now going the
> AUTH way.
>
> Sort of good programming skills, now I believe that if the perms on the
> master.passwd aren't gonna allow Exim to read it, then a small script
> (let's call it auth) can help me out. All I need to get is a Makefile with
> commands to extract the username:encryptedpasswd pair and update a file
> which Exim will read, instead of the master.passwd
> Every time I add a new user to the system, I'll need to go into the dir
> with the Makefile and type 'make' - a bit easy, yes?
From a security standpoint, it would be better to have exim pass a
username/password pair to the script, and then have the script pass back
a pass/fail indication. That way you don't provide the encrypted password
to any non-root process.
From a paranoid security standpoint, the script should have two
functions. One, where exim would pass it a username, and it would pass
back the 'salt' of the crypted password for that user. Then exim would
crypt the supplied password using that salt, and then call the script
for function Two, compare the crypted passwords and pass back a
pass/fail indication. This way nothing is passing the known good crypted
password, nor any plaintext password.
The second way would truly be nuts to implement, and only the most
clinically paranoid need try.
> |
> | On Tue, 28 Aug 2001, Odhiambo Washington wrote:
> |
> | > Hello listers,
> | >
> | > I am a bit stuck with a situation that might be quite simple for the rest
> | > of you.
> | >
> | > I am hosting the domain "aapas.com" and so I do relay for it.
> | > There is a user from this domain who's travelled to the UK and he connects
> | > using AOL. He still has his MUA configured to use my server
> | > smtp.wananchi.com as his SMTP server but my server rejects his mail
> | > saying this (from rejectlog):
> | >
> | > 2001-08-23 12:07:46 refused relay (host) to <some@???>
> | > from <user@???> H=(wlori080) [172.188.137.254]
> | >
> | >
> | > Is there a way I can allow relay for some specific users (without
> | > involving AUTH)? Something like
> | >
> | > sender_accept_relay = lsearch;/some/file
> | >
> | > Forgive my stupidity ;-)
> | >
> | >
> | > -Wash
> | >
> | > --
> | > Odhiambo Washington
> | > Wananchi Online Ltd.,
> | > wash@??? 1st Flr Loita Hse.
> | > Tel: 254 2 313985 Loita Street.,
> | > Fax: 254 2 313922 PO Box 10286,00100-NAIROBI,KE.
> | >
> | > If scientific reasoning were limited to the logical processes of arithmetic,
> | > we should not get very far in our understanding of the physical world. One
> | > might as well attempt to grasp the game of poker entirely by the use of the
> | > mathematics of probability.
> | > -Vannevar Bush
> | > (contributed by Chris Johnston)
> | >
> |
>
> -Wash
>
> --
> Odhiambo Washington
> Wananchi Online Ltd.,
> wash@??? 1st Flr Loita Hse.
> Tel: 254 2 313985 Loita Street.,
> Fax: 254 2 313922 PO Box 10286,00100-NAIROBI,KE.
>
> Beauty is a form of genius - is higher, indeed, than genius, as it needs no
> explanation. It is of the great facts in the world like sunlight, or
> springtime, or the reflection in dark water of that silver shell we call the
> moon.
> -Oscar Wilde
>
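The two-function check Dave describes above, written out as an added example that is not part of the original thread. It stands in for the root-side script with an inline dict, and for crypt(3) with salted SHA-256 from hashlib (an assumption made because Python's crypt module is no longer available in current releases); the split is the same: function one hands out only the salt, function two receives a hash computed by the caller and answers pass/fail, so neither the plaintext password nor the stored hash crosses the privilege boundary.

```python
"""Two-step password check: salt lookup, then hash comparison.

Constructed example. PASSWD_DB stands in for the root-only password
file; hash_password() stands in for crypt(3) (salted SHA-256, assumed).
"""
import hashlib
import hmac
import secrets
from typing import Optional


def hash_password(password: str, salt: str) -> str:
    # Stand-in for crypt(password, salt): salted SHA-256, hex encoded.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(password: str) -> str:
    # Build a stored "salt$hash" entry, as the generated password file would hold.
    salt = secrets.token_hex(8)
    return f"{salt}${hash_password(password, salt)}"


# Constructed sample of the privileged password file: username -> salt$hash.
PASSWD_DB = {
    "wash": make_entry("correct horse"),
    "dave": make_entry("s3cret"),
}


def get_salt(username: str) -> Optional[str]:
    """Function one (privileged side): return the user's salt, or None if unknown."""
    entry = PASSWD_DB.get(username)
    return entry.split("$", 1)[0] if entry else None


def check_hash(username: str, candidate_hash: str) -> bool:
    """Function two (privileged side): compare a caller-computed hash to the stored one.

    compare_digest keeps the comparison time independent of where the hashes differ.
    """
    entry = PASSWD_DB.get(username)
    if entry is None:
        return False
    stored_hash = entry.split("$", 1)[1]
    return hmac.compare_digest(stored_hash, candidate_hash)


def authenticate(username: str, password: str) -> bool:
    """Unprivileged side (Exim's role): fetch salt, hash locally, ask for pass/fail."""
    salt = get_salt(username)
    if salt is None:
        return False
    return check_hash(username, hash_password(password, salt))
```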