Re: [exim] SMTP-Auth, specific users addicted to specific em…

Góra strony
Delete this message
Reply to this message
Autor: Tony Finch
Data:  
Dla: Mirko Grÿffffe4fen
CC: exim-users
Temat: Re: [exim] SMTP-Auth, specific users addicted to specific email adresses
On Thu, 4 Nov 2004, Mirko Grÿffffe4fen wrote:

> because i´m hosting some domains for different people,
> i need to know how a user can authenticate at exim and
> send mails only by his real email adress.
> so, that also autherized senders can´t fake their
> adresses.


I have two prototype configurations which do this. I haven't tested them
but they should give you the right idea.

Note that this will only restrict the envelope sender address (not
addresses in the message header), and it will only do so for authenticated
users. You can't make this kind of restriction for unauthenticated
messages, so there's still plenty of scope for forgery. (However you can
extend the following techniques by adding some clever address rewriting to
do general purpose envelope sender forgery detection including collateral
spam detection, but I won't describe that in this message.)

----------------------------------------------------------------

I assume that you have a router setup for delivering messages to your
users, for example delivery to the message store. The idea is to add an
extra verification router immediately before it, which checks whether it
is permissable to use the address as the envelope sender.

hermes_bounce:
  driver        = redirect
  domains        = hermes.cam.ac.uk
  senders        = :
  data            = ${if and{{ def:$authenticated_id } \
                       { !eq{$local_part}{$authenticated_id} }} \
                   {:fail: Forged bounce address} }
  allow_fail
  retry_use_local_part


The senders = : precondition ensures that this router is only used for
sender addresses or for bounce messages.

The redirection data checks if the user is authenticated (if they are not
the message is either a bounce or it's an uncheckable forgery) and if so
it checks that their username is the same as the local part of the
address. If the checks fail, routing fails with a nice error message. If
the checks succeed, the redirect data is an empty string so the router
declines, and the address is handled by the usual delivery router which is
next in the configuration file.

If your users have alias addresses (for example, tony.finch@???
-> fanf2@??? -> fanf2@???) then when Exim is routing an
address in order to verify it (because of verify = sender in an ACL), it
will trace through all the aliases to the user's ultimate address which
will be handled by the _bounce router. This deals with cases like my @ucs
address where the username is not obvious from the email address.

Exim stops verifying when it encounters an alias which expands to more
than one address. Therefore this technique will allow people to use such
aliases as envelope sender addresses. This might or might not be
desirable. If you want to prevent it only in certain cases you might want
to have something like the following before your virtual domain router.

domain_bounce:
  driver        = redirect
  domains        = +local_domains
  senders        = :
  data            = ${lookup{$local_part} \
                cdb{DOMAINS/nosender/${domain}.cdb} \
                   {:fail: Forged bounce address} }
  check_ancestor
  allow_fail
  retry_use_local_part


----------------------------------------------------------------

If your requirement is that users must use one of their own addresses (not
a multi-destination alias), there's a completely different technique which
you will be able to use with Exim 4.44 when it is released. In your main
delivery router, add an address_data statement like the following:

hermes_lmtp:
  driver        = manualroute
  no_verify
  domains        = hermes.cam.ac.uk
  address_data        = $local_part
  host_find_failed    = defer
  route_data        = ${lookup{$local_part}cdb{USERS/cyrus.cdb}}
  retry_use_local_part
  transport        = hermes_lmtp


As before, when Exim is verifying an address it will trace it through to
the final router, which will set the address_data identifying the user
that owns the address. If the address has multiple recipients Exim will
halt verification so no address_data will be set.

The final address data is then available in your ACLs, so you can check it
with something like:

  require verify    = sender
          condition = ${if eq{$sender_address_data}{$authenticated_id} \
                           {yes} {no} }


$sender_address_data is a new feature in 4.44.

Tony.
--
f.a.n.finch <dot@???> http://dotat.at/
MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING
MODERATE.