Re: [exim] how to detect if address aliased?

Author: Tony Finch
Date:  
To: Giuliano Gavazzi
CC: exim-users
Subject: Re: [exim] how to detect if address aliased?
On Mon, 12 Dec 2005, Giuliano Gavazzi wrote:

> > I do this check in the ACLs rather than the routers, because messages may
> > come in to our email hub with a local user as the sender address for many
> > reasons other than message submission - email routing in Cambridge is
> > complicated, and there is lots of forwarding.
>
> yes, but does that mean that servers authenticate each other? If not (and they
> could authenticate using certificates, and I presume that would not
> necessarily set authenticated_id) the only case authenticated_id is set would
> be for message submission. The advantage of the router check (that is
> triggered by an acl of course) is that the aliases are resolved. Can you get
> the alias resolution from an acl? I guess so, probably in
> $sender_address_local_part after verify = sender has been called for a local
> domains sender.


Ah, yes, I should have explained that in more detail. We use the address
data to pass the result of routing back to the ACLs, including any
username that results from alias resolution. The address data is then
saved in an ACL variable for later use (Exim doesn't preserve
$address_data or $sender_address_data).

At the moment we are in the middle of withdrawing insecure message
submission, so we have an "insecure" table which lists the 9,500 users who
haven't yet reconfigured securely. This leads to a bit of complexity in
the ACLs.

Note that alias resolution may fail to produce a username; this can occur
if the user is sending email with a role address, or if they are using a
personal address. These cases are going to be more tricky to lock down.

We have two separate outgoing SMTP services: smtp.hermes.cam.ac.uk is the
submission service for individual users; and ppsw.cam.ac.uk is the smart
host for random stuff such as departmental mail servers, mailing list
systems, cron email, etc. The security improvements only apply to the
former; the latter will remain unauthenticated for the foreseeable future.
SMTP AUTH authenticates the system at the other end, not the sender of the
message, so it's hard to implement AUTH-based restrictions on general-
purpose relays (as opposed to submission servers).

# The following is used to populate the address data for local users.
#
HERMES_ADDRDATA    = user="$local_part" \
          suffix="$local_part_suffix" \
          secure=${lookup {$local_part} \
                   cdb    {USERS/insecure.cdb} \
                          {no} {yes} } \
          ${lookup {$local_part} cdb {USERS/addrdata.cdb} }


# ... in the ACLs ...

# Do return address verification compatible with the mx service,
# and save any resulting address data. We add any authentication
# information here because it is independent of the sender address.

  require
    verify         = sender
    acl            = aux_verify_sender
    set SENDER     = ${sender_address_data} \
                     ${if def:sender_host_authenticated \
                       {auth=$sender_host_authenticated:$authenticated_id} }


# If the connection is not authenticated, and the user is
# required to make secure connections, reject the message.
# If the routers could not identify the user then the result of
# the expansion will be blank so the message will not be rejected.

  deny
    message        = Insecure access forbidden: turn on TLS+AUTH;\n\
                     See http://www.cam.ac.uk/cs/email/securehermes.html
  ! authenticated  = *
    condition      = ${extract {secure}{$SENDER} }


# Log details of insecure submissions for use by an audit script.

  warn
    log_message    = Insecure message submission from \
                     ${extract {user}{$SENDER} \
                               {$value} {unknown user $sender_address} }
  ! authenticated  = *


# Check that authenticated users aren't pretending to be someone else.

  deny
    message        = Sender address ${extract {user}{$SENDER} } \
                     does not match authenticated user $authenticated_id
    authenticated  = *
    condition      = ${extract {user}{$SENDER} \
                               {${if eq{$value}{$authenticated_id} \
                                     {no} {yes} }} }


# ... in the routers ...

# Verify Hermes addresses that are destined for the Cyrus message
# stores in a separate router in order to avoid callouts. We fill
# in the address data for use by the ACLs.

hermes_verify:
  driver        = accept
  local_part_suffix    = +*
  local_part_suffix_optional
  verify_only
  domains        = hermes.cam.ac.uk
  local_parts        = +hermes_active
  address_data        = HERMES_ADDRDATA


Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
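
Added example (not part of the original message, and not Exim code): a Python model of the three ACL statements above, showing what each one decides for a given address data string, including the case where alias resolution produces no username. The usernames and address data strings are constructed, extract() is a simplified stand-in for Exim's ${extract{key}{string}}, and authenticated_id=None is assumed to model an unauthenticated connection.

```python
import re

# Simplified stand-in for Exim's ${extract{key}{string}} on key=value data:
# values are bare words or double-quoted; a missing key yields "".
_PAIR = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def extract(key, data):
    for m in _PAIR.finditer(data):
        if m.group(1) == key:
            return m.group(2) if m.group(2) is not None else m.group(3)
    return ""

def is_true(s):
    # Approximates an ACL "condition": empty, 0, no and false do not match.
    return s.strip().lower() not in ("", "0", "no", "false")

def submission_acl(sender_data, authenticated_id=None):
    """Apply the deny / warn / deny statements in the order they appear."""
    user = extract("user", sender_data)
    if authenticated_id is None:
        # deny: unauthenticated, and the user is required to connect securely
        if is_true(extract("secure", sender_data)):
            return ("deny", "Insecure access forbidden: turn on TLS+AUTH")
        # warn: logged for the audit script, ACL processing then continues
        return ("log", "Insecure message submission from " + (user or "unknown user"))
    # deny: authenticated, and routing found a user that differs from the login
    if user and user != authenticated_id:
        return ("deny", f"Sender address {user} does not match "
                        f"authenticated user {authenticated_id}")
    return ("pass", "")

# Constructed samples: (saved sender address data, authenticated_id or None)
SAMPLES = [
    ('user="abc123" suffix="" secure=yes', None),       # must use TLS+AUTH
    ('user="abc123" suffix="" secure=no', None),        # still in insecure table
    ('', None),                                         # role address, no user
    ('user="abc123" suffix="+lists" secure=yes auth=plain:abc123', "abc123"),
    ('user="abc123" suffix="" secure=yes', "xyz789"),   # sender != login
    ('', "xyz789"),                                     # role address, logged in
]

def run_samples():
    return [submission_acl(data, auth)[0] for data, auth in SAMPLES]

if __name__ == "__main__":
    for (data, auth), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:5} auth={auth!s:7} data={data!r}")
```

The last sample is the case the message calls tricky to lock down: with no username from routing, the mismatch check has nothing to compare and the sender address passes.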