On Mon, 29 Sep 2008, Björn Keil wrote:
>
> I am trying to figure out how to figure best, that an authenticated_id
> somehow fits to whatever sender is given in the envelop of a mail. What I
> find confusing about it is firstly AUTH Parameter in the MAIL command seems
> to possibly contain a different email address than given in the FROM.
Note that $authenticated_id comes from the AUTH command (SASL
authentication) whereas $authenticated_sender corresponds to the AUTH=
parameter to the MAIL command.
SASL makes a distinction between authentication (establishing who you are)
and authorization (establishing what you are permitted to do). You can
provide two identities via SASL: an authentication ID which (together with
your other credentials, e.g. your password) establishes who you are; and
an authorization ID by which you say what authority you wish to exercise
(e.g. am I logging in to my own account or am I using my rootly powers to
examine someone else's). Exim generally doesn't use the authz ID and puts
the authn ID into $authenticated_id.
Internet email has a similar distinction. In the message header you have
Sender: which is supposed to be who sent it (an authn ID) and From: on
whose behalf they are acting (an authz ID). In SMTP the return path
argument to MAIL FROM: can be unrelated to either From: or Sender: so is
in many ways an authz ID (even though it is usually the same as the
Sender:). The AUTH= parameter to the MAIL command is supposed to hold an
email address corresponding to the authn ID from the SASL exchange when
the message was originally submitted. It's pretty useless because there's
no way to check its validity on subsequent unauthenticated SMTP hops. This
is what Exim puts into $authenticated_sender. You can ignore it.
> Isn't it normal to check for this, somehow?
Generally not. Yes this is a bit lame but it's still relatively early days
for deployment of authenticated message submission.
Our configuration does check that senders are not trying to spoof email.
This is a little bit involved because we have departmental virtual domains
that contain "friendly name" email addresses which don't relate to
authenticated user names. We solve this by using sender address
verification to call the routers, which trace through chains of aliases to
the actual user account on the Hermes message store. The result is stored
in the address_data and later used by the submit ACL to check that the
authenticated_id corresponds to the owner of the email address.
http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/exim/etc/etc.ppsw/configure
> Secondly I am notquite sure how to deal with aliases... for example, several
> users may be allowed to respond for webmaster or for postmaster or root. If
> Id simply say a user may only use whatever email address is given in
> /etc/email-addresses that may be extremely limiting.
My scheme doesn't check aliases, mainly because I don't have good
information on who is allowed to use any given alias. When Exim is
verifying an address and it encounters an alias that expands to more than
one address, it stops verifying, which means my scheme can't work. So if
you do want to check who can use what alias, you'll probably need an
auxiliary database mapping email addresses to permitted senders.
> Thirdly I wonder wether it is possible or makes sense to somehow check
> From:-headers within the message body...
Exim does this when accepting a message in submission mode. If the From:
address doesn't match the sender address that Exim constructs based on
$authenticated_id, it adds a Sender: header. For details see
http://www.exim.org/exim-html-current/doc/html/spec_html/ch44.html
> If it is configured in default Debian (and therefore Ubuntu)
> configuration I must have missed in by now. The version I use is 4.63
> out of Debian Etch with the matching config package.
I'm afraid I can't help you with that.
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
