
List:       amavis-user
Subject:    Re: [AMaViS-user] AUTH parameter to MAIL FROM
From:       Mark Martinec <Mark.Martinec+amavis () ijs ! si>
Date:       2007-06-18 16:19:42
Message-ID: 200706181819.42988.Mark.Martinec+amavis () ijs ! si

Leo,

> I'm using amavisd-new as a postfix smtpd_proxy_filter.
> I've noticed that some mailers (some sendmail configurations) include an
> AUTH parameter to the MAIL FROM command, which apparently postfix passes
> to amavisd. However, amavisd rejects those mails because I have not
> defined @auth_mech_avail.
>
> Jun 12 14:25:37 strike postfix/smtpd[611]: warning: proxy
> 127.0.0.1:10024 rejected "MAIL From:<xxx@yyy> SIZE=1841 AUTH=<>": "503
> 5.7.4 Error: authentication disabled".
>
> I've read Mark's post on this topic some years ago:
> http://thread.gmane.org/gmane.mail.virus.amavis.user/15970/focus=16013
> ... in which he argued that amavisd should not accept the AUTH parameter
> if it isn't configured for authentication.

I know, a postfix proxy smtp server is supposed to cut a few corners,
deviating from RFC2821 in some details.

Try the patch below (for 2.5.1), it will turn a fatal
  503 5.7.4 Error: authentication disabled
into an informative log entry and ignore the AUTH parameter.

> However, will simply enabling authentication by adding
> @auth_mech_avail = qw(PLAIN LOGIN);
> fix the problem for me? This will cause amavis to accept the AUTH parameter
> in "MAIL TO" commands. But amavisd will then also handle the AUTH 
> command.

It used to achieve the effect I think, although since the use
of Net::SMTP (= libnet) was dropped in 2.5.0, the authentication
in amavisd is even more crippled than it used to be.
Luckily no one depends on it, I believe.

> Will postfix still block SMTP sessions using authentication 
> with wrong credentials before the mail is passed to amavis? (I believe,
> amavis will reply with a positive "235 2.7.1 Authentication successful"
> to every (supported and syntactically correct) authentication attempt
> without checking the credentials if @auth_mech_avail is not empty.)

Yes, it would reply with Authentication successful, it has no way
to check credentials.

> As the SMTPD_PROXY_README says "Postfix sends no other SMTP commands.",
> postfix most likely won't pass an AUTH command to amavis anyway. So I'm
> just looking for a confirmation in order to be able to put my mind at rest.

I believe it is so.



--- amavisd.orig	Thu May 31 14:10:01 2007
+++ amavisd	Mon Jun 18 18:04:06 2007
@@ -13629,11 +13629,17 @@
               if (!defined($dsn_envid)) { $dsn_envid = $val }
               else { $msg = "501 5.5.4 Syntax error in MAIL parameter: $name" }
-            } elsif ($name eq 'AUTH' && @{ca('auth_mech_avail')} &&
-                     !defined($submitter) ) {  # rfc2554
-              $submitter = xtext_decode($val); # encoded as xtext: rfc3461
-              do_log(5, "MAIL command, %s, submitter: %s",
-                        $authenticated,$submitter);
-            } elsif ($name eq 'AUTH' && !@{ca('auth_mech_avail')}) {
-              $msg = "503 5.7.4 Error: authentication disabled";
+            } elsif ($name eq 'AUTH') {   # rfc2554
+              my($s) = xtext_decode($val);  # encoded as xtext: rfc3461
+              do_log(5, "MAIL command, %s, submitter: %s", $authenticated,$s);
+              if (defined $submitter) {
+                $msg = "504 5.5.4 MAIL command duplicate param.: $name=$val";
+              } elsif (!@{ca('auth_mech_avail')}) {
+              # $msg = "503 5.7.4 Error: authentication disabled";
+                do_log(3, "MAIL command parameter AUTH supplied, ".
+                          "but authentication is disabled, ignored");
+                $submitter = '<>';
+              } else {
+                $submitter = $s;
+              }
             } else {
               $msg = "504 5.5.4 MAIL command parameter error: $name=$val";
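
Review bot: in the new `if (defined $submitter)` branch the reply for a repeated AUTH parameter is `504 5.5.4 MAIL command duplicate param.`, while the repeated-ENVID case in the context lines directly above answers `501 5.5.4 Syntax error in MAIL parameter`; using one reply code for both repeated-parameter cases would keep the MAIL handler consistent. In the branch for disabled authentication, the commented-out `# $msg = "503 5.7.4 Error: authentication disabled";` line could be replaced by a short comment saying why `$submitter` is set to `'<>'` instead of being left undefined: it discards the client-supplied value and makes the `defined $submitter` test catch a second AUTH parameter. Since `xtext_decode($val)` and the level-5 `do_log` now run before either check, the decoded client-supplied value is logged even when authentication is disabled, which is worth stating in that comment as well.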



Mark
