
Mailing List Archive: exim: users

Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)


laurent.rahuel at gmail

May 31, 2012, 5:59 AM

Post #1 of 8 (890 views)
Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

Hi,

I know this has been asked many times but none of my googling requests
gave a suitable answer.
I want to get rid of Return-Path and Sender rewriting when an email is
sent via an authenticated connexion.

Sending email via my smtp on port 25 without authentication will leave
return-path and sender as configured in my mail client
firstname.lastname [at] mydomain
Sending email via the same smtp server on port 465 with an
authentication will change return-path and sender with
login [at] my

I tried many of the possible solutions I found on the Internet but none
of them worked (submission/retain_sender, submission/domain=,
submission/domain=domain.com/name=...)

Does anybody have any clue?

Regards,

Laurent

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


tlyons at ivenue

May 31, 2012, 12:24 PM

Post #2 of 8 (876 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

On Thu, May 31, 2012 at 5:59 AM, Laurent Rahuel
<laurent.rahuel [at] gmail> wrote:
> Hi,
>
> I know this has been asked many times but none of my googling requests gave
> a suitable answer.
> I want to get rid of Return-Path and Sender rewriting when an email is sent
> via an authenticated connexion.

I guess I don't understand the goal. Why do you want to get rid of
any auditing information that could be used to track abused accounts?
What you are asking for is the ability to change the values that a
mail server would normally insert in the headers for abuse tracking to
something that can be spoofed. What's the use case? What am I not
understanding?

...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding



wbh at conducive

May 31, 2012, 1:12 PM

Post #3 of 8 (871 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

Laurent Rahuel wrote:
> Hi,
>
> I know this has been asked many times but none of my googling requests
> gave a suitable answer.
> I want to get rid of Return-Path and Sender rewriting when an email is
> sent via an authenticated connexion.
>
> Sending email via my smtp on port 25 without authentication will leave
> return-path and sender as configured in my mail client
> firstname.lastname [at] mydomain
> Sending email via the same smtp server on port 465 with an
> authentication will change return-path and sender with
> login [at] my
>
> I tried many of the possible solutions I found on the Internet but none
> of them worked (submission/retain_sender, submission/domain=,
> submission/domain=domain.com/name=...)
>
> Does anybody have any clue?
>
> Regards,
>
> Laurent
>

Mine have long done what you seek - preserved wot the MUA OR Webmail
daemon supplied - but 'Seniour Moment' as to remembering why and how.

See also options for:

local_sender_retain

local_from_check

Then check the 'big picture' to insure you are not fighting a default
... or other of your own settings ..

Bill
--
韓家標



wbh at conducive

May 31, 2012, 2:13 PM

Post #4 of 8 (871 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

Todd Lyons wrote:
> On Thu, May 31, 2012 at 5:59 AM, Laurent Rahuel
> <laurent.rahuel [at] gmail> wrote:
>> Hi,
>>
>> I know this has been asked many times but none of my googling requests gave
>> a suitable answer.
>> I want to get rid of Return-Path and Sender rewriting when an email is sent
>> via an authenticated connexion.
>
> I guess I don't understand the goal. Why do you want to get rid of
> any auditing information that could be used to track abused accounts?

OP's question was actually peripheral to all that...

But FWIW, it doesn't 'get rid of' auditing information.

Just leaves it in logs and archives, where it belongs, easily matched-up
if/as/when ... from much leaner fingerprints...

.. instead of carrying accurate-maybe, useful-rarely, but
bloated-always, ....and annoying-often .. 'fat' .. in every header-set
constructed ...to every destination.

So much 'fat' that folks are forced to keep their 'display headers'
shut-off in an MUA so as to not scroll clear off the view-page before
the first line of content shows up.

Thereby missing even the 'basics' that ARE useful nearly all the time.

To the USER.

> What you are asking for is the ability to change the values that a
> mail server would normally insert in the headers for abuse tracking to
> something that can be spoofed. What's the use case? What am I not
> understanding?
>
> ...Todd

'normally' is a wastrel.

Do a byte-count of header and another of body on your post, above.

Roughly ten times the overhead as payload... granted - not all of it
yours. Tahini and sputniks have diarrhea, too.

Despite which, if one does not have access to ALL of the server AND MLM
logs from origination to destination... very little of it can be taken
as 'gospel'.

Not even the time-stamps.

Less intrusive to have left all that on-box, stripped at final outbound
delivery for a lean and clean header set. Match to it if/as/when
actually *needed* for forensics. ELSE NOT.

Also harder for an adversary to 'spoof' if they've no clue how much you
are testing and recording -- but NOT displaying externally.

MUCH harder..

Give the poor end-user a break and smack a ration of 'lean' into the output.

.... they didn't ask to be buried in headers for the sometime-maybe
convenience of mailadmins.

Bill
--
韓家標



wbh at conducive

May 31, 2012, 2:26 PM

Post #5 of 8 (875 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

Laurent Rahuel wrote:
> Hi,
>
> I know this has been asked many times but none of my googling requests
> gave a suitable answer.
> I want to get rid of Return-Path and Sender rewriting when an email is
> sent via an authenticated connexion.
>
> Sending email via my smtp on port 25 without authentication

You really, really do not want to permit that.

I hope it was only for a SHORT testing period, was limited to local
recipients only, and otherwise protected by source IP restriction,
cert-matching, yadda, yadda.

If nothing else, your MUA should almost certainly have failed the rDNS
test that is a 'Very Good Idea' to apply on port 25 arrivals. That
discriminates 'at once' between real servers with the proper records
required ... and the brazillion legions of 'bots ... who have them not.

Which test you can then EXEMPT a logged-in-with-TLS user from on port 587.

Bill
--
韓家標



laurent.rahuel at gmail

May 31, 2012, 3:22 PM

Post #6 of 8 (877 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

On 31 May 2012 at 21:24, Todd Lyons wrote:

> On Thu, May 31, 2012 at 5:59 AM, Laurent Rahuel
> <laurent.rahuel [at] gmail> wrote:
>> Hi,
>>
>> I know this has been asked many times but none of my googling requests gave
>> a suitable answer.
>> I want to get rid of Return-Path and Sender rewriting when an email is sent
>> via an authenticated connexion.
>
> I guess I don't understand the goal. Why do you want to get rid of
> any auditing information that could be used to track abused accounts?
> What you are asking for is the ability to change the values that a
> mail server would normally insert in the headers for abuse tracking to
> something that can be spoofed. What's the use case? What am I not
> understanding?
>
> ...Todd
> --
> Always code as if the guy who ends up maintaining your code will be a
> violent psychopath who knows where you live. -- Martin Golding

I guess you could understand that someone setting up an smtp server with auth and tls for security reasons would search for user login not to be displayed in each email.
I guess that's why /etc/aliases exists.

Laurent




wbh at conducive

May 31, 2012, 3:47 PM

Post #7 of 8 (878 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

Laurent Rahuel wrote:
>
> On 31 May 2012 at 21:24, Todd Lyons wrote:
>
>> On Thu, May 31, 2012 at 5:59 AM, Laurent Rahuel
>> <laurent.rahuel [at] gmail> wrote:
>>> Hi,
>>>
>>> I know this has been asked many times but none of my googling requests gave
>>> a suitable answer.
>>> I want to get rid of Return-Path and Sender rewriting when an email is sent
>>> via an authenticated connexion.
>>
>> I guess I don't understand the goal. Why do you want to get rid of
>> any auditing information that could be used to track abused accounts?
>> What you are asking for is the ability to change the values that a
>> mail server would normally insert in the headers for abuse tracking to
>> something that can be spoofed. What's the use case? What am I not
>> understanding?
>>
>> ...Todd
>> --
>> Always code as if the guy who ends up maintaining your code will be a
>> violent psychopath who knows where you live. -- Martin Golding
>
> I guess you could understand that someone setting up an smtp server with auth and tls for security reasons would search for user login not to be displayed in each email.
> I guess that's why /etc/aliases exists.
>
> Laurent
>
>

For sure.

.. or why some among us use an SQL DB in Unicode so the UID:PWD need not
have the slightest resemblance WHATSOEVER to an email address. Or even
same native language or encoding. Exim gets the associated email,
domain.tld, mailstore location, (and a great deal more), from the DB
where and when needed.

The SQL part isn't required, either.

Just more flexible than simpler stuff that Exim is equally happy to use
'most of the time'. SQL being usable from essentially anywhere in Exim
with identical syntax. Not always true of the many other options. And
/etc/aliases in Chinese? Actually haven't tried that....

Bill
--
韓家標



exim-users at spodhuis

May 31, 2012, 8:58 PM

Post #8 of 8 (880 views)
Re: Exim4, Authentication and Sender, Return-Path rewriting (exim-4.63-10.el5)

On 2012-05-31 at 14:59 +0200, Laurent Rahuel wrote:
> I know this has been asked many times but none of my googling requests
> gave a suitable answer.
> I want to get rid of Return-Path and Sender rewriting when an email is
> sent via an authenticated connexion.
>
> Sending email via my smtp on port 25 without authentication will leave
> return-path and sender as configured in my mail client
> firstname.lastname [at] mydomain
> Sending email via the same smtp server on port 465 with an
> authentication will change return-path and sender with
> login [at] my
>
> I tried many of the possible solutions I found on the Internet but none
> of them worked (submission/retain_sender, submission/domain=,
> submission/domain=domain.com/name=...)
>
> Does anybody have any clue ?

I suspect that your RCPT ACL is doing "accept authenticated = *"
*Before* the submission checks you talk about.

Look at the headers of this mail; I think it does what you want. I'm
using authenticated SMTP over TLS to talk to the mail-server.

*Early* in my RCPT ACL I have:

  warn authenticated = *
       set acl_m_sign_message = yes
       control = submission/sender_retain

The $acl_m_sign_message variable is used to DKIM-sign the message later.
I set it to "no" at the beginning of the ACL.

To limit the Received: header I use:

  received_header_text = "Received: \
      ${if def:authenticated_id {from authenticated user }{\
      ${if def:sender_rcvhost {from $sender_rcvhost\
      ${if def:sender_helo_name { (helo=$sender_helo_name)}}\n\t}}}}\
      by ${primary_hostname} \
      ${if def:received_protocol {with $received_protocol}} \
      ${if def:tls_cipher {($tls_cipher)}}\
      \n\tid $message_exim_id"

That's all it takes.

-Phil
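
The audit trail debated in this thread, as an added example that is not part of the original posts: once the login is no longer in the headers, the message id kept in the Received: header can still be matched to the arrival line in the Exim main log to recover the authenticated account. The header and log lines are constructed samples, and the `A=authenticator:login` field on the `<=` line is assumed to follow Exim's default arrival-line format; the function names are hypothetical.

```python
import re

# Exim message IDs of this era: 6-6-2 base-62 characters.
MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"

# Constructed Received: header, shaped like the output of the
# received_header_text template quoted in the post above.
SAMPLE_RECEIVED = (
    "Received: from authenticated user by mail.example.org with esmtpsa "
    "(TLSv1:AES256-SHA:256)\n\tid 1Sa5xK-0003Xy-Ab"
)

# Constructed main log lines (assumed default "<=" arrival format).
SAMPLE_LOG = """\
2012-05-31 14:58:40 1Sa5wz-0003Xq-7Q <= bounce@example.net H=mx.example.net [198.51.100.7] P=esmtp S=2210
2012-05-31 14:59:01 1Sa5xK-0003Xy-Ab <= firstname.lastname@example.org H=(laptop) [192.0.2.10] P=esmtpsa X=TLSv1:AES256-SHA:256 A=plain:login S=1432
2012-05-31 14:59:02 1Sa5xK-0003Xy-Ab => someone@example.com R=dnslookup T=remote_smtp H=mx.example.com [203.0.113.5]
"""

ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>" + MSG_ID + r") <= "
    r"(?P<sender>\S+)(?P<rest>.*)$"
)

def message_id_from_received(header):
    """Return the Exim message ID from a Received: header, or None."""
    m = re.search(r"\bid (" + MSG_ID + r")\b", header)
    return m.group(1) if m else None

def audit_record(header, log_text):
    """Match a Received: header to its arrival line and report who sent it."""
    msg_id = message_id_from_received(header)
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or m.group("id") != msg_id:
            continue  # delivery lines and other messages are skipped
        # Remaining fields are KEY=value tokens; bare tokens like [ip] are ignored.
        fields = dict(f.split("=", 1) for f in m.group("rest").split() if "=" in f)
        authenticator, _, login = fields.get("A", "").partition(":")
        return {
            "time": m.group("ts"),
            "message_id": msg_id,
            "envelope_sender": m.group("sender"),
            "protocol": fields.get("P"),
            "authenticator": authenticator or None,
            "login": login or None,
        }
    return None  # no id in the header, or no arrival line for it
```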
