Mailing List Archive: SPF: Discuss

Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers?

Index | Next | Previous | View Threaded

julian at mehnle

Jan 9, 2008, 8:11 AM

Post #1 of 4 (849 views)
Permalink

Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Mark wrote:
> > As parameter to the MAIL command?? We're not talking the SMTP verb
> > "AUTH" (RFC 2554) here.
>
> Right, I'm not sure about this, my CRAM-MD5 test (1) did not cover it, I
> also never tried to use another MAIL FROM with this account. They kept
> the concept in RFC 4954 (successor of 2554), so I guess it's no hopeless
> case.

http://tools.ietf.org/html/rfc4954#section-5 says:

| 5. The AUTH Parameter to the MAIL FROM command
|
| AUTH=mailbox
|
| Arguments:
| A <mailbox> (see Section 4.1.2 of [SMTP]) that is associated
| with the identity that submitted the message to the delivery
| system, or the two character sequence "<>" indicating such an
| identity is unknown or insufficiently authenticated. To comply
| with restrictions imposed on ESMTP parameters, the <mailbox> is
| encoded inside an xtext. The syntax of an xtext is described in
| Section 4 of [ESMTP-DSN].
|
| Note:
| For the purposes of this discussion, "authenticated identity"
| refers to the identity (if any) derived from the authorization
| identity of previous AUTH command, while the terms "authorized
| identity" and "supplied <mailbox>" refer to the sender identity
| that is being associated with a particular message. Note that
| one authenticated identity may be able to identify messages as
| being sent by any number of authorized identities within a
| single session. For example, this may be the case when an SMTP
| server (one authenticated identity) is processing its queue
| (many messages with distinct authorized identities).
|
| Discussion:
| The optional AUTH parameter to the MAIL FROM command allows
| cooperating agents in a trusted environment to communicate the
| authorization identity associated with individual messages.
|
| If the server trusts the authenticated identity of the client to
| assert that the message was originally submitted by the supplied
| <mailbox>, then the server SHOULD supply the same <mailbox> in
| an AUTH parameter when relaying the message to any other server
| which supports the AUTH extension.
|
| For this reason, servers that advertise support for this
| extension MUST support the AUTH parameter to the MAIL FROM
| command even when the client has not authenticated itself to the
| server.
|
| A MAIL FROM parameter of AUTH=<> indicates that the original
| submitter of the message is not known. The server MUST NOT
| treat the message as having been originally submitted by the
| authenticated identity that resulted from the AUTH command.
|
| [...]

Hmmmm.

So, could it be argued that forwarders could just authenticate to the
receiver (their customer!) using SMTP-AUTH when forwarding mail, no
sophisticated forwarder whitelisting required?

Could this be a concept that we can pitch as some kind of "Forwarding NG"?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhPIdwL7PKlBZWjsRAhYZAJ4xMVqHGE4L1m1U/ilOHOGk9Eh1AwCg4dxB
sgZE/5vX5DfkvidOWXNPJC8=
=tSGU
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83733691-8f31d5
Powered by Listbox: http://www.listbox.com

admin at asarian-host

Jan 9, 2008, 9:16 PM

Post #2 of 4 (799 views)
Permalink

RE: Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers? [In reply to]

-----Original Message-----
From: Julian Mehnle [mailto:julian [at] mehnle]
Sent: woensdag 9 januari 2008 17:12
To: spf-discuss [at] v2
Subject: [spf-discuss] Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers?

Fascinating stuff. :) I wonder how come we never looked at this before.

> > For this reason, servers that advertise support for this
> > extension MUST support the AUTH parameter to the MAIL FROM
> > command even when the client has not authenticated itself to the
> > server.

Hmmmm, how exactly does an MTA "advertise support" for the AUTH parameter
to the MAIL command? It's not a VERB (like ENHANCEDSTATUSCODES, or DSN)
that can be advertised in the regular fashion. Or should we simply assume
the AUTH extension to the MAIL FROM command is implemented?

> > The optional AUTH parameter to the MAIL FROM command allows
> > cooperating agents in a trusted environment to communicate the
> > authorization identity associated with individual messages.

> So, could it be argued that forwarders could just authenticate to
> the receiver (their customer!) using SMTP-AUTH when forwarding mail,
> no sophisticated forwarder whitelisting required?

It would appear that way. :) I did some initial testing, and sendmail, at
least, defines the macro:

${auth_author}
The authorization identity (the AUTH= parameter of the SMTP MAIL command
if supplied.

Furthermore, we read (RFC 2554):

If the server does not sufficiently trust the authenticated
identity of the client, or if the client is not authenticated,
then the server MUST behave as if the AUTH=<> parameter was
supplied. The server MAY, however, write the value of the AUTH
parameter to a log file.

In other words: there's no 'penalty' for having a value in the AUTH=
parameter the MTA doesn't sufficiently trust enough. So then, what's to
prevent a forwarder from doing?

C: MAIL FROM:<bla [at] example> AUTH=forwarder.org

As per the RFC, my sendmail (8.14.2) DOES log an authentication failure:

Jan 10 05:51:17 asarian-host sendmail[28526]: ruleset=trust_auth,
arg1=forwarder.org, relay=localhost [127.0.0.1], reject=550 5.7.1
<bla [at] example>... not authenticated

But outwardly just replies with:

S: 250 2.1.0 <bla [at] example>... Sender ok

Perhaps we oughta prefix the forwarder identity? Like:

C: MAIL FROM:<bla [at] example> AUTH=spf_.forwarder.org

Where "spf_." is just a prefix to distinguish the use of the AUTH= param
from other cases.

Which brings me to another thought. How about this?

C: MAIL FROM:<bla [at] example> AUTH=<spf_>

Which senders can optionally supply as a courtesy to indicate the message
is NOT being forwarded? It might make receivers more confident to REJECT
on FAIL.

I must say I'm fair excited about this. :)

- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=84110643-0c2e6d
Powered by Listbox: http://www.listbox.com

nobody at xyzzy

Jan 10, 2008, 5:25 AM

Post #3 of 4 (802 views)
Permalink

Re: Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers? [In reply to]

Mark wrote:

> how exactly does an MTA "advertise support" for the AUTH parameter
> to the MAIL command?

It's only used in conjunction with SMTP AUTH (ESMTPA or ESMTPSA).

> should we simply assume the AUTH extension to the MAIL FROM
> command is implemented?

If the server doesn't offer AUTH it might not like this idea :-)

If the server offers AUTH, the client doesn't use it, but later
still tries the MAIL FROM parameter I'd expect a 5xy error reply.

>| C: MAIL FROM:<bla [at] example> AUTH=forwarder.org

> As per the RFC, my sendmail (8.14.2) DOES log an authentication
> failure:

>| Jan 10 05:51:17 asarian-host sendmail[28526]: ruleset=trust_auth,
>| arg1=forwarder.org, relay=localhost [127.0.0.1], reject=550 5.7.1
>| <bla [at] example>... not authenticated

> But outwardly just replies with:

>| S: 250 2.1.0 <bla [at] example>... Sender ok

<g> A kind of mixed strategy, the log has what *would* happen in
an AUTH-session, but the real reply is to ignore the AUTH outside
of an AUTH-session.

> I must say I'm fair excited about this. :)

I think you have to throw in the old TENBOX idea of a (dummy) SASL
mechanism for a (dummy) AUTH, after that the real magic can happen
in an AUTH-parameter (if you want "forwader.org"). Maybe one of
the existing dummy SASL mechanisms (EXTERNAL or ANONYMOUS, IIRC)
is good enough for this dummy AUTH...

...or maybe not, if servers use them for something real in their
own network. So let's say there's a new SASL mechanism NOOP, then
the server can offer AUTH NOOP, the client (a forwarder) accepts
with AUTH NOOP, after that it can use the AUTH-parameter. But if
that requires a worldwide upgrade of SASL-libraries used by MTAs
we can forget this NOOP idea... :-|

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=84187254-1496d6
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jan 10, 2008, 8:05 AM

Post #4 of 4 (800 views)
Permalink

RE: Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers? [In reply to]

On Thu, 10 Jan 2008, Mark wrote:

> In other words: there's no 'penalty' for having a value in the AUTH=
> parameter the MTA doesn't sufficiently trust enough. So then, what's to
> prevent a forwarder from doing?
>
> C: MAIL FROM:<bla [at] example> AUTH=forwarder.org

You would want

C: MAIL FROM:<bla [at] example> AUTH=mailbox [at] forwarder

A receiver might want to whitelist only selected mailboxes at
a forwarder (e.g. their own).

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=84233741-51c32d
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads