comp.mail.sendmail Configuring and using the BSD sendmail agent.

#1

Hi,

I'm running sendmail 8.13.8 with SMTPAuth and sasldb2 on Slackware 10.2. Now the behavior is, a user who has successfully authenticated with SMTPAuth can use any FROM: address he would like. I would like to configure sendmail so that a user can only send mail with the mail address that belongs to him (and perhaps some more (virtual addresses which belong to the user), but not arbitrary addresses). Normally this is configured with genericstable and trusted users. But how does it work when I'm using SMTPAuth and sasldb2 (not saslauthd!)? Do I have to change the authentication backend or is it possible another way?

Thanks for .

Regards
Andi

#2

Hi again,

is this such an abnormal wish that nobody can tell me how to do/configure it?
Or do you need more info about my system?
I build my sendmail from source.
Is it clear what I want?

Andi

#3

On Wed, 20 Sep 2006 01:50:26 -0700 Andi wrote:
> Hi again,
>
> is this such an abnormal wish that nobody can tell me how to
> do/configure it?
> Or do you need more info about my system?
> I build my sendmail from source.
> Is it clear what I want?
>
> Andi

You find the answer to your original setup question in the group's archive. It was recently asked and answered.

Alexander

--
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 10:51:19 up 2 days, 10:13, load average: 0.38, 0.23, 0.09

#4

Hi Alexander,

> You find the answer to your original setup question in the group's
> archive. It was recently asked and answered.

Please be so kind and show me a link to this question/answer, because I already searched the archive and didn't find something what fits to my needs. Perhaps because I searched with the wrong question/words... That's why I posted this question.

Thanks
Andi

#5

On Wed, 20 Sep 2006 04:32:47 -0700 Andi wrote:
> Hi Alexander,
>
>> You find the answer to your original setup question in the group's
>> archive. It was recently asked and answered.
>
> Please be so kind and show me a link to this question/answer, because I
> already searched the archive and didn't find something what fits to my
> needs. Perhaps because I searched with the wrong question/words...
> That's why I posted this question.
>
> Thanks Andi

<1157392090.705949.10730@b28g2000cwb.googlegroups.com>

Alexander

--
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 14:17:55 up 2 days, 13:39, load average: 0.19, 0.19, 0.15

#6

Hi Alexander,

Alexander Dalloz wrote:
>
> <1157392090.705949.10730@b28g2000cwb.googlegroups.com>
>
> Alexander

In this post there is a link to the site where I found this patch, which is exactly what I want:
http://www.jmaimon.com/sendmail/patc..._sender.tar.gz

I did everything explained in the file rewrite_sender.design.txt, but it isn't working.
The rulesets in the file rewrite_sender.design.txt and rewrite_sender.rulsets.txt are different. Which one to use? Any idea?
I used the one from rewrite_sender.design.txt.

insert in sendmail.mc and rebuild sendmail.cf.
sendmail.cf looks now like this:

....
#Line 166
Kcompare program /usr/local/bin/smcompare
Kfromaddrs btree -A -o -t -z, /etc/mail/fromaddrs
....
#Line 1657
Srewrite_sender
R$* $: $1 $| $&{auth_authen} $|
R$* $| $| $@ $1
R$* $| $+ $| $: $1 $| <M> $| $>ParseRecipient $1
R$* $| <M> $| $+ < $* > $: $1 $| $2 < $3 >
R$* $| <M> $* $: $1 $| <M> $| $>ParseRecipient $(fromaddrs User:$&{auth_authen} $: $)
R$* $| <M> $| $+ < $* > $@ $(fromaddrs Name:$&{auth_authen} $: $) < $2 $3 >
R$* $| <M> $* $@ $1
R$* $| $+ < $* > $: $1 $| $2 < $3 > $| $(fromaddrs Email:$2$3 $: $) $|
R$* $| $+ < $* > $| $| $: $1 $| $2 < $3 > $| $(fromaddrs Email:$2@ $: $) $|
R$* $| $+ < $* > $| $| $: $1 $| $2 < $3 > $| $(fromaddrs Email:$3 $: $) $|
R$* $| $+ < $* > $| $| $: $1 $| $2 < $3 > $| $(fromaddrs Email:$2 $: $) $|
R$* $| $+ < @$* > $| $| $: $1 $| $2 < @$3 > $| $(fromaddrs Email:$3 $: $) $|
R$* $| $+ < $* > $| $| $: $1 $| <M> $| $2 < $3 > $| $>ParseRecipient $(fromaddrs User:$&{auth_authen} $: $)
R$* $| <M> $| $+ < $* > $| < @ > $@ $1
R$* $| <M> $| $+ < $* > $| $+ < $* > $: $1 $| <M> $| $2 < $3 > $| $(storage {COMPARE} $@ $4 < $5 > $) $4 < $5 >
R$* $| <M> $| $&{COMPARE} $| $+ < $* > $@ $1
R$* $| <M> $| $* $| $+ < $* > $@ $(fromaddrs Name:$&{auth_authen} $: $) < $3 $4 >
R$* $| <M> $* $@ $1
#Uhoh, should never happen
R$* $| $+ < $* > $| $* $| $: $1 $| $4 $|
R$* $| $* $&{auth_authen} $* $@ $1
R$* $| $* $: $1 $| $>ParseRecipient $(fromaddrs User:$&{auth_authen} $: $)
R$* $| $+ < $* > $@ $(fromaddrs Name:$&{auth_authen} $: $) < $2 $3 >
R$* $| $* $@

Scheck_rewrite_sender
R$* $: $1 $| $>rewrite_sender $1
R$* $| $* $: $1 $| $2 $| $(compare $1:$2 $)
R$* $| $* $| MATCH $#OK
R$* $#error $@ 5.7.3 $: "Your from address is not permitted to your identity"

I created the smcompare prog:

#touch /usr/local/bin/smcompare
-------------------
#!/bin/bash
arg1=`echo $1 | cut -f1 -d':'`
arg2=`echo $1 | cut -f2 -d':'`
if [[ "$arg1" == "$arg2" ]]; then
  echo MATCH
fi
-------------------
#chmod +x /usr/local/bin/smcompare

My fromaddr looks like this:
user:clever@andis.mine.nu flanders@andis.mine.nu
email:rewrite@andis.mine.nu clever@andis.mine.nu
name:clever@andis.mine.nu FlandersHome

#makemap btree -de fromaddr < fromaddr

Points 4 to 11 from rewrite_sender.design.txt are ok.
Sending mail from andreas.voss@onedomain.com through relay andis.mine.nu with authid=clever@andis.mine.nu to andreas.voss@otherdomain.de is still possible. I tried it also with user:clever in fromaddr - same behavior.

The ruleset rewrite_sender and check_rewrite is below the Sauthinfo and above MAIL FILTER DEFINITIONS section in sendmail.cf. But it seems that the two new rulesets aren't active.

#sendmail -bt
#>-d21.12
#>rewrite_sender,check_rewrite_sender hello@example.net
rewrite_sender input: hello @ example . net
-----trying rule: $*
-----rule matches: $: $1 $| $&{auth_authen} $|
rewrite: RHS $&{auth_authen} => "(NULL)"
rewritten as: hello @ example . net $| $|
-----trying rule: $* $| $|
-----rule matches: $@ $1
rewritten as: hello @ example . net
rewrite_sender returns: hello @ example . net
check_rewrite_se input: hello @ example . net
-----trying rule: $*
-----rule matches: $: $1 $| $> rewrite_sender $1
rewrite_sender input: hello @ example . net
-----trying rule: $*
-----rule matches: $: $1 $| $&{auth_authen} $|
rewrite: RHS $&{auth_authen} => "(NULL)"
rewritten as: hello @ example . net $| $|
-----trying rule: $* $| $|
-----rule matches: $@ $1
rewritten as: hello @ example . net
rewrite_sender returns: hello @ example . net
rewritten as: hello @ example . net $| hello @ example . net
-----trying rule: $* $| $*
-----rule matches: $: $1 $| $2 $| $( compare $1 : $2 $)
prog_map_lookup(compare, hello@example.net:hello@example.net) /usr/local/bin/smcompare
rewritten as: hello @ example . net $| hello @ example . net $| MATCH
-----trying rule: $* $| $* $| MATCH
-----rule matches: $# OK
rewritten as: $# OK
check_rewrite_se returns: $# OK
^^^^^^^^^^^^^^^^^^^
This should not be OK with this address !?

I don't know what's wrong here, and I also don't know in which format I have to give the address for testing to the rulesets.

When I remove the fromaddr file for testing and restarting sendmail, everything works normal, so the new rulesets aren't used I think.
Any ideas?

Thanks for .
Andi

#7

Andi wrote:
> Hi Alexander,
>
> Alexander Dalloz wrote:
> >
> > <1157392090.705949.10730@b28g2000cwb.googlegroups.com>
> >
> > Alexander
>
> In this post there is a link to the site where I found this patch,
> which is exactly what I want:
> http://www.jmaimon.com/sendmail/patc..._sender.tar.gz
>
> I did everything explained in the file rewrite_sender.design.txt, but
> it isn't working.
> The rulesets in the file rewrite_sender.design.txt and
> rewrite_sender.rulsets.txt are different. Which one to use? Any idea?
> I used the one from rewrite_sender.design.txt.

Use the one from the text file. The design doc is like all documentation everywhere -- possibly out of date.

The LHS of the map should be containing the SMTP AUTH usernames for the user: tag and should contain the email address you want to share amongst multiple users for the email tag.

Are you sure that the below is correct?

For example, if you want to restrict the user clever to the flanders@andis.mine.nu, the below is what you want.

user:clever flanders@andis.mine.nu
name:clever "Clevers Full Name"

Or if you wanted to allow the users clever and his brother sly to utilize the from address flanders@andis.mine.nu you would use

email:flanders@andis.mine.nu clever,sly

>
> My fromaddr looks like this:
> user:clever@andis.mine.nu flanders@andis.mine.nu
> email:rewrite@andis.mine.nu clever@andis.mine.nu
> name:clever@andis.mine.nu FlandersHome
>
> #makemap btree -de fromaddr < fromaddr

If you expect to do rewrites (where you fix the address) you need to hook the header rulesets.

>
> The ruleset rewrite_sender and check_rewrite is below the Sauthinfo and
> above MAIL FILTER DEFINITIONS section in sendmail.cf. But it seems that
> the two new rulesets aren't active.
>

They don't activate by themselves. You must take steps to insert them into sendmail's order of execution.

That can be done a number of different ways.

- the supplied milter which requires the milter-rrres patch
- using confFROM_HEADER() see cf/README
- calling it from SLocal_check_mail
- (untested) using it a mailer rulesets in the mailer definitions

In practice, I have found confFROM_HEADER() and SLocal_check_mail to be sufficient.

Something like this:

============<>============
define(`confFROM_HEADER',`$>check_rewrite_sender $g ')dnl

LOCAL_RULESETS
SLocal_check_mail
R$* $: $>check_rewrite_sender $1
============<>============

Now which ruleset do you insert?

You use rewrite_sender if you intend to "fix" the incorrect from address.

You use check_rewrite_sender if you intend to "stop" the incorrect from address

> #sendmail -bt
> #>-d21.12
> #>rewrite_sender,check_rewrite_sender hello@example.net
> rewrite_sender input: hello @ example . net
> -----trying rule: $*
> -----rule matches: $: $1 $| $&{auth_authen} $|
> rewrite: RHS $&{auth_authen} => "(NULL)"
> rewritten as: hello @ example . net $| $|
> -----trying rule: $* $| $|
> -----rule matches: $@ $1

Nope.

>
> I don't know what's wrong here, and I also don't know in which format I
> have to give the address for testing to the rulesets.

echo -e ".D{auth_authen}clever\ncheck_rewrite_sender flanders@andis.mine.nu" | sendmail -bt -d21.20

>
> When I remove the fromaddr file for testing and restarting sendmail,
> everything works normal, so the new rulesets aren't used I think.
> Any ideas?

If the file is missing and declared optional (default) then the checks should all fail and not demand that the from address be different and therefore life will go on completely normally. It is designed to fail "open" (in the door sense, not electrical sense)

>
> Thanks for .
> Andi

Enjoy!

#8

jmaimon@ttec.com wrote:
> Use the one from the text file. The design doc is like all
> documentation everywhere -- possibly out of date.

OK I changed it.

> The LHS of the map should be containing the SMTP AUTH usernames for the
> user: tag and should contain the email address you want to share
> amongst multiple users for the email tag.
>
> Are you sure that the below is correct?

Yes I am. My SMTP AUTH username is a full email address, not only a name. clever@andis.mine.nu is correct for the SMTP AUTH username.

#sasldblistusers2
....
clever@andis.mine.nu: cmusaslsecretOTP
....

Log excerpt:
Oct 7 21:30:39 Homer sm-mta-rx[21058]: STARTTLS=server, relay=IDENT:1000@Tingeltangelbob.andis.mine.nu [192.168.0.2], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 7 21:30:39 Homer sm-mta-rx[21058]: AUTH=server, relay=IDENT:1000@Tingeltangelbob.andis.mine.nu [192.168.0.2], authid=clever@andis.mine.nu, mech=DIGEST-MD5, bits=0
Oct 7 21:30:39 Homer sm-mta-rx[21058]: k97JUd5L021058: from=<andreas.voss@eurogastro.com>, size=510, class=0, nrcpts=1, msgid=<200610072234.34863.andreas.voss@eurogastro.com>, proto=ESMTP, daemon=MTA-RX, relay=IDENT:1000@Tingeltangelbob.andis.mine.nu [192.168.0.2]
Oct 7 21:30:39 Homer sm-mta-rx[21058]: k97JUd5L021058: to=<andreas.voss@mbm-service.de>, delay=00:00:00, mailer=esmtp, pri=30510, stat=queued
Oct 7 21:30:44 Homer sm-mta-tx[21070]: k97JUh4o021070: from=<andreas.voss@eurogastro.com>, size=1131, class=0, nrcpts=1, msgid=<200610072234.34863.andreas.voss@eurogastro.com>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA-TX, relay=localhost [127.0.0.1]
Oct 7 21:30:44 Homer sm-mta-rx[21066]: k97JUd5L021058: to=<andreas.voss@mbm-service.de>, delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=120510, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent

> For example, if you want to restrict the user clever to the
> flanders@andis.mine.nu, the below is what you want.
>
> user:clever flanders@andis.mine.nu
> name:clever "Clevers Full Name"
>
> Or if you wanted to allow the users clever and his brother sly to
> utilize the from address flanders@andis.mine.nu you would use
>
> email:flanders@andis.mine.nu clever,sly
>
> >
> > My fromaddr looks like this:
> > user:clever@andis.mine.nu flanders@andis.mine.nu
> > email:rewrite@andis.mine.nu clever@andis.mine.nu
> > name:clever@andis.mine.nu FlandersHome
> >
> > #makemap btree -de fromaddr < fromaddr

Ok, I think my fromaddr file is correct. I only changed:
name:clever@andis.mine.nu "Flanders Home"

When I do:
#makemap btree -de fromaddr < fromaddr
a fromaddr.db is built, but in the .cf file there is this entry:
Kfromaddrs btree -A -o -t -z, /etc/mail/fromaddrs

Should it be "fromaddrs.db" or "fromaddr" in .cf file?

> They don't activate by themselves. You must take steps to insert them
> into sendmail's order of execution.

Ah ok - so no rule was active in my sendmail.

> That can be done a number of different ways.
>
> - the supplied milter which requires the milter-rrres patch
>
> - using confFROM_HEADER() see cf/README
>
> - calling it from SLocal_check_mail
>
> - (untested) using it a mailer rulesets in the mailer definitions
>
> In practice, I have found confFROM_HEADER() and SLocal_check_mail to be
> sufficient.
>
> Something like this:
>
> ============<>============
> define(`confFROM_HEADER',`$>check_rewrite_sender $g ')dnl
>
> LOCAL_RULESETS
> SLocal_check_mail
> R$* $: $>check_rewrite_sender $1
> ============<>============
>
> Now which ruleset do you insert?

This is what I added to my sendmail.mc:

-----------snip----------------
LOCAL_CONFIG
Kcompare program /usr/local/bin/smcompare
Kfromaddrs btree -A -o -t -z, /etc/mail/fromaddrs
LOCAL_RULESETS
Srewrite_sender
......RULE.....
Scheck_rewrite_sender
......RULE.....
define(`confFROM_HEADER',`$>check_rewrite_sender $g')dnl
--------------snip------------------

For understanding:
I put the definition of the rulesets rewrite_sender and check_rewrite_sender below LOCAL_RULESETS like I did - right?
Then I've to define how to use the rulesets. I chose the define(...) variant.
Or do I have to put the

SLocal_check_mail
R$* $: $>check_rewrite_sender $1

entry also in the .mc file?
I put it for testing also in, but the result is the same like without. The entry is then below the definition of the rewrite_sender and check_rewrite_sender rulesets, but the first entry of SLocal_check_mail is 1000 lines before. I put it for testing in the first section in .cf file, but nothing changed.
Is it important in which order the rulesets are called?

In the "Format of headers" of sendmail.cf there is now this entry:
H?F?Resent-From: $>check_rewrite_sender $g
H?F?From: $>check_rewrite_sender $g

Here the check_rewrite_sender rule normally should be called - right?

> You use rewrite_sender if you intend to "fix" the incorrect from
> address.
>
> You use check_rewrite_sender if you intend to "stop" the incorrect from
> address

At first I want to use check_rewrite_sender, so I inserted it in confFROM_HEADER

> echo -e ".D{auth_authen}clever\ncheck_rewrite_sender
> flanders@andis.mine.nu" | sendmail -bt -d21.20

With this testing, the output is everytime with every email and name constitution:

....
....
rewritten as: < @ >
ParseRecipient returns: < @ >
rewritten as: flanders @ andis . mine . nu $| < M > $| flanders < @ andis . mine . nu > $| < @ >
-----trying rule: $* $| < M > $| $+ < $* > $| < @ >
-----rule matches: $@ $1
rewritten as: flanders @ andis . mine . nu
rewrite_sender returns: flanders @ andis . mine . nu
rewritten as: flanders @ andis . mine . nu $| flanders @ andis . mine . nu
-----trying rule: $* $| $*
-----rule matches: $: $1 $| $2 $| $( compare $1 : $2 $)
rewritten as: flanders @ andis . mine . nu $| flanders @ andis . mine . nu $| MATCH
-----trying rule: $* $| $* $| MATCH
-----rule matches: $# OK
rewritten as: $# OK

So it doesn't work. I'm still able to send mails with any FROM addresses.
It seems that I don't understand how it should work and that I forgot something important to do. I've the sendmail book by Bryan Costales and Eric Allman and read a lot about rulesets etc. but I've no idea why this is not working here.
It would be nice if you could and explain me once more, because I would like to understand what I'm doing, not only getting it to work.

> Enjoy!

I hope later ;-)
Andi
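
Added example, not part of the thread and not code from the rewrite_sender patch: a log audit that pairs each `AUTH=server` line with the `from=` lines of the same process, as in the log excerpt above, and checks the envelope sender against a map written in the `user:`/`email:` format jmaimon describes. It assumes `user:` lists the addresses an authid may use and `email:` lists the authids that may share an address; the function names and the last four log lines are constructed.

```python
import re

# Map source in the tag:key format shown in the thread (constructed entries).
FROMADDRS = """\
user:clever@andis.mine.nu flanders@andis.mine.nu
email:rewrite@andis.mine.nu clever@andis.mine.nu,sly
name:clever@andis.mine.nu "Flanders Home"
"""

# The first three lines are trimmed from the thread's log excerpt; the rest are constructed.
LOG = """\
Oct 7 21:30:39 Homer sm-mta-rx[21058]: AUTH=server, relay=[192.168.0.2], authid=clever@andis.mine.nu, mech=DIGEST-MD5, bits=0
Oct 7 21:30:39 Homer sm-mta-rx[21058]: k97JUd5L021058: from=<andreas.voss@eurogastro.com>, size=510, class=0, nrcpts=1
Oct 7 21:30:44 Homer sm-mta-tx[21070]: k97JUh4o021070: from=<andreas.voss@eurogastro.com>, size=1131, relay=localhost [127.0.0.1]
Oct 7 21:41:02 Homer sm-mta-rx[21099]: AUTH=server, relay=[192.168.0.3], authid=sly, mech=DIGEST-MD5, bits=0
Oct 7 21:41:02 Homer sm-mta-rx[21099]: k97JfAAA021099: from=<rewrite@andis.mine.nu>, size=400, class=0, nrcpts=1
Oct 7 21:52:10 Homer sm-mta-rx[21120]: AUTH=server, relay=[192.168.0.4], authid=bart, mech=DIGEST-MD5, bits=0
Oct 7 21:52:10 Homer sm-mta-rx[21120]: k97JqBBB021120: from=<anyone@example.net>, size=300, class=0, nrcpts=1
"""

AUTH_RE = re.compile(r"(\S+\[\d+\]): AUTH=server,.*?authid=([^,\s]+)")
FROM_RE = re.compile(r"(\S+\[\d+\]): \w+: from=<([^>]*)>")

def load_fromaddrs(src):
    """Parse user:/email: entries into two dicts of lower-cased sets."""
    maps = {"user": {}, "email": {}}     # other tags (name:) are not needed here
    for line in src.splitlines():
        lhs, rhs = (line.split(None, 1) + ["", ""])[:2]
        tag, _, key = lhs.lower().partition(":")
        if tag in maps and key and rhs:
            values = {v.strip().lower() for v in rhs.split(",") if v.strip()}
            maps[tag].setdefault(key, set()).update(values)
    return maps["user"], maps["email"]

def verdict(authid, sender, users, emails):
    """Classify one (authid, envelope sender) pair; comparison ignores case."""
    authid, sender = authid.lower(), sender.lower()
    if sender in users.get(authid, ()) or authid in emails.get(sender, ()):
        return "ok"
    if authid not in users and sender not in emails:
        return "unmapped"        # no entry on either side: the check fails open
    return "violation"

def audit(log, users, emails):
    """Pair each AUTH line with later from= lines logged by the same process."""
    authed, findings = {}, []            # authed: "daemon[pid]" -> authid
    for line in log.splitlines():
        auth, mail = AUTH_RE.search(line), FROM_RE.search(line)
        if auth:
            authed[auth.group(1)] = auth.group(2)
        elif mail and mail.group(1) in authed:   # sessions without AUTH are skipped
            authid, sender = authed[mail.group(1)], mail.group(2)
            findings.append((authid, sender, verdict(authid, sender, users, emails)))
    return findings

if __name__ == "__main__":
    for row in audit(LOG, *load_fromaddrs(FROMADDRS)):
        print(*row, sep="\t")
```

An `unmapped` result is the fail-open case described in the thread: when no `user:` or `email:` key matches, for example because the optional map file is missing, the sender address is not restricted. Pairing by process id assumes one SMTP session per sendmail child, so a reused pid can attribute a later unauthenticated session to the earlier authid.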

#9

Andi wrote:
> jmaimon@ttec.com wrote:
> I put it for testing also in, but the result is the same like without.
> The entry is then below the definition of the rewrite_sender and
> check_rewrite_sender rulesets, but the first entry of SLocal_check_mail
> is 1000 lines before. I put it for testing in the first section in .cf
> file, but nothing changed.
> Is it important in which order the rulesets are called?

S appends, so no it doesn't matter if the custom stuff is well below the call in the cf file.

>
> In the "Format of headers" of sendmail.cf there is now this entry:
> H?F?Resent-From: $>check_rewrite_sender $g
> H?F?From: $>check_rewrite_sender $g
>
> Here the check_rewrite_sender rule normally should be called - right?

Yes

However, you need to be aware that envelope sender and Header From: fields need have nothing in common, even if in practice most mua use the same value. You may wish to use SLocal_check_mail as well.

>
> > echo -e ".D{auth_authen}clever\ncheck_rewrite_sender
> > flanders@andis.mine.nu" | sendmail -bt -d21.20
>
> With this testing, the output is everytime with every email and name
> constitution:
> ...
> ...
> rewritten as: < @ >
> ParseRecipient returns: < @ >
> rewritten as: flanders @ andis . mine . nu $| < M > $| flanders < @
> andis . mine . nu > $| < @ >
> -----trying rule: $* $| < M > $| $+ < $* > $| < @ >

It looks like neither the Email: or User: lookups in the map returned any information.

Why don't you use editmap(8) to check that the map contains the proper information? Make sure it's being built properly. Or you can try building it as a hash db.

> It would be nice if you could and explain me once more, because I
> would like to understand what I'm doing, not only getting it to work.

Explain why it's not working or explain how it works?

>
> > Enjoy!
>
> I hope later ;-)
> Andi

#10

"Andi" <andi@andis.mine.nu> writes:
> In the "Format of headers" of sendmail.cf there is now this entry:
> H?F?Resent-From: $>check_rewrite_sender $g
> H?F?From: $>check_rewrite_sender $g

This is header check call. Not rewriting. For rewriting sendmail passes addresses from headers through rulesets anyway.

/ Kari Hurtta