comp.mail.sendmail Configuring and using the BSD sendmail agent.

enforce sender address?

#1  20/08/2007, 19h13
Kevin K
Subject: enforce sender address?

I posted a few days ago asking if sendmail could require that a sender's
"From:" address match that of a certificate presented at STARTTLS to allow
relaying.

Since I haven't heard back, I'll assume the answer is 'no'.

Is there *any* way to require clients to only use a correct sender address?
#2  21/08/2007, 05h14
Bill Cole
Subject: Re: enforce sender address?

In article <pan.2007.08.20.18.08.53.41906@kretz.net>,
Kevin K <c.m.s@kretz.net> wrote:

> I posted a few days ago asking if sendmail could require that a sender's
> "From:" address match that of a certificate presented at STARTTLS to allow
> relaying.
>
> Since I haven't heard back, I'll assume the answer is 'no'.


You probably want to reconsider your trust in the reliability of this
newsgroup.

The answer is actually "yes" but I don't have a handy pointer to the .cf
code to do it. The cert subject DN would be available for checking in
the check_* rulesets and/or a custom From header ruleset.


> Is there *any* way to require clients to only use a correct sender address?


Absolutely. There are probably a dozen unique ways to do it, and at
least four could be referred to as 'standard' in that they use
technologies described in various RFCs. What are you willing to demand
that your users adopt?

If you want to do this on a machine that accepts mail from people that
you cannot dictate specific technologies to (i.e. an inbound MX) then
you can forget it. That's not a technical problem, but a social one.

--
Now where did I hide that website...
#3  21/08/2007, 17h02
Kevin K
Subject: Re: enforce sender address?

On Tue, 21 Aug 2007 00:14:27 -0400, Bill Cole wrote:

> In article <pan.2007.08.20.18.08.53.41906@kretz.net>,
> Kevin K <c.m.s@kretz.net> wrote:
>
>> I posted a few days ago asking if sendmail could require that a sender's
>> "From:" address match that of a certificate presented at STARTTLS to
>> allow relaying.

(snip)
> The answer is actually "yes" but I don't have a handy pointer to the .cf
> code to do it. The cert subject DN would be available for checking in the
> check_* rulesets and/or a custom From header ruleset.


Thanks - I'll do some more searching, then.

>> Is there *any* way to require clients to only use a correct sender
>> address?
>
> Absolutely. There are probably a dozen unique ways to do it, and at least
> four could be referred to as 'standard' in that they use technologies
> described in various RFC's. What are you willing to demand that your users
> adopt?


The users of this relay are a small group whose mails have increased
integrity and security requirements. Often the messages they send are
generated by software (which is why I was asking about using a certificate).

They'll do whatever I insist on. (how often can admins say that?)


> If you want to do this on a machine that accepts mail from people that you
> cannot dictate specific technologies to (i.e. an inbound MX) then you can
> forget it. That's not a technical problem, but a social one.


Nope. I have a captive audience.

#4  21/08/2007, 17h24
Bill Cole
Subject: Re: enforce sender address?

In article <pan.2007.08.21.15.57.25.613035@kretz.net>,
Kevin K <c.m.s@kretz.net> wrote:

> On Tue, 21 Aug 2007 00:14:27 -0400, Bill Cole wrote:
>
> > In article <pan.2007.08.20.18.08.53.41906@kretz.net>,
> > Kevin K <c.m.s@kretz.net> wrote:
> >
> >> I posted a few days ago asking if sendmail could require that a sender's
> >> "From:" address match that of a certificate presented at STARTTLS to
> >> allow relaying.

> (snip)
> > The answer is actually "yes" but I don't have a handy pointer to the .cf
> > code to do it. The cert subject DN would be available for checking in the
> > check_* rulesets and/or a custom From header ruleset.

>
> Thanks - I'll do some more searching, then.


It should be a pretty simple ruleset *conceptually* but I don't have one
written. I also know of no public source.

The sendmail.cf macro {cert_subject} is the subject DN of the client
certificate, and that can/might/should (depending on who you ask)
contain an email address or the components to build one. In check_mail
you could reject the mail if the envelope sender does not match that
address and in a custom From header ruleset you could check against the
From header. There are a lot of potential edge cases in checking whether
one address is equivalent to another, but in a controlled environment
they should be manageable.


> >> Is there *any* way to require clients to only use a correct sender
> >> address?

> >
> > Absolutely. There are probably a dozen unique ways to do it, and at least
> > four could be referred to as 'standard' in that they use technologies
> > described in various RFCs. What are you willing to demand that your users
> > adopt?

>
> The users of this relay are a small group whose mails have increased
> integrity and security requirements. Often the messages they send are
> generated by software (which is why I was asking about using a certificate).
>
> They'll do whatever I insist on. (how often can admins say that?)


Lucky bastard

You might also want to consider the alternative of a content signature
(e.g. S/MIME or PGP) and a milter to validate that and match it to
envelope sender and/or From header. The STARTTLS cert is only used for
transport encryption, so validating against that only tells you that the
claimed senders/authors are the same people talking SMTP to you, but it
doesn't tell you that specific message content is really theirs.

--
Now where did I hide that website...
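The comparison Bill sketches above (certificate subject versus envelope sender and From header, with the address-equivalence edge cases handled in one place) as an added example; this is illustrative code, not sendmail's or any poster's, and it assumes `{cert_subject}` is rendered OpenSSL-style as `/C=../O=../emailAddress=user@host` with unsafe bytes escaped as `+XX` hex, which you should check against your own sendmail build.

```python
"""Match a STARTTLS client-cert subject against envelope sender / From header.

Added illustration, not sendmail's own code. Assumes {cert_subject} looks like
/C=US/O=Example+20Corp/CN=host/emailAddress=user@host (+XX = hex-escaped byte);
adjust parse_cert_subject() if your build renders the DN differently.
"""
import re
from email.utils import parseaddr

_ESC = re.compile(r"\+([0-9A-Fa-f]{2})")


def parse_cert_subject(dn):
    """Split '/C=US/O=Ex/emailAddress=a@b' into {'C': 'US', ...}, decoding +XX."""
    parts = {}
    for comp in dn.split("/"):
        if "=" not in comp:
            continue
        key, _, val = comp.partition("=")
        parts[key] = _ESC.sub(lambda m: chr(int(m.group(1), 16)), val)
    return parts


def normalize(addr):
    """Reduce a header or envelope address to (local, domain) for comparison.
    Display names, comments and <> are stripped; the domain is case-folded,
    the local part is left case-sensitive as RFC 5321 requires."""
    _, bare = parseaddr(addr)
    if "@" not in bare:
        return None
    local, _, domain = bare.rpartition("@")
    return local, domain.lower().rstrip(".")


def sender_matches_cert(cert_subject, envelope_sender, from_header):
    """Return (ok, reason); ok is False whenever any identity disagrees."""
    if not cert_subject:
        return False, "no client certificate presented"
    cert_addr = parse_cert_subject(cert_subject).get("emailAddress")
    want = normalize(cert_addr or "")
    if want is None:
        return False, "certificate subject carries no emailAddress"
    for label, value in (("envelope sender", envelope_sender), ("From header", from_header)):
        if normalize(value) != want:
            return False, f"{label} {value!r} does not match cert {cert_addr!r}"
    return True, "sender identities match certificate"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    cert = "/C=US/O=Example+20Corp/CN=batchbot/emailAddress=batch@Example.net"
    print(sender_matches_cert(cert, "<batch@example.net>", "Batch Bot <batch@EXAMPLE.NET>"))
    print(sender_matches_cert(cert, "<batch@example.net>", "Someone <ceo@example.net>"))
```

In a milter this check would run once the envelope sender and headers are known; a ruleset-only version has to do the same comparison separately in check_mail and a From header ruleset, as Bill notes.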