From: Alain NAKACHE (alainalinto.net)
Date: Fri Aug 11 2006 - 09:58:41 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Alain NAKACHE a écrit :
> Wietse Venema a écrit :
>> Alain NAKACHE:
>>
>>> Wietse Venema a ?crit :
>>>
>>>>> pipe(8) already have this extension since we can use ${sasl_username}.
>>>>> Then cleanup/qmgr/pipe don't have to be modified. I'm wrong ? If yes,
>>>>> how pipe(8) can be called with ${sasl*} environment ?
>>>>>
>>>> Who says that there is only SASL and nothing else? I expect that
>>>> other people will be more interested in TLS attributes, because
>>>> they use certificates instead of passwords. In a few months we can
>>>> expect to have the exact same discussion for TLS attributes, and
>>>> I am trying to get ahead of things.
>>>>
>>>>
>>> It was ont my intention to ask for $sasl* only information. All smtpd
>>> collected informations are welcome for me. In fact, we have coded our
>>> own deliver frontend that decide or not to allow senders to write to a
>>> batch ("|<cmd>") mail address base on SMTP authentication. For the
>>> moment, we are using a patched version of QMail which insert/replace a
>>> special header containing these informations.
>>>
>>
>> Postfix can place such a special header too:
>>
>> smtpd_sasl_authenticated_header = yes
>>
>> Of course headers can be spoofed, but that applies to qmail too.
>>
>>
> In our case we replace the header. It then overwrite the spoofed
> header. Does Postfix behave like that ?
>
After reading the documentation i realized that Postfix inserts the sasl
username in a Received header. Then spoofed header is difficult to prevent.

I our case we create a X-SMTP-Authentication header containing
"<authentication login><IP address>" or only "<IP address>" if SMTP
session is not authenticated.

Can I simulate such a mechanism with Postfix (builtin content filter, ...) ?

Alain

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]