Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Question about Sendmail local rules

Status
Not open for further replies.
Apr 2, 2011
2
US
Hello,

I manage an open source Sendmail (8.14.4) implementation and I have a new requirement which I believe requires a custom local rule.
Basically we have two user accounts on the system used for AUTHenticated relay. I've been asked to require TLS for one of the two accounts. From what I've read so far about macros, it looks like {auth_authen} stores the user name used in AUTH and {verify} stores status of the client cert used for TLS.
The way I think I have to do this is to create a local rule to check that the user name in {auth_authen} equals the user name we want to require TLS for, and also check that {verify} doesn't equal "NONE". Depending on the results of those evaluations, I can store a string in a new {md_tag} macro and pass that to MIMEDefang, which can either accept or reject the message based on the results. For example, if user2 is required to use TLS, then the logic would be: if {auth_authen} equals "user2" AND {verify} doesn't equal "NONE" then set {md_tag} to "OK"
If possible, I would like assistance in writing the actual Sendmail rule to provide the information I'll need to pass to MIMEDefang. I'm ok with general Sendmail configuration, but writing custom rules is a little daunting and I've never done it before.

As far as I know, there's no way to intercept and evaluate the AUTH after the user name is provided but BEFORE the password is provided to see if a specific user has already enabled TLS. Please correct me if I'm wrong.
Also, I realize there's a general setting to require TLS for all AUTH attempts, but that's not an option at this point.

Thanks in advance,
Nate
 
Nevermind, I got it. Don't you love how you spend hours on something just to figure it out RIGHT after you ask for help?

All I had to do was make sure {auth_authen} was included in confMILTER_MACROS_ENVFROM and {verify} was included in confMILTER_MACROS_HELO. After that, I just added the following to MIMEDefang's filter_begin:

if ($SendmailMacros{"auth_authen"} eq "user2" && $SendmailMacros{"verify"} eq "") {
return action_bounce("You must enable TLS encryption");
md_syslog('warning', "Bouncing message from " . $SendmailMacros{"auth_authen"} . ". TLS is reqired but wasn't used.");
}

Turns out {verify} is empty if TLS isn't used. If something like Outlook Express uses TLS, {verify} is set to "NO".

Sorry, I read the following URL and it made it seem like doing this would require local Sendmail rules:
Thanks,
Nate
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top