
[spf-discuss] Re: Forwarder whitelisting reloaded: Forwarders SMTP-AUTH to receivers?

2008-01-10 06:34:09
Mark wrote:

how exactly does an MTA "advertise support" for the AUTH parameter
to the MAIL command?

It's only used in conjunction with SMTP AUTH (ESMTPA or ESMTPSA).

should we simply assume the AUTH extension to the MAIL FROM
command is implemented?

If the server doesn't offer AUTH it might not like this idea :-)

If the server offers AUTH, the client doesn't use it, but later
still tries the MAIL FROM parameter, I'd expect a 5xy error reply.

| C: MAIL FROM:<bla@example.com> AUTH=forwarder.org

As per the RFC, my sendmail (8.14.2) DOES log an authentication
failure:

| Jan 10 05:51:17 asarian-host sendmail[28526]: ruleset=trust_auth,
| arg1=forwarder.org, relay=localhost [127.0.0.1], reject=550 5.7.1
| <bla@example.com>... not authenticated

But outwardly just replies with:

| S: 250 2.1.0 <bla@example.com>... Sender ok

<g>  A kind of mixed strategy, the log has what *would* happen in
an AUTH-session, but the real reply is to ignore the AUTH outside
of an AUTH-session.  

I must say I'm fair excited about this. :)

I think you have to throw in the old TENBOX idea of a (dummy) SASL
mechanism for a (dummy) AUTH, after that the real magic can happen
in an AUTH-parameter (if you want "forwarder.org").  Maybe one of
the existing dummy SASL mechanisms (EXTERNAL or ANONYMOUS, IIRC)
is good enough for this dummy AUTH...

...or maybe not, if servers use them for something real in their
own network.  So let's say there's a new SASL mechanism NOOP, then
the server can offer AUTH NOOP, the client (a forwarder) accepts
with AUTH NOOP, after that it can use the AUTH-parameter.  But if
that requires a worldwide upgrade of SASL-libraries used by MTAs
we can forget this NOOP idea... :-|

 Frank
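
An added example, not part of the original post or of any MTA's code: a Python sketch of how the AUTH keyword in an EHLO reply tells a client that the extension is offered, and of a receiver that ignores the MAIL FROM AUTH= parameter outside an AUTH session, as the sendmail reply above does. The EHLO reply, the function names and the "parse and discard" policy are assumptions made for illustration.

```python
import re

# Constructed EHLO reply from a hypothetical receiver (not from the post).
SAMPLE_EHLO = (
    "250-mx.receiver.example Hello\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

def ehlo_auth_mechanisms(ehlo_reply):
    """SASL mechanisms advertised by the AUTH keyword of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # "250-AUTH PLAIN LOGIN"; some older servers send "250-AUTH=PLAIN LOGIN"
        m = re.match(r"250[ -]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def client_may_send_auth_param(ehlo_reply, client_authenticated):
    """Client side: only add AUTH= to MAIL FROM inside an AUTH session."""
    return bool(ehlo_auth_mechanisms(ehlo_reply)) and client_authenticated

def xtext_decode(value):
    """Decode xtext (RFC 3461): '+' followed by two uppercase hex digits."""
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def effective_auth_identity(mail_cmd, session_authenticated):
    """Server side: the identity to keep for this message.

    Assumed policy: without a completed AUTH exchange the parameter is
    parsed and discarded, which is the same as receiving AUTH=<>.
    """
    m = re.match(r"MAIL FROM:<[^>]*>(.*)$", mail_cmd.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError("not a MAIL FROM command")
    for param in m.group(1).split():
        key, _, value = param.partition("=")
        if key.upper() == "AUTH" and value and session_authenticated:
            return xtext_decode(value)
    return "<>"

if __name__ == "__main__":
    cmd = "MAIL FROM:<bla@example.com> AUTH=forwarder.org"
    print(ehlo_auth_mechanisms(SAMPLE_EHLO))
    print(effective_auth_identity(cmd, session_authenticated=False))
    print(effective_auth_identity(cmd, session_authenticated=True))
```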
