Date:      Sun, 18 Feb 2001 16:05:49 +0000
From:      ian j hart <ianjhart@freeloader.freeserve.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Sendmail and Identd
Message-ID:  <3A8FF2DD.5F7C9DFD@freeloader.freeserve.co.uk>

Not strictly FreeBSD this one, but I can't find anything on
comp.mail.sendmail. deja->google(cannot post)

Background: A feature of Win95 + IE5 + roving profiles means that some
users may get the default mail profile when they log on. In effect
this results in random spoofing of mail. This is the mail system for a
school, so I cannot rely on the users spotting the error.

What I need is to add a *sanity check* to the internal mail hub. I have
an identd server I can run in the client's NT logon script.

I've had a look at writing a check_* rule ( Is $g == $_? ), but it
doesn't seem that you can _compare_ two values.

I wrote/stole some code for checkcompat() which almost works okay. The
problem with this is that the mail is already accepted. Ideally I need
the transaction to fail *before* delivery so the users get an error
message. A logoff/logon will usually fix the problem.

I had a look at SASL but I can't get it to work. In any case this means
all the users (kids remember) changing their mailer settings.

Can any sendmail experts offer any sage advice?

Notes:
o Can you please CC me as the volume on stable is enough for my poor
(home) modem.
o Ditching '95 is not an option ;)
o Reverting to OE4 would have to wait until the summer
o It's half-term here, so now is the time to fix it.
o I'm masquerading, including envelope.
o Received mail is via IMAP

This will wrap - sorry
int
checkcompat(to, e)
        register ADDRESS *to;
        register ENVELOPE *e;
{
        char *ident, *at;
        ptrdiff_t len;
        /* last $_ value seen; an identical value is passed unchecked */
        static char old_name[MAXHOSTNAMELEN];

        if (tTd(49, 1))
                dprintf("checkcompat(to=%s, from=%s)\n",
                        to->q_paddr, e->e_from.q_paddr);

        if ((ident = macvalue('_', e)) == NULL)
                return(EX_OK);
        if (strncasecmp(ident, old_name, MAXHOSTNAMELEN - 1) == 0)
                return(EX_OK);
        else
                (void)sprintf(old_name, "%.*s", MAXHOSTNAMELEN - 1, ident);

        /* pass if no identd */
        if ((at = strchr(ident, '@')) == NULL)
                return(EX_OK);
        else
                len = at - ident;	/* safe? */

        /* sender must equal the ident user in full, not just as a prefix */
        if (strncasecmp(e->e_from.q_user, ident, len) != 0 ||
            e->e_from.q_user[len] != '\0')
        {
                /*
                 This is WRONG. We know the sender is a spoof.
                 OTOH the 'real user' may not be reading their mail.
                 Especially if their settings are == default user
                */
                auth_warning(e, "$g=%s doesn't match $_=%s",
                        e->e_from.q_user, ident);
                usrerr("553 Your email settings are incorrect");
                /* to suppress body on return */
                e->e_flags |= EF_NO_BODY_RETN;
                to->q_status = "5.7.1";
                return EX_UNAVAILABLE;
        }
        return EX_OK;
}

TIA

-- 
ianjhart
ICT Technician.
Cardinal Newman School.
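
Added example, not part of the original message or of sendmail's source: a stand-alone C function for the comparison the post is after, matching the envelope sender's local part against the user part of the ident value in full rather than as a prefix. The function and enum names are hypothetical, and the "user@host [addr]" shape of $_ is an assumption based on the '@' test in the posted code.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Outcome of comparing the envelope sender with the ident reply. */
enum ident_check { IDENT_ABSENT, IDENT_MATCH, IDENT_MISMATCH };

/*
 * ident:       value of the $_ macro; assumed to look like
 *              "user@host [addr]" when the client answered the ident
 *              query, and to contain no '@' otherwise.
 * sender_user: local part of the envelope sender (e_from.q_user).
 */
enum ident_check
ident_check_sender(const char *ident, const char *sender_user)
{
	const char *at;
	size_t len;

	if (ident == NULL)
		return IDENT_ABSENT;
	if ((at = strchr(ident, '@')) == NULL)
		return IDENT_ABSENT;	/* no ident reply: nothing to compare */
	if (sender_user == NULL)
		return IDENT_MISMATCH;

	len = (size_t)(at - ident);
	if (len == 0)
		return IDENT_MISMATCH;	/* empty ident user never matches */

	/*
	 * Compare the whole local part: the lengths must agree,
	 * otherwise sender "bobby" would pass for ident user "bob".
	 */
	if (strlen(sender_user) != len)
		return IDENT_MISMATCH;
	if (strncasecmp(sender_user, ident, len) != 0)
		return IDENT_MISMATCH;
	return IDENT_MATCH;
}
```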

