Yahoo Groups archive

Milter-greylist

SMTP auth and greylisting

2005-03-07 by BERTRAND Joël

Hello,

	I'm trying to use milter-greylist with smtp authentication
	(sendmail 8.13.3 debian package).

	I have added:

include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl

	to /etc/mail/sendmail.mc and smtp authentication seems to work.
	With mozilla mail, a popup asks for login and password. But a new
	popup appears with "greylisting in action...".

	In /etc/mail/greylist.conf, I have:

# Normally, clients that succeed SMTP AUTH are not
# greylisted. Uncomment this if you want to
# greylist them regardless of SMTP AUTH
#noauth

	Where is the trouble ? Any idea ?

	Regards,

	JKB

Re: [milter-greylist] SMTP auth and greylisting

2005-03-14 by manu@netbsd.org

BERTRAND Joël <joel.bertrand@...> wrote:

>       I'm trying to use milter-greylist with smtp authentication
>       (sendmail 8.13.3 debian package).
> 
>       I have added:
> 
> include(`/etc/mail/sasl/sasl.m4')dnl
> include(`/etc/mail/tls/starttls.m4')dnl
> 
>       to /etc/mail/sendmail.mc and smtp authentication seems to work.
>       With mozilla mail, a popup asks for login and password. But a new
>       popup appears with "greylisting in action...".
> 
>       In /etc/mail/greylist.conf, I have:
> 
> # Normally, clients that succeed SMTP AUTH are not
> # greylisted. Uncomment this if you want to
> # greylist them regardless of SMTP AUTH
> #noauth
> 
>       Where is the trouble ? Any idea ?

It seems nobody can answer this question. Matthieu, you contributed the
STARTTLS support, maybe you'll have a hint?

-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD, 2nd ed., is in all good bookshops
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

Re: [milter-greylist] SMTP auth and greylisting

2005-03-14 by Matthieu Herrb

manu@... wrote:
> BERTRAND Joël <joel.bertrand@...> wrote:
> 
> 
>>      I'm trying to use milter-greylist with smtp authentication
>>      (sendmail 8.13.3 debian package).
>>
>>      I have added:
>>
>>include(`/etc/mail/sasl/sasl.m4')dnl
>>include(`/etc/mail/tls/starttls.m4')dnl
>>
>>      to /etc/mail/sendmail.mc and smtp authentication seems to work.
>>      With mozilla mail, a popup asks for login and password. But a new
>>      popup appears with "greylisting in action...".
>>
>>      In /etc/mail/greylist.conf, I have:
>>
>># Normally, clients that succeed SMTP AUTH are not
>># greylisted. Uncomment this if you want to
>># greylist them regardless of SMTP AUTH
>>#noauth
>>
>>      Where is the trouble ? Any idea ?
> 
> 
> It seems nobody can answer this question. Matthieu, you contributed the
> STARTTLS support, maybe you'll have a hint?
> 
Maybe there's some incompatibility in the current code between using
STARTTLS with a client certificate and just using it to send SMTP AUTH 
over a secured channel. My code only handles the 1st case iirc.
I've not looked at the code yet to verify this though.

-- 
Matthieu Herrb

Re: [milter-greylist] SMTP auth and greylisting

2005-03-14 by manu@netbsd.org

Matthieu Herrb <matthieu.herrb@...> wrote:

> Maybe there's some incompatibility in the current code between using
> STARTTLS with a client certificate and just using it to send SMTP AUTH
> over a secured channel. My code only handles the 1st case iirc.
> I've not looked at the code yet to verify this though.

You mean milter-greylist would be confused because the client would use
both STARTTLS and SMTP AUTH afterwards?

-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD, 2nd ed., is in all good bookshops
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

Re: [milter-greylist] SMTP auth and greylisting

2005-03-15 by Matthieu Herrb

manu@... wrote:
> Matthieu Herrb <matthieu.herrb@...> wrote:
> 
> 
>>Maybe there's some incompatibility in the current code between using
>>STARTTLS with a client certificate and just using it to send SMTP AUTH
>>over a secured channel. My code only handles the 1st case iirc.
>>I've not looked at the code yet to verify this though.
> 
> 
> You mean milter-greylist would be confused because the client would use
> both STARTTLS and SMTP AUTH afterwards?
> 
Yes. That's what I meant. But after looking at the code, it seems unlikely.
Better start by double-checking that ${auth_authen} is passed to 
milter-greylist, i.e. that:

define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')

is included somewhere in sendmail.mc.
-- 
Matthieu Herrb

Re: [milter-greylist] SMTP auth and greylisting

2005-03-16 by BERTRAND Joël

On Tue, Mar 15, 2005 at 05:39:05PM +0100, Matthieu Herrb wrote:
> 
> manu@... wrote:
> > Matthieu Herrb <matthieu.herrb@...> wrote:
> > 
> > 
> >>Maybe there's some incompatibility in the current code between using
> >>STARTTLS with a client certificate and just using it to send SMTP AUTH
> >>over a secured channel. My code only handles the 1st case iirc.
> >>I've not looked at the code yet to verify this though.
> > 
> > 
> > You mean milter-greylist would be confused because the client would use
> > both STARTTLS and SMTP AUTH afterwards?
> > 
> Yes. That's what I meant. But after looking at the code, it seems unlikely.
> Better start by double-checking that ${auth_authen} is passed to 
> milter-greylist, i.e. that:
> 
> define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
> 
> is included somewhere in sendmail.mc.

	Matthieu,

	I have in my sendmail.cf :

O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf},
{auth_author}, {mail_mailer}, {mail_host}, {mail_addr}

	In my sendmail.mc (debian), I only have :

LOCAL_CONFIG
## Custom configurations below (will be preserved)
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
TRUST_AUTH_MECH(`shadow')dnl
define(`confAUTH_MECHANISMS', `shadow')dnl
INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/greylist.sock')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `greylist,spamassassin,clamav')dnl

	I use a debian distribution.

	Regards,

	JKB

-- 
Besides, it's simple, I've been doing this kind of thing in g77 for years:
you just write a wrapper in C. And that way, I get the best of both
worlds: the quasi-monastic rigor of Fortran, and the petulant exuberance of C.

Re: [milter-greylist] SMTP auth and greylisting

2005-03-16 by manu@netbsd.org

BERTRAND Joël <joel.bertrand@...> wrote:

>       I have in my sendmail.cf :
> 
> O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf},
> {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}

Seems you are going to add a few printf inside milter-greylist to
discover what is going on.

In milter-greylist.c, search for "Is the user authenticated?", and add
this before the test:

printf("conf.c_noauth = %d, auth_authen = \"%s\"\n",
    conf.c_noauth, smfi_getsymval(ctx, "{auth_authen}"));
    
Do the same for STARTTLS just below. 

printf("conf.c_noauth = %d, verify = \"%s\", cert_subject = \"%s\"\n",
    conf.c_noauth, smfi_getsymval(ctx, "{verify}"), 
    smfi_getsymval(ctx, "{cert_subject}"));

Run milter-greylist in the foreground and check what happens.

-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD, 2nd ed., is in all good bookshops
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

Re: [milter-greylist] SMTP auth and greylisting

2005-11-23 by BERTRAND Joël

Hello,

manu@... wrote:
> BERTRAND Joël <joel.bertrand@...> wrote:
> 
> 
>>      I have in my sendmail.cf :
>>
>>O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf},
>>{auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
> 
> 
> Seems you are going to add a few printf inside milter-greylist to
> discover what is going on.
> 
> In milter-greylist.c, search for "Is the user authenticated?", and add
> this before the test:
> 
> printf("conf.c_noauth = %d, auth_authen = \"%s\"\n",
>     conf.c_noauth, smfi_getsymval(ctx, "{auth_authen}"));

	I have added :

syslog(LOG_INFO, "conf.c_noauth = %d, auth_authen = \"%s\"\n", 
conf.c_noauth, smfi_getsymval(ctx, "{auth_authen}"));

	and milter-greylist returns :

Nov 23 10:45:44 kant milter-greylist: conf.c_noauth = 0, auth_authen = "(null)"
Nov 23 10:45:44 kant milter-greylist: jAN9jfL3003686: addr 213.41.173.141 from <joel.bertrand@...> to <bertrand@...> delayed for 00:10:00

	Why "(null)" ?

	Regards,

	JKB

Re: [milter-greylist] SMTP auth and greylisting

2005-11-23 by BERTRAND Joël

BERTRAND Joël wrote:
> 	Hello,
> 
> manu@... wrote:
> 
>>BERTRAND Joël <joel.bertrand@...> wrote:
>>
>>
>>
>>>     I have in my sendmail.cf :
>>>
>>>O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf},
>>>{auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
>>
>>
>>Seems you are going to add a few printf inside milter-greylist to
>>discover what is going on.
>>
>>In milter-greylist.c, search for "Is the user authenticated?", and add
>>this before the test:
>>
>>printf("conf.c_noauth = %d, auth_authen = \"%s\"\n",
>>    conf.c_noauth, smfi_getsymval(ctx, "{auth_authen}"));
> 
> 
> 	I have added :
> 
> syslog(LOG_INFO, "conf.c_noauth = %d, auth_authen = \"%s\"\n", 
> conf.c_noauth, smfi_getsymval(ctx, "{auth_authen}"));
> 
> 	and milter-greylist returns :
> 
> Nov 23 10:45:44 kant milter-greylist: conf.c_noauth = 0, auth_authen = "(null)"
> Nov 23 10:45:44 kant milter-greylist: jAN9jfL3003686: addr 213.41.173.141 from <joel.bertrand@...> to <bertrand@...> delayed for 00:10:00
> 
> 	Why "(null)" ?

	I have found... I have made a mistake in /etc/pam.d/smtp...

Nov 23 20:23:52 kant milter-greylist: conf.c_noauth = 0, auth_authen = "bertrand"
Nov 23 20:23:52 kant milter-greylist: User bertrand authenticated, bypassing greylisting

	Regards,

	JKB
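
The diagnosis worked through in this thread, as an added example that is not part of the original posts and is not milter-greylist's own source: a NULL-safe version of the debug line (passing NULL to `%s` is undefined in C; glibc happens to print "(null)") next to the bypass decision the thread describes. The names `gl_decide`, `gl_debug_line` and `macro_or_unset` are hypothetical, and the decision rules are an assumption reconstructed from the posts; the arguments stand in for what `smfi_getsymval()` would return.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical outcome names for this example. */
enum gl_decision { GL_GREYLIST, GL_BYPASS_AUTH, GL_BYPASS_TLS };

/* NULL means sendmail did not hand the macro to the milter. */
static const char *macro_or_unset(const char *v) { return v ? v : "<unset>"; }

/*
 * Assumed rules, following the thread: with "noauth" set everyone is
 * greylisted; otherwise a non-empty {auth_authen} (SMTP AUTH succeeded)
 * bypasses greylisting, and so does a verified client certificate
 * ({verify} == "OK" together with a {cert_subject}).
 */
enum gl_decision gl_decide(int noauth, const char *auth_authen,
                           const char *verify, const char *cert_subject)
{
    if (noauth)
        return GL_GREYLIST;
    if (auth_authen != NULL && auth_authen[0] != '\0')
        return GL_BYPASS_AUTH;
    if (verify != NULL && strcmp(verify, "OK") == 0 && cert_subject != NULL)
        return GL_BYPASS_TLS;
    return GL_GREYLIST;
}

/* Build the debug line without ever passing NULL to %s. */
int gl_debug_line(char *buf, size_t len, int noauth, const char *auth_authen,
                  const char *verify, const char *cert_subject)
{
    return snprintf(buf, len,
        "noauth=%d auth_authen=\"%s\" verify=\"%s\" cert_subject=\"%s\"",
        noauth, macro_or_unset(auth_authen), macro_or_unset(verify),
        macro_or_unset(cert_subject));
}

int main(void)
{
    char line[256];
    /* Constructed inputs mirroring the two log excerpts in the thread. */
    gl_debug_line(line, sizeof line, 0, NULL, NULL, NULL);
    printf("%s -> %d\n", line, gl_decide(0, NULL, NULL, NULL));
    gl_debug_line(line, sizeof line, 0, "bertrand", "NO", NULL);
    printf("%s -> %d\n", line, gl_decide(0, "bertrand", "NO", NULL));
    return 0;
}
```

An unset `{auth_authen}` with the macro present in `Milter.macros.envfrom` points at the authentication step itself, which is where the fault turned out to be here.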
