
SASL username forwarding to (before-queue) filter?

  • Christian Rohmann
    Message 1 of 6 , Mar 13, 2013
      Hello postfix-users,

      I'd like to somehow get/forward the SASL username of an authenticated
      user to a before-queue SMTP content filter that is connected via
      smtpd_proxy_filter.
      I know I can use "smtpd_sasl_authenticated_header = yes", but that is
      not quite what I want or need as the scanner can only (easily) take a
      username in via SMTP-Auth or XCLIENT.


      I see two options:

      1) Use the XCLIENT attribute LOGIN and have postfix send that to the
      scanner. But I don't know if postfix even does send XCLIENT data to
      another SMTP server (content filter in this case). A quick test showed
      that postfix will not speak XCLIENT upstream but only XFORWARD.

      2) Another option would be to forward the username that was used on the
      primary connection and use that to "authenticate" towards the
      smtpd_proxy_filter. Is there a way to achieve that?


      If transmitting the SASL username was possible with after-queue
      filtering, I might consider that as well.




      Thanks for your feedback,


      Christian
    • DTNX Postmaster
      Message 2 of 6 , Mar 13, 2013
        On Mar 13, 2013, at 09:47, Christian Rohmann <crohmann@...> wrote:

        > Hello postfix-users,
        >
        > I'd like to somehow get/forward the SASL username of an authenticated
        > user to a before-queue SMTP content filter that is connected via
        > smtpd_proxy_filter.
        > I know I can use "smtpd_sasl_authenticated_header = yes", but that is
        > not quite what I want or need as the scanner can only (easily) take a
        > username in via SMTP-Auth or XCLIENT.
        >
        >
        > I see two options:
        >
        > 1) Use the XCLIENT attribute LOGIN and have postfix send that to the
        > scanner. But I don't know if postfix even does send XCLIENT data to
        > another SMTP server (content filter in this case). A quick test showed
        > that postfix will not speak XCLIENT upstream but only XFORWARD.
        >
        > 2) Another option would be to forward the username that was used on the
        > primary connection and use that to "authenticate" towards the
        > smtpd_proxy_filter. Is there a way to achieve that?
        >
        >
        > If transmitting the SASL username was possible with after-queue
        > filtering, I might consider that as well.

        As far as I understand it, you may need to use either the milter or the
        policy server interface to connect the content filter, if you want to
        pass the SASL data. For example, Postfix passes the following to a
        policy server;

        sasl_method=plain
        sasl_username=you
        sasl_sender=

        There does not seem to be a way to do this via SMTP, but it is possible
        that I have overlooked some part of the documentation.

        Cya,
        Jona
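The policy delegation request mentioned in the message above is a block of name=value lines ended by an empty line. As an added example (not part of the original post and not Postfix code), this sketch parses such requests and extracts the SASL identity; the function names and the sample request are constructed for illustration.

```python
import io

# Constructed sample request; attribute names follow the Postfix policy
# delegation protocol, the values are made up for this example.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=you@example.com\n"
    "recipient=them@example.net\n"
    "sasl_method=plain\n"
    "sasl_username=you\n"
    "sasl_sender=\n"
    "\n"
)

def read_request(stream):
    """Read one request. Return a dict, or None if the stream ends first."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if line == "":
            return attrs              # empty line terminates the request
        name, sep, value = line.partition("=")  # values may contain '='
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    return None  # EOF before the terminator: never act on a partial request

def sasl_identity(attrs):
    """Return (method, username), or None for an unauthenticated client."""
    user = attrs.get("sasl_username", "")
    if not user:                      # attribute is empty when no AUTH was done
        return None
    return attrs.get("sasl_method", ""), user

def handle(stream):
    """Answer every request on one connection; return (identity, reply) pairs."""
    results = []
    while (attrs := read_request(stream)) is not None:
        identity = sasl_identity(attrs)
        # DUNNO means "no opinion": Postfix continues with its other checks.
        results.append((identity, "action=DUNNO\n\n"))
    return results

if __name__ == "__main__":
    for identity, reply in handle(io.StringIO(SAMPLE_REQUEST)):
        print(identity, repr(reply))
```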
      • Christian Rohmann
        Message 3 of 6 , Mar 18, 2013
          Hey again postfix-users,

          On 13.03.2013 09:47, Christian Rohmann wrote:
          > 1) Use the XCLIENT attribute LOGIN and have postfix send that to the
          > scanner. But I don't know if postfix even does send XCLIENT data to
          > another SMTP server (content filter in this case). A quick test showed
          > that postfix will not speak XCLIENT upstream but only XFORWARD.


          Are there any plans to implement XCLIENT forwarding into postfix?
          Currently postfix seems to only accept XCLIENT but not send it to
          another SMTP server itself.


          Regards

          Christian
        • Wietse Venema
          Message 4 of 6 , Mar 18, 2013
            Christian Rohmann:
            > Hey again postfix-users,
            >
            > On 13.03.2013 09:47, Christian Rohmann wrote:
            > > 1) Use the XCLIENT attribute LOGIN and have postfix send that to the
            > > scanner. But I don't know if postfix even does send XCLIENT data to
            > > another SMTP server (content filter in this case). A quick test showed
            > > that postfix will not speak XCLIENT upstream but only XFORWARD.
            >
            >
            > Are there any plans to implement XCLIENT forwarding into postfix?

            Please read the XFORWARD document.

            Wietse

            > Currently postfix seems to only accept XCLIENT but not send it to
            > another SMTP server itself.
            >
            >
            > Regards
            >
            > Christian
            >
            >
            >
            >
            >
          • Christian Rohmann
            Message 5 of 6 , Mar 18, 2013
              Hello Wietse, postfix-users,

              On 18.03.2013 12:01, Wietse Venema wrote:
              >> > Are there any plans to implement XCLIENT forwarding into postfix.

              > Please read the XFORWARD document.

              I read the XFORWARD_README and I believe XFORWARD is what I want and
              should use to get variables from postfix MTA to my content filter.

              But currently it cannot send the LOGIN name as it does for XCLIENT.
              A while back you, Wietse, were asked (and said yes ;-) ) if you could
              implement sending SASL information via XFORWARD. Here is the
              mailing-list thread:
              https://groups.google.com/forum/?fromgroups=#!topicsearchin/list.postfix.users/XFORWARD/list.postfix.users/Xq2ST_pjR8A

              The ability of forwarding SASL info using the LOGIN attribute was what
              got me looking at XCLIENT in the first place.


              Any chance then of getting the LOGIN attribute for XFORWARD?


              Thanks for your time and patience,
              Regards


              Christian
            • Wietse Venema
              Message 6 of 6 , Mar 18, 2013
                Christian Rohmann:
                > Hello Wietse, postfix-users,
                >
                > On 18.03.2013 12:01, Wietse Venema wrote:
                > >> > Are there any plans to implement XCLIENT forwarding into postfix.
                >
                > > Please read the XFORWARD document.
                >
                > I read the XFORWARD_README and I believe XFORWARD is what I want and
                > should use to get variables from postfix MTA to my content filter.
                >
                > But currently it cannot send the LOGIN name as it does for XCLIENT.

                Then, XFORWARD would need to be extended.

                Not only for sending forwarded SASL attributes (authentication
                method, authentication ID, sender address in MAIL FROM AUTH= option),
                but also for receiving forwarded SASL attributes, for storing
                forwarded attributes into queue files in addition to the SMTP
                client's SASL attributes, and for logging the forwarded attributes.

                Just like forwarded SMTP client name/address information, forwarded
                SASL attributes must not be confused with the SMTP client attributes
                (i.e. XFORWARD changes Postfix logging; to override Postfix security
                policy use XCLIENT).

                If no-one steps forward, then this will wait until I have time.

                Wietse