Recipe 7.9 Selectively Requiring Authentication

Problem

You have a mail host that cannot be configured to require strong authentication from every connecting host, yet you have been asked to configure that system to always require strong authentication from certain connecting hosts.

Solution

Make sure that the basic AUTH configuration requirements described in Recipe 7.1 are met.

Create Srv_Features: access database entries for all hosts that are required to authenticate using AUTH. The key field of each entry begins with the tag Srv_Features:, which is followed by the domain name, hostname, or IP address that identifies the system that is required to authenticate itself. The return value of each entry is the letter l.

Add the access_db feature to the sendmail configuration. Here is the required FEATURE macro:

 dnl Enable the access database
 FEATURE(`access_db')

Following the instructions in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail , and restart sendmail.

Discussion

Srv_Features: access database entries allow you to control the extended features offered to the connecting host based on the domain name or IP address of the connecting host. The syntax of the Srv_Features: entry is:

 Srv_Features:   name     flags

Srv_Features: is the required tag. name is the name of the connecting host, which can be defined by a full or partial domain name or a full or partial IP address. A full domain name or IP address matches a single host. A partial domain name matches all hosts in that domain, and a partial IP address matches all hosts on the specified network. When the name field is blank, the entry applies to all inbound mail connections that do not have a more specific Srv_Features: match. The precedence of matches is from the longest (the most specific) to the shortest (the least specific).

The flags field is a list of one or more single-letter flags that indicate whether an extended service should be enabled or disabled for the specified connecting host. When the flags field contains more than one flag, the individual flags are separated by whitespace. A lowercase letter in the flags field enables an SMTP extension, and an uppercase letter disables the extension. All of the flags, except t, come in upper/lower case pairings. Table 7-2 lists the letters that enable and disable SMTP extensions.

Table 7-2. Srv_Features: flags

 Yes   No   Description
 a     A    Advertise AUTH.
 b     B    Advertise the VERB command.
 d     D    Advertise the DSN extension.
 e     E    Advertise the ETRN command.
 l     L    Require AUTH authentication from the connecting host.
 p     P    Advertise PIPELINING.
 s     S    Advertise STARTTLS.
 t          Defer the connection with a temporary error.
 v     V    Request a client certificate from the connecting host.
 x     X    Advertise the EXPN command.

The a/A flag and the l/L flag are the flags that relate directly to the AUTH protocol extension. In particular, this recipe uses the l flag to selectively require authentication. For example, assume that you want to require AUTH authentication from any host connecting from the dialin.wrotethebook.com domain. You could do that by adding the following entry to the access database:

 Srv_Features:dialin.wrotethebook.com      l 

Now, a connection attempt from any host in the dialin.wrotethebook.com domain is refused if the host does not authenticate. All other hosts, however, are still allowed to connect without authenticating because there are no other Srv_Features: entries in the access database that relate to AUTH authentication. AUTH is still advertised to all hosts, and any host that chooses to is allowed to authenticate because that is the default sendmail behavior. In the absence of an applicable Srv_Features: entry, the default sendmail behavior applies. This is exactly what we want for this recipe, but it can be more clearly documented in the access database by using two entries instead of the one shown above:

 Srv_Features:dialin.wrotethebook.com      l
 Srv_Features:                             L

In this case, authentication is still required from the hosts in the dialin.wrotethebook.com domain. But this time, we explicitly show that we do not require authentication from anyone else by using a Srv_Features: entry with a blank name field and an L flag.

This configuration could be taken a step further. Using the A flag in the second Srv_Features: entry would prevent sendmail from advertising AUTH to any hosts except those in the dialin.wrotethebook.com domain. Here is that variation:

 Srv_Features:dialin.wrotethebook.com      l
 Srv_Features:                             L A

In this case, hosts outside of the dialin.wrotethebook.com domain are not required to authenticate and are not even given a chance to do so.
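The lookup and flag semantics described above, as an added example that is not part of this recipe or of sendmail itself: a Python simulation of how the most specific Srv_Features: entry is chosen for a connecting host and what the matched flags mean for AUTH. It assumes only IPv4 addresses are involved and that flags absent from the matched entry keep the defaults the recipe states (AUTH advertised, AUTH not required); the access database below is constructed from the recipe's entries plus one network entry.

```python
TAG = "Srv_Features:"
# Constructed access database: the recipe's two entries plus a network entry.
ACCESS_DB = """
Srv_Features:dialin.wrotethebook.com      l
Srv_Features:                             L A
Srv_Features:192.168.1                    a
"""

def parse_access_db(text):
    """Return {name: [flag, ...]} for each Srv_Features: line of the map source."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(TAG):
            continue
        rest = line[len(TAG):]
        if not rest or rest[:1].isspace():   # blank name field: the default entry
            name, flags = "", rest.split()
        else:
            name, *flags = rest.split()
        entries[name.lower()] = flags
    return entries

def candidates(client):
    """Lookup keys from most to least specific, ending with the blank key."""
    parts = client.lower().split(".")
    if all(p.isdigit() for p in parts):       # IPv4 address: drop trailing octets
        for i in range(len(parts), 0, -1):
            yield ".".join(parts[:i])
    else:                                     # host name: drop leading labels
        for i in range(len(parts)):
            yield ".".join(parts[i:])
    yield ""

def lookup(entries, client):
    """Flags of the first (most specific) matching entry, or [] if none."""
    for key in candidates(client):
        if key in entries:
            return entries[key]
    return []

# Lowercase enables, uppercase disables (Table 7-2); only the AUTH flags are modelled.
AUTH_FLAGS = {"a": ("advertise", True), "A": ("advertise", False),
              "l": ("require", True), "L": ("require", False)}

def auth_policy(entries, client):
    """Return {'advertise': bool, 'require': bool} for the connecting host."""
    policy = {"advertise": True, "require": False}   # sendmail defaults per the recipe
    for flag in lookup(entries, client):
        if flag in AUTH_FLAGS:
            setting, value = AUTH_FLAGS[flag]
            policy[setting] = value
    return policy
```

With the constructed database, a dialin host gets AUTH required, a LAN host on 192.168.1.0/24 keeps AUTH advertised because its network entry is more specific than the blank default, and everything else is neither required nor offered AUTH.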

See Also

Recipe 7.1 describes the basic configuration that needs to be done before this recipe is implemented. The sendmail book covers the Srv_Features: entry in Section 19.9.4.



Sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt
