Thread (subject / author):
* getting username from failed AUTH attempts from milter (Ed Wong)
  * Re: getting username from failed AUTH attempts from milter (Claus Aßmann)
    * Re: getting username from failed AUTH attempts from milter (Otto J. Makela)
      * Re: getting username from failed AUTH attempts from milter (Claus Aßmann)

getting username from failed AUTH attempts from milter

<48dfe970-c2e3-4a28-94ec-1eea9d0bfe5an@googlegroups.com>


https://www.novabbs.com/computers/article-flat.php?id=728&group=comp.mail.sendmail#728

Newsgroups: comp.mail.sendmail
Date: Wed, 24 May 2023 18:40:09 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=202.126.212.50; posting-account=2tnxZgoAAAB50JSvNXVw0EeBPQyOAWe_
NNTP-Posting-Host: 202.126.212.50
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <48dfe970-c2e3-4a28-94ec-1eea9d0bfe5an@googlegroups.com>
Subject: getting username from failed AUTH attempts from milter
From: sme...@gmail.com (Ed Wong)
Injection-Date: Thu, 25 May 2023 01:40:10 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 2155
 by: Ed Wong - Thu, 25 May 2023 01:40 UTC

Hi,

This question is somewhat similar to https://groups.google.com/g/comp.mail.sendmail/c/nwomWJzMwWA/m/salF0uH-2_4J in that, instead of the IP, I'd like to get the username from within a milter. From the linked message, the UN and PW are passed to saslauthd and the return is the pass/failed status.

This means sendmail does know the UN. Is there a way for a milter to extract this UN information?

I'm looking at the logs and the AUTH failure happens between the hello callback and the envfrom callback (which never gets called), since by the time the AUTH failure is encountered, the connection is dropped. And using smfi_getsymval() to get "{auth_author}", I get None for the value. (Note: I used smfi_getsymval() in the hello cb (where it isn't available, as mentioned in https://github.com/aosm/sendmail/blob/0b43ef09c7fa82f822b17cb8a060f673280663cc/sendmail/libmilter/docs/smfi_getsymval.html) and the connection doesn't get to envfrom.)

Any clarifications appreciated.

Ed

Re: getting username from failed AUTH attempts from milter

<u4mtdh$nje$1@news.misty.com>


https://www.novabbs.com/computers/article-flat.php?id=729&group=comp.mail.sendmail#729

From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: getting username from failed AUTH attempts from milter
Date: Thu, 25 May 2023 01:58:09 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <u4mtdh$nje$1@news.misty.com>
References: <48dfe970-c2e3-4a28-94ec-1eea9d0bfe5an@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 25 May 2023 05:58:09 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="24174"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Thu, 25 May 2023 05:58 UTC

"What's the problem you are trying to solve?"
Why do you want to access that data?

${auth_authen}
The client's authentication credentials as deter-
mined by authentication (only set if successful).
^^^^^^^^^^^^^^^^^^^^^^

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: getting username from failed AUTH attempts from milter

<87cz0liq8h.fsf@tigger.extechop.net>


https://www.novabbs.com/computers/article-flat.php?id=758&group=comp.mail.sendmail#758

From: om...@iki.fi (Otto J. Makela)
Newsgroups: comp.mail.sendmail
Subject: Re: getting username from failed AUTH attempts from milter
Date: Fri, 21 Jul 2023 12:11:10 +0300
Organization: Games and Theory
Lines: 30
Message-ID: <87cz0liq8h.fsf@tigger.extechop.net>
References: <48dfe970-c2e3-4a28-94ec-1eea9d0bfe5an@googlegroups.com>
<u4mtdh$nje$1@news.misty.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Injection-Info: dont-email.me; posting-host="60965946896ee17122f9d9ea3c4eaabd";
logging-data="3354742"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+iruk+4Xpkze2kHfEhjIQn"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Cancel-Lock: sha1:Mcu79YfX3NbhcYzmdrp0VMt/WF0=
sha1:8K9t2C5yDnwpDcA1GZpLTz4v2EE=
Mail-Copies-To: never
X-URL: http://www.iki.fi/om/
 by: Otto J. Makela - Fri, 21 Jul 2023 09:11 UTC

Claus Aßmann wrote:

> "What's the problem you are trying to solve?"
> Why do you want to access that data?
>
> ${auth_authen}
> The client's authentication credentials as deter-
> mined by authentication (only set if successful).
> ^^^^^^^^^^^^^^^^^^^^^^

I don't know about Ed's situation, but I would certainly like to be able
to discern these two situations (assuming no bandwidth limitations) from
each other:

* user has an incorrect password in their (badly behaving) email client,
which keeps repeatedly hammering our server with the same username

* compromised host is doing a dictionary attack over all our users

If I understood correctly, if the attempted authentication credentials
are not stored in the logs, how do you tell these apart?

And then there's the kinda opposite case of a large botnet hammering the
server with an exhaustive search for a single account password.

--
/* * * Otto J. Makela <om@iki.fi> * * * * * * * * * */
/* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki */
/* * * Computers Rule 01001111 01001011 * * * * * * */

Re: getting username from failed AUTH attempts from milter

<u9ebha$567$1@news.misty.com>


https://www.novabbs.com/computers/article-flat.php?id=759&group=comp.mail.sendmail#759

From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: getting username from failed AUTH attempts from milter
Date: Fri, 21 Jul 2023 12:25:14 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <u9ebha$567$1@news.misty.com>
References: <48dfe970-c2e3-4a28-94ec-1eea9d0bfe5an@googlegroups.com> <u4mtdh$nje$1@news.misty.com> <87cz0liq8h.fsf@tigger.extechop.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 21 Jul 2023 16:25:14 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="5319"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Fri, 21 Jul 2023 16:25 UTC

Otto J. Makela wrote:

> If I understood correctly, if the attempted authentication credentials
> are not stored in the logs, how do you tell these apart?

8.16.1/8.16.1 2020/07/05

Log user= for failed AUTH attempts if possible. Based on
patch from Packet Hack, Jim Hranicky, Kevin A. McGrail,
and Joe Quinn.

If that's not good enough: check what Cyrus-SASL does.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
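Added example, not from any of the posters: since ${auth_authen} is only set on success, the username for a failed attempt has to come from the log side that Claus points to (the user= field sendmail 8.16.1+ logs for failed AUTH). The script below parses such lines and separates the three patterns Otto describes: one client repeatedly failing on one username (a stuck client), one client cycling through many usernames (a dictionary attack from one host), and many clients hammering one username (a distributed attack on a single account). The sample log lines are constructed and only loosely modelled on sendmail's "AUTH failure ... user=..., relay=..." form; the regex, thresholds and function names are assumptions to adjust to your own maillog.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# --- Constructed sample input (not from the thread) -------------------------
# Modelled loosely on the "AUTH failure ... user=..., relay=..." line that
# sendmail 8.16.1 and later can log; check your own maillog for the exact form.
_LINE = ("Jul 21 09:00:{i:02d} mx sendmail[41{i:02d}]: 36L900Ab0041{i:02d}: "
         "AUTH failure (LOGIN): authentication failure (-13) SASL(-13): "
         "authentication failure: checkpass failed, user={user}, relay={relay}")

# (user, relay) pairs covering the three patterns discussed in the thread:
#   alice : one client, one username, repeated  -> stuck / misconfigured client
#   bob.. : one client, many usernames           -> dictionary attack from one host
#   admin : one username, many clients           -> distributed attack on one account
#   grace : a single typo, should not be flagged
_EVENTS: List[Tuple[str, str]] = (
    [("alice", "[203.0.113.5]")] * 6
    + [(u, "[198.51.100.7]") for u in ("bob", "carol", "dave", "erin", "frank")]
    + [("admin", f"bot{n}.example [192.0.2.{n}]") for n in range(1, 5)]
    + [("grace", "[203.0.113.9]")]
)
SAMPLE_LOG = "\n".join(
    _LINE.format(i=i, user=u, relay=r) for i, (u, r) in enumerate(_EVENTS)
) + ("\nJul 21 09:00:59 mx sendmail[4199]: 36L959Ab004199: from=<x@example.org>, "
     "size=1234, class=0, nrcpts=1, proto=ESMTP, relay=[203.0.113.77]")  # unrelated line

# --- Parsing ----------------------------------------------------------------
# Assumed layout: "AUTH failure (<mech>): ... user=<name>, relay=<host> [<ip>]".
AUTH_FAIL_RE = re.compile(
    r"AUTH failure \((?P<mech>[^)]+)\):.*?user=(?P<user>[^,\s]+),\s*relay=(?P<relay>.+)$")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")  # the bracketed address inside relay=


def parse_failures(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (username, client_ip) for every failed-AUTH line; other lines are skipped."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("relay"))
        ip = ip_m.group(1) if ip_m else m.group("relay").strip()
        out.append((m.group("user"), ip))
    return out


# --- Classification ---------------------------------------------------------
def classify(failures: List[Tuple[str, str]],
             repeat_threshold: int = 5,
             spread_threshold: int = 4) -> Dict[str, list]:
    """Group failures into the three patterns; thresholds are tuning assumptions."""
    pair_counts = Counter(failures)
    users_per_ip: Dict[str, set] = defaultdict(set)
    ips_per_user: Dict[str, set] = defaultdict(set)
    for user, ip in failures:
        users_per_ip[ip].add(user)
        ips_per_user[user].add(ip)

    report: Dict[str, list] = {
        "stuck_client": [],                # (ip, user, attempts)
        "dictionary_from_host": [],        # (ip, distinct_users)
        "distributed_single_account": [],  # (user, distinct_ips)
    }
    # Same client, same username, over and over, and that client tries nothing else.
    for (user, ip), n in pair_counts.items():
        if n >= repeat_threshold and len(users_per_ip[ip]) == 1:
            report["stuck_client"].append((ip, user, n))
    # One client walking through many usernames.
    for ip, users in users_per_ip.items():
        if len(users) >= spread_threshold:
            report["dictionary_from_host"].append((ip, len(users)))
    # One username attacked from many clients.
    for user, ips in ips_per_user.items():
        if len(ips) >= spread_threshold:
            report["distributed_single_account"].append((user, len(ips)))
    return report


if __name__ == "__main__":
    for kind, hits in classify(parse_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{kind}: {hits}")
```

Pointing parse_failures() at a real maillog (for example `parse_failures(open("/var/log/maillog"))`) and feeding the result to classify() gives a per-pattern summary; the stuck-client bucket is the one to hand to the helpdesk, the other two are the ones to rate-limit or block.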
