[2024-09-22 09:39] Christian Schulte <c...@schulte.it>
> On 21.09.24 11:50, Philipp wrote:
> > [2024-09-20 14:23] Christian Schulte <c...@schulte.it>
> >> On 20.09.24 11:38, Christian Schulte wrote:
> >>> On 20.09.24 10:41, Christian Schulte wrote:
> >>>> Hi,
> >>>>
> >>>> I am currently searching for way to enforce authentication for all mails
> >>>> sent from a domain the server is a mx for. For example:
> >>>>
> >>>> table domains { "domain.com", "domain.net", "domain.org" }
> >>>>
> >>>> action "local_mail" mbox
> >>>> action "outbound" relay
> >>>>
> >>>> match from domain <domains> !auth reject
> >>>> ^^^^^^^^^^^ not supported
> >>>>
> >
> > Yes, there is no "from domain" in match, but there is "from mail-from"
> > which should work for your problem. Maybe you need a regex.
> >
> >>> Replying to myself. Maybe OpenSMTPD could do this by default without any
> >>> configuration. It could just enforce by default that a mail sent from a
> >>> domain, for which it is a MX in DNS, needs to be transferred in a
> >>> session with some kind of authentication in effect - may that be by
> >>> certificate, user/password, whatever.
> >>>
> >>
> >> I am so glad I finally found a place I can talk to myself. It's really
> >> that easy. I'll send a patch implementing something like that sometime.
> >> On receiving a MAIL FROM command, just query DNS, after configured
> >> expansion/masquerading whatever, to see if the daemon is an MX for that
> >> domain and act in submission mode if so automatically without the need
> >> to change a single bit of the configuration grammar. Client connects,
> >> sends something from@domain, daemon checks whether it is setup as an MX
> >> for that domain in DNS and uses that information to switch to
> >> "submission" mode (require tls, authentication, add missing headers or
> >> validate, etc.).
> >
> > I don't think this is a good idea to write such thing build in. Also
> > it souldn't be enabled by default. A better approach would be to
> > implement such a mx check as a table.
>
> My thinking is to avoid updating SMTP daemon configuration in favour of
> using DNS directly. May be of interest for domain registrars having lots
> of domains and providing email services to customers. Just setup the MX
> resource records in DNS and let OpenSMTPD use that as a source of
> configuration. If OpenSMTPD would enforce authentication/tls etc. for
> everything submitted by domains, it is MX for, it would not do any harm,
There are several problems:
First of all it's not that simple to know for wich domains your server
is reponsible for. Yes you could check MX recourds and lookup the A
and AAAA records. But a negativ match isn't true, because you might
be a MX later in the chain or run behind some NAT.
Next when you have a server for outgoing mails and one for incomming
mails the mails within the domain might just be relayed like any other
mail. This way the mails for the "own" domain also flowin like other
mails from extern. There are other setups where your check wouldn't
work.
Also (local) table lookups are quite cheep. Even with a few hundred
domains the lookup in memory is mutch cheeper then doing DNS requests.
> if some third party starts adding MX records to DNS pointing to your
> daemons. This needs a bit more thinking, of course. So if someone evil
> would setup an MX pointing to OpenSMTPD, nothing could happen if
> OpenSMTPD would not allow anything to be sent from such domains without
> authentication/tls etc.
I would say it's impossible to differ between a MX set by you and a MX
set by someone else. I'm not sure if this would be a real problem, so
it might be ok.
> Making it behave that way by default clearly
> would be a bit to alien. Having such option would be cool, I think, as
> it would remove the need to change any SMTP configuration whenever
> someone registers a new domain or cancels a domain, because DNS could be
> used for this. You'll have to setup MX records in DNS anyways. No more
> need additionally having to change SMTP configuration in addition.
General your aproach sounds appealing at the first look. But it completly
missunderstand how OpenSMTPD works. There is no concept of local domains
and external domains. The concept is envelope based. So each envelope is
checked against all matching rules and handled acoording to the action
of the first match.
To make this clear: I don't think doing MX lookups on the sender domain
is a general bad idea. I just don't think it's a good feature to implement
directly in smtpd or enabled by default.
OpenSMTPD is flexible enough to add this feature by writing a table or
filter which implements this. There are manpages for the smtpd-tables(7)
and the smtpd-filter(7).
> > What I would like to have is a bit more flexibility about the address
> > matching for sender and recipient. First off all adding some domain
> > match for the sender domain. But also some local-part matching for
> > sender and recipient. But this is a bit triky to implement without
> > adding to mutch complexity.
>
> As a first step, I just sent a diff to @tech for adding a "from domain"
> match option. We'll see.
>
> <https://marc.info/?l=openbsd-tech&m=172698547122604&w=2>
ruleset_match_from() is the wrong place. It should be in
ruleset_match_smtp_mail_from() like the mail-from. When you look at the
"from mail-from" syntax you might notice that it's only a short hand for
"from any mail-from". This should also be true for a check of the
sending domain.
Philipp
