bug-anubis

Re: [bug-anubis] 'remote' usage of anubis


From: Jim Cheetham
Subject: Re: [bug-anubis] 'remote' usage of anubis
Date: Tue, 09 Sep 2003 12:38:18 +1200

On Tue, 2003-09-09 at 10:46, Wojciech Polak wrote:
> On Mon, 08 Sep 2003 23:14:49 +0200 Jim Cheetham wrote:
> 
> > Like Greg, I'm not entirely convinced of the value of using ident at
> Identd only sends a user name or UID (depends on its configuration).

It's not so much that ident sends only "harmless" data, as that this
simple and easily-faked token effectively provides access to my config
file. You go to a lot of trouble to make sure that the config file is
protected on the file system, yet if someone were observing the traffic
between my workstation and mailserver, they could potentially discover
the (effective) contents of my anubis config by making connections to
it, providing my username in response to ident challenges, and looking
at the outgoing traffic to the mailserver.

However, I don't really think I should argue too much about the value of
ident; it can be useful in controlled situations ...

> You may specify a firewall rule and force identd to communicate
> only with GNU Anubis (with a specific host/port number).

> > Can Anubis use PAM? I am using v3.9.93, and I see that --with-pam is an
> > option to ./configure ... I guess in this case, it would be fine to let
> > PAM work out how to authenticate the connection, whether by ident or
> > other challenge ...
> 
> Remotely??? We were talking about a situation where Anubis is installed
> on Machine-A, and a client is located on Machine-B. This client is
> using his MUA to connect to Anubis on Machine-A. So the auth service
> (identd) is the only way to recognize a remote user (his user name or UID).

Hmmm ... I wasn't thinking very clearly. Anubis is restricted to
operating with only the facilities available in a normal mail user
agent, of course. I am trying to come up with a very secure usage
scenario ...

I usually send authenticated email over TLS, so that no information is
available to anyone watching the network, and there is an authentication
secret involved. Having just figured out how to get openssl working with
anubis (if the ssl libraries are unavailable, the ./configure
--with-openssl command de-selects openssl support without informing the
user ...) I've had a more thorough test.

It strikes me that if the incoming data stream includes ESMTP
authentication, and the remote MTA accepts this identification, then so
_could_ Anubis. And I should be able to configure Anubis to trust either
ident, or ESMTP Auth, in order to identify the 'user', and therefore
access the $HOME/.anubisrc file.

So, we look for an EHLO, then an AUTH command, resulting in "235
Authentication succeeded." If we see that, then we know what the AUTH
username was, and we can map that via ---TRANSLATION--- to a real system
user.

If, instead, the MUA goes to "MAIL FROM:", we can either TRANSLATE that
data, or resort to ident.

When an MTA does address re-writing, it is basically trusting the MAIL
FROM envelope data, or the header data. I don't think any MTA selects
rewriting rulesets based on AUTH username (although arguably they
should). But Anubis could ... :-)

-- 
Jim Cheetham
Systems Administrator, eCOSM Limited.
Phone +64 3 365 4176 | Mobile +64 21 314 158
http://www.ecosm.com/
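The detection Jim sketches above (watch for EHLO, then AUTH, and trust the name only once the server answers "235 Authentication succeeded"; otherwise fall back to MAIL FROM or ident) as an added, self-contained example. It is not code from the original mail or from GNU Anubis, and the function name `identify_user`, the dictionary it returns, the `TRANSLATION` table and the three sample SMTP dialogues are all constructed for this illustration; the table only stands in for the idea of the mail's ---TRANSLATION--- mapping and is not Anubis configuration syntax. The security-relevant detail it implements is the one the mail relies on: the client-offered name is untrusted until the server's own 235 reply confirms it, and a 4xx/5xx reply discards it.

```python
import base64
import re

# Constructed mapping (not Anubis syntax): authenticated name -> local system user.
TRANSLATION = {
    "jim": "jcheetham",
    "jim@example.net": "jcheetham",
}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _b64_text(token):
    """Decode one base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def _auth_plain_user(token):
    """Return the authcid from a SASL PLAIN blob (authzid NUL authcid NUL passwd)."""
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        return None
    return parts[1].decode("utf-8", "replace")


def identify_user(session, translation):
    """Walk an SMTP dialogue given as (direction, line) pairs, "C" for the MUA
    and "S" for the server, and decide whose connection it is. Preference
    follows the mail: a completed ESMTP AUTH (the name counts only after the
    server's 235 reply), then the MAIL FROM address, else ident remains."""
    mech = None             # AUTH mechanism in progress, None when idle
    candidate = None        # name the client offered, not yet confirmed
    expect_login_user = False
    authenticated = None    # name confirmed by a 235 reply
    mail_from = None

    for direction, line in session:
        if direction == "C":
            if mech is not None:                      # multi-step AUTH continues
                if candidate is None and mech == "PLAIN":
                    candidate = _auth_plain_user(line)
                elif candidate is None and mech == "LOGIN" and expect_login_user:
                    candidate = _b64_text(line)
                    expect_login_user = False
                continue
            parts = line.split(" ", 2)
            verb = parts[0].upper()
            if verb == "AUTH" and len(parts) >= 2:
                mech, candidate, expect_login_user = parts[1].upper(), None, False
                if len(parts) == 3:                   # initial response on the AUTH line
                    if mech == "PLAIN":
                        candidate = _auth_plain_user(parts[2])
                    elif mech == "LOGIN":
                        candidate = _b64_text(parts[2])
            elif verb == "MAIL":
                m = re.match(r"MAIL\s+FROM:\s*<([^>]*)>", line, re.IGNORECASE)
                if m:
                    mail_from = m.group(1)
        elif mech is not None:
            code = line[:3]
            if code == "235" and candidate:
                authenticated = candidate             # the server vouched for it
                mech = None
            elif code == "334":
                # "334 VXNlcm5hbWU6" is the LOGIN "Username:" challenge
                if mech == "LOGIN" and _b64_text(line[4:]) == "Username:":
                    expect_login_user = True
            elif code[:1] in ("4", "5"):
                mech, candidate = None, None          # rejected: forget the offered name

    if authenticated is not None:
        return {"source": "esmtp-auth", "name": authenticated,
                "system_user": translation.get(authenticated)}
    if mail_from is not None:
        return {"source": "mail-from", "name": mail_from,
                "system_user": translation.get(mail_from)}
    return {"source": "ident", "name": None, "system_user": None}


# Constructed sample dialogues, not captures from a real server.
SESSION_PLAIN = [
    ("C", "EHLO laptop.example.net"), ("S", "250-mail.example.net"),
    ("S", "250-AUTH PLAIN LOGIN"), ("S", "250 OK"),
    ("C", "AUTH PLAIN " + _b64("\0jim\0s3cret")),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<jim@example.net>"), ("S", "250 OK"),
]
SESSION_LOGIN = [
    ("C", "EHLO laptop.example.net"), ("S", "250 OK"),
    ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"), ("C", _b64("jim")),
    ("S", "334 UGFzc3dvcmQ6"), ("C", _b64("s3cret")),
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<someone-else@example.net>"),
]
SESSION_REJECTED = [
    ("C", "EHLO laptop.example.net"), ("S", "250 OK"),
    ("C", "AUTH PLAIN " + _b64("\0jim\0wrong-password")),
    ("S", "535 5.7.8 Authentication credentials invalid"),
    ("C", "MAIL FROM:<bob@example.net>"), ("S", "250 OK"),
]
```

Running `identify_user(SESSION_PLAIN, TRANSLATION)` yields the AUTH name "jim" mapped to "jcheetham"; the LOGIN dialogue gives the same result even though its MAIL FROM names someone else, which is the point of preferring the authenticated identity over envelope data. In the rejected dialogue the offered name is thrown away at the 535 reply and only the MAIL FROM address is left, which here has no translation, so the caller would have to resort to ident.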