Leo,

> I'm using amavisd-new as a postfix smtpd_proxy_filter.
> I've noticed that some mailers (some sendmail configurations) include an
> AUTH parameter to the MAIL FROM command, which apparently postfix passes
> to amavisd. However, amavisd rejects those mails because I have not
> defined @auth_mech_avail.
>
> Jun 12 14:25:37 strike postfix/smtpd[611]: warning: proxy
> 127.0.0.1:10024 rejected "MAIL From:<[EMAIL PROTECTED]> SIZE=1841 AUTH=<>":
> "503 5.7.4 Error: authentication disabled".
>
> I've read Mark's post on this topic some years ago:
> http://thread.gmane.org/gmane.mail.virus.amavis.user/15970/focus=16013
> ... in which he argued that amavisd should not accept the AUTH parameter
> if it isn't configured for authentication.

I know, a postfix proxy smtp server is supposed to cut a few corners,
deviating from RFC2821 in some details. Try the patch below (for 2.5.1),
it will turn a fatal 503 5.7.4 Error: authentication disabled
into an informative log entry and ignore the AUTH parameter.

> However, will simply enabling authentication by adding
> @auth_mech_avail = qw(PLAIN LOGIN);
> fix the problem for me? This will cause amavis to accept the AUTH parameter
> in "MAIL TO" commands. But amavisd will then also handle the AUTH
> command.

It used to achieve the effect I think, although since the use of Net::SMTP
(= libnet) was dropped in 2.5.0, the authentication in amavisd is even more
crippled than it used to be. Luckily no one depends on it I believe.

> Will postfix still block SMTP sessions using authentication
> with wrong credentials before the mail is passed to amavis? (I believe,
> amavis will reply with a positive "235 2.7.1 Authentication successful"
> to every (supported and syntactically correct) authentication attempt
> without checking the credentials if @auth_mech_avail is not empty.)

Yes, it would reply with Authentication successful, it has no way
to check credentials.

> As the SMTPD_PROXY_README says "Postfix sends no other SMTP commands.",
> postfix most likely won't pass an AUTH command to amavis anyway. So I'm
> just looking for a confirmation in order to be able to put my mind at rest.

I believe it is so.

--- amavisd.orig Thu May 31 14:10:01 2007 +++ amavisd Mon Jun 18 18:04:06 2007
@@ -13629,11 +13629,17 @@ if (!defined($dsn_envid)) { $dsn_envid = $val } else { $msg = "501 5.5.4 Syntax error in MAIL parameter: $name" } - } elsif ($name eq 'AUTH' && @{ca('auth_mech_avail')} && - !defined($submitter) ) { # rfc2554 - $submitter = xtext_decode($val); # encoded as xtext: rfc3461 - do_log(5, "MAIL command, %s, submitter: %s", - $authenticated,$submitter); - } elsif ($name eq 'AUTH' && [EMAIL PROTECTED]('auth_mech_avail')}) { - $msg = "503 5.7.4 Error: authentication disabled"; + } elsif ($name eq 'AUTH') { # rfc2554 + my($s) = xtext_decode($val); # encoded as xtext: rfc3461 + do_log(5, "MAIL command, %s, submitter: %s", $authenticated,$s); + if (defined $submitter) { + $msg = "504 5.5.4 MAIL command duplicate param.: $name=$val"; + } elsif ([EMAIL PROTECTED]('auth_mech_avail')}) { + # $msg = "503 5.7.4 Error: authentication disabled"; + do_log(3, "MAIL command parameter AUTH supplied, ". + "but authentication is disabled, ignored"); + $submitter = '<>'; + } else { + $submitter = $s; + } } else { $msg = "504 5.5.4 MAIL command parameter error: $name=$val";

Mark
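Review bot: In the final `else` branch of the new AUTH handling, `$submitter = $s` takes the peer-supplied AUTH= value as the submitter whenever `auth_mech_avail` is non-empty, while `$authenticated` is only passed to `do_log` and never tested in this hunk. Consider assigning `$s` only when the session is actually authenticated and falling back to `'<>'` otherwise, as the disabled-authentication branch already does. The level-5 `do_log` call now runs before the duplicate-parameter check, so the decoded value is logged even for a MAIL command that is then rejected with 504; a short comment saying this is intentional would help. The commented-out `# $msg = "503 5.7.4 ..."` line can be dropped, since the `do_log(3, ...)` message already documents the new behaviour. Note also that the token `[EMAIL PROTECTED]` in one removed and one added `elsif` line appears to be archive address-obfuscation damage, so the hunk will not apply as shown here.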