[Pymilter] Bypass of authenticated users

Stuart D. Gathman stuart at bmsi.com
Mon Oct 24 21:08:00 EDT 2011


On Tue, 25 Oct 2011, Pieter De Wit wrote:

> How do I get pyspfmilter to bypass authenticated users?

Try this:

Index: spfmilter.py
===================================================================
RCS file: /cvsroot/pymilter/milter/spfmilter.py,v
retrieving revision 1.11
diff -u -r1.11 spfmilter.py
--- spfmilter.py	14 Sep 2009 14:24:11 -0000	1.11
+++ spfmilter.py	25 Oct 2011 01:06:28 -0000
@@ -126,6 +126,42 @@
      t = parse_addr(f)
      if len(t) == 2: t[1] = t[1].lower()
      self.canon_from = '@'.join(t)
+
+    # Check SMTP AUTH, also available:
+    #   auth_authen  authenticated user
+    #   auth_author  (ESMTP AUTH= param)
+    #   auth_ssf     (connection security, 0 = unencrypted)
+    #   auth_type    (authentication method, CRAM-MD5, DIGEST-MD5, PLAIN, etc)
+    # cipher_bits  SSL encryption strength
+    # cert_subject SSL cert subject
+    # verify       SSL cert verified
+
+    self.user = self.getsymval('{auth_authen}')
+    if self.user:
+      # Very simple SMTP AUTH policy by default:
+      #   any successful authentication is considered INTERNAL
+      # Detailed authorization policy is configured in the access file below.
+      self.internal_connection = True
+      self.log(
+        "SMTP AUTH:",self.user, self.getsymval('{auth_type}'),
+        "sslbits =",self.getsymval('{cipher_bits}'),
+        "ssf =",self.getsymval('{auth_ssf}'), "INTERNAL"
+      )
+      # Restrict SMTP AUTH users to authorized domains
+      if self.internal_connection:
+        p = SPFPolicy('%s@%s'%(self.user,domain))
+        policy = p.getPolicy('smtp-auth:')
+        p.close()
+        if policy:
+          if policy != 'OK':
+            self.log("REJECT: unauthorized user",self.user,
+                "at",self.connectip,"sending MAIL FROM",self.canon_from)
+            self.setreply('550','5.7.1',
+              'SMTP user %s is not authorized to use MAIL FROM %s.' %
+              (self.user,self.canon_from)
+            )
+            return Milter.REJECT
+
      if not (self.internal_connection or self.trusted_relay) and self.connectip:
        rc = self.check_spf()
        if rc != Milter.CONTINUE: return rc
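
Review bot: The `if policy:` test near the end of the added block fails open: when no `smtp-auth:` entry exists for the user, `self.internal_connection` stays True, so any account that authenticates may use any MAIL FROM and the `check_spf()` call below is skipped. If that default is intended, say so in the comment at `# Very simple SMTP AUTH policy by default`; otherwise reject, or clear `internal_connection`, when no policy is found. Related points in the same block: `if self.internal_connection:` is always true immediately after the assignment and can be dropped, the nested `if policy:` / `if policy != 'OK':` can be a single condition, and `domain` in `SPFPolicy('%s@%s'%(self.user,domain))` is not bound anywhere in the visible lines, so confirm it is set earlier even when `len(t) != 2`. `auth_ssf` and `cipher_bits` are logged but never checked, so a login over an unencrypted session gets the same INTERNAL treatment; consider documenting that or requiring a minimum value.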


--
 	      Stuart D. Gathman <stuart at bmsi.com>
     Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


