Mailing List Archive

Obfuscating $authresults
Hi all,

I'm looking at the resulting Authentication-Results: header from an
$authresults expansion when using smtp auth and it's giving auth=pass (METHOD)
smtp.auth=user, or in the case of local submission local=pass (non-smtp,
$primary_hostname) u=user. I was wondering if it would be possible to obfuscate
the user component (e.g. encrypted with HMAC or something like that) so that
you weren't disclosing them to the recipients of your emails. It's using the
$authenticated_id expansion from what I understand. Is there a way to alter
this? Would it be in the server_set_id on the authenticator?

e.g. server_set_id = ${hmac{sha1}{ninjas}{$auth2}}

An hmac doesn't seem like the best tool for this job as you'd have to reverse
it by comparing with your whole user database, surely some kind of encrypted
value would be better with either a symmetric or public key cipher. Would the
only way to achieve this be perl or readsocket?



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
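
The reversal step described in the message above, as an added example that is not part of the original post or of Exim: with an HMAC in place of the user name, recovering the sender from a reported header means computing the HMAC of every account and looking the token up. The key is the one from the post's `server_set_id` line; the account names, the host name and the sample header are constructed, and the token is assumed to appear as lower-case hex after `smtp.auth=`.

```python
import hashlib
import hmac
import re

SECRET = b"ninjas"  # key from the post's server_set_id example
USERS = ["alice", "bob", "carol"]  # constructed account list

def pseudonym(user, secret=SECRET):
    """Hex HMAC-SHA1 of a login; assumed to match what ${hmac{sha1}{..}{..}} emits."""
    return hmac.new(secret, user.encode(), hashlib.sha1).hexdigest()

def build_index(users, secret=SECRET):
    """One HMAC per account: the pass over the whole user database."""
    return {pseudonym(u, secret): u for u in users}

# smtp.auth=<40 hex digits> as it would appear in Authentication-Results
TOKEN_RE = re.compile(r"\bsmtp\.auth=([0-9a-f]{40})\b", re.IGNORECASE)

def reverse_from_header(header, index):
    """Return the account behind the token in a reported header, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    match = TOKEN_RE.search(unfolded)
    return index.get(match.group(1).lower()) if match else None

# Constructed header, folded the way a reporter's copy might be
SAMPLE_HEADER = (
    "Authentication-Results: mail.example.org;\r\n"
    "\tauth=pass (PLAIN) smtp.auth=" + pseudonym("bob")
)

if __name__ == "__main__":
    print(reverse_from_header(SAMPLE_HEADER, build_index(USERS)))
```

The index only covers accounts that exist when it is built, so a token for an account deleted before the report arrives cannot be reversed this way.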
Re: Obfuscating $authresults
On 26/09/2019 02:56, Richard James Salts via Exim-users wrote:
> It's using the
> $authenticated_id expansion from what I understand. Is there a way to alter
> this? Would it be in the server_set_id on the authenticator?

Since it's just a string, you can edit it how you like.
Probably at just before you create the A-R header with it.

--
Cheers,
Jeremy

Re: Obfuscating $authresults
Jeremy Harris via Exim-users <exim-users@exim.org> (Thu 26 Sep 2019 04:04:22 EDT):
> On 26/09/2019 02:56, Richard James Salts via Exim-users wrote:
> > It's using the
> > $authenticated_id expansion from what I understand. Is there a way to alter
> > this? Would it be in the server_set_id on the authenticator?
>
> Since it's just a string, you can edit it how you like.
> Probably at just before you create the A-R header with it.

You're talking about the $authenticated_id?
I do not see a documented way to do it (except using server_set_id
in the authenticators section)

Or you are talking about changing the outcome of the ${authresults }?
This feels ugly. Some modifier, to alter the information that
${authresults } generates, would be good. (And additionally, defaulting
the (currently) one and only parameter to $primary_hostname)

$authresults
defaulting to
${authresults{$primary_hostname}{iprev:dkim:spf:…}}

${authresults{example.com}{-auth}}
${authresults{example.com}{-auth}}
${authresults{example.com}{iprev:dkim}}

--
Heiko
Re: Obfuscating $authresults
On 26/09/2019 9:17 pm, Heiko Schlittermann via Exim-users wrote:

>
> Or you are talking about changing the outcome of the ${authresults }?
> This feels ugly. Some modifier, to alter the information that
> ${authresults } generates, would be good. (And additionally, defaulting
> the (currently) one and only parameter to $primary_hostname)
>
> $authresults
> defaulting to
> ${authresults{$primary_hostname}{iprev:dkim:spf:…}}
>
> ${authresults{example.com}{-auth}}
> ${authresults{example.com}{-auth}}
> ${authresults{example.com}{iprev:dkim}}
>
> --
> Heiko
>
Sorry to necro something this old, but did anything come of this idea?

I'm looking to obfuscate the smtp.auth=username and
smtp.remote-ip=x.x.x.x in messages which are authenticated.

I was planning on doing something with ${sg ...} is that a silly idea?


Re: Obfuscating $authresults
On 05/06/2021 11:35, Richard Salts via Exim-users wrote:
> Sorry to necro something this old, but did anything come of this idea?

No. In my view there is no need to add builtin support, since
you can do anything you want using existing facilities.

> I'm looking to obfuscate the smtp.auth=username and smtp.remote-ip=x.x.x.x in messages which are authenticated.
>
> I was planning on doing something with ${sg ...} is that a silly idea?

Seems rather complicated; why not just not add the AR header
for an authenticated sender? What info *do* you want to present
for them?
--
Cheers,
Jeremy

Re: Obfuscating $authresults
Hi,

On Sat, 5 Jun 2021 20:35:56 +1000 Richard Salts via Exim-users
<exim-users@exim.org> wrote:

> I'm looking to obfuscate the smtp.auth=username and
> smtp.remote-ip=x.x.x.x in messages which are authenticated.

AFAIK, the authresults header is intended to record the authentication
results of an incoming (remote) message. Thus not adding it for
authenticated users will solve your problem.

regards

--
Slavko
http://slavino.sk
Re: Obfuscating $authresults
On 6/06/2021 8:33 pm, Slavko via Exim-users wrote:
> Hi,
>
> On Sat, 5 Jun 2021 20:35:56 +1000 Richard Salts via Exim-users
> <exim-users@exim.org> wrote:
>
>> I'm looking to obfuscate the smtp.auth=username and
>> smtp.remote-ip=x.x.x.x in messages which are authenticated.
> AFAIK, the authresults header is intended to record the authentication
> results of an incoming (remote) message. Thus not adding it for
> authenticated users will solve your problem.
ARC won't sign relayed messages without an Authentication-Results
header, so I need to add it even with authenticated senders.
>
> regards
>
>
Re: Obfuscating $authresults
On 6/06/2021 8:28 pm, Jeremy Harris via Exim-users wrote:
> On 05/06/2021 11:35, Richard Salts via Exim-users wrote:
>> Sorry to necro something this old, but did anything come of this idea?
>
> No.  In my view there is no need to add builtin support, since
> you can do anything you want using existing facilities.
>
>> I'm looking to obfuscate the smtp.auth=username and
>> smtp.remote-ip=x.x.x.x in messages which are authenticated.
>>
>> I was planning on doing something with ${sg ...} is that a silly idea?
>
> Seems rather complicated; why not just not add the AR header
> for an authenticated sender?  What info *do* you want to present
> for them?
I was wanting to encrypt them, so if an abuse report came in I could
reverse the change and find out the actual sender without having to
consult the logs if the reporter had left the trace headers intact.

Re: Obfuscating $authresults
On 06/06/2021 13:32, Richard Salts via Exim-users wrote:
>> Seems rather complicated; why not just not add the AR header
>> for an authenticated sender?  What info *do* you want to present
>> for them?
> I was wanting to encrypt them, so if an abuse report came in I could reverse the change and find out the actual sender without having to consult the logs if the reporter had left the trace headers intact.

I'd suggest you use a different header, or at least a
comment field within an AR (constructed manually).
--
Cheers,
Jeremy

Re: Obfuscating $authresults
On 06/06/2021 13:31, Richard Salts via Exim-users wrote:
> ARC won't sign relayed messages without an Authentication-Results header, so I need to add it even with authenticated senders.

Not so.
--
Cheers,
Jeremy

Re: Obfuscating $authresults
On 06/06/2021 13:31, Richard Salts via Exim-users wrote:
> ARC won't sign relayed messages without an Authentication-Results header, so I need to add it even with authenticated senders.

Thinking on it, perhaps you mean your ARC, in your MSA role (being
the first MTA in the chain, your user having authenticated to you).
There is no particular reason to be ARC-signing in that case; it
doesn't really count as a relay.
--
Cheers,
Jeremy

Re: Obfuscating $authresults
On 6/06/2021 10:55 pm, Jeremy Harris via Exim-users wrote:
> On 06/06/2021 13:31, Richard Salts via Exim-users wrote:
>> ARC won't sign relayed messages without an Authentication-Results
>> header, so I need to add it even with authenticated senders.
>
> Thinking on it, perhaps you mean your ARC, in your MSA role (being
> the first MTA in the chain, your user having authenticated to you).
> There is no particular reason to be ARC-signing in that case; it
> doesn't really count as a relay.

Yes, exactly. That is what I mean.

