Introduction
This document describes how to create a message filter based on the Simple Mail Transfer Protocol (SMTP) authenticated user and log that username into an X-header.
Prerequisites
Cisco recommends that you have knowledge of AsyncOS version 6.5 and later.
Background Information
The SMTP authentication function allows customers to use SMTP authentication for their clients in order to connect to and send mail from Email Security Appliances (ESAs). Since the feature allows the authenticated user to relay, it is possible for users to forge the "From:" field in emails that they send through the Cisco ESA. In order to prevent this forgery, ESA AsyncOS Version 6.5 and later contain a message filter condition that permits comparisons between the authenticated SMTP username and the Mail From email address.
Create a Filter
The message filter condition allows an administrator to write a filter, similar to the example rule in the next section, that checks emails relayed outbound through an SMTP authentication session. If SMTP credentials are compromised, the machine that sends the emails usually generates several addresses to be used as the Mail From: address. A filter built on this condition only allows emails to leave if the authenticated username and the Mail From: address match. Otherwise, the email is treated as having a forged Mail From:, and the message filter action is taken. The message filter action can be any final action; the example rule shows a quarantine action. The filter condition has this syntax:
smtp-auth-id-matches("<target>" [, "<sieve-char>"])
The filter permits a comparison against one of these targets:
- EnvelopeFrom: Compares the address specified in Mail From: in the SMTP conversation.
- FromAddress: Compares addresses parsed out of the From: header. Since multiple addresses are permitted in the From: header, only one of them needs to match.
- Sender: Compares the address specified in the Sender: header.
- Any: Matches messages that were created during an authenticated SMTP session (regardless of the identity).
- None: Matches messages that were not created during an authenticated SMTP session (for example, when SMTP authentication is preferred).
SMTP AUTH ID | SIEVE CHAR | COMPARISON ADDRESS | MATCHES?
someuser | | otheruser@example.com | No
someuser | | someuser@example.com | Yes
someuser | | someuser@face.localhost | Yes
SomeUser | | someuser@example.com | Yes
someuser | | someuser+folder@example.com | No
someuser | + | someuser+folder@example.com | Yes
someUser@example.com | | someuser@forged.com | No
someUser@example.com | | someuser@example.com | Yes
someUser@example.com | | someuser@example.com | Yes
The variable substitution $SMTPAuthID was created so that the original authentication credentials used to relay the message can be included in a header.
Example Rule
Msg_Authentication: if (smtp-auth-id-matches("*Any"))
{
    # Always include the original authentication credentials in a
    # special header.
    insert-header("X-SMTPAUTH", "$SMTPAuthID");
    if (smtp-auth-id-matches("*FromAddress", "+") and
        smtp-auth-id-matches("*EnvelopeFrom", "+"))
    {
        # Username matches. Verify that both the From: header and the
        # envelope sender use a domain this appliance is authoritative for
        # (add further alternatives with | for every such domain).
        if (header('from') != "(?i)@example\.com" or
            mail-from != "(?i)@example\.com")
        {
            # User has specified a domain which cannot be authenticated
            quarantine("forged");
        }
    } else {
        # User claims to be a completely different user
        quarantine("forged");
    }
}
Note: This filter assumes you have a quarantine called forged.
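The comparison semantics in the table above and the decision logic of the example rule are easy to misread, so here is an added Python model of both; it is not AsyncOS code and not part of the original document. The function smtp_auth_id_matches implements the documented rules (case-insensitive comparison, local-part-only comparison when the authenticated ID carries no domain, full-address comparison when it does, and truncation of the local part at the sieve character), and evaluate_example_rule reproduces the quarantine decision of the example rule for a single message. The assumption that the sieve character also applies when the authenticated ID contains a domain, and the domain pattern example.com, are assumptions taken from the page's own example, not documented behaviour.

```python
import re
from email.utils import getaddresses
from typing import Optional

# Added example: a model of the ESA "smtp-auth-id-matches" comparison rules
# as documented in the table, plus the Example Rule's decision logic.
# This is not AsyncOS code; it exists so the semantics can be checked offline.


def smtp_auth_id_matches(auth_id: str, address: str,
                         sieve_char: Optional[str] = None) -> bool:
    """Return True if the authenticated SMTP user ID matches the address.

    Rules taken from the comparison table on the page:
      * the comparison is case-insensitive
      * an auth ID without '@' is compared to the local part only
      * an auth ID with '@' is compared to the whole address
      * with a sieve character, the local part is cut at its first
        occurrence before comparing ("someuser" matches "someuser+folder@...")
    Applying the sieve character in the full-address case too is an
    assumption; the table only shows it for a bare username.
    """
    auth_id = auth_id.strip().lower()
    address = address.strip().lower()
    local, _, domain = address.partition("@")
    if sieve_char and sieve_char in local:
        local = local.split(sieve_char, 1)[0]   # drop "+folder" style suffixes
    if "@" in auth_id:
        return auth_id == f"{local}@{domain}"
    return auth_id == local


# Rows copied from the comparison table: (auth id, sieve char, address, expected)
TABLE = [
    ("someuser", None, "otheruser@example.com", False),
    ("someuser", None, "someuser@example.com", True),
    ("someuser", None, "someuser@face.localhost", True),
    ("SomeUser", None, "someuser@example.com", True),
    ("someuser", None, "someuser+folder@example.com", False),
    ("someuser", "+", "someuser+folder@example.com", True),
    ("someUser@example.com", None, "someuser@forged.com", False),
    ("someUser@example.com", None, "someuser@example.com", True),
]


def check_table():
    """Return the table rows whose documented result the model does not reproduce."""
    return [row for row in TABLE
            if smtp_auth_id_matches(row[0], row[2], row[1]) != row[3]]


# The domain pattern used by the page's example rule; a site would list its own.
ALLOWED_DOMAIN_RE = re.compile(r"@example\.com", re.IGNORECASE)
QUARANTINE = 'quarantine("forged")'


def evaluate_example_rule(auth_id: Optional[str], mail_from: str,
                          from_header: str, sieve_char: str = "+"):
    """Model the Example Rule for one message.

    auth_id is None for an unauthenticated session (smtp-auth-id-matches("*Any")
    is then false and the rule does not fire). Returns (headers_added, action).
    """
    if auth_id is None:
        return {}, "deliver"
    headers = {"X-SMTPAUTH": auth_id}           # insert-header("X-SMTPAUTH", "$SMTPAuthID")
    # *FromAddress: any one address parsed from the From: header may match
    from_addrs = [addr for _, addr in getaddresses([from_header]) if addr]
    from_ok = any(smtp_auth_id_matches(auth_id, a, sieve_char) for a in from_addrs)
    # *EnvelopeFrom: the SMTP MAIL FROM address must match
    env_ok = smtp_auth_id_matches(auth_id, mail_from, sieve_char)
    if not (from_ok and env_ok):
        return headers, QUARANTINE                # claims to be a different user
    # Username matches: both header and envelope must use an allowed domain
    if not ALLOWED_DOMAIN_RE.search(from_header) or not ALLOWED_DOMAIN_RE.search(mail_from):
        return headers, QUARANTINE                # domain cannot be authenticated
    return headers, "deliver"


if __name__ == "__main__":
    print("table mismatches:", check_table())
    # constructed sample message: a valid user spoofing another mailbox
    print(evaluate_example_rule("someuser", "ceo@example.com",
                                "CEO <ceo@example.com>"))
```

Running the module prints an empty mismatch list for the documented table and shows that the constructed spoofing attempt (authenticated as someuser, claiming ceo@example.com) is quarantined while the X-SMTPAUTH header still records who relayed it, which is exactly the audit trail the rule is meant to leave.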
Related Information