
SMTP Auth User ID: N/A

slicciardola
Level 1

Hi all,

I've enabled SMTP auth, but when sending emails, in the tracking I always have:

SMTP Auth User ID: N/A

 

Is it possible to solve this?

Thanks


Libin Varghese
Cisco Employee

The mentioned issue appears to match the below defect:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv15727

 

I see that it's currently being tracked to be fixed in the 14.0 release scheduled next month.

 

Regards,

Libin

slicciardola
Level 1

Thanks for this quick reply,

And, if you know how, how can I make a check on the user sending the message?

Let me try to explain better:

 

User "A": username: mydomain\jsmith; email jsmith@mydomain.com

This user MUST send email ONLY from jsmith@mydomain.com and not be able to send as jsmith2@mydomain.com.

I am still not able to achieve this, even though LDAP is working and I've set the "smtp auth required" under mail policy flow...

Thanks!

 

slicciardola
Level 1

bump!

Libin Varghese
Cisco Employee

I've not seen SMTP auth used in that manner to control who an authenticated user can and cannot send emails to.

You may want to explore creating filters to accomplish such a task.

 

Regards,

Libin

Well... how can I use a filter for this? I suppose SMTP auth is the real deal, because it should do a check against AD and see if user A has in his properties the email address from which he's sending the email, or not?

 


BR

 

Salvatore


Hi Libin,

I've found this:

 

Msg_Authentication: if (smtp-auth-id-matches("*Any"))
{
    # Always include the original authentication credentials in a
    # special header.
    insert-header("X-SMTPAUTH", "$SMTPAuthID");

    if (smtp-auth-id-matches("*FromAddress", "+") and
        smtp-auth-id-matches("*EnvelopeFrom", "+"))
    {
        # Username matches.  Verify the domain
        if (header('from') != "(?i)@(?:example\.com|example\.com)" or mail-from !=
"(?i)@(?:example\.com|\.com)"
        {
            # User has specified a domain which cannot be authenticated
            quarantine("forged");
        }
    } else {
        # User claims to be an completely different user
        quarantine("forged");
    }
}



but it gives me this error:

An error occurred during processing: \.
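
Added example, not part of the original posts and not Cisco's code: a Python sketch of the check the filter above is after, usable offline against logged X-SMTPAUTH values. It assumes the login name equals the mailbox local part, that mydomain.com is the only permitted sender domain, and that a "+tag" suffix is ignored; the function names and sample records are constructed.

```python
from email.utils import parseaddr

# Assumption: the only domain authenticated users may send from.
ALLOWED_DOMAINS = {"mydomain.com"}


def auth_local_part(auth_id: str) -> str:
    """Reduce an SMTP AUTH identity ('DOMAIN\\user', 'user@domain', 'user')
    to a bare, lower-cased username."""
    user = auth_id.strip().rsplit("\\", 1)[-1]
    return user.split("@", 1)[0].lower()


def split_address(value: str):
    """Return (local_part, domain) of a From header or envelope sender,
    or None if no usable address is present."""
    addr = parseaddr(value)[1].lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    # Ignore a '+tag' suffix (assumed equivalent of the "+" argument above).
    return local.split("+", 1)[0], domain


def verdict(auth_id: str, header_from: str, envelope_from: str) -> str:
    """Return 'ok' only if both senders belong to the authenticated user."""
    user = auth_local_part(auth_id)
    if not user:
        return "forged"
    for value in (header_from, envelope_from):
        parts = split_address(value)
        if parts is None:
            return "forged"  # empty or unparsable sender
        local, domain = parts
        if local != user or domain not in ALLOWED_DOMAINS:
            return "forged"
    return "ok"


# Constructed samples: (X-SMTPAUTH value, From header, envelope sender)
SAMPLES = [
    ("mydomain\\jsmith", "John Smith <jsmith@mydomain.com>", "jsmith@mydomain.com"),
    ("mydomain\\jsmith", "jsmith2@mydomain.com", "jsmith@mydomain.com"),
    ("mydomain\\jsmith", "jsmith@other.example", "jsmith@other.example"),
]

if __name__ == "__main__":
    for auth_id, hdr, env in SAMPLES:
        print(f"{auth_id} | {hdr} -> {verdict(auth_id, hdr, env)}")
```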



slicciardola
Level 1

Hi Libin,

It works now, but the custom header x-smtpauth is not sent to the QRadar SIEM since it is a monoline management. How can this be solved?

Thanks

There are two ways to make this data visible in your mail logs.

 

Option a) System Administration / Log Subscriptions.

At the bottom of the screen, add x-smtpauth in the section Global Settings, Logging Options, Headers, then save and commit.

There is a limit of max 10 headers which can be added here.

 

Option b) Create a message filter on the UI to add as many fields as you need, for example:

CLILogSplunkFieldsv13: if recv-listener == "InboundInterface" {
log-entry("DEBUG ARC ARCResults=$Header['ARC-Authentication-Results'] ARCSeal=$Header['ARC-Seal'] ARCSignature=$Header['ARC-Message-Signature']");
}

 

I hope that helps

 

-Marc

Hi,

I already have the x-smtpauth in the log subscriptions.

The problem with filters is that if you add a custom line to the email's header, it will not be reported to any SIEM, so it is not useful for tracking at a glance. Anyway, the problem still remains: any authenticated user can send any email pretending to be someone else. You only have to change the "From:" field in your email client and it works, so it seems like there is no real check against LDAP, but only a simple query to see if a user can send an email, not if he's legitimately allowed to.

BR

 

Salvatore

Hi all,

Apart from this SMTP auth ID that is not going to appear in the logs, I'll try to explain better what I do for those tests:

I use a simple Windows SMTP tool.

Then I put:

1. smtp mail server, so my ESA

2. username and password, in this case for authenticated SMTP

3. From: whatever I put here, it will send the email without further checks!

3. To: any email address

4. Subject and body

5. Send.

 

The problem here is at point 3!! And, in this case, I am not using Exchange servers since it is all by ESA. But I would like this point 3 to be checked in some way, filters or whatever...

Thanks

Hi Salvatore,

Did you ever manage to find a solution? I'm in the same identical spot.

Best,

G
