02-01-2021 01:51 AM
Hi all,
I've enabled SMTP auth, but when sending emails, in the tracking I always have:
SMTP Auth User ID: N/A
Is it possible to solve this?
Thanks
02-01-2021 03:05 AM
The mentioned issue appears to match the defect below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv15727
I see that it's currently being tracked to be fixed in the 14.0 release scheduled next month.
Regards,
Libin
02-01-2021 04:59 AM
Thanks for this quick reply,
and, if you know how, how can I make a check on the user sending the message?
I'll try to explain better:
User "A": username: mydomain\jsmith; email jsmith@mydomain.com
This user MUST send ONLY email from jsmith@mydomain.com and must not be able to send as jsmith2@mydomain.com.
I am still not able to achieve this, even though LDAP is working and I've set "SMTP auth required" under the mail flow policy...
Thanks!
02-02-2021 04:18 AM
bump!
02-02-2021 04:39 AM
I've not seen SMTP auth used in that manner to control who an authenticated user can and cannot send emails to.
You may want to explore creating filters to accomplish such a task.
Regards,
Libin
02-02-2021 10:42 PM
Well... how can I use a filter for this? I suppose SMTP auth is the real deal, because it should do a check against AD and see whether user A has, in his properties, the email address from which he's sending the email, or not?
BR
Salvatore
02-03-2021 12:18 AM
Hi Libin,
I've found this:
Msg_Authentication: if (smtp-auth-id-matches("*Any"))
{
    # Always include the original authentication credentials in a
    # special header.
    insert-header("X-SMTPAUTH", "$SMTPAuthID");
    if (smtp-auth-id-matches("*FromAddress", "+") and
        smtp-auth-id-matches("*EnvelopeFrom", "+"))
    {
        # Username matches. Verify the domain.
        # Inside AsyncOS filter strings a literal dot must be written "\\."
        # (a single "\." is rejected by the parser); replace example.com
        # with the domain(s) your users are allowed to send as.
        if (header('from') != "(?i)@(?:example\\.com)" or
            mail-from != "(?i)@(?:example\\.com)")
        {
            # User has specified a domain which cannot be authenticated
            quarantine("forged");
        }
    } else {
        # User claims to be a completely different user
        quarantine("forged");
    }
}
but it gives me this error:
An error occurred during processing: \.
02-03-2021 11:51 PM
Hi Libin,
it works now, but the custom header x-smtpauth is not sent to the QRadar SIEM since it is a monoline management; how can this be solved?
Thanks
02-04-2021 06:05 AM
There are two ways to make this data visible in your mail logs.
Option a) System Administration / Log Subscriptions.
At the bottom of the screen, add x-smtpauth in the section Global Settings, Logging Options, Headers; save and commit.
There is a limit of a maximum of 10 headers that can be added here.
Option b) Create a message filter in the UI to add as many fields as you need, for example:
CLILogSplunkFieldsv13: if recv-listener == "InboundInterface" {
    log-entry("DEBUG ARC ARCResults=$Header['ARC-Authentication-Results'] ARCSeal=$Header['ARC-Seal'] ARCSignature=$Header['ARC-Message-Signature']");
}
I hope that helps
-Marc
02-04-2021 06:44 AM
Hi,
I already have the x-smtpauth in the log subscriptions.
The problem with filters is that if you add a custom line to the email's header, it will not be reported to any SIEM, so it is not useful to track at a glance. And anyway, the problem still remains: any authenticated user can send any email pretending to be someone else; you only have to change the "From:" field in your email client and it works. So it seems like there is no real check against LDAP, but only a simple query to see if a user can send an email, not whether he is legitimately allowed to.
BR
Salvatore
02-09-2021 12:38 AM
Hi all,
apart from this SMTP auth ID that is not going to appear in the logs, I'll try to explain better what I do for those tests:
I use a simple Windows SMTP tool.
Then I put:
1. SMTP mail server, so my ESA
2. Username and password, in this case for authenticated SMTP
3. From: whatever I put here, it will send the email without further checks!
4. To: any email address
5. Subject and body
6. Send.
The problem here is at point 3!! And, in this case, I am not using Exchange servers since it is all done by the ESA. But I would like point 3 to be checked in some way, with filters or whatever...
Thanks
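The check Salvatore is asking for (the authenticated SMTP user may only send as his own mailbox) is what the quoted Msg_Authentication filter expresses in AsyncOS syntax. Below is an added Python model of that decision, written for this thread; it is not Cisco code and not part of any post. It assumes that the "+" pattern of smtp-auth-id-matches compares the bare username of the auth ID with the user part of the From/MAIL FROM address, that auth IDs may arrive as "DOMAIN\user" or "user@domain", and that the allowed domain list (here mydomain.com) is a constructed placeholder. The test-tool scenario from the post above (a From: address the user does not own) is one of the inputs it classifies.

```python
from email.utils import parseaddr

# Constructed placeholder: the domain(s) an authenticated user may send as.
ALLOWED_DOMAINS = {"mydomain.com"}


def auth_id_username(auth_id: str) -> str:
    """Reduce an SMTP auth ID to its bare username (case-insensitive).

    Accepts 'jsmith', 'MYDOMAIN\\jsmith' (Windows/AD style) and
    'jsmith@mydomain.com' (UPN style). Assumption: this is what the
    "+" pattern of smtp-auth-id-matches compares against.
    """
    if "\\" in auth_id:
        auth_id = auth_id.rsplit("\\", 1)[1]
    if "@" in auth_id:
        auth_id = auth_id.split("@", 1)[0]
    return auth_id.strip().lower()


def split_address(value: str):
    """Return (user, domain) for 'John Smith <jsmith@mydomain.com>',
    '<jsmith@mydomain.com>' or a bare address; ('', '') if unparsable."""
    _, addr = parseaddr(value)
    if "@" not in addr:
        return "", ""
    user, domain = addr.rsplit("@", 1)
    return user.lower(), domain.lower()


def evaluate(auth_id: str, header_from: str, mail_from: str,
             allowed=ALLOWED_DOMAINS):
    """Model of the filter's decision for one message.

    Returns (action, reason, headers) where headers holds the
    X-SMTPAUTH header the filter inserts for authenticated sessions.
    """
    # smtp-auth-id-matches("*Any") is false for unauthenticated sessions:
    # the filter body does not run at all.
    if not auth_id:
        return "skip", "not an authenticated session", {}

    # insert-header("X-SMTPAUTH", "$SMTPAuthID")
    headers = {"X-SMTPAUTH": auth_id}

    user = auth_id_username(auth_id)
    from_user, from_domain = split_address(header_from)
    env_user, env_domain = split_address(mail_from)

    # smtp-auth-id-matches("*FromAddress", "+") and ("*EnvelopeFrom", "+"):
    # both the header From and the envelope sender must carry the auth user.
    if from_user != user or env_user != user:
        return "quarantine", "forged: username does not match auth ID", headers

    # Domain check: header('from') / mail-from must be in the allowed list.
    if from_domain not in allowed or env_domain not in allowed:
        return "quarantine", "forged: domain cannot be authenticated", headers

    return "deliver", "auth ID matches From and MAIL FROM", headers


if __name__ == "__main__":
    # Constructed sample sessions, including the spoofed From: case.
    samples = [
        ("mydomain\\jsmith", "jsmith@mydomain.com", "<jsmith@mydomain.com>"),
        ("mydomain\\jsmith", "John Smith <jsmith2@mydomain.com>", "jsmith@mydomain.com"),
        ("jsmith", "jsmith@other.com", "jsmith@other.com"),
        ("", "anyone@mydomain.com", "anyone@mydomain.com"),
    ]
    for auth, hdr_from, env_from in samples:
        action, reason, hdrs = evaluate(auth, hdr_from, env_from)
        print(f"{auth or '<none>':22} From={hdr_from:36} -> {action}: {reason}")
```

The model is deliberately strict in the same way the filter is: a mismatch on either the header From or the envelope MAIL FROM quarantines the message, so changing only the "From:" field in a mail client is caught even when the client keeps the real envelope sender.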
04-26-2023 02:47 AM
Hi Salvatore,
Did you ever manage to find a solution? I'm in the same identical spot.
Best,
G