Authrewrite Channel Option

From MsgServerDocWiki



Authenticated originator information processing (authrewrite)

The authrewrite option may be used on a source channel to have the MTA propagate authenticated originator information, if available, into the message headers. Normally the SMTP AUTH information is used (specifically, the user's canonical e-mail address, that is, the value of the mail attribute found when looking up the user for authentication), though this may be overridden via the FROM_ACCESS mapping. authrewrite takes a required bit-encoded integer value as an argument, according to the following table:

Bit   Value   Usage
0-3   1       Add a Sender: header line, or a Resent-Sender: header line if a Resent-From: or Resent-Sender: header line was already present, containing the AUTH originator
0-3   2       Add a Sender: header line containing the AUTH originator
0-3   3       Use the AUTH_REWRITE mapping table, probing with any Resent-Sender: and Resent-From: information if present, and otherwise probing with Sender: and From: information
0-3   4       Use the AUTH_REWRITE mapping table, probing with Sender: and From: information
0-3   5       Add a From: header line, or a Resent-From: header line if a Resent-From: or Resent-Sender: header line was already present, containing the AUTH originator. This is NOT RECOMMENDED and CONTRARY TO INTERNET STANDARDS, and likely to HARM the security of your users. This option should almost NEVER be used: THIS MEANS YOU!
0-3   6       Add a From: header line containing the AUTH originator. This is NOT RECOMMENDED and CONTRARY TO INTERNET STANDARDS, and likely to HARM the security of your users. This option should almost NEVER be used: THIS MEANS YOU!
4     16      (New in JES MS 6.2) If set, apply the AUTH_REWRITE mapping table even if SMTP AUTH has not been used
5     32      (New in JES MS 6.2) If set, probes include the source channel as a prefix field, separated by a vertical bar character from the rest of the probe string; that is, when this bit is set probes take the form: source-channel|env-from|[resent-]sender|[resent-]from|auth-originator
6     64      (New in Ancho) If set, use the rewritten version of the envelope from address in constructing the probe
7     128     (New in Ancho) If set, use the canonical version of the envelope from address in constructing the probe. Bit 6 (value 64) is a no-op if this bit is set
8     256     (New in Pasilla) If set, add the value of the AUTH parameter from the SMTP MAIL FROM command to the probe, appearing just after the authenticated originator address

Bits 0-3 together hold a single mode value from 1 to 6; bits 4 and above are independent flags whose values are added to that mode (for example, 4 plus 32 gives 36: probe with Sender: and From:, with the source channel prefixed to the probe).

AUTH_REWRITE mapping table probes normally have the following format:

source-channel|env-from|[resent-]sender|[resent-]from|auth-originator|auth-parameter

Note that the source-channel field and its vertical bar suffix are only present if bit 5 (value 32, new in JES MS 6.2) is set in the authrewrite argument, and the auth-parameter field and its vertical bar prefix are only present if bit 8 (value 256, new in Pasilla) is set in the authrewrite argument.

With authrewrite 3, the probes preferentially use any Resent-Sender: or Resent-From: header line values present, whereas with authrewrite 4 the probes always use Sender: and From:. (Note that normally the AUTH_REWRITE mapping table is only consulted when a submission has included SMTP AUTH information; that is, for the AUTH_REWRITE mapping table to be consulted, not only must the relevant incoming channel be marked with an authrewrite value of 3 or 4, but the submission must also have used the SMTP AUTH command. However, if bit 4 (value 16) is set in the authrewrite channel option's argument, then AUTH_REWRITE will be consulted even for non-authenticated submissions.)

New in Ancho, bit 6 (value 64) of authrewrite, if set, causes a rewritten version of the envelope from address to be used for the env-from field in the probe, as opposed to the original form given in the SMTP MAIL FROM command. The specific rewritten form used is controlled by bit 7 (value 128): if set, the canonical form of the return address will be used; if clear, the normally rewritten form will be used instead. These rewritten forms are useful when access checking is done using the AUTH_REWRITE mapping in order to prevent envelope from forgery by authenticated users, since the check then compares normalized addresses rather than whatever spelling the client happened to supply.

If the mapping table output contains a $J, $j, $K, or $k, then the envelope From: address is replaced with the specified string. If the mapping table output contains a $Y, $y, $T, or $t, then a Sender: header line is added (if authrewrite 3 was specified and if a Resent-Sender: or Resent-From: was already present, then a Resent-Sender: header line is added instead of a Sender: header line) containing the specified string.

If the mapping table output contains a $Z or $z, then a From: header line is added (a Resent-From: in the case of authrewrite 3 and a Resent-From: or Resent-Sender: header line already being present) containing the specified string. (Such replacing of the From: header address is NOT RECOMMENDED and CONTRARY TO INTERNET STANDARDS and quite likely to HARM the overall security of your users. It should almost NEVER be done: THIS MEANS YOU! Despite the wishes and mistaken notions of many sites and users, the From: header line, in Internet e-mail, is NOT INTENDED to represent the "real" originator of a message; it is intentionally defined permitting alternate usages.)

New in Pasilla, if a $O is specified, then another vertical-bar-separated string will be read from the mapping result string and used to set or override the value of the SMTP AUTH parameter for the current transaction. The saslpassauth channel option may then be applied to the destination channel to cause this value to be propagated as an AUTH parameter on the SMTP MAIL FROM command.

New in JES MS 6.2, if a $N is specified, then the message will be rejected. Optional rejection text may be specified after another vertical bar character, |. As of Poblano, $X may also be used to specify the extended error code (specified before the $N text, separated by a |) in the form x.y.z. In the absence of such optional text and optional extended error code, the default text "invalid originator address used" and the default extended error code 5.7.0 will be used.

When using multiple such flags, separate the string arguments with the vertical bar character, |, and specify the string arguments in the order in which the flags are described above ($J, $Y, $Z, $X, $N); that is,

$J$Y$Zenv-from|sender|from-header

or

$X$N|error-code|rejection-text-string

Technically, one could use all five flags in the same entry, though it does not seem likely to be useful:

$J$Y$Z$X$Nenv-from|sender|from-header|error-code|rejection-text-string
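The following simulator ties together the probe format described above and the interpretation of $J, $Y, $Z, $X and $N result strings. It is an added example, not Messaging Server code: the probe layout and the flag semantics follow this page, while the Submission model, the sample addresses, the alias allow-list and the anti-forgery policy are constructed for illustration. The policy is written as a Python function standing in for AUTH_REWRITE mapping entries (whose pattern syntax this page does not cover); it enforces the envelope from forgery check that bits 6 and 7 are intended to support, rejecting with a 5.7.1 when the envelope from does not match the authenticated user, and recording the real submitter in a Sender: header when an allowed alias is used.

```python
"""Simulator for AUTH_REWRITE probes and result strings (added example, not MTA code).
Submission, the sample addresses, ALLOWED_ALIASES and policy() are constructed."""
from dataclasses import dataclass
from typing import Optional

# authrewrite bit values from the table on this page
BIT_NO_AUTH = 16      # bit 4: consult AUTH_REWRITE even without SMTP AUTH
BIT_CHANNEL = 32      # bit 5: prefix the probe with the source channel
BIT_REWRITTEN = 64    # bit 6: probe with the rewritten envelope from
BIT_CANONICAL = 128   # bit 7: probe with the canonical envelope from (bit 6 then a no-op)
BIT_AUTH_PARAM = 256  # bit 8: append the MAIL FROM AUTH parameter
DEFAULT_CODE, DEFAULT_TEXT = "5.7.0", "invalid originator address used"

@dataclass
class Submission:                    # constructed model of one SMTP submission
    channel: str
    env_from: str                    # address as given on MAIL FROM
    headers: dict                    # lower-cased header name -> value
    auth_originator: Optional[str]   # canonical address from SMTP AUTH, or None
    env_from_rewritten: str = ""     # assumed: normally rewritten form of env_from
    env_from_canonical: str = ""     # assumed: canonical form of env_from
    auth_param: str = ""             # AUTH= parameter given on MAIL FROM, if any

def build_probe(sub: Submission, authrewrite: int) -> Optional[str]:
    """Return the AUTH_REWRITE probe, or None when the mapping is not consulted."""
    mode = authrewrite & 0xF
    if mode not in (3, 4):
        raise ValueError("AUTH_REWRITE is only used with authrewrite 3 or 4")
    if sub.auth_originator is None and not authrewrite & BIT_NO_AUTH:
        return None                  # unauthenticated submission and bit 4 clear
    h = sub.headers
    if mode == 3 and ("resent-sender" in h or "resent-from" in h):
        sender, frm = h.get("resent-sender", ""), h.get("resent-from", "")
    else:
        sender, frm = h.get("sender", ""), h.get("from", "")
    if authrewrite & BIT_CANONICAL:
        env_from = sub.env_from_canonical
    elif authrewrite & BIT_REWRITTEN:
        env_from = sub.env_from_rewritten
    else:
        env_from = sub.env_from
    # Assumption: an unauthenticated probe carries an empty auth-originator field.
    fields = [env_from, sender, frm, sub.auth_originator or ""]
    if authrewrite & BIT_CHANNEL:
        fields.insert(0, sub.channel)
    if authrewrite & BIT_AUTH_PARAM:
        fields.append(sub.auth_param)
    return "|".join(fields)

@dataclass
class Outcome:
    env_from: Optional[str] = None        # $J/$K: replacement envelope From
    sender_header: Optional[str] = None   # $Y/$T: Sender: (or Resent-Sender:) to add
    from_header: Optional[str] = None     # $Z: From: (or Resent-From:) to add; discouraged
    reject_code: Optional[str] = None     # $N: extended code from $X, else default
    reject_text: Optional[str] = None     # $N: rejection text, else default

def apply_result(result: str) -> Outcome:
    """Interpret flags, then the |-separated strings in $J, $Y, $Z, $X, $N order."""
    flags, rest, i = set(), [], 0
    while i < len(result):               # $x pairs are flags; everything else is argument text
        if result[i] == "$" and i + 1 < len(result):
            flags.add(result[i + 1].upper()); i += 2
        else:
            rest.append(result[i]); i += 1
    text = "".join(rest)
    if text.startswith("|"):             # accept both "$N|text" and "$Ntext" spellings
        text = text[1:]
    args = text.split("|") if text else []
    def take():
        return args.pop(0) if args else ""
    out = Outcome()
    if flags & {"J", "K"}:
        out.env_from = take()
    if flags & {"Y", "T"}:
        out.sender_header = take()
    if "Z" in flags:
        out.from_header = take()
    code = take() if "X" in flags else ""
    if "N" in flags:
        out.reject_code, out.reject_text = code or DEFAULT_CODE, take() or DEFAULT_TEXT
    return out

# Constructed: addresses each authenticated user may also legitimately submit as.
ALLOWED_ALIASES = {"alice@example.com": {"support@example.com"}}

def policy(probe: str) -> str:
    """Constructed anti-forgery policy in place of mapping entries; expects bit 5 set."""
    fields = probe.split("|")
    assert len(fields) >= 5, "policy expects a source-channel prefix (authrewrite bit 5)"
    _channel, env_from, _sender, _from, auth = (f.lower() for f in fields[:5])
    if not auth:
        return "$N"                      # no SMTP AUTH: default 5.7.0 rejection
    if env_from == auth:
        return ""                        # own address: leave the message alone
    if env_from in ALLOWED_ALIASES.get(auth, set()):
        return "$Y|" + auth              # permitted alias: record the real submitter in Sender:
    return "$X$N|5.7.1|envelope From does not match authenticated user"

def check(sub: Submission, authrewrite: int = 4 | BIT_CHANNEL) -> Optional[Outcome]:
    """Run one submission through probe construction, the policy, and result parsing."""
    probe = build_probe(sub, authrewrite)
    return None if probe is None else apply_result(policy(probe))
```

check() defaults to authrewrite 36 (mode 4 plus bit 5), so the policy can key on the source channel; pass 36 plus 16 to see the unauthenticated rejection path that bit 4 enables, and 4 plus 64 or 128 to see the rewritten or canonical envelope from substituted into the probe.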