
Cisco Email Security Appliance

ESA SMTP Authentication Condition to Prevent Spoofing

Document ID: 117800

Updated: Jun 11, 2014

Contributed by Dan Waller and Robert Sherwin, Cisco TAC Engineers.


Introduction

This document describes how to create a message filter based on the Simple Mail Transfer Protocol (SMTP) authenticated user and log that username into an X-header.

Prerequisites

Cisco recommends that you have knowledge of AsyncOS version 6.5 and later.

Background Information

The SMTP authentication function allows customers' clients to authenticate to an Email Security Appliance (ESA) and send mail through it. Because the feature allows any authenticated user to relay, a user can forge the "From:" field of the emails they send through the Cisco ESA. To prevent this, ESA AsyncOS Version 6.5 and later provide a message filter condition that compares the authenticated SMTP username against the Mail From address (and other sender identities in the message).

Create a Filter

The message filter condition allows an administrator to write a filter, similar to the example rule in the next section, that checks emails relayed outbound through an SMTP authentication session. When SMTP credentials are compromised, the machine that sends through them usually cycles through many different addresses in the Mail From: and From: fields. With the condition in place, a message is only allowed to leave if the authenticated username and the Mail From: address match; otherwise the message is treated as a forged Mail From: and the message filter action fires. The action can be any final action; the example rule uses a quarantine. The filter condition has this syntax:

smtp-auth-id-matches("<target>" [, "<sieve-char>"])

The filter permits a comparison against one of these targets:

  • EnvelopeFrom: Compares the address specified in Mail From: in the SMTP conversation.
  • FromAddress: Compares the addresses parsed out of the From: header. Since multiple addresses are permitted in the From: header, only one of them needs to match.
  • Sender: Compares the address specified in the Sender: header.
  • Any: Matches messages that were created during an authenticated SMTP session (regardless of the identity).
  • None: Matches messages that were not created during an authenticated SMTP session (for example, when SMTP authentication is preferred but not required, so unauthenticated sessions are still accepted).
The comparison is case-insensitive. The domain is only compared when the SMTP auth ID itself contains one; a bare username matches that local part at any domain. The optional sieve character discards everything in the local part of the compared address from that character onward, which lets plus-addressed senders (someuser+folder) pass. The following table shows how the condition evaluates:

SMTP Auth ID            Sieve Char   Comparison Address              Matches?
someuser                             otheruser@example.com           No
someuser                             someuser@example.com            Yes
someuser                             someuser@face.localhost         Yes
SomeUser                             someuser@example.com            Yes
someuser                             someuser+folder@example.com     No
someuser                +            someuser+folder@example.com     Yes
someUser@example.com                 someuser@forged.com             No
someUser@example.com                 someuser@example.com            Yes

The action variable $SMTPAuthID expands to the credential that was used to authenticate the relaying session, so the original authentication identity can be recorded in a header of the message (the example rule below writes it to X-SMTPAUTH). This gives you a reliable trail back to the compromised account when a forged message is investigated.

Example Rule

Msg_Authentication: if (smtp-auth-id-matches("*Any"))
{
    # Always include the original authentication credentials in a
    # special header.
    insert-header("X-SMTPAUTH", "$SMTPAuthID");

    if (smtp-auth-id-matches("*FromAddress", "+") and
        smtp-auth-id-matches("*EnvelopeFrom", "+"))
    {
        # Username matches.  Verify the domain: both the From: header and
        # the envelope sender must use a domain this appliance
        # authenticates for (add further domains to the alternation,
        # for example "(?:example\.com|otherdomain\.com)").
        if (header('from') != "(?i)@(?:example\.com)" or
            mail-from != "(?i)@(?:example\.com)")
        {
            # User has specified a domain which cannot be authenticated
            quarantine("forged");
        }
    } else {
        # User claims to be a completely different user
        quarantine("forged");
    }
}

Note: This filter assumes you have a policy quarantine called forged. Create it first; otherwise the quarantine() action has nowhere to deliver the message. The domain regular expressions in the example are not anchored, so a domain such as example.com.attacker.net would also satisfy "@example\.com"; anchor or tighten the pattern if that matters in your environment.
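To make the matching rules from the comparison table and the decision logic of the example rule concrete, here is an added reference model in Python. It is not AsyncOS code and not part of this document's original content: the function names, the handling of the sieve character (applied to the compared address only) and the anchored domain pattern are assumptions made for the illustration, and the table rows and test messages are constructed inline.

```python
"""Added reference model of smtp-auth-id-matches() and of the example
message filter above.  Not AsyncOS code; names and details are assumed."""
import re

# Constructed rows reproducing the comparison table from the document:
# (SMTP auth ID, sieve char or None, comparison address, expected result)
TABLE = [
    ("someuser", None, "otheruser@example.com", False),
    ("someuser", None, "someuser@example.com", True),
    ("someuser", None, "someuser@face.localhost", True),
    ("SomeUser", None, "someuser@example.com", True),
    ("someuser", None, "someuser+folder@example.com", False),
    ("someuser", "+", "someuser+folder@example.com", True),
    ("someUser@example.com", None, "someuser@forged.com", False),
    ("someUser@example.com", None, "someuser@example.com", True),
]


def _split(addr):
    """Return (local, domain) in lower case; domain is None when absent."""
    local, sep, domain = addr.strip().lower().partition("@")
    return local, (domain if sep else None)


def smtp_auth_id_matches(auth_id, address, sieve_char=None):
    """Model of smtp-auth-id-matches(): case-insensitive comparison of the
    authenticated user against one address.  The domain is compared only
    when the auth ID carries one.  With a sieve character, everything in
    the address local part from that character onward is ignored (assumed
    to apply to the compared address only)."""
    auth_local, auth_domain = _split(auth_id)
    addr_local, addr_domain = _split(address)
    if sieve_char:
        addr_local = addr_local.split(sieve_char, 1)[0]
    if auth_local != addr_local:
        return False
    return auth_domain is None or auth_domain == addr_domain


def check_table():
    """True when every constructed table row evaluates as documented."""
    return all(smtp_auth_id_matches(a, c, s) == e for a, s, c, e in TABLE)


# Domains this (hypothetical) appliance authenticates for.  Unlike the
# rule's "(?i)@example\.com", the pattern refuses to match when the domain
# continues (e.g. example.com.attacker.net); "(?![\w.-])" supplies that.
ALLOWED_DOMAINS = re.compile(r"@example\.com(?![\w.-])", re.IGNORECASE)

_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def evaluate_rule(auth_id, mail_from, from_header):
    """Model of the example filter for one authenticated message.
    from_header is the raw From: header; several addresses may be listed
    and only one needs to match.  Returns ('deliver', headers_added) or
    ('quarantine', reason)."""
    headers = {"X-SMTPAUTH": auth_id}          # always stamp the credential
    from_addrs = _ADDR.findall(from_header)
    username_ok = (
        any(smtp_auth_id_matches(auth_id, a, "+") for a in from_addrs)
        and smtp_auth_id_matches(auth_id, mail_from, "+")
    )
    if not username_ok:
        return "quarantine", "user claims to be a completely different user"
    # Same shape as the rule: the header value and the envelope sender must
    # both contain an allowed domain.
    if not (ALLOWED_DOMAINS.search(from_header)
            and ALLOWED_DOMAINS.search(mail_from)):
        return "quarantine", "domain cannot be authenticated"
    return "deliver", headers


if __name__ == "__main__":
    print("table consistent:", check_table())
    for args in [
        ("someuser", "someuser@example.com", "Some User <someuser@example.com>"),
        ("someuser", "ceo@example.com", "CEO <ceo@example.com>"),
        ("someuser", "someuser@forged.com", "<someuser@forged.com>"),
        ("someuser", "someuser@example.com.attacker.net",
         "<someuser@example.com.attacker.net>"),
    ]:
        print(args[1:], "->", evaluate_rule(*args))
```

Run it and compare the decisions with the branches of the example rule: a different local part is caught by the username comparison, a foreign domain by the domain check, and the plus-suffixed sender passes because of the "+" sieve character. The model also shows why the domain pattern is worth anchoring, since the rule's own unanchored regex would let example.com.attacker.net through.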
