Q5023

Nigel Metheringham edited this page Nov 29, 2012 · 2 revisions
Clone this wiki locally

Q5023

Question

Why does Exim do ident callbacks by default? Isn't this just a waste of resources? I've been told this is an ancient way of authentication. Is it obsolete?

Answer

This is a common misunderstanding, at least partially resulting from the incorrect naming of the protocol when it was first published. The service on port 113 is an identification service, which allows a target host to record information identifying the user responsible for making a connection to it. The information may not be intelligible to the recording host - it could, for example, be encrypted so that only someone on the calling host can make sense of it. It is useful for providing additional information in an audit trail. At least one site has found ident effective against two rather prevalent kinds of open proxy (whether already blacklisted at the RBLs or not). An ACL statement is used to reject mail from servers that return ident strings of squid and CacheFlow Server. Snippets such as this in the RCPT ACL do the trick:

deny  condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
  message = Rejected - appears to be an unsecured proxy: $sender_ident

The likelihood that a genuine mail process would return those specific ident strings is vanishingly small. The ident data should not be used for authentication in any form except on a closed secure network between cooperating hosts (probably not even then). The information from the source host is only as reliable as the host itself. If it's not under your control then you have to treat the information as opaque data that can be used only by the sysadmin of the source system to trace back connection data. Some ident implementations send out opaque cookies or DES encrypted information. Ident is hugely useful at times - especially for checking back on connections from multiuser machines (as opposed to one-person desktop boxes). You can stop Exim making ident calls by adding

rfc1413_query_timeout = 0s

to its configuration, but it is better to leave it active (reducing the timeout to 10s or less if it is causing problems) - it costs very little, and in cases of mail forgery from a multiuser system can track the sinner concerned very quickly.