Authentication warning on sender ... yuck

Authentication warning on sender ... yuck

[Harry Putnam]

Once more raising the question of what gnus does concerning a "Sender"
line and where gnus stops and sendmail (mta)  starts.

I've been noticing this line in my messages:
Authentication-Warning: reader.ptw.com: reader set sender to blah blah 


Far as I know I have not done that.  I am masquerading ptw's mail
machine though.

It seems to be coming directly from gnus... Here is why I say that:

Tailing my maillog as I send test messages from gnus, I see that
warning messages on out-going messages.  

Using berkely mail,  I see the outgoing message, it contains no warning
Using mutt, I see the outgoing message, it contains no warning.

All those mail clients use sendmail as mta, but only messages sent
with gnus contain that warning.  I do have this in .gnus.

(setq message-syntax-checks '((sender . disabled)))

Re: Authentication warning on sender ... yuck

[Doug Bagley]

Harry Putnam <reader@newsguy.com> writes:
> Once more raising the question of what gnus does concerning a "Sender"
> line and where gnus stops and sendmail (mta)  starts.
> 
> I've been noticing this line in my messages:
> Authentication-Warning: reader.ptw.com: reader set sender to blah blah 

Sendmail will produce these headers.

> All those mail clients use sendmail as mta, but only messages sent
> with gnus contain that warning.  I do have this in .gnus.
> 
> (setq message-syntax-checks '((sender . disabled)))

The problem isn't the sender or gnus really, it's how sendmail is
invoked, with command line arguments to set the SMTP MAIL FROM, or
approximately that, my brain is fading.

I solved it on my end by adding myself as a trusted user to my
sendmail.cf, check out this section if you have it in your sendmail.cf:

#####################
#   Trusted users   #
#####################

# this is equivalent to setting class "t"
#Ft/etc/sendmail.ct
Troot
Tdaemon
Tuucp

Cheers,
Doug

Re: Authentication warning on sender ... yuck

[Kai Großjohann]

Harry Putnam <reader@newsguy.com> writes:

> I've been noticing this line in my messages:
> Authentication-Warning: reader.ptw.com: reader set sender to blah blah 

Gnus is invoking sendmail with the -f switch.  The variable
message-sendmail-f-is-evil can be set to avoid this.

kai
-- 
~/.signature: No such file or directory

Re: Authentication warning on sender ... yuck

[Hrvoje Niksic]

Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:

> Harry Putnam <reader@newsguy.com> writes:
> 
> > I've been noticing this line in my messages:
> > Authentication-Warning: reader.ptw.com: reader set sender to blah blah 
> 
> Gnus is invoking sendmail with the -f switch.  The variable
> message-sendmail-f-is-evil can be set to avoid this.

Argh, but *why* is it using the `-f' switch?  I don't really want to
turn it off before I understand why it's there in the first place.


Doug Bagley <doug@deja.com> writes:

> I solved it on my end by adding myself as a trusted user to my
> sendmail.cf, check out this section if you have it in your
> sendmail.cf:

Same here -- I'm not sure whether I really want to be a "trusted user"
and why.  What if someone else wants to use Gnus on my machine?  Need
he be a trusted user too?

Can someone who understand these matters explain what's going on?

Re: Authentication warning on sender ... yuck

[Kai Großjohann]

Hrvoje Niksic <hniksic@iskon.hr> writes:

> Argh, but *why* is it using the `-f' switch?  I don't really want to
> turn it off before I understand why it's there in the first place.

Hm.  Why would Gnus want to set the envelope from?  Maybe it is
because some (broken) programs use the envelope from for replies, and
if you set the mail address explicitly, the envelope from is likely to
be wrong.  But only Lars can know for sure...

kai
-- 
~/.signature: No such file or directory

Re: Authentication warning on sender ... yuck

[Doug Bagley]

Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:
> Hrvoje Niksic <hniksic@iskon.hr> writes:
> 
> > Argh, but *why* is it using the `-f' switch?  I don't really want to
> > turn it off before I understand why it's there in the first place.
> 
> Hm.  Why would Gnus want to set the envelope from?  Maybe it is
> because some (broken) programs use the envelope from for replies, and
> if you set the mail address explicitly, the envelope from is likely to
> be wrong.  But only Lars can know for sure...

Personally, I like the fact that Gnus can set the envelope from.  I
guess since message-sendmail-f-is-evil exists, you can have it either
way.

Cheers,
Doug

Re: Authentication warning on sender ... yuck

[Karl Kleinpaste]

One is stuck with either
[a] sendmail sets MAIL FROM:<> to yourname@your.actual.host.name, when
    f-is-evil is t, which can be seriously suboptimal, or
[b] MAIL FROM:<> gets set to what you like, but the foolish auth
    warning gets included in the headers, when f-is-evil is nil.

The right solution would be to get both positive effects, setting the
envelope without creating the warning.  As a "favor" to enhance
"security," the warning is a bad joke.

Since I'm the only user of my machines, tweaking the T lines of
sendmail.cf is an acceptable workaround.  But it's still Wrong to do
so, philosophically.

Re: Authentication warning on sender ... yuck

[David S. Goldberg]

As I recall it, the -f-is-evil thing came about because some things
(MMDF?  it's been too long) ceased to work if sendmail was run with
-f.  This sort of thing was an issue with MH at one point too.

> Since I'm the only user of my machines, tweaking the T lines of
> sendmail.cf is an acceptable workaround.  But it's still Wrong to do
> so, philosophically.

Why not just turn the warnings off entirely then?  IIRC you just have
to take authwarnings out of the PrivacyOptions (or disable
PrivacyOptions entirely).
-- 
Dave Goldberg
Post: The Mitre Corporation\MS B325\202 Burlington Rd.\Bedford, MA 01730
Phone: 781-271-3887
Email: dsg@mitre.org

Re: Authentication warning on sender ... yuck

[Stainless Steel Rat]

* dsg@mitre.org (David S. Goldberg)  on Thu, 10 Feb 2000
| Why not just turn the warnings off entirely then?  IIRC you just have
| to take authwarnings out of the PrivacyOptions (or disable
| PrivacyOptions entirely).

Because it is that much harder to track down someone who is abusing your
MTA.
-- 
Rat <ratinox@peorth.gweep.net>    \ Ingredients of Happy Fun Ball include an
Minion of Nathan - Nathan says Hi! \ unknown glowing substance which fell to
PGP Key: at a key server near you!  \ Earth, presumably from outer space.

Re: Authentication warning on sender ... yuck

[Russ Allbery]

Kai Großjohann <Kai.Grossjohann@CS.Uni-Dortmund.DE> writes:
> Hrvoje Niksic <hniksic@iskon.hr> writes:

>> Argh, but *why* is it using the `-f' switch?  I don't really want to
>> turn it off before I understand why it's there in the first place.

> Hm.  Why would Gnus want to set the envelope from?  Maybe it is because
> some (broken) programs use the envelope from for replies, and if you set
> the mail address explicitly, the envelope from is likely to be wrong.
> But only Lars can know for sure...

So that your envelope sender matches your From header in the presence of
posting profiles, allowing bounces to go to the right address if you sort
your mail on that basis.  Or at least that's what I use it for; it's quite
nice.

-- 
Russ Allbery (rra@stanford.edu)         <URL:http://www.eyrie.org/~eagle/>

Re: Authentication warning on sender ... yuck

[Amos Gouaux]

>>>>> On 10 Feb 2000 10:27:29 -0500,
>>>>> Karl Kleinpaste <karl@justresearch.com> (kk) writes:

kk> The right solution would be to get both positive effects, setting the
kk> envelope without creating the warning.  As a "favor" to enhance
kk> "security," the warning is a bad joke.

Then use Postfix--it doesn't rant when -f is used.

Or, use smtpmail, which is what I use for this and other reasons.
I did have to fiddle with smtpmail.el a bit, though, to get it to
not discard user-mail-address if set by gnus-posting-styles
(address).

Amos

Re: Authentication warning on sender ... yuck

[Michael Sperber [Mr. Preprocessor]]

>>>>> "Doug" == Doug Bagley <doug@deja.com> writes:

Doug> Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:
>> Hrvoje Niksic <hniksic@iskon.hr> writes:
>> 
>> > Argh, but *why* is it using the `-f' switch?  I don't really want to
>> > turn it off before I understand why it's there in the first place.
>> 
>> Hm.  Why would Gnus want to set the envelope from?  Maybe it is
>> because some (broken) programs use the envelope from for replies, and
>> if you set the mail address explicitly, the envelope from is likely to
>> be wrong.  But only Lars can know for sure...

Doug> Personally, I like the fact that Gnus can set the envelope from.  I
Doug> guess since message-sendmail-f-is-evil exists, you can have it either
Doug> way.

But the default for that variable is wrong.  It should be t, since -f
is a fix for *broken* systems.

-- 
Cheers =8-} Mike
Friede, Völkerverständigung und überhaupt blabla

Re: Authentication warning on sender ... yuck

[Amos Gouaux]

>>>>> On 11 Feb 2000 14:06:56 +0100,
>>>>> Michael Sperber <sperber@informatik.uni-tuebingen.de> (ms) writes:

ms> But the default for that variable is wrong.  It should be t, since -f
ms> is a fix for *broken* systems.

Maybe, but you'll likely be creating more problems than solving.
Even the widely used PINE sets -f.

Personally, I don't know what the big deal is.  If you don't like
the warning sendwhale issues, use postfix.  

Another alternative for either MTA is to invoke it as
/usr/lib/sendmail -bs, then talk SMTP to it.  This takes advantage
of a local queue that at times might be desirable, yet dispenses
with the -f issue altogether.  I believe PINE can do this as well.

Amos