ident in postfix

Discussion:

ident in postfix

(too old to reply)

Paweł Gołaszewski

2004-04-03 21:01:46 UTC

Is there any chance to enable ident queries in postfix? Only thing
http://archives.neohapsis.com/archives/postfix/2001-12/1110.html It's
quite old, but gives basic ident support (no config options, so it ha=

to be fixed). Good for start working on it.
=20
Why ident? Because I've got machine which is virus-filter. I can send
to many network admins wirus notifications, but when network is behin=

NAT - it's useless. Only ident can give any usefull info. exim,
zmailer, sendmail can ude ident out-of-the-box...

For ident to be useful the target must allow it. Nearly no one does
today so why bother with ident?

How otherwise you can identify user behind NAT? If someone does not allo=
w
to use ident - it's his problem. On my systems I want to have with
abuse-report ident string. This allows me to identify my user.

No, ident is usefull.

--=20
pozdr. Pawe=B3 Go=B3aszewski=20
---------------------------------
worth to see: http://www.againsttcpa.com/
CPU not found - software emulation...

WC -Sx- Jones

2004-04-03 21:44:07 UTC

Permalink

Post by PaweÅ GoÅaszewski
No, ident is usefull.
=20

I don't run ident services here -
how are you going to ident me?

-Sx-

Greg A. Woods

2004-04-04 18:02:23 UTC

Permalink

[ On Saturday, April 3, 2004 at 16:44:01 (-0500), WC -Sx- Jones wrote: ]

Subject: Re: ident in postfix
I don't run ident services here -
how are you going to ident me?

You misunderstand. Ident is useful, and perhaps even necessary, to
those who run it; and it is not _directly_ useful to those who query it.
Those who query ident do so on behalf of those who run it, and they do
so as a form of insurance.

I.e. as I said before, if you come to me with a complaint about some
SMTP connection which you say originated from some server I'm
responsible for, and if you can't provide me with the ident string that
goes along with it, then I can't given you anywhere near as much help as
I could if you did have that ident string for me.

However that ident string (which you can get from my server when a
connection is made from my server to your server) isn't (supposed to be)
useful to you or anyone else. In fact it's even encrypted (though
perhaps not as well as it could be -- there are many tradeoffs) in an
attempt to help protect the privacy of my users.

--
Greg A. Woods

+1 416 218-0098 VE3TCP RoboHack <***@robohack.ca>
Planix, Inc. <***@planix.com> Secrets of the Weird <***@weird.com>

WC -Sx- Jones

2004-04-04 22:05:29 UTC

Permalink

Post by Greg A. Woods
You misunderstand. Ident is useful, and perhaps even necessary, to
those who run it; and it is not _directly_ useful to those who query it.
Those who query ident do so on behalf of those who run it, and they do
so as a form of insurance.

Agreed. I am also prolly confusing your use of ident with the old
non-authenticated UserID for an Apache WWW session - where remote UserID
is empty because ident cannot be trusted to be running on the remote
system which made the HTTP conection.

But we are OT now.

Thanks for the better explainanation.

Bill

Greg A. Woods

2004-04-05 21:49:29 UTC

Permalink

[ On Sunday, April 4, 2004 at 18:05:17 (-0400), WC -Sx- Jones wrote: ]

Subject: Re: ident in postfix
Agreed. I am also prolly confusing your use of ident with the old
non-authenticated UserID for an Apache WWW session - where remote UserID
is empty because ident cannot be trusted to be running on the remote
system which made the HTTP conection.

No, you're not confused. It is and was the same thing but Apache and
its implementers were seriously confused. ;-)

Far too many people thought IDENT could be used for authentication, but
it was only ever an identification protocol (an one useful only for
audit trails), not an authentication mechanism. ;-)

--
Greg A. Woods

+1 416 218-0098 VE3TCP RoboHack <***@robohack.ca>
Planix, Inc. <***@planix.com> Secrets of the Weird <***@weird.com>