My Oracle Support Banner

Is It Possible to Report to Syslog from the AUTH_REWRITE Mapping Table ? (Doc ID 2481807.1)

Last updated on FEBRUARY 21, 2019

Applies to:

Oracle Communications Messaging Server - Version 8.0.2 and later
Information in this document applies to any platform.

Goal

Define a way to report to syslog from the AUTH_REWRITE mapping table.

To implement "AUTH_REWRITE mapping that prevents authenticated users from sending messages from addresses other than the ones listed in their mail, mailAltnerateAddress, or mailEquivalentAddress"
as in https://msg.wikidoc.info/index.php?title=AUTH_REWRITE_mapping_table

NOTE: This is only on "MMP" systems, which run the MMP and MTA components, where users (and some applications) submit mail. SMTP/SUBMIT are already configured to require authentication.


To do this in a staged fashion, first report who/what would be blocked.

Reporting this in splunk is possible, but challenging.  The problem is that the authentication information is in the record while the From: header info is in the record.  Doing a splunk query to tie those together (by the 'pi= ' field) should be possible, but would be challenging.

One option would be to implement the config to do the mail blocking.  Alternately, report it to syslog with the '$<' mapping template flag.

However, '$<' is only available in Recipient Access mapping tables and not AUTH_REWRITE.

How can we configure this to block spoofing, but report instead of block ?
 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.