						Vladimir Dubrovin
						vlad@sandy.ru

SANDY RADIUS Attributes for Mail Authorization and Authentication.

Status of this document:
This document is a draft for corporate standard for SANDY
http://www.sandy.ru

Permissions to use:
You can use this document as is. Any attributes are subject to change.
If you have any comments or suggestions feel free to contact
vlad@sandy.ru

Vendor Code (PEN): 11406 (SANDY)

Attributes            Sandy-Mail-Service,           Sandy-Mail-Authtype,
Sandy-Mail-Challenge,  Sandy-Mail-Response MAY present in Access-Request
RADIUS packet. The rest of packets MAY present in SUCCESS response.

Note: Microsoft implemented NTLM authentication for many mail protocols.
SANDY   doesn't   any   special   attributes   for   NTLM  because  NTLM
authentication  can  be  done by implementing MS-CHAP authentication via
RADIUS.  MS-CHAP authentication in RADIUS is covered by RFC 2433 and RFC
2458.

1. Attribute: Sandy-Mail-Service
Vendor-Type: 100
Vendor-Length: 4
Type: integer.

This  attributes  enumerates possible mail services. This attribute MUST
present  in  all  requests to RADIUS server from RADIUS client regarding
mail authentication. Possible values:

   Transfer        1
   Delivery        2
   POP             3
   IMAP            4
   WEBMAIL         5
   Control         6
   Usercheck       7

Transfer   -   for   mail  transfer  (SMTP  for  example).  MAY  require
authentication (either clear text/PAP or CRAM-MD5 or NTLM).

Delivery - for mail delivery, for example mail.local. SHOULD NOT require
authentication, only authorization required for user.

POP  -  POP2/POP3  access.  MUST  require authentication (cleartext/PAP,
APOP, CRAM-MD5 or NTLM).

IMAP  -  IMAP2/IMAP4 access. MUST require authentication (cleartext/PAP,
CRAM-MD5 or NTLM).

WEBMAIL  - access via webmail. MUST require authentication (cleartext or
NTLM).

Control - account control access (for example Eudora-compatible password
change or setting of user-defined filters).

2. Attribute: Sandy-Mail-Authtype
Vendor-Type: 101
Vendor-Length: 4
Type: Integer

This  attribute  shows  a  type  of  authentication requested by client.
It SHOULD be used in all Authentication Request packets from NAS.

Possible values:

   NONE            0
   PLAIN           1
   CRAM-MD5        2
   APOP            3
   KRB4            4
   KRB5            5
   NTLM            6
   NTLM2           7
   CRAM-MD4        8
   CRAM-SHA1       9

NONE  -  client  doesn't do authentication. This is valid in conjunction
with Transfer and Delivery Sandy-Mail-Service attributes.

PLAIN - authentication via cleartext (PAP).

CRAM-MD5 - RFC2104/RFC2195/RFC2554 CRAM-MD5 authentication

APOP - RFC 1939 APOP authentication

KRB4 - (reserved) Kerberos V4 authentication

KRB5 - (reserved) Kerberos V5 authentication

NTLM  -  Microsoft  NTLM  v1  authentication.  SHOULD  be implemented as
         MS-CHAP v1 (RFC2433/RFC2458)

NTLM2   -   (reserved)  Microsoft  NTLM  v2  authentication.  SHOULD  be
        implemented as MS-CHAP v2 (RFC2759/RFC2458)

CRAM-MD4 - MD4 digest authentication

CRAM-SHA1 - SHA1 digest authentication


3. Attribute: Sandy-Mail-Challenge
Vendor-Type: 102
Vendor-Length: >2
Type: String

Challenge for challenge-response (APOP, CRAM-MD5) authentication

4. Attribute: Sandy-Mail-Response
Vendor-Type: 103
Vendor-Length: >2
Type: Octets

Response to challenge-response (APOP, CRAM-MD5) authentication

5. Sandy-Mail-Address
Vendor-Type: 104
Vendor-Length: >2
Type: Octets

E-mail  address.  It  MAY  be used to show destination e-mail address on
Transfer  and  source e-mail address on Delivery request and in reply to
WEBMAIL request.

6. Sandy-Mail-Spamcontrol
Vendor-Type: 105
Vendor-Length: 4
Type: Integer

bit-masked value to show which spam-control mechanism SHOULD be used for
user account. It MAY be used in reply to Transfer or Delivery request.

Special values:
 NONE          0
 ALL           0xFFFFFFFF

All other values are are obtained by XORing this values:
 Relaying         1
 IPResolve        2
 Helo             4
 BlackList        6
 WhiteList        16
 RBL              32
 MailFrom         64
 SrcDomain        128
 DstDomain        256
 Content          512

First  16  bits  (values  > 0x0000FFFF) can be used for implementation -
specific mechanisms.

 NONE - no check. Any kind of relaying allowed
 Ralaying - (for Transfer) - check unauthorized relaying attempts
 IPResolv - (for Transfer) - check source IP address to resolve in DNS
 Helo - (for Transfer) check resolution of name in SMTP HELO command
 BlackList - check in the BlackList
 WhiteList - check in WhiteList
 RBL - (for Transfer) turn on RBL-like checks
 MailFrom - (for Transfer) check existence of Mail From: address
 SrcDomain - check existence of source domain
 DstDinain - check existence of destination domain
 Content - turn on content filtering
 ALL - do all possible checks

7. Attribute: Sandy-Mail-Notification
Vendor-Type: 106
Vendor-Length: >2
Type: Octets

This  attribute  can  be  used  to notify user on new mail received (for
example   via   SMS).   It   MAY   be   used  in  response  to  Delivery
Sandy-Mail-Service.  Value  of  this  attribute  is fully implementation
specific and may be divided into subfields.

8. Attribute: Sandy-Mail-Box
Vendor-Type: 107
Vendor-Length: >2
Type: String

This attribute shows location of user's mailbox. It can also be used for
redirection  of  all messages to another address, program, etc. Value of
this  attribute  is  implementation  specific,  but  sendmail  syntax is
recommended though (that is first symbol defines a type of destination -
'|'  -  program, '>' - file, etc). This attribute MAY be used in replies
First  16  bits  (values  > 0x0000FFFF) can be used for implementation -
specific mechanisms. to Delivery request.

9. Attribute: Sandy-Mail-Quota
Vendor-Type: 108
Vendor-Length: 4
Type: Integer

Contains  a  quota  for user's mailbox size in octets. It MAY be used in
reply to Delivery request.

10. Attribute: Sandy-Mail-Filter
Vendor-Type: 109
Vendor-Length: >5
Type: Octets

This complex attribute contains of 3 parts - Filter-Name, Parameter-Name
and  Parameter-Value. Each part consists of 1 octet which shows a length
of  the  part  followed  by  content of the part. It's used to configure
user-defined    filters    (for   automatic   forwarding,   replies   or
user-controlled  content  filtering). A single RADIUS packet MAY contain
multiple Sandy-Mail-Filter attributes.

Example:

This Sandy-Mail-Filter sets DESTINATION parameter for 'forward' filter.

106* 33* 7* forward 11* DESTINATION 13* vlad@sandy.ru

106* - Vendor-Type
 33* - Vendor-Length ( 1 + 7 + 1 + 11 + 1 + 13)
  7* - strlen("forward")
 11* - strlen("DESTINATION")
 13* - strlen("vlad@sandy.ru")

11. Attribute: Sandy-Mail-Box-Control
Vendor-Type: 110
Vendor-Length: 4
Type: Integer

bit-masked value to show which control mechanism SHOULD be used for user
account.  It  MAY  be  used  in  reply  to POP, IMAP, WEBMAIL or Control
request.   First   16  bits  (values  >  0x0000FFFF)  can  be  used  for
implementation - specific mechanisms.

 Values:

 Delete-Messages   1
 Keep-Sent         2
 Read-Only         4

Delete-Messages  -  delete messages immediately after user retrieval (do
not allow user to store his mail on server).

Keep-Sent - save all sent messages in Sent folder (for Webmail)

Read-Only  -  allow  read  only access to user's account (for example to
chare account among multiple users).

11. Attribute: Sandy-Mail-Box-Status
Vendor-Type: 111
Vendor-Length: 4
Type: Integer

Integer bitmasked value . Value of 0x00000000 - valid mailbox. 0xFFFFFFFF
-non-existant mailbox.

 Values:

 Delivery-Blocked	1
 Transfer-Blocked	2
 Reception-Blocked	4
 

Values > 65535 are implementation specific.