Author: Christopher Curtis Date: To: Exim Users Mailing List Subject: [Exim] Forcing tls authentication
Hello,
I've been fighting this for a little while now, but am not making much
headway. The situation seems pretty simple:
I want to act as an open relay for anyone who has authenticated themselves
using a TLS connection. I've configured mozilla to use this machine as an
SMTP server and created an account for myself. However, running at debug
level 5, I see this [edited]:
Connection request from 100.100.100.100/21487
1 SMTP accept process running
listening on port 25...
host in rfc1413_hosts? yes (*)
host in host_lookup? yes (*)
looking up host name for 100.100.100.100
IP address lookup yielded m1.foo.com
set_process_info: 29689 handling incoming connection from m1.foo.com [100.100.100.100]
host in host_reject? no (option unset)
host in host_reject_recipients? no (option unset)
host in auth_hosts? no (end of list)
host in auth_over_tls_hosts? yes (*)
host in tls_hosts? no (end of list)
host in sender_unqualified_hosts? no (option unset)
host in receiver_unqualified_hosts? no (option unset)
host in helo_verify? no (option unset)
host in helo_accept_junk_hosts? no (option unset)
SMTP>> 220 m1.bar.com ESMTP Exim 3.33 #1 Wed, 31 Oct 2001 12:57:37 -0500
set_process_info: 29689 handling incoming connection from m1.foo.com [100.100.100.100]
ready for new message
smtp_setup_msg entered
SMTP<< EHLO m1.bar.com
host in tls_advertise_hosts? yes (*)
SMTP>> 250-m1.bar.com Hello m1.foo.com
250-SIZE
250-PIPELINING
250-STARTTLS
250 HELP
SMTP<< STARTTLS
host in tls_verify_hosts? yes (*)
TLS active
SMTP<< EHLO m1.bar.com
SMTP>> 250-m1.bar.com Hello m1.foo.com
250-SIZE
250-PIPELINING
250-AUTH LOGIN
250 HELP
SMTP<< MAIL FROM:<ccurtis@???>
ccurtis@??? in sender_reject? no (option unset)
ccurtis@??? in sender_reject_recipients? no (option unset)
SMTP>> 250 <ccurtis@???> is syntactically correct
SSL_write(SSL, 80c6890, 61)
Calling SSL_read(80d66d8, 80e62e0, 4096)
SMTP<< RCPT TO:<ccurtis@???>
host in host_accept_relay? no (end of list)
host in tls_host_accept_relay? no (option unset)
SMTP>> 550 relaying to <ccurtis@???> prohibited by administrator
... So everything is working, except that the client did not authenticate, and
it doesn't seem Exim even looked for an option to force it to. I'm
looking for something like 'tls_auth_hosts = *', like
'auth_over_tls_hosts', but this is set and doesn't force the issue.
The manual states that this doesn't force it, but I want it to force it.
But it seems that I can. And I can't force the client to always
authenticate.
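As an added example (not part of the original message or of Exim), here is a small Python probe that reproduces the exchange in the debug output above from the client side: EHLO, STARTTLS, EHLO again, optional AUTH, then MAIL/RCPT, reporting whether AUTH was advertised before and after TLS and what reply code RCPT got. The host names, port, credentials and the two captured EHLO replies are assumptions constructed from the post; the parser is exercised on those captures offline, while probe_relay() needs a real server to talk to.

```python
"""Probe an SMTP server's relay policy from the client side.

Added example, not code from the original post or from Exim. Hostnames,
credentials and the sample EHLO replies are assumptions constructed from
the debug transcript in the message above.
"""
import re
import smtplib
import ssl

# Constructed from the transcript: before STARTTLS Exim advertised no AUTH,
# afterwards it advertised "AUTH LOGIN". One is in smtplib's ehlo() form
# (no "250-" prefixes), the other in raw-transcript form, to show both parse.
EHLO_BEFORE_TLS = b"m1.bar.com Hello m1.foo.com\nSIZE\nPIPELINING\nSTARTTLS\nHELP"
EHLO_AFTER_TLS = (b"250-m1.bar.com Hello m1.foo.com\r\n250-SIZE\r\n"
                  b"250-PIPELINING\r\n250-AUTH LOGIN\r\n250 HELP")


def parse_ehlo(reply):
    """Turn a multi-line EHLO reply into {EXTENSION: parameters}.

    Accepts either the msg part returned by smtplib.SMTP.ehlo() or a raw
    transcript with "250-"/"250 " prefixes. The first line is the greeting
    ("host Hello client"), not a capability, so it is skipped.
    """
    text = reply.decode("ascii", "replace") if isinstance(reply, bytes) else reply
    caps = {}
    for index, raw in enumerate(text.splitlines()):
        line = re.sub(r"^250[- ]", "", raw.strip())
        if index == 0 or not line:
            continue
        name, _, params = line.partition(" ")
        caps[name.upper()] = params.strip()
    return caps


def relay_verdict(rcpt_code, authenticated):
    """Interpret the RCPT reply: 2xx means the server agreed to relay."""
    if 200 <= rcpt_code < 300:
        return "relay accepted (authenticated)" if authenticated else "OPEN RELAY: unauthenticated relay accepted"
    return "relay refused" + ("" if authenticated else " (client did not authenticate)")


def probe_relay(host, port=25, user=None, password=None,
                sender="probe@example.invalid", rcpt="someone@example.net"):
    """Run EHLO / STARTTLS / EHLO / [AUTH] / MAIL / RCPT and report the outcome.

    Only RCPT is issued; the transaction is reset with RSET, so no mail is sent.
    Assumed server details are whatever the caller passes in.
    """
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        _, msg = smtp.ehlo()
        before = parse_ehlo(msg)
        # RFC 3207: capabilities must be re-read with a fresh EHLO after STARTTLS.
        smtp.starttls(context=ssl.create_default_context())
        _, msg = smtp.ehlo()
        after = parse_ehlo(msg)
        if user is not None:
            smtp.login(user, password)
        smtp.mail(sender)
        rcpt_code, _ = smtp.rcpt(rcpt)
        smtp.rset()
        return {
            "auth_before_tls": "AUTH" in before,
            "auth_after_tls": "AUTH" in after,
            "rcpt_code": rcpt_code,
            "verdict": relay_verdict(rcpt_code, user is not None),
        }
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


if __name__ == "__main__":
    # Offline demonstration on the captured replies.
    print("before TLS:", parse_ehlo(EHLO_BEFORE_TLS))
    print("after TLS: ", parse_ehlo(EHLO_AFTER_TLS))
    print(relay_verdict(550, authenticated=False))
    # Against a real server (assumed host name), e.g.:
    # print(probe_relay("m1.bar.com"))                       # expect 550 / refused
    # print(probe_relay("m1.bar.com", user="me", password="secret"))  # expect 250
```

Running the probe twice, once without and once with credentials, confirms the policy the transcript shows: an unauthenticated client sees STARTTLS but no AUTH on the first EHLO, AUTH LOGIN after TLS, and a 550 on RCPT to a non-local address; a client that actually issues AUTH should get 250. Whether the client authenticates at all is its own choice, which is exactly the gap the post describes.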