Re: [Exim] Want to generate 553 Auth required responses

Top Pagina
Delete this message
Reply to this message
Auteur: John Robinson
Datum:  
Aan: exim-users
Onderwerp: Re: [Exim] Want to generate 553 Auth required responses
At 21:07 05/08/2002 +0100, Philip Hazel wrote:
>On Mon, 5 Aug 2002, John Robinson wrote:
>
> > OK I know it's not what you're supposed to do under RFC-2554 SMTP
> > Authentication, but I'd like to contrive that if a user has attempted
> > authentication, and this has been failed with a 535 Auth failed, but the
> > user's MUA carries on regardless, I'd like to have exim generate a 553 Auth
> > required response where the user would normally (if they hadn't attempted
> > authentication) have received a 550 Relaying denied.
>
>In Exim 4 you can generate a custom message at RCPT time if the session
>is not authenticated, but there isn't any way to tell whether or not
>authentication was attempted.


Thanks for the info.

So... before I go seriously wading in and getting my hands mucky (though
actually the code looks pretty tidy, clean and polished!), may I ask those
people here who are experienced with the code, would it be very difficult
to have the authenticators set a variable along the lines of auth_attempted
which could be inspected in the ACLs? And similarly, how about getting an
ACL to send a different numeric response?

Currently, we use the same server to handle local mail, customers' mail via
a virtual domain configuration, secondary MX relaying, and outgoing
relaying for staff in and out of the office. Yes I can customise the
message at RCPT time depending on some conditions, and I do, but not this
particular condition.

While it may seem silly, or even paranoid, I'd prefer not necessarily be
sending "please authenticate" messages to anyone who connects to my server.
Already I can limit who sees AUTH in EHLO responses, and I'd rather not be
telling nasty hackers my mail server knows how to authenticate things. (As
it happens, it doesn't authenticate against shell accounts anyway, but
that's not the point.)

For this particular case though, I'd just rather give what (to me) would
seem to be the more appropriate response - OK they already ignored what
they've been told (or their MUA did) but there couldn't be any harm telling
them again. I guess if more sites start embracing SMTP AUTH, this might
become useful more widely (than just me). If it's just an alternate text
message with a 550 response, it's not even breaking RFC 2554 either.

Thanks again, this time in advance,

John.

--
John Robinson                                     Tel +44 7771 784058
  Though my soul may set in darkness / It will rise in perfect light;
   I have loved the stars too fondly / To be fearful of the night.