Re: [Exim] SMTP auth

Author: pelle
Date:  
To: Giuliano Gavazzi, exim-users
Subject: Re: [Exim] SMTP auth
Ahh, thank you.
Makes more sense now.
I tried it now and it seems to work properly with your config, slightly modified.
One thing though.
How do I block users that don't authenticate?
I thought accept authenticated = * did that for me....
And do authenticated users go before the relay list, or do I have to relay from everywhere (that is what I want, but with authentication)?

Thanks again.
Pelle


----- Original Message -----
From: "Giuliano Gavazzi" <eximlists@???>
To: "pelle" <pelle@???>; <exim-users@???>
Sent: Thursday, December 19, 2002 12:34 PM
Subject: Re: [Exim] SMTP auth


> At 11:54 +0100 2002/12/19, pelle wrote:
> >This is a multi-part message in MIME format.
> >--
> >[ Picked text/plain from multipart/alternative ]
>
> I can see you use overlook..
>
> >Hello.
> >I want to make all connections on our outgoing smtp server to
> >authenticate first with SMTP auth.
> >All our clients use outlook (express, 2000, xp...)
> >Is there someone out there who can tell me if this configuration
> >will work (or how to fix it)
> >configure file below, just some areas that I'm not sure on how they work.
> >We store usernames and passwords in mysql.
> >I've compiled exim with both mysql support and auth support.
> >Do I need to change the ACL section? do I need both acl_smtp_rcpt
> >and acl_smtp_auth when I only want to accept authenticated
> >connections?
>
> you do not need acl_smtp_auth. You might want to use it so that
> plain/login auth over non ssl connections are refused (just an after
> the fact safety measure, but at least you know when a client is
> wrongly configured).
>
> >I really have not done much with exim so please don't laugh:) I
> >probably got all very wrong.:)
>
> I will only laugh if you say something funny.
>
> >Note that i did not submit entire configuration file.....everything
> >else is pretty straightforward stuff..
> >
> >###main##
> >
> >domainlist local_domains = "foo.bar.net:\
> >mysql;select distinct domain from mail where domain='$domain'"
> >
> >
> >acl_smtp_rcpt = acl_check_rcpt
> >acl_smtp_auth = acl_check_auth
>
> why do you declare acl_smtp_auth and do not define it (below)?
>
> >###ACL section###
> >begin acl
> >
> >acl_check_rcpt:
> >accept authenticated = *
>
> this is good.
>
> >accept  hosts = :
> >deny    local_parts   = ^.*[@%!/|]
> >accept  local_parts   = postmaster
> >domains       = +local_domains
> >require verify        = sender
> >accept  domains       = +local_domains
> >           endpass
> >           message       = unknown user
> >           verify        = recipient
> >  accept  domains       = +relay_to_domains
> >           endpass
> >           message       = unrouteable address
> >           verify        = recipient
> >accept  hosts         = +relay_from_hosts
> >  deny    message       = relay not permitted
> >
>
> haven't checked the above.
>
> >#####AUTHENTICATION CONFIGURATION ##########
> >
> >begin authenticators
> >acl_check_auth:
> >
> >login:
> >         driver = plaintext
> >         public_name = LOGIN
> >         server_condition = ${lookup mysql{select password from users
> >where username = '${local_part:$1}'}}}{1}{0}}
> >         server_set_id=$1
> >
> >plain:
> >         driver = plaintext
> >         public_name = PLAIN
> >         server_condition = ${lookup mysql{select password from users
> >where username = '${local_part:$1}'}}}{1}{0}}
> >         server_set_id=$1
> >
> >
> ># End
>
>
> I now see where the acl_check_auth has gone (not that yours is an
> acl)... This is not an authentication configuration, so you will not
> authenticate anything!
> You haven't read the many messages on SMTP AUTH of the last few days,
> have you...
>
> I will not translate my lookup but you want something like:
>
> begin authenticators
>
> plain:
>    driver = plaintext
>    public_name = PLAIN
>    server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}}\
>                            {crypteq{$3}{${lookup netinfo {. /users/$2 passwd 0} {$value}{*}}}}}{1}{0}}"
>
>
>
> login:
>    driver = plaintext
>    public_name = LOGIN
>    server_prompts = "Username:: : Password::"
>    server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
>                            {crypteq{$2}{\
> ${lookup netinfo {-t localhost/local /users/$1 passwd 0} \
>         {$value}{*}}}}}{1}{0}}"
>
>
> you have just to rewrite my '${lookup netinfo' with your '${lookup
> mysql' taking into account that the username in plain is $2 while it
> is $1 in login.
>
> If you still have trouble you might want to try to disable one of the
> two methods and see.
>
> Giuliano
> --
> H U M P H
>     || |||
>   software
>
> Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
> http://www.humph.com/
>
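
The question above (how to block clients that do not authenticate) and the advice to translate the netinfo lookups to MySQL can be combined into one configuration. This is an added example, not taken from either poster's configuration; it assumes Exim 4 built with MySQL lookups and crypteq support, TLS already configured, a `users(username, password)` table holding crypt()ed passwords, and a pure outgoing relay with no local domains.

```exim
# Added example, not from the thread. Table/column names and the use of
# crypt()ed passwords are assumptions.

acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt

begin acl

# Refuse the AUTH command on cleartext connections, so PLAIN/LOGIN
# credentials are only ever accepted inside TLS.
acl_check_auth:
  accept  encrypted     = *
  deny    message       = AUTH is only accepted over TLS

acl_check_rcpt:
  # Local, non-TCP/IP submission (empty sending host).
  accept  hosts         = :
  deny    local_parts   = ^.*[@%!/|]
  # Authenticated clients may relay from any address.
  accept  authenticated = *
  # "accept authenticated = *" only lets authenticated clients in; it does
  # not reject anyone. Rejection comes from having no further accept
  # (such as relay_from_hosts) before this final deny.
  deny    message       = authentication required

begin authenticators

# PLAIN: $2 is the username and $3 the password.
# quote_mysql escapes the client-supplied username before it enters the query.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}}\
      {crypteq{$3}{${lookup mysql{SELECT password FROM users \
      WHERE username='${quote_mysql:$2}'}{$value}{*}}}}}{1}{0}}"
  server_set_id = $2

# LOGIN: $1 is the username and $2 the password.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}}\
      {crypteq{$2}{${lookup mysql{SELECT password FROM users \
      WHERE username='${quote_mysql:$1}'}{$value}{*}}}}}{1}{0}}"
  server_set_id = $1
```

If the server also receives mail for its own domains, the `accept domains = +local_domains` block from the original ACL has to stay ahead of the final `deny`, otherwise inbound mail from unauthenticated hosts is refused as well.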