[Exim] Callout -vs- SMTP AUTH

Author: Pat Lashley
Date:  
To: exim-users
Subject: [Exim] Callout -vs- SMTP AUTH
Hi Folks,

I have a setup with Exim 4.24 and Cyrus 2.2.2. Exim is doing server
side SMTP AUTH with no problems. (And, of course, Cyrus is doing
IMAP AUTH.) I'm doing deliveries via the SMTP transport with protocol
set to LMTP so that I can do recipient/callout checks in the ACLs.
I have Cyrus set up to run the lmtp daemon in pre-authenticated mode
and listening only on the loopback port. This all works fine; and
the only people with shell access to the machine are admins; so there
isn't much worry about direct access to the LMTP port.

Now I need to set up a similar system; but at a site where the Cyrus
and Exim servers will be on separate machines. So I need further
protection of the LMTP port. I added the client-side parameters to
the cram-md5 authenticator in Exim, using a Cyrus admin user. My
initial tests worked fine; but the logs are showing external messages
being rejected with (sender host obscured and linebreaks added):

    H=example.com [10.0.0.1] Warning: ACL "warn" statement skipped:
    condition test deferred: response to "MAIL FROM:<>" from 127.0.0.1
    [127.0.0.1] was: 430 Authentication required


    2003-11-30 18:43:40 H=example.com [10.0.0.1]
    F=<owner-mumble@???> temporarily rejected RCPT
    <me+list@???>: response to "MAIL FROM:<>" from
    127.0.0.1 [127.0.0.1] was: 430 Authentication required



Before I dig any further into this, does the callout code do
authentication if the transport has hosts_{try,require}_auth
set? Or do I need to look for some other way to protect the
LMTP port?



Thanks,
-Pat
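
One way to spot the failure shown in the log excerpt above, as an added example that is not part of the original post: a Python scan of Exim main-log lines for callout probes that the target refused with an authentication-required response. The sample lines, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Callout failure text as it appears in the post's log excerpt:
#   response to "MAIL FROM:<>" from 127.0.0.1 [127.0.0.1] was: 430 Authentication required
CALLOUT_RE = re.compile(
    r'response to "(?P<cmd>[^"]*)" from (?P<name>\S+) \[(?P<ip>[^\]]+)\] '
    r'was: (?P<code>\d{3})[ -](?P<text>.*)$'
)
RCPT_RE = re.compile(r'temporarily rejected RCPT <(?P<rcpt>[^>]*)>')

# Constructed sample lines (one log entry per line, placeholder hosts and addresses).
SAMPLE_LOG = [
    '2003-11-30 18:43:40 H=mx.example.com [192.0.2.10] Warning: ACL "warn" statement skipped: '
    'condition test deferred: response to "MAIL FROM:<>" from 127.0.0.1 [127.0.0.1] was: 430 Authentication required',
    '2003-11-30 18:43:40 H=mx.example.com [192.0.2.10] F=<owner-list@example.org> temporarily rejected RCPT '
    '<user+list@example.net>: response to "MAIL FROM:<>" from 127.0.0.1 [127.0.0.1] was: 430 Authentication required',
    '2003-11-30 18:44:10 H=mx.example.com [192.0.2.10] F=<a@example.org> rejected RCPT <nobody@example.net>: '
    'response to "RCPT TO:<nobody@example.net>" from 127.0.0.1 [127.0.0.1] was: 550 Mailbox unknown',
    '2003-11-30 18:45:02 1AQabc-0000xy-00 <= sender@example.org H=mx.example.com [192.0.2.10] P=esmtp S=1234',
]

def find_auth_blocked_callouts(lines):
    """Return one dict per log line where the callout target demanded AUTH."""
    hits = []
    for line in lines:
        m = CALLOUT_RE.search(line)
        # Skip non-callout lines and callout failures unrelated to authentication.
        if not m or "authentication required" not in m["text"].lower():
            continue
        rcpt = RCPT_RE.search(line)
        hits.append({
            "target": m["ip"],          # host the callout connected to
            "command": m["cmd"],        # SMTP/LMTP command that was refused
            "code": int(m["code"]),
            "deferred_rcpt": rcpt["rcpt"] if rcpt else None,
        })
    return hits

def summarize(hits):
    """Count auth-blocked callouts per target host."""
    return Counter(h["target"] for h in hits)

if __name__ == "__main__":
    found = find_auth_blocked_callouts(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dict(summarize(found)))
```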