[Exim] Fancy authentication methods + actually enforcing aut…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Matt Sealey
Date:  
À: Exim-Users
Sujet: [Exim] Fancy authentication methods + actually enforcing authentication
Hello all,

I'm having one hell of a time getting my Exim to only accept relays to
non-local domains when authenticated. Basically we're talking about
the ultimate open-relay stopper, if nobody can send unless they're
trying to mail users on the box or they're a known entity.

In Exim 3 there was a little configuration item like "relay_auth_hosts"
you could set.

It seems I can't find the Exim 4 equivalent but I'm fairly certain
it's going to be entirely simple one-line addition to my RCPT ACL :)

The "authenticated" option looks like it, but I don't see anything
except "how to check if there's ANY authentication", nor any
recommended ways to orchestrate it so that it will allow or disallow
based on the target domain (such that I don't break any standards
or annoy people.. there is always a correct way to configure a server,
and an incorrect way :)

In theory the last lines:


accept authenticated = *
deny message = relay not permitted

.. according to the comments, should accept mail that is sent by
authenticated clients (and none that is not..), but whenever I tried
this before, it either let every mail in (eep!) or didn't allow to
send even if you WERE authenticated.

Anyone care to enlighten me on where I didn't look in the FAQ? :D



I'm also scouting around for example authenticators for saslauthd: I
have "PLAIN" set up fine:

plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}


but if I do LOGIN like this:

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}

.. saslauthd keeps whining about openpam_policy_file_read() syntax
errors (in /usr/local/etc/pam.d). There isn't one for exim, so it's
using the default, but how come PLAIN works and LOGIN doesn't? The
default authenticator for saslauthd is pam, so it makes sense..

Are there any easy-peasy ways to get the more exotic methods (CRAM-MD5,
blah blah) working *using saslauthd* for authentication so I don't need
to send all my stuff in text or handle a ton of extra password and secret
files? :)

Basically I just don't seem to be able to find any examples of either,
any mails on the list or FAQ entries.. please feel free to tell me
I'm stupid and I should have read the FAQ harder, but I just spent an
hour at it.. there are a few answers "implement SMTP authentication"
(but not a subsequent "How the hell do I do that?" entry :)

Thanks for any help :D


--
Matt Sealey <matt@???>