RE: [Exim] Fancy authentication methods + actually enforcing…

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Edgar Lovecraft
Fecha:  
A: exim-users
Asunto: RE: [Exim] Fancy authentication methods + actually enforcing authentication
>"Matt Sealey" wrote on Mon Dec 8, 2003 1:15 pm
>
>Hello all,
>
>I'm having one hell of a time getting my Exim to only accept

relays to
>non-local domains when authenticated. Basically we're talking about
>the ultimate open-relay stopper, if nobody can send unless they're
>trying to mail users on the box or they're a known entity.
>

**SNIP SNIP**

Here is what I do for what it's worth:

This is all done with LDAP lookups and virtual domains...
    #The '_R' and '_S' lookups are the same, it just depends on
    #   what part of the smtp side we want to check,
    #   a 'LOCAL' sender ('_S')?? or a 'LOCAL' recipient ('_R')??
    #Define the Store and Forward only domains.
domainlist forward_domains_R     = \
    ldapm;ldap::///ou=Forward-only-Domains,o=top?dc?one? \
    (&(objectClass=*)(dc=$domain))
    #Define the Local delivery domains.
domainlist local_domains_R       = \
    ldapm;ldap::///o=top?dc?one?(&(objectClass=*)(dc=$domain))
    #Define Domains that we will rewrite for
domainlist rewrite_domains_R     = \
    ldapm;ldap::///ou=ReWriteDomains,ou=MailConfiguration, \
    o=top?dc?one?(&(objectClass=*)(dc=$domain))
    #Define the Store and Forward only domains.
domainlist forward_domains_S     = \
    ldapm;ldap::///ou=Forward-only-Domains,o=top?dc?one? \
    (&(objectClass=*)(dc=$sender_address_domain))
    #Define the Local delivery domains.
domainlist local_domains_S       = \
    ldapm;ldap::///o=top?dc?one?(&(objectClass=*) \
    (dc=$sender_address_domain))
    #Define Domains that we will rewrite for
domainlist rewrite_domains_S     = \
    ldapm;ldap::///ou=ReWriteDomains,ou=MailConfiguration, \
    o=top?dc?one?(&(objectClass=*)(dc=$sender_address_domain))
    #Define the hosts that we blindly relay for.
hostlist relay_hosts             = (this data is stored in LDAP but
                                    returned from a perl lookup that
                                    formats the information as
                                    needed)
    #Define the hosts that we reject connections from.
hostlist connection_reject       = (this data is stored in LDAP but
                                    returned from a perl lookup that
                                    formats the information as
                                    needed)


acl_mail_command:
    #DENY any mail command given before a Helo command
    #   This will force the helo like we want :)
  deny    message                = \
    HELO/ELHO command must be given
          condition              = ${if def:sender_helo_name{no}yes}}
    #ACCEPT mail from any host that we blindly relay for as
    #   defined in LDAP
  accept  hosts                  = +relay_hosts
    #ACCEPT mail from Domains that are local only if the connection
    #  is authenticated.  Relay hosts are not subject to this
    #  check as they have already been accepted.
  accept  sender_domains         = \
        +local_domains_S : +forward_domains_S : +rewrite_domains_S
          endpass
          message                = \
    Authentication Required: \n\
        The connection must be authenticated to send from \
        this address.
          authenticated          = *
    #ACCEPT all other connections here unless we do not want
    #   any mail at all :)
  accept


acl_rcpt_command:
    #REQUIRE that all senders are verified.  If there is a
    #   timeout or other 'error' then we pass this test anyway.
    #   We skip this check if a user is ??LOCAL?? to us.
    #   We can also skip this check for any 'user@', '@domain',
    #   or 'user@domain' as defined in the ou=SenderVerify.
  deny    !senders               = \
    ldapm;ldap::///ou=MailSenderVerify,ou=MailConfiguration, \
    o=top?RHost?one?(&(objectClass=HostList)(RHost=accept) \
   (|(mailRHost=$sender_address_local_part@$sender_address_domain)\
    (mailRHost=@$sender_address_domain) \
    (mailRHost=$sender_address_local_part@))) : \
   ldapm;ldap::///dc=$sender_address_domain,ou=Forward-only-Domains,\
    o=top?mailLocalAddress?sub? \
    (&(objectClass=inetLocalMailRecipient) \
    (mailLocalAddress=@$sender_address_domain)) : \
    ldapm;ldap::///dc=$sender_address_domain,ou=ReWriteDomains, \
    ou=MailConfiguration,o=top?mailLocalAddress?sub? \
    (&(objectClass=inetLocalMailRecipient) \
    (mailLocalAddress=@$sender_address_domain)) : \
    ldapm;ldap::///dc=$sender_address_domain, \
    o=top?mailLocalAddress?sub? \
    (&(objectClass=inetLocalMailRecipient) \
    (uid=$sender_address_local_part) \
(mailLocalAddress=$sender_address_local_part@$sender_address_domain)\
    (!(mailUserInactive=yes)))
          !verify                = sender/callout=10s,defer_ok,random
    #ACCEPT if the SMTP connection is from Local Host not TCP/IP
  accept  hosts                  = :
    #ACCEPT mail for any any user as defined in LDAP
    #   Stop the acl with ACCEPT if the $domain of the message
    #   is for one of our domains and the reciepient can be verified
    #   If the reciepient verification fails Stop the acl with DENY
    #   and send error text of '$message'
  accept  domains                = +local_domains_R :
+forward_domains_R : \
    +rewrite_domains_R
          endpass
          message                = \
    Invalid Address: \n\
    Confirmation of the recipient address failed, \n\
    > or the user account is currently inactive.
    #The condition checks to see if the rcpt is a valid user
          condition              = \
    ${if or{ \
    {eqi {@$domain}{${lookup ldap \
    {ldap:///dc=$domain,ou=Forward-only-Domains, \
    o=top?mailLocalAddress?sub? \
    (&(objectClass=inetLocalMailRecipient)\
        (mailLocalAddress=@$domain))}}} \
    }{eqi {$local_part@$domain}{${lookup ldap \
    {ldap:///dc=$domain,o=top?mailLocalAddress?sub? \
    (&(objectClass=inetLocalMailRecipient)(uid=$local_part) \
    (mailLocalAddress=$local_part@$domain)\
        (!(mailUserInactive=yes)))}}}}}{true}fail}
          endpass
          message                = \
    #The relay_hosts and authenticated hosts can send to
    #   ANY rcpt address
    #ACCEPT mail from any host that we blindly relay for as
    #   defined in LDAP
  accept  hosts                  = +relay_hosts
    #ACCEPT mail from any host that makes a successfull SMTP Auth
  accept  authenticated          = *
    #DENY with error text of '$message' because all other
    #   checks have failed so we do not want to relay for
    #   people not sending to us or because they are unknown to us.
  deny    message                = \
    Undeliverable Message: \n\
    SMTP relaying is not permitted without proper
authentication. \n\
    > Further abuse may result in any or all of the following:\n\
    >\tDenying future connections. \n\
    >\tNotifying the proper authorities. \n\
    >\tNotifying your internet provider.


begin authenticators
SMTP_AUTH_PLAIN:
    #PLAINTEXT just defines what authentication method should be used
    #   others could include MD5/SHA etc.
  driver                         = plaintext
    #PLAIN is what is advertised, again the RFC Standard for basic
    #   authentication and the standard 'prompt' that goes with it
  public_name                    = PLAIN
  server_prompts                 = :
    #This is a pass/fail (yes/no) test.  We take the
    #   information given to use by the user and then attempt
    #   to bind to the LDAP server as that user.
  server_condition               = ${if ldapauth \
    {user="uid=${extract{1}{@|%}{$2}},dc=${extract{2}{@|%}{$2}},\
    o=top" pass="$3" ldap:///}{yes}{no}}
  server_set_id                  = \
    "uid=${extract{1}{@|%}{$2}},dc=${extract{2}{@|%}{$2}},\o=top"


SMTP_AUTH_LOGIN:
    #PLAINTEXT just defines what authentication method should be used
    #   others could include MD5/SHA etc.
  driver                         = plaintext
    #LOGIN is what is advertised, just another plaintext
authenticator
    #   that is used and supported by many clients including Outlook,
    #   Outlook Express, and Netscape, we pass the standard 'prompt'
    #   that goes with it.
  public_name                    = LOGIN
  server_prompts                 = Username:: : Password::
    #This is a pass/fail (yes/no) test.  We take the
    #   information given to use by the user and then attempt
    #   to bind to the LDAP server as that user.
  server_condition               = ${if ldapauth \
    {user="uid=${extract{1}{@|%}{$1}},dc=${extract{2}{@|%}{$1}},\
    o=top" pass="$2" ldap:///}{yes}{no}}
  server_set_id                  = \
    "uid=${extract{1}{@|%}{$1}},dc=${extract{2}{@|%}{$1}},o=top"



--EAL--

_________________________________________________________________
Don’t worry if your Inbox will max out while you are enjoying the holidays.
Get MSN Extra Storage! http://join.msn.com/?PAGE=features/es