Re: [Exim] How to require verification of sender conditional…

Top Page
Delete this message
Reply to this message
Author: Wakko Warner
Date:  
To: Eli
CC: exim-users
Subject: Re: [Exim] How to require verification of sender conditionally in ACL?
> Currently, I just unconditionally verify the sender (as per default config
> file) in my ACL (over my knee) like so:
>
>         require verify          = sender

>
> The problem is that for users who are authenticated (my users), I would like
> them to be able to specify email addresses that I don't want to verify (save
> some resources possibly?) - at least right now I'm thinking I don't (either
> way it doesn't matter - I track their $authenticated_id in the email) :)
>
> I thought that I could add a check for "!authenticated = *", but that failed
> and I realized why after re-reading what "require" does (all conditions must
> be true - so it failed when I authenticated). Now I'm not sure what to do,
> since I can't move my sender verification step after my "accept" policy for
> authenticated users, and I see no way to have a condition set on the require
> that will allow it to skip the require.


Just one reason I don't like the "require" verb.

> I thought then maybe I could do:
>
>         accept  !authenticated  = *
>                 endpass
>                 verify          = sender

>
> In replace of the "require" check, however that won't work since if you
> aren't authenticated, and the sender DOES verify, then it accepts rather
> than passing on to the next statement. I guess what I need is like that,
> except rather than accepting, I need it to pass on (as well as to pass on if
> the initial condition isn't true, i.e. I'm authenticated).


Doesn't seem like a good idea to me. You basically stop processing there if
the user is not authenticated. It will either fail verification or send
bounces to people when the recipient can't be reached. It ALSO MAKES YOU AN
OPEN RELAY (If you're checking in RCPT acl)!

> So far, my only solution is to do up a new ACL for acl_smtp_mail:
>
> acl_check_mail:
>         accept  !authenticated  = *
>                 endpass
>                 verify          = sender

>
> Works great, except I'm wondering if doing the sender verification at MAIL
> time will come back to bite me later? If it will, are there any ways of
> doing what I need at RCPT time?


I've always felt verifying senders in MAIL acl is a bad idea. Not sure why
though.

Use this:
    deny    !authenticated = *
        !verify = sender


--
Lab tests show that use of micro$oft causes cancer in lab animals