Re: [Exim] MSA support

Author: Andrew - Supernews
Date:  
To: exim-users
Subject: Re: [Exim] MSA support
>>>>> "Nigel" == Nigel Metheringham <Nigel.Metheringham@???> writes:

Nigel> Just been giving a little thought to MSA (Message Submission
Nigel> Agent) - see RFC2476 ( http://www.faqs.org/rfcs/rfc2476.html
Nigel> ).

Nigel> For those not well up on TLAs, MSA is basically SMTP for MUAs
Nigel> to use when talking to their MTAs. It runs on an alternative
Nigel> port - 587. In practice MSA submission should require
Nigel> authentication (or possibly allow non-authenticated
Nigel> connections from trusted IPs only).

Nigel> My thoughts are that to support MSA into exim you need to do
Nigel> the following (untested) changes:-

We prefer to do it this way:

1) run a second exim daemon as:
    exim -bd -oX 587 -oP /var/run/exim-submit.pid

(This is a matter of taste, really; I prefer it because
connection-count limits should be tracked separately between
submissions and incoming mail.)

2) check $interface_port on the SMTP ACL entries as follows:

# port 25 gets the normal incoming-mail ACLs; any other listening port
# (i.e. 587) is treated as a submission
acl_smtp_connect = ${if ={$interface_port}{25} {check_connect}{accept}}
acl_smtp_helo    = ${if ={$interface_port}{25} {check_helo}{accept}}
acl_smtp_mail    = ${if ={$interface_port}{25} {check_mail}{accept}}
acl_smtp_rcpt    = ${if ={$interface_port}{25} {check_recipient}{check_submission}}
acl_smtp_data    = check_message

Note that this gives us completely separate ACLs for submissions than
for incoming mail. This gives significantly more flexibility, and is
both simpler and less dangerous, than trying to check in each ACL
whether the mail is a submission or not. The check_submission ACL
could be as simple as:

check_submission:
  # envelope sender must verify, whoever the client is
  require verify = sender
  # any successful SMTP AUTH is enough to relay
  accept  authenticated = *
  # everything else on the submission port is refused
  deny    message = authenticated access only

You can also get a lot cleverer with the verification given that you
know that this is a "local" submission (for whatever value of "local"
makes sense for you). Likewise, you can then get creative with the
connect/helo/mail ACLs without worrying about coping with braindead
MUAs.

Only downside: when testing ACLs using -bh you have to use -oMi to set
the local interface address/port, otherwise $interface_port is unset.

--
Andrew, Supernews
http://www.supernews.com
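A fuller version of the port-587 ACL set sketched in the post above, added here as an example; it is not code from Andrew's message, from Nigel's, or from the Exim distribution. It keeps the two-daemon layout and the $interface_port dispatch, but also refuses unauthenticated clients at MAIL FROM (so they cannot probe sender verification), pins the envelope sender to the SASL login name, and switches on submission-mode header fixups. Assumptions: Exim 4.34 or later (for "control = submission"), a hostlist named relay_from_hosts covering 192.0.2.0/24, authenticator IDs that are full addresses, and example.org as the local domain.

```exim
# Added example configuration, not from the original post.
# Main section: same port-based dispatch as in the post, with the
# MAIL ACL also split so the submission side can refuse early.
acl_smtp_connect = ${if ={$interface_port}{25} {check_connect}{accept}}
acl_smtp_helo    = ${if ={$interface_port}{25} {check_helo}{accept}}
acl_smtp_mail    = ${if ={$interface_port}{25} {check_mail}{check_submission_mail}}
acl_smtp_rcpt    = ${if ={$interface_port}{25} {check_recipient}{check_submission}}
acl_smtp_data    = check_message

# Assumed trusted range that may submit without SMTP AUTH.
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

begin acl

# MAIL FROM on the submission port: decide on the client before looking
# at the sender address, so unauthenticated hosts never reach
# "verify = sender" and cannot use it as an address oracle.
check_submission_mail:
  accept  authenticated = *
  accept  hosts = +relay_from_hosts
  deny    message = authenticated access only

# RCPT TO on the submission port.
check_submission:
  # Repeated here because an ACL name can be reused from other hooks;
  # conditions on one verb are ANDed, so this denies only clients that
  # are neither authenticated nor in the trusted list.
  deny    message = authenticated access only
          !authenticated = *
          !hosts = +relay_from_hosts

  # An authenticated user may only send as the address they logged in as
  # (assumption: $authenticated_id is a full address). This also rejects
  # an empty sender from an authenticated client, which an MUA should
  # never produce.
  deny    message = sender address does not match authenticated user
          authenticated = *
          !condition = ${if eqi{$sender_address}{$authenticated_id}}

  # Sender must still verify, e.g. to catch typos in the MUA's identity.
  require verify = sender

  # Submission mode: Exim adds missing Date:/Message-ID: headers and
  # qualifies unqualified addresses; domain= is the domain used for
  # that qualification (example.org is an assumption).
  accept  control = submission/domain=example.org

# Testing without a live daemon, per the caveat in the post: -bh fakes
# the client address and -oMi supplies the local interface and port
# (addresses below are constructed):
#   exim -bh 192.0.2.77 -oMi 192.0.2.1.587
#   exim -bh 198.51.100.9 -oMi 192.0.2.1.25
```

Run the two -bh sessions and walk through MAIL FROM / RCPT TO by hand: on the 587 session an unauthenticated MAIL FROM should be refused with "authenticated access only" before any verification callout, while the 25 session should fall through to check_mail and check_recipient as before.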