Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Bruce Richardson
Date:
To: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
On Fri, Mar 19, 2004 at 05:14:18PM +0100, Giuliano Gavazzi wrote:
> a more general solution would actually check the possibility that
> $sender_address_local_part is an alias for $authenticated_id, or more
> precisely, for the local_part corresponding to $authenticated_id (in
> case of virtual domains).
> I haven't worked out the details on how to do that, but it is clearly
> possible.


Well, a really general solution would have something like

        condition = ${if match {${address:$h_from:}} \
            {${expand:${lookup{$authenticated_id} \
                lsearch*{/etc/exim/auth_permissions}}}} \
            {yes} {no}}


Though this would obviously need to be handled with great care. It's
probably wiser to come up with some rules for how authenticated ids will
be matched to rules and then create a matching sequence of simple
conditions. So you might say that individuals who will use auth to send
mail from their own address only should use that address as the
authenticated_id, whereas an authenticated_id that ended in @ indicated
that the local_part must match the authenticator (excluding the @,
obviously), with the domains being looked up in the alias file and/or
virtual tables. Authenticated ids containing no @ would be assumed to
be relays for entire domains and would match ${domain:$h_from} against a
lookup.

Then you'd have something like this:

  accept  authenticated = *
          endpass
          message = You are not authorised to send mail on behalf of \
                    ${address:$h_from:}
          condition = ${if and { \
              {match {$authenticated_id} {\N.+@.+\N}} \
              {! eqi {${address:$h_from:}} {$authenticated_id}} \
              } {no} {yes} }
          condition = ${if and { \
              {match {$authenticated_id} {\N@$\N}} \
                erm, not sketching out this part at this time on a
                Friday
              } {no} {yes} }
          etcetera



--
Bruce

I unfortunately do not know how to turn cheese into gold.
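The three authenticated_id conventions sketched in the message above (full address, id ending in @, bare domain), modelled in Python as an added example that is not part of the original post or of Exim itself, so the policy can be checked on sample inputs before being turned into ACL conditions. The ALIASES and LOCAL_DOMAINS tables are constructed stand-ins for the alias file and virtual tables, and the rule for @-terminated ids, which the post leaves unsketched, is an assumption: the From: local part must be the user or one of its aliases and the domain one this host handles.

```python
import re
from email.utils import parseaddr

# Constructed stand-ins for the alias file and virtual-domain tables.
ALIASES = {"bob": {"bob", "robert"}}               # user -> local_parts it may use
LOCAL_DOMAINS = {"example.com", "example.net"}     # domains this host handles

def parse_address(header_value):
    """Rough equivalent of ${address:$h_from:}: (local_part, domain) or None."""
    _, addr = parseaddr(header_value)
    local_part, sep, domain = addr.rpartition("@")
    if not sep or not local_part or not domain:
        return None
    return local_part.lower(), domain.lower()

def from_is_authorised(authenticated_id, from_header):
    """Decide whether the From: header may be used under this authenticated_id."""
    sender = parse_address(from_header)
    if sender is None:                  # an unparsable From: never passes
        return False
    local_part, domain = sender
    auth = authenticated_id.lower()
    # Rule 1: id is a full address -> From: must be exactly that address
    # (the first condition in the ACL sketch above).
    if re.fullmatch(r".+@.+", auth):
        return sender == parse_address(auth)
    # Rule 2: id ends in '@' -> local_part must be the user or one of its
    # aliases (assumption) and the domain one this host handles.
    if auth.endswith("@"):
        user = auth[:-1]
        return local_part in ALIASES.get(user, {user}) and domain in LOCAL_DOMAINS
    # Rule 3: no '@' at all -> id names a domain the client relays for.
    return domain == auth

if __name__ == "__main__":
    for auth_id, hdr in [("alice@example.com", "Alice <alice@example.com>"),
                         ("alice@example.com", "bob@example.com"),
                         ("bob@", "robert@example.net"),
                         ("example.net", "anyone@example.net")]:
        print(auth_id, hdr, from_is_authorised(auth_id, hdr))
```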