Re: [Exim] Using "authenticated = *"

Author: Tony Finch
Date:  
To: Konrad Michels
CC: Exim-Users (E-mail)
Subject: Re: [Exim] Using "authenticated = *"
On Tue, 15 Jun 2004, Konrad Michels wrote:
>
> Right now I'm doing the usual checks against one or two DNSBL's, which
> is, as expected, bouncing smtp connects appropriately. However, I'm
> also bouncing smtp connects from SMTP authenticated users, which was not
> my intention. From the manual, I gather I need to probably prefix my
> entire ACL section with something like:
>
> if !(authenticated = *)
>
> do I not?


Something like that. What I do on our servers is similar to the following
(though with a few extra bells and whistles that I've omitted here):

check_sender:
  # We check authorization early in order to simplify later ACLs.
  accept   hosts         = +relay_hosts
           set acl_m0    = true
  accept   verify        = certificate
           set acl_m0    = true
  accept   authenticated = *
           set acl_m0    = true
  # Not authorized.
  accept   set acl_m0    = false


check_recipient:
  # Always accept local postmaster and non-network email.
  accept   recipients    = postmaster@+our_domains
  accept   hosts         = :


  # Accept non-bounce messages from authorized senders,
  # but ensure that the reverse path is valid.
  accept   condition     = $acl_m0
          !senders       = :
           endpass
           message       = Invalid sender address: ${acl_verify_message}
           verify        = sender/callout=postmaster


  # If an authorized sender is sending a bounce, require the
  # recipients to be valid. This is mainly to deal with the case
  # where we have just rejected a message with an invalid sender,
  # and the sending SMTP server is now trying to bounce it via us.
  accept   condition     = $acl_m0
           senders       = :
           endpass
           message       = Invalid bounce recipient address: ${acl_verify_message}
           verify        = recipient/callout=postmaster


# At this point we know the sending host is foreign.
# We do some anti-spam checking at this point.

  # Then do anti-relay checks.
  require  message       = Relaying is not permitted
           domains       = +our_domains


  # All addresses must be valid. We do the sender callout after other
  # checks to avoid unnecessarily irritating other email server admins.
  require  message       = ${acl_verify_message}\n\
                           See http://www.cam.ac.uk/cs/email/bounce.html
           verify        = recipient/callout=defer_ok,use_sender
           verify        = sender/callout=postmaster


# Every check has been passed.
accept

--
Tony Finch <dot@???> http://dotat.at/
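
Added example, not part of the message above and not the configuration of the author's servers: the DNSBL check from the question written so that it no longer rejects authenticated clients. The list name dnsbl.example.org and the ACL name acl_check_rcpt are placeholders; +relay_hosts is the host list used in the message.

```exim
# Added example; dnsbl.example.org and acl_check_rcpt are placeholders.
# This must be an ACL that runs at or after RCPT (acl_smtp_rcpt). In the
# connect ACL the client has not yet issued AUTH, so "authenticated = *"
# can never match there and the exemption would have no effect.

acl_check_rcpt:

  # Before: every client is looked up, including authenticated users
  # whose own IP address happens to be listed.
  # deny    message        = $sender_host_address is listed at $dnslist_domain
  #         dnslists       = dnsbl.example.org

  # After: conditions are tested in order, so the DNS lookup is only
  # made for clients that are neither relay hosts nor authenticated.
  deny     !hosts          = +relay_hosts
           !authenticated  = *
           message         = $sender_host_address is listed at $dnslist_domain
           dnslists        = dnsbl.example.org

  # ... anti-relay and address verification checks follow ...
```

In the layout shown in the message the exemption is implicit instead: authorized senders are accepted (or rejected on a failed verify) before the "anti-spam checking" comment, so a plain DNSBL deny placed at that point only ever sees foreign hosts.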