Re: [Exim] Using "authenticated = *"

Author: Konrad Michels
Date:  
To: Tony Finch
CC: Exim-Users (E-mail)
Subject: Re: [Exim] Using "authenticated = *"
Hi Tony
Thanks for the feedback. I see I do have an "accept authenticated = *"
in my exim config, but somehow it seems to be rejecting the connections
prior to this being reached. I'm wondering whether it isn't something
to do with the exiscan patch doing checks of some sort before the ACL is
being consulted . . .

Later
Konrad


On Tue, 2004-06-15 at 10:26, Tony Finch wrote:
> On Tue, 15 Jun 2004, Konrad Michels wrote:
> >
> > Right now I'm doing the usual checks against one or two DNSBL's, which
> > is, as expected, bouncing smtp connects appropriately. However, I'm
> > also bouncing smtp connects from SMTP authenticated users, which was not
> > my intention. From the manual, I gather I need to probably prefix my
> > entire ACL section with something like:
> >
> > if !(authenticated = *)
> >
> > do I not?
>
> Something like that. What I do on our servers is similar to the following
> (though with a few extra bells and whistles that I've omitted here):
>
> check_sender:
>   # We check authorization early in order to simplify later ACLs.
>   accept   hosts         = +relay_hosts
>            set acl_m0    = true
>   accept   verify        = certificate
>            set acl_m0    = true
>   accept   authenticated = *
>            set acl_m0    = true
>   # Not authorized.
>   accept   set acl_m0    = false
>
> check_recipient:
>   # Always accept local postmaster and non-network email.
>   accept   recipients    = postmaster@+our_domains
>   accept   hosts         = :
>
>   # Accept non-bounce messages from authorized senders,
>   # but ensure that the reverse path is valid.
>   accept   condition     = $acl_m0
>           !senders       = :
>            endpass
>            message       = Invalid sender address: ${acl_verify_message}
>            verify        = sender/callout=postmaster
>
>   # If an authorized sender is sending a bounce, require the
>   # recipients to be valid. This is mainly to deal with the case
>   # where we have just rejected a message with an invalid sender,
>   # and the sending SMTP server is now trying to bounce it via us.
>   accept   condition     = $acl_m0
>            senders       = :
>            endpass
>            message       = Invalid bounce recipient address: ${acl_verify_message}
>            verify        = recipient/callout=postmaster
>
> # At this point we know the sending host is foreign.
> # We do some anti-spam checking at this point.
>
>   # Then do anti-relay checks.
>   require  message       = Relaying is not permitted
>            domains       = +our_domains
>
>   # All addresses must be valid. We do the sender callout after other
>   # checks to avoid unnecessarily irritating other email server admins.
>   require  message       = ${acl_verify_message}\n\
>                            See http://www.cam.ac.uk/cs/email/bounce.html
>            verify        = recipient/callout=defer_ok,use_sender
>            verify        = sender/callout=postmaster
>
> # Every check has been passed.
> accept
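
Added example, not part of either message and not the configuration of either poster: a recipient ACL in which the DNSBL check from the original question sits after the accepts for authorised clients, so authenticated users never reach it. The ACL name check_recipient_example and the zone dnsbl.example are placeholders; +relay_hosts and +our_domains are the named lists used in the quoted configuration and are assumed to be defined elsewhere.

```conf
# Added example (assumed to be selected with
#   acl_smtp_rcpt = check_recipient_example
# in the main configuration section).

check_recipient_example:
  # Non-network (locally submitted) mail has an empty host field.
  accept  hosts         = :

  # Authorised clients. ACL statements are evaluated top to bottom,
  # and an accept whose conditions all match ends processing for
  # this RCPT, so nothing below runs for these clients.
  accept  hosts         = +relay_hosts
  accept  authenticated = *

  # Only unauthenticated, non-relay hosts get this far.
  # dnsbl.example is a placeholder for the real DNSBL zone.
  deny    message       = $sender_host_address is listed in $dnslist_domain
          dnslists      = dnsbl.example

  # Anti-relay: foreign hosts may only deliver to local domains.
  require message       = Relaying is not permitted
          domains       = +our_domains

  accept
```

The exemption only works in an ACL that runs after AUTH, such as the MAIL or RCPT ACL. A dnslists check in the connect-time ACL (acl_smtp_connect) is evaluated before the client can authenticate, so "authenticated = *" cannot shield anyone from it.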