[exim] Which one come first? ACLs or Authenticator

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: sam wun
Fecha:  
A: exim-users
Temas nuevos: [exim] Relay not permitted - from Outlook to cyrus-sasl2
Asunto: [exim] Which one come first? ACLs or Authenticator
Hi,

I encountered a strange problem when using Outlook 2000 to send email
from outside the company to another external mail server thru the Exim
mail server.
There is no problem with Mozilla may be because Mozilla is using Cram-md5.

The problem is when Outlook trying to send email, it start
authentication (as I configured Outlook to enter user namd and password
in the Outgoing Mail Server dialog box). But it doesn't seems to go thru
the Authenticator list, it failed at ACLs instead, then raised an error
"relay not permitted.".

I run out of many possibility, I even tried to add certificate support
to Outlook 2000, but it does not work with SSL smtp. May be need to
further configure Exim to accept SSL smtp auth, but I don't feel
interest in this solution because my client doesn't like this additional
certificate - not convinent. I have also tried to add extra
authenticator (fixed_login with saslauthd), but does not either. It
seems that smtp auth from Outlook 2000 does not know how to auth with
the cyrus-sasl2 authenticator, but again, I m not sure how to verify this.

To me, the smtp auth failed at ACLs is out of my expectation because if
it is successful in authenticator section, it won't go back to the ACLs
for the rest of the ACL checking.

Is the Authenticator failed in this case?

The Authenticator list has the following authentication:

sasl_cram_md5:
        driver = cyrus_sasl
        public_name = CRAM-MD5
        server_set_id = $1


sasl_plain:
        driver = cyrus_sasl
        public_name = PLAIN
        server_set_id = $1


Yes, it is using cyrus-sasl2. And Exim 4.43 is compiled with cyrus-sasl
enabled.
My imapd.conf config file is as follow:
admins: cyrus
allowanonymouslogin: no
allowplainwithouttls: yes
allowplaintext: yes
altnamespace: no
autocreatequota: 10000
configdirectory: /var/db/imap
drachost: localhost
dracinterval: 0
duplicatesuppression: yes
lmtp_overquota_perm_failure: no
#lmtpsocket: /var/spool/postfix/public/lmtp
lmtpsocket: /var/spool/imap/public/lmtp
normalizeuid: yes
partition-default: /var/spool/imap
poptimeout: 10
quotawarn: 90
reject8bit: no
sasl_mech_list: plain login cram-md5 digest-md5
#sasl_mech_list: NTLM
#sasl_ntlm_server: mail.mydom.com
#sasl_pwcheck_method: saslauthd
sasl_pwcheck_method: auxprop
sievedir: /var/imap/sieve
timeout: 30

saslauthd is started as follow:
]# ps -auxww | grep sasl
root       673  0.0  0.2  3788 2116  ??  Is   Sun11AM   0:00.01 
/usr/local/sbin/saslauthd -a sasldb


cyrus.conf file contains the following lines:
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"


  # this is only necessary if using idled for IMAP IDLE
#  idled                cmd="idled"
}


# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
  imaps                cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s                cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0


  # at least one LMTP is required for delivery
  #lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/spool/imap/public/lmtp" prefork=0


  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" 
proto="udp" prefork=1
}


EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30


  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="ctl_deliver -E 3" period=1440


  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" period=1440


Your help will be highly appreciated.

Thank you in advance
Sam