Hi list
I am trying to setting up a mail server to allow users to send mail from any
IP as long as they can be authenticated. Been searching the archives and
have tried all sorts but I must be missing something. Below is my config
file. I'm trying to send an email through the server using outlook 2003
client.
primary_hostname = host.domain.com
domainlist local_domains = @ : localdoamin.com : localdomain2.com
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner = clamd:127.0.0.1 3310
spamd_address = 127.0.0.1 783
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 30s
log_selector = +all
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
smtp_accept_queue_per_connection = 1000
smtp_accept_max_per_connection = 10000
extract_addresses_remove_arguments = false
auth_advertise_hosts = *
tls_advertise_hosts = *
tls_certificate = /usr/local/exim/cert
tls_privatekey = /usr/local/exim/key
begin acl
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
#############################################################################
# The following section of the ACL is concerned with local parts that
contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts,
but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part
starting
# with a dot or containing /../ can cause trouble if it is used as part of
a
# file name (e.g. for a mailing list). This is also true for local parts
that
# contain slashes. A pipe symbol can also be troublesome if the local part
is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied
to
# messages that are addressed to one of the local domains handled by this
# host. It blocks local parts that begin with a dot or contain @ % ! / or
|.
# If you have local accounts that include these characters, you will have
to
# modify this rule.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# The second rule applies to all other domains, and is less strict. This
# allows your own users to send outgoing messages to sites that use
slashes
# and vertical bars in their local parts. It blocks local parts that begin
# with a dot, slash, or vertical bar, but allows these characters within
the
# local part. However, the sequence /../ is barred. The use of @ % and !
is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote
sites.
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#############################################################################
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Deny unless the sender address can be verified.
require verify = sender
#############################################################################
# There are no checks on DNS "black" lists because the domains that
contain
# these lists are changing all the time. However, here are two examples of
# how you could get Exim to perform a DNS black list lookup at this point.
# The first one denies, while the second just warns.
#
# deny message = rejected because $sender_host_address is in a
black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
#
# warn message = X-Warning: $sender_host_address is in a black
list at $dnslist_domain
# log_message = found in $dnslist_domain
# dnslists = black.list.example
#############################################################################
# Accept if the address is in a local domain, but only if the recipient
can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
# Accept if the address is in a domain for which we are relaying, but
again,
# only if the recipient can be verified.
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should
probably
# add recipient verification here.
accept hosts = +relay_from_hosts
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
accept authenticated = *
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
deny message = relay not permitted
acl_check_mime:
# Decode MIME parts to disk. This will support virus scanners later.
warn decode = default
# File extension filtering.
deny message = Blacklisted file extension detected
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
{1}{0}}
# Reject messages that carry chinese character sets.
# WARNING: This is an EXAMPLE.
deny message = Sorry, noone speaks chinese here
condition = ${if eq{$mime_charset}{gb2312}{1}{0}}
accept
acl_check_data:
# Reject virus infested messages.
deny message = This message contains malware ($malware_name)
demime = *
malware = *
# Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide
settings
# (user "nobody"), no matter if over threshold or not.
warn message = X-Spam-Score: $spam_score ($spam_bar)
spam = nobody:true
warn message = X-Spam-Report: $spam_report
spam = nobody:true
# Add X-Spam-Flag if spam is over system-wide threshold
warn message = X-Spam-Flag: YES
spam = nobody
# Reject spam messages with score over 10, using an extra condition.
deny message = This message scored $spam_score points. Congratulations!
spam = nobody:true
condition = ${if >{$spam_score_int}{100}{1}{0}}
accept
begin routers
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
begin transports
remote_smtp:
driver = smtp
hosts_require_auth=*
remote_tlssmtp:
driver = smtp
hosts_require_tls=*
hosts_require_auth=*
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if
eq{$3}{${lookup{$2}lsearch{/usr/local/exim/passwd}{$value}fail}}{yes}{no}}
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if
eq{$2}{${lookup{$1}lsearch{/usr/local/exim/passwd}{$value}fail}}{yes}{no}}
server_set_id = $1
cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${if
eq{$2}{${lookup{$1}lsearch{/usr/local/exim/passwd}{$value}fail}}{yes}{no}}
server_set_id = $1
===========================
My password contains
username secret
This is the output from exim -bV
Exim version 4.43 #1 built 30-Oct-2004 17:21:25
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.1.25: (October 24, 2003)
Support for: iconv() TCPwrappers OpenSSL
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Contains exiscan-acl patch revision 28 (c) Tom Kistner
[
http://duncanthrax.net/exiscan/]
Configuration file is /usr/local/exim/configure
Any clues why I keep getting "relay not permitted" in my server log. If I
modify to allow relay via IP it works just fine for my IP but not my
friend's IP, which is correct. I would also like to use TLS later, once the
basic authentication is working.
Thanks in advance
Mike
_________________________________________________________________
Want to block unwanted pop-ups? Download the free MSN Toolbar now!
http://toolbar.msn.co.uk/