[exim] SMTP authentication not working

Top Page
Delete this message
Reply to this message
Author: Mike Green
Date:  
To: exim-users
Subject: [exim] SMTP authentication not working
Hi list

I am trying to setting up a mail server to allow users to send mail from any
IP as long as they can be authenticated. Been searching the archives and
have tried all sorts but I must be missing something. Below is my config
file. I'm trying to send an email through the server using outlook 2003
client.

primary_hostname = host.domain.com

domainlist local_domains = @ : localdoamin.com : localdomain2.com
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt

acl_smtp_data = acl_check_data

av_scanner = clamd:127.0.0.1 3310

spamd_address = 127.0.0.1 783

never_users = root

host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 30s

log_selector = +all

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

smtp_accept_queue_per_connection = 1000
smtp_accept_max_per_connection = 10000
extract_addresses_remove_arguments = false

auth_advertise_hosts = *
tls_advertise_hosts = *
tls_certificate = /usr/local/exim/cert
tls_privatekey = /usr/local/exim/key

begin acl

acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept hosts = :


#############################################################################
# The following section of the ACL is concerned with local parts that
contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts,
but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part
starting
# with a dot or containing /../ can cause trouble if it is used as part of
a
# file name (e.g. for a mailing list). This is also true for local parts
that
# contain slashes. A pipe symbol can also be troublesome if the local part
is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied
to
# messages that are addressed to one of the local domains handled by this
# host. It blocks local parts that begin with a dot or contain @ % ! / or
|.
# If you have local accounts that include these characters, you will have
to
# modify this rule.

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


# The second rule applies to all other domains, and is less strict. This
# allows your own users to send outgoing messages to sites that use
slashes
# and vertical bars in their local parts. It blocks local parts that begin
# with a dot, slash, or vertical bar, but allows these characters within
the
# local part. However, the sequence /../ is barred. The use of @ % and !
is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote
sites.

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


#############################################################################

# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains


# Deny unless the sender address can be verified.

  require verify        = sender



#############################################################################
  # There are no checks on DNS "black" lists because the domains that 
contain
  # these lists are changing all the time. However, here are two examples of
  # how you could get Exim to perform a DNS black list lookup at this point.
  # The first one denies, while the second just warns.
  #
  # deny    message       = rejected because $sender_host_address is in a 
black list at $dnslist_domain\n$dnslist_text
  #         dnslists      = black.list.example
  #
  # warn    message       = X-Warning: $sender_host_address is in a black 
list at $dnslist_domain
  #         log_message   = found in $dnslist_domain
  #         dnslists      = black.list.example


#############################################################################

# Accept if the address is in a local domain, but only if the recipient
can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient


# Accept if the address is in a domain for which we are relaying, but
again,
# only if the recipient can be verified.

  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient


# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should
probably
# add recipient verification here.

  accept  hosts         = +relay_from_hosts


# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

accept authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

  deny    message       = relay not permitted


acl_check_mime:

# Decode MIME parts to disk. This will support virus scanners later.
warn decode = default

  # File extension filtering.
  deny message = Blacklisted file extension detected
       condition = ${if match \
                        {${lc:$mime_filename}} \
                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                     {1}{0}}


  # Reject messages that carry chinese character sets.
  # WARNING: This is an EXAMPLE.
  deny message = Sorry, noone speaks chinese here
       condition = ${if eq{$mime_charset}{gb2312}{1}{0}}


accept

acl_check_data:

  # Reject virus infested messages.
  deny  message = This message contains malware ($malware_name)
        demime = *
        malware = *


  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide 
settings
  # (user "nobody"), no matter if over threshold or not.
  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        spam = nobody:true
  warn  message = X-Spam-Report: $spam_report
        spam = nobody:true


  # Add X-Spam-Flag if spam is over system-wide threshold
  warn message = X-Spam-Flag: YES
       spam = nobody


  # Reject spam messages with score over 10, using an extra condition.
  deny  message = This message scored $spam_score points. Congratulations!
        spam = nobody:true
        condition = ${if >{$spam_score_int}{100}{1}{0}}


accept

begin routers

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe

userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user

begin transports

remote_smtp:
driver = smtp
hosts_require_auth=*

remote_tlssmtp:
driver = smtp
hosts_require_tls=*
hosts_require_auth=*

local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

begin retry



*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


begin rewrite

begin authenticators

plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if
eq{$3}{${lookup{$2}lsearch{/usr/local/exim/passwd}{$value}fail}}{yes}{no}}
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if
eq{$2}{${lookup{$1}lsearch{/usr/local/exim/passwd}{$value}fail}}{yes}{no}}
server_set_id = $1

cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${if
eq{$2}{${lookup{$1}lsearch{/usr/local/exim/passwd}{$value}fail}}{yes}{no}}
server_set_id = $1

===========================

My password contains

username secret


This is the output from exim -bV

Exim version 4.43 #1 built 30-Oct-2004 17:21:25
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.1.25: (October 24, 2003)
Support for: iconv() TCPwrappers OpenSSL
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Contains exiscan-acl patch revision 28 (c) Tom Kistner
[http://duncanthrax.net/exiscan/]
Configuration file is /usr/local/exim/configure

Any clues why I keep getting "relay not permitted" in my server log. If I
modify to allow relay via IP it works just fine for my IP but not my
friend's IP, which is correct. I would also like to use TLS later, once the
basic authentication is working.

Thanks in advance

Mike

_________________________________________________________________
Want to block unwanted pop-ups? Download the free MSN Toolbar now!
http://toolbar.msn.co.uk/