Hi, I have been scouring the e-mails for about a week and a half, and
have tried putting together the things I found to create a working
combination of settings. I have not been successful in the one aspect of
the security settings I have been looking for: I REALLY need to deny
SMTP access to users who are not authenticated. I don't care whether
they use TLS or not; as it is right now, sending works with or without
TLS, but it also works without authentication, and that is the part I
need to lock out. Is there a setting that will do this for me? I have
tried everything I can see on these mailing lists, and it has helped me
get authentication working, but not remove the option to send without
authenticating. Please let me know! I have attached the file that exim
is using... I am running exim4, so commands that seemed to work in
exim3 don't. Anyway, please let me know! Thanks!
# this file is generated dynamically from the files in
# CONFDIR/conf.d/ or /etc/exim4/exim4.conf.template respectively and
# /etc/exim4/update-exim4.conf.conf
# Any changes you make here will be lost.
# See /usr/share/doc/exim4-base/README.Debian.gz and
# update-exim4.conf(8)
# Main section of the generated Debian exim4 configuration.
exim_path = /usr/sbin/exim4
CONFDIR = /etc/exim4
# Macro only: whether it takes effect depends on a message_size_limit
# setting that is not visible in this paste.
MESSAGE_SIZE_LIMIT = 4096M
domainlist local_domains = @:csernik.com:localhost
# NOTE(review): this line is why unauthenticated sending works. In
# acl_check_rcpt below, "accept domains = +relay_to_domains" is evaluated
# before the "hosts = +relay_from_hosts" and "authenticated = *" checks,
# so with "*" here every recipient domain is accepted from every client:
# the host is an open relay and the authentication checks are never
# reached for relaying. Leave the list empty (Debian: dc_relay_domains in
# /etc/exim4/update-exim4.conf.conf) so that only +relay_from_hosts and
# authenticated clients can relay.
domainlist relay_to_domains = *
# "::::1" is "::1" with each colon doubled, as Exim's colon-separated list
# syntax requires. The trailing empty item presumably comes from an unset
# MAIN_RELAY_NETS macro in the Debian template; an empty host-list item
# matches connections with no remote host (local submission) -- confirm
# that this is intended.
hostlist relay_from_hosts = 127.0.0.1 : ::::1 :
SUPPORT_MAILDIR = true
qualify_domain = csernik.com
# Smarthost/satellite macros are empty; the DCconfig_internet mode below
# is what selects the routers actually used.
DCreadhost =
DCsmarthost =
LOCAL_DELIVERY=maildir_home
gecos_pattern = ^([^,:]*)
gecos_name = $1
DCconfig_internet = 1
# Only the RCPT and DATA ACLs are wired up; there is no acl_smtp_auth or
# acl_smtp_mail in this file.
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
ifndef DC_minimaldns
host_lookup = *
endif
# Ident (RFC 1413) queries are sent to every connecting host with a 30s
# timeout; this only adds connection latency and does not authenticate
# anything.
rfc1413_hosts = *
rfc1413_query_timeout = 30s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
freeze_tell = postmaster
ifndef SPOOLDIR
SPOOLDIR = /var/spool/exim4
endif
spool_directory = SPOOLDIR
# Trusted users may supply arbitrary envelope senders on local submission.
trusted_users = uucp
log_selector = +tls_cipher +tls_peerdn
# STARTTLS is offered to every host, but nothing in this file requires
# TLS before AUTH is offered; see the authenticators section.
tls_advertise_hosts = *
# The private key should be readable only by the Exim user.
tls_certificate = /etc/exim4/exim.cert
tls_privatekey = /etc/exim4/exim.key
begin acl
# Helper ACL: accepts when the sending host or envelope sender appears in
# one of the optional local whitelist files (empty list when the file is
# absent, so nothing matches).
acl_whitelist_local_deny:
accept hosts = ${if exists{CONFDIR/local_host_whitelist}\
{CONFDIR/local_host_whitelist}\
{}}
accept senders = ${if exists{CONFDIR/local_sender_whitelist}\
{CONFDIR/local_sender_whitelist}\
{}}
# RCPT-time ACL. Order matters: verbs are evaluated top to bottom and the
# first accept/deny that matches ends the ACL.
acl_check_rcpt:
# Empty host item: accept everything from connections with no remote host
# (local command-line / -bs submission).
accept hosts = :
# Reject recipients with characters that could be interpreted by local
# delivery agents (pipes, path components).
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
message = restricted characters in address
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
message = restricted characters in address
accept local_parts = postmaster
domains = +local_domains
# NOTE(review): the next three lines look like a copy/paste artefact in
# the posted file -- the body of the cover e-mail has spilled into the
# message text and the continuation lacks a trailing backslash, which
# Exim would not parse. The option is presumably a single line ending
# "... is locally blacklisted here. If you think this is wrong, get in
# touch with postmaster"; confirm against the generated file.
deny message = sender envelope address $sender_address is locally
exim3 don't. Anyway, please let me know! Thanks! blacklisted here. If
you think this is wrong, get in touch with postmaster
!acl = acl_whitelist_local_deny
senders = ${if exists{CONFDIR/local_sender_blacklist}\
{CONFDIR/local_sender_blacklist}\
{}}
# Same paste damage here; the duplicated "you think this is wrong" text is
# not part of the Debian template.
deny message = sender IP address $sender_host_address is locally
you think this is wrong, get in touch with postmaster blacklisted here.
If you think this is wrong, get in touch with postmaster
!acl = acl_whitelist_local_deny
hosts = ${if exists{CONFDIR/local_host_blacklist}\
{CONFDIR/local_host_blacklist}\
{}}
# Inbound mail for our own domains: accept after the recipient verifies.
# This is required for the host to act as an MX, so unauthenticated
# delivery to +local_domains is expected here.
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
# NOTE(review): with relay_to_domains = * this verb accepts mail for any
# domain from any client, so the relay_from_hosts / authenticated checks
# below are never reached. Emptying relay_to_domains in the main section
# makes this verb match nothing and restores "relay only for trusted
# hosts or authenticated users". If the host is not an MX and no
# unauthenticated client should be able to send at all, the check would
# instead go before the +local_domains accept, e.g.
# "deny !hosts = +relay_from_hosts" / "!authenticated = *" -- confirm
# first that inbound MX delivery is not needed.
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
accept hosts = +relay_from_hosts
accept authenticated = *
deny message = relay not permitted
# DATA-time ACL: only adds a Message-ID for trusted hosts, then accepts.
acl_check_data:
warn condition = ${if !def:h_Message-ID: {1}}
hosts = +relay_from_hosts
message = Message-ID: <E$message_id@$primary_hostname>
accept
begin routers
# Routers are tried in order; "no_more" stops the search when a router
# declines. Only the DCconfig_internet branch is active in this file
# (DCconfig_internet = 1 in the main section).
ifdef DCconfig_internet
# Routes non-local domains listed in +relay_to_domains via DNS. With
# relay_to_domains = * this covers every non-local domain, so routing
# itself never limits relaying -- the ACL is the only gate.
dnslookup_relay_to_domains:
driver = dnslookup
domains = ! +local_domains : +relay_to_domains
transport = remote_smtp
same_domain_copy_routing = yes
no_more
# Fallback DNS router for non-local domains that are not relay_to_domains
# (unreachable while relay_to_domains = *).
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
same_domain_copy_routing = yes
# Refuse to deliver to addresses that resolve to unspecified, loopback,
# private (RFC 1918) or link-local ranges.
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16
no_more
endif
# Local-only mode: fail all non-local mail (inactive here).
ifdef DCconfig_local
nonlocal:
driver = redirect
allow_fail
data = :fail: Mailing to remote domains not supported
no_more
domains = ! +local_domains
endif
# Smarthost/satellite mode: send all non-local mail to DCsmarthost
# (inactive here; DCsmarthost is empty).
ifdef DCconfig_smarthost DCconfig_satellite
smarthost_rewrite:
debug_print = "R: smarthost_rewrite for $local_part@$domain"
driver = manualroute
domains = ! +local_domains
transport = remote_smtp_rewrite
route_list = * DCsmarthost
host_find_failed = defer
same_domain_copy_routing = yes
senders = *@+local_domains
no_more
smarthost:
debug_print = "R: smarthost for $local_part@$domain"
driver = manualroute
domains = ! +local_domains
transport = remote_smtp
route_list = * DCsmarthost
host_find_failed = defer
same_domain_copy_routing = yes
no_more
endif
# "real-<user>" bypasses aliases/.forward and delivers straight to the
# mailbox; used as the target for .forward syntax-error notices below.
real_local:
debug_print = "R: real_local for $local_part@$domain"
driver = accept
domains = +local_domains
local_part_prefix = real-
check_local_user
transport = LOCAL_DELIVERY
# /etc/aliases expansion. allow_fail/allow_defer let alias entries of the
# form :fail: / :defer: be honoured.
system_aliases:
debug_print = "R: system_aliases for $local_part@$domain"
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
# Satellite mode only (inactive here): forward local users to DCreadhost.
ifdef DCconfig_satellite
hub_user:
debug_print = "R: hub_user for $local_part@$domain"
driver = redirect
domains = +local_domains
data = ${local_part}@DCreadhost
check_local_user
endif
# Per-user ~/.forward handling. allow_filter plus pipe_transport lets a
# user's .forward run commands; those run under that user's uid via the
# pipe transport. check_ancestor prevents redirect loops back to the
# originating address.
userforward:
debug_print = "R: userforward for $local_part@$domain"
driver = redirect
domains = +local_domains
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
directory_transport = address_directory
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
skip_syntax_errors
syntax_errors_to = real-$local_part@$domain
syntax_errors_text = \
This is an automatically generated message. An error has\n\
been found in your .forward file. Details of the error are\n\
reported below. While this error persists, you will receive\n\
a copy of this message for every message that is addressed\n\
to you. If your .forward file is a filter file, or if it is\n\
a non-filter file containing no valid forwarding addresses,\n\
a copy of each incoming message will be put in your normal\n\
mailbox. If a non-filter file contains at least one valid\n\
forwarding address, forwarding to the valid addresses will\n\
happen, and those will be the only deliveries that occur.
# Hand off to procmail when the user has ~/.procmailrc and the binary
# exists ("+" marks a path whose absence defers rather than declines).
procmail:
debug_print = "R: procmail for $local_part@$domain"
driver = accept
domains = +local_domains
check_local_user
transport = procmail_pipe
require_files = ${local_part}:${home}/.procmailrc:+/usr/bin/procmail
no_verify
no_expn
# Same pattern for maildrop with ~/.mailfilter.
maildrop:
debug_print = "R: maildrop for $local_part@$domain"
driver = accept
domains = +local_domains
check_local_user
transport = maildrop_pipe
require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
no_verify
no_expn
# Default local delivery for every real user except root.
local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
domains = +local_domains
check_local_user
local_parts = ! root
transport = LOCAL_DELIVERY
# Mail for root is written to /var/mail/mail as user/group "mail", so no
# delivery ever runs with root privileges.
mail4root:
debug_print = "R: mail4root for $local_part@$domain"
driver = redirect
domains = +local_domains
data = /var/mail/mail
file_transport = address_file
local_parts = root
user = mail
group = mail
begin transports
# Transport used when a .forward or alias names a file.
address_file:
debug_print = "T: address_file for $local_part@$domain"
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
# Transport used when a .forward or alias names a command; the command
# runs with the privileges the router set (the user's own, for
# userforward). Any output on failure is returned to the sender.
address_pipe:
debug_print = "T: address_pipe for $local_part@$domain"
driver = pipe
return_fail_output
# Autoreply transport for filter "mail"/"vacation" commands.
address_reply:
debug_print = "T: autoreply for $local_part@$domain"
driver = autoreply
# Classic mbox delivery in /var/mail (not selected: LOCAL_DELIVERY is
# maildir_home). Group "mail" with mode 0660 is the usual mbox layout.
mail_spool:
debug_print = "T: appendfile for $local_part@$domain"
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
mode_fail_narrower = false
# Active local delivery: Maildir under the user's home, owner-only mode.
maildir_home:
debug_print = "T: maildir_home for $local_part@$domain"
driver = appendfile
directory = $home/Maildir/
delivery_date_add = true
envelope_to_add = true
return_path_add = true
maildir_format = true
mode = 0600
mode_fail_narrower = false
# Pipe transports use a fixed PATH and an absolute command, so the
# user's environment cannot substitute a different binary.
maildrop_pipe:
debug_print = "T: maildrop_pipe for $local_part@$domain"
driver = pipe
path = "/bin:/usr/bin:/usr/local/bin"
command = "/usr/bin/maildrop"
return_path_add
delivery_date_add
envelope_to_add
procmail_pipe:
debug_print = "T: procmail_pipe for $local_part@$domain"
driver = pipe
path = "/bin:/usr/bin:/usr/local/bin"
command = "/usr/bin/procmail"
return_path_add
delivery_date_add
envelope_to_add
# Outbound SMTP. Client-side authentication to the smarthost is only
# attempted in smarthost/satellite mode and only if passwd.client exists;
# neither applies in this file.
remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain"
driver = smtp
ifdef DCconfig_smarthost DCconfig_satellite
hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
endif
remote_smtp_rewrite:
debug_print = "T: remote_smtp_rewrite for $local_part@$domain"
driver = smtp
ifdef DCconfig_smarthost DCconfig_satellite
hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
endif
# Transport used when a .forward or filter names a directory (maildir).
address_directory:
debug_print = "T: address_directory for $local_part@$domain"
driver = appendfile
envelope_to_add = true
return_path_add = true
check_string = ""
escape_string = ""
maildir_format = true
begin retry
# Single catch-all retry rule: every 15 min for 2 h, then geometrically
# growing intervals (x1.5 from 1 h) up to 16 h, then every 6 h until 4 d.
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
# Rewrite local senders (From/Reply-To/Sender headers and envelope
# sender, flags Ffrs) using /etc/email-addresses; the lookup fails
# (no rewrite) when the user has no entry.
*@+local_domains ${lookup{${local_part}}lsearch{/etc/email-addresses}\
{$value}fail} Ffrs
# Second rule against CONFDIR/email-addresses, guarded on the file
# existing. With CONFDIR = /etc/exim4 these are two different files;
# presumably a transition between template versions -- confirm which
# one is meant to be authoritative.
*@+local_domains "${if exists {CONFDIR/email-addresses}\
{${lookup{${local_part}}lsearch{CONFDIR/email-addresses}\
{$value}fail}}fail}" Ffrs
begin authenticators
# NOTE(review): neither authenticator has a server_advertise_condition,
# so AUTH LOGIN and AUTH PLAIN are advertised on unencrypted connections
# and clients will send the password in the clear. Adding
# "server_advertise_condition = ${if def:tls_cipher}" to both limits
# them to STARTTLS sessions (tls_advertise_hosts = * already offers TLS).
#
# Both conditions ask the Courier authdaemon socket and succeed unless
# the reply is exactly "FAIL\n". That is a fail-open comparison: any
# other reply, including an empty or unexpected one, authenticates the
# client. Testing for authdaemon's positive success marker instead would
# be safer -- confirm its reply format. The client-supplied $1/$2 (or
# $2/$3) are also interpolated unescaped into a newline-delimited
# request, and ${length_76:...} silently truncates the request, so
# usernames or passwords near that length cannot authenticate reliably.
login:
driver = plaintext
public_name = LOGIN
# Doubled colons are literal colons in the prompt strings.
server_prompts = Username:: : Password::
server_condition = \
${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
{AUTH 76\n${length_76:exim\nlogin\n$1\n$2\
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}}
server_set_id = $1
# PLAIN: $1 is the (ignored) authorization id, $2 the user, $3 the
# password; the authenticated id recorded in the log is $2.
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = \
${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
{AUTH 76\n${length_76:exim\nlogin\n$2\n$3\
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}}
server_set_id = $2
___________________________________
DPO,
http://www.csernik.com