Re: [exim] exim 4.4 authentication

Author: Tony Finch
Date:  
To: Alan J. Flavell
CC: Exim users list
Subject: Re: [exim] exim 4.4 authentication
On Mon, 14 Mar 2005, Alan J. Flavell wrote:
>
> If you have no control over the network to which the client attaches
> (e.g. home or SOHO ISP connections), then that is all very true, and
> it's what we're now offering our users at the departmental level. But
> for fixed machines which are managed by the dept and wired to the dept
> network, we stayed with the old non-auth submission on port 25.

At the moment we allow unauthenticated message submission for machines on
our network, but we're planning to remove this option over the course of
the next 18 months. (It'll take that long because we have several thousand
computers to reconfigure.) This is part of a general effort to require
secure authentication for access to our email services.

I'm hoping that this will help us to keep ahead of increasingly clever
spam zombies and email viruses.

It should also simplify support, since the recommended configuration won't
depend on where your computer is plugged in.

> There is still one problematic area with that, however. When users
> contrive to produce a mail which the server rejects (e.g. they try to
> send a mail with its envelope-sender set to a defective address, or
> with broken header syntax etc.) then it seems some clients get very
> confused by the 5xx response from the server.

The answer to that is to accept and bounce instead of rejecting recipient
addresses at SMTP time. (You should of course thoroughly verify the return
path at SMTP time so that you are able to bounce the message.)

> Would there be any improvement in this area if we were to move to
> using the client submission port(s) instead of the SMTP port 25?

You need to make a clear distinction between message submission, MX, and
perhaps outgoing relay, so that your MTA behaves appropriately for each
kind of traffic. For example, accept-and-bounce is not appropriate for MX
and relay personalities. You can make the distinction by port number or by
server IP address. For an extended example, see
http://www.cus.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
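The following Exim 4 configuration fragment is an added illustration of the point made in the reply above (separate submission and MX personalities on one daemon, with accept-and-bounce only on the submission side); it is not Tony's configuration nor anything from the linked talk. It assumes submission on port 587 and MX on port 25, uses `example.org` as a placeholder local domain, and assumes `control = submission` is available in the Exim release in use.

```exim
# Added example, not from the original thread. One daemon, two personalities,
# chosen by the local port the connection arrived on ($interface_port).
daemon_smtp_ports = 25 : 587
acl_smtp_rcpt     = acl_check_rcpt

# Placeholder domain list; replace with the domains this host receives for.
domainlist local_domains = example.org

begin acl

acl_check_rcpt:
  # --- Submission personality (port 587) ---------------------------------
  # Only accept mail whose return path verifies, so that a problem found
  # after acceptance (bad header syntax, undeliverable recipient) can be
  # reported by bounce instead of by a 5xx that some MUAs handle badly.
  deny    condition = ${if = {$interface_port}{587}}
          !verify   = sender
          message   = return path could not be verified

  # Authenticated clients on the submission port are relayed without
  # recipient verification at SMTP time: accept now, bounce later.
  accept  condition     = ${if = {$interface_port}{587}}
          authenticated = *
          control       = submission

  # Unauthenticated submission is no longer offered, regardless of the
  # network the client is plugged into.
  deny    condition = ${if = {$interface_port}{587}}
          message   = authentication required on the submission port

  # --- MX personality (port 25) -------------------------------------------
  # Incoming mail for our own domains: reject unknown recipients at SMTP
  # time rather than accepting and bouncing, which is inappropriate for MX.
  accept  domains = +local_domains
          verify  = recipient

  # Anything else on port 25 is a relay attempt.
  deny    message = relay not permitted
```

The same split can be made on server IP address instead of port by testing `$interface_address` in the `condition` lines; the ACL structure is otherwise unchanged.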