On Sun, 26 Jun 2005, Ralf Hauser wrote:
>
> 1) I guess as long as I have only one domain, I can do with something in my
> acl like
> deny
> message = Sender address does not match domain certificate domain
> senders = ! ^.*@$primary_domain
>
> without having authentication

Perhaps you mean $primary_hostname or $qualify_domain here.

> 2) if there are multiple domains using the domain certificate
> authentication, would there be an easy way to extract the domain out of the
> from-header and compare it with the domain found in the $tls_peerdn?

It's probably easier to use $sender_address_domain, which uses the return
path rather than the From: header, but these are usually the same.
Alternatively ${domain:$header_from:} might do the right thing (I haven't
checked).

> Or is it possible to only get the username from an AUTH without asking for
> the password instead?

There's a SASL mechanism called EXTERNAL which only passes the username,
and which relies on some non-SASL means to authenticate (e.g. SSL, trust,
etc.). However, you're unlikely to be able to use this if your client can't
use password authentication.

> Or shall I use a verify = sender ... as per
> http://exim.org/exim-html-4.50/doc/html/spec_39.html#IX2566 in acl_smtp_data
> or acl_not_smtp - do you have any examples?

verify = sender just checks that email can be delivered to the sender's
address; it cannot verify that the message was sent by who it appeared to
be sent by.

Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
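
The comparison discussed in this thread (return-path domain against the domain in the client certificate's DN), as an added Python example that is not code from the thread or from Exim. The function names are hypothetical, the DN strings and addresses are constructed, and it assumes the certificate has already been verified and carries the mail domain in its CN. It also shows why a pattern shaped like `^.*@domain`, with no end anchor, is looser than an exact domain comparison.

```python
import re

# DN layout varies by TLS library: "/C=GB/O=Example/CN=example.org" or
# "CN=example.org,O=Example,C=GB". Both layouts are accepted here.
_CN_RE = re.compile(r"(?:^|[,/])\s*CN=([^,/]+)", re.IGNORECASE)

def cert_domain(peer_dn):
    """Lower-cased CN taken from a peer DN string, or None if absent."""
    m = _CN_RE.search(peer_dn or "")
    return m.group(1).strip().lower().rstrip(".") if m else None

def sender_domain(envelope_sender):
    """Domain of the return path; None for the null sender used by bounces."""
    if not envelope_sender or "@" not in envelope_sender:
        return None
    return envelope_sender.rsplit("@", 1)[1].lower().rstrip(".")

def sender_matches_cert(envelope_sender, peer_dn):
    """True only when the whole sender domain equals the certificate CN."""
    s, c = sender_domain(envelope_sender), cert_domain(peer_dn)
    return s is not None and c is not None and s == c

def unanchored_match(envelope_sender, domain):
    """Pattern shape from the question: no trailing $, dots left unescaped."""
    return re.match(r"^.*@" + domain, envelope_sender) is not None

# Constructed sample input: (envelope sender, peer DN)
SAMPLES = [
    ("alice@example.org", "/C=GB/O=Example/CN=example.org"),
    ("Bob@EXAMPLE.ORG", "CN=example.org,O=Example,C=GB"),
    ("carol@example.org.invalid", "/C=GB/O=Example/CN=example.org"),
    ("", "/C=GB/O=Example/CN=example.org"),   # null sender
    ("dave@example.org", ""),                 # no client certificate
]

if __name__ == "__main__":
    for sender, dn in SAMPLES:
        verdict = "accept" if sender_matches_cert(sender, dn) else "deny"
        loose = unanchored_match(sender, cert_domain(dn) or "")
        print(f"{sender!r:32} exact={verdict:6} unanchored_regex={loose}")
```

The third sample is denied by the exact comparison but accepted by the unanchored pattern, so an ACL built on a regular expression needs an end anchor and escaped dots.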