[exim] Exim strict SMTP Authentication

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: EDP Operations
Dátum:  
Címzett: exim-users
Tárgy: [exim] Exim strict SMTP Authentication
Hi

We are using exim 4.51 on Redhat Linux 3 ES. We enabled the authentication using Cyrus pwcheck module. Our mail server is in the internet, we are able to access the mail server(using Outlook Express) only after putting our IP address on the host_auth_accept_relay. Few of our client PCs connecting thru dial-up or some other mode where in we are not able to determine the IP address of the hosts.

Kindly go thru our below exim.conf and tell us what is to be done to implement strict authentication without relaying. We want only authenticated users to be relayed. We do not want to use host_auth_accept_relay by putting our IP address.

Our configuratio has :

domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
hostlist auth_relay_hosts = *
hostlist host_auth_accept_relay = 127.0.0.1 : xxx.xxx.xxx.xxx : xxx.xxx.xxx.xxx :
(xxx.xxx.xxx.xxx - our known network IPs)

Our ACL :

######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept hosts = :

# accept authenticated = *

#############################################################################
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. It blocks local parts that begin with a dot or contain @ % ! / or |.
# If you have local accounts that include these characters, you will have to
# modify this rule.

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


# The second rule applies to all other domains, and is less strict. This
# allows your own users to send outgoing messages to sites that use slashes
# and vertical bars in their local parts. It blocks local parts that begin
# with a dot, slash, or vertical bar, but allows these characters within the
# local part. However, the sequence /../ is barred. The use of @ % and ! is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote sites.

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  #############################################################################


# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains


# Deny unless the sender address can be verified.

  require verify        = sender


  #############################################################################
  # There are no checks on DNS "black" lists because the domains that contain
  # these lists are changing all the time. However, here are two examples of
  # how you could get Exim to perform a DNS black list lookup at this point.
  # The first one denies, while the second just warns.
  #
  # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
  #         dnslists      = black.list.example
  #
  # warn    message       = X-Warning: $sender_host_address is in a black list at $dnslist_domain
  #         log_message   = found in $dnslist_domain
  #         dnslists      = black.list.example
  #############################################################################


# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

  accept  domains       = +local_domains
          endpass
          verify        = recipient


# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient


# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.

accept hosts = +relay_from_hosts

# accept hosts = +host_accept_relay

   accept  hosts = +host_auth_accept_relay
#           endpass
#           message = authentication requiredd
#           authenticated = *


#   accept  hosts = +auth_relay_hosts
#           endpass
#           message = authentication required
#           authenticated = *


# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

accept authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

  deny    message       = Authentication required to send mail
          !authenticated = *


Authentication has :

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


# There are no authenticator specifications in this default configuration file.

begin authenticators

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pwcheck{$1:$2}{1}{0}}"
server_set_id = $1

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${if pwcheck{$2:$3}{1}{0}}"
server_set_id = $2


Thanks


VIS