Re: [exim] smarthost + authentication configuration problem …

Góra strony
Delete this message
Reply to this message
Autor: Tony Finch
Data:  
Dla: ji
CC: exim-users
Temat: Re: [exim] smarthost + authentication configuration problem ..
On Wed, 31 Aug 2005, ji wrote:
>
> but how decide exim which authentication entry should be used? where is
> the connection between transport entry and the authentication entry? if
> i have more than 1 smarthost?


Unfortunately this is one of the weak points of Exim's authentication
system. There are three ways you can alter client authentication
dependent on the server:

(1) Have one authenticator for each SASL mechanism, and use string
expansions in the authenticators' client settings to control which
credentials are selected for each server.

(2) Have multiple authenticators for each SASL mechanism, and use forced
expansion failures to prevent the undesired authenticators from being used
with a given server.

(3) Have multiple authenticators for each SASL mechanism, and rely on the
fact that Exim will try other plausible authenticators if authentication
fails. This will lead to spurious authentication failures which will
probably be logged by the server and may lead to upset sysadmins.

The first two possibilities are a result of this paragraph in the docs:

 .   When it finds one that matches, it runs the authenticator's client code.
     The variables $host and $host_address are available for any string
     expansions that the client might do. They are set to the server's name
     and IP address. If any expansion is forced to fail, the authentication
     attempt is abandoned, and Exim moves on to the next authenticator.
     Otherwise an expansion failure causes delivery to be deferred.


The third arises from this paragraph:

 .   If the response to authentication is a permanent error (5xx code), Exim
     carries on searching the list of authenticators and tries another one if
     possible. If all authentication attempts give permanent errors, or if
     there are no attempts because no mechanisms match (or option expansions
     force failure), what happens depends on whether the host matches
     "hosts_require_auth" or "hosts_try_auth". In the first case, a temporary
     error is generated, and delivery is deferred. The error can be detected
     in the retry rules, and thereby turned into a permanent error if you
     wish. In the second case, Exim tries to deliver the message
     unauthenticated.


Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}