Re: [exim] RFC

Author: Nigel Metheringham
Date:  
To: exim-users
Subject: Re: [exim] RFC
On Wed, 2005-09-14 at 16:42 +0200, Pieter Ennes wrote:
> Is there a way to limit rfc 1413 callouts to non-authenticated connections?


I think not, because (from memory) the RFC1413 query occurs very early
on in the transaction, before the client will have had a chance to
authenticate.

If you could, then the mechanism you want is described in the expansion
variables section of the spec:-
        $sender_host_authenticated: This variable contains the name (not
        the public name) of the authenticator driver which successfully
        authenticated the client from which the message was received. It
        is empty if there was no successful authentication.



> This way, MUAs won't be bothered with a timeout when the callout is stuck
> in someone's firewall.


The answer to this is to use the standard MSA port (port 587) for MUA to
MTA submission and to do something like this:-
        rfc1413_hosts = *
        rfc1413_query_timeout = ${if eq{$interface_port}{587}{0}{5}}


which will give an (untested) 5 second timeout for folks connecting to
ports other than 587 and no query for those on 587. You should also
have the (standard) ACL conditions so 587 *enforces* authentication (and
probably TLS).

There are other advantages, such as avoiding port 25 blocks.

    Nigel.
-- 
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
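
An added illustration, not part of the message above and not taken from the Exim distribution: one way to write the ACL conditions the message mentions, so that port 587 refuses mail unless the session is encrypted and authenticated. The ACL name acl_check_mail and the rejection texts are assumptions; $interface_port is the variable the message uses, and $tls_cipher is its TLS counterpart from the same era (newer Exim releases call these $received_port and $tls_in_cipher).

```exim
# --- main configuration section ---

# Listen on the MTA port and on the submission (MSA) port.
daemon_smtp_ports = 25 : 587

# Offer STARTTLS to every client.
tls_advertise_hosts = *

# Advertise AUTH only once the session is encrypted, so that
# credentials are never sent in clear text.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

# Run the checks below at MAIL FROM time.
acl_smtp_mail = acl_check_mail

# --- ACL section ---
begin acl

acl_check_mail:

  # Port 587: refuse sessions that have not negotiated TLS.
  deny    condition     = ${if eq{$interface_port}{587}{yes}{no}}
          !encrypted    = *
          message       = TLS is required on the submission port

  # Port 587: refuse sessions that have not authenticated.
  deny    condition     = ${if eq{$interface_port}{587}{yes}{no}}
          !authenticated = *
          message       = Authentication is required on the submission port

  # Port 25 traffic and authenticated port 587 traffic continue to
  # the later ACLs (RCPT, DATA) as usual.
  accept
```

With this in place, skipping the RFC 1413 query on port 587 does not lose any sender identification, because every message accepted there carries an authenticated identity in $sender_host_authenticated.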