On Mon, 17 Oct 2005, Robert Cates wrote:
> OK, thanks Tony, but in my follow-up message I noticed in my log 'P=esmtpsa',
> when I send out per Courier IMAP(-SSL). I'm not sure what the differences
> are.
Hmm I see a slight documentation problem. $received_protocol refers to RFC
3848 which is the authoritative source. It should be cross-referenced
better. I'll suggest some changes to Philip.
> Next, I have 'relay_from_hosts = 127.0.0.1 : 192.168.1.0/24 : *.kormar.net :
> *.kormar.de' defined. Should I change that to 'hostlist relay_from_hosts =
> : @[] :'? Would that be better?
Yes.
> As far as my ACLs, I only have:
> acl_smtp_rcpt = acl_check_rcpt (the default, nothing changed)
You probably want to adjust the order. Exim 4.60 will have:
  accept  hosts = :

  deny    message     = Restricted characters in address
          domains     = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  deny    message     = Restricted characters in address
          domains     = !+local_domains
          local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts = postmaster
          domains     = +local_domains

  require verify      = sender

  accept  hosts       = +relay_from_hosts

  accept  authenticated = *

  # DNS blacklist checks, commented out

  accept  domains     = +local_domains
          endpass
          verify      = recipient

  accept  domains     = +relay_to_domains
          endpass
          verify      = recipient

  deny    message     = relay not permitted
> I would like to use:
> #acl_smtp_auth = acl_check_auth
> #acl_smtp_starttls = acl_check_auth
>
> #acl_check_auth:
>
> # accept hosts = +auth_relay_hosts
> ## endpass
> # require verify = sender
> # accept authenticated = *
> # deny domains = !+local_domains
> # message = relay forbidden without authentication
>
> but I don't know how to set that up safely.
This won't work, because (1) you can't authenticate before TLS, so
requiring authentication in order to allow TLS doesn't make sense; (2)
the domains condition is only defined in the RCPT ACL - you don't know the
recipient address until then, so checking it beforehand is meaningless.
You don't need to use AUTH or STARTTLS ACLs unless you are doing something
very unusual.
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
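
Added example, not part of the original message and not Exim code: a simplified first-match model of the RCPT ACL quoted in the reply, showing which statement decides for a given client and recipient, so the effect of the statement order can be checked. The function name check_rcpt, the domain sets and the sample addresses are constructed assumptions; sender and recipient verification results are passed in rather than performed.

```python
# Added illustration: simplified first-match model of the RCPT ACL quoted above.
# Not Exim code; verification outcomes are passed in rather than performed.
import ipaddress
import re

LOCAL_DOMAINS = {"example.org"}        # constructed stand-in for +local_domains
RELAY_TO_DOMAINS = {"backup.example"}  # constructed stand-in for +relay_to_domains
# IP entries of the quoted relay_from_hosts; hostname patterns are left out.
RELAY_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.1.0/24")]

BAD_LOCAL = re.compile(r"^[.]|^.*[@%!/|]")              # for +local_domains
BAD_REMOTE = re.compile(r"^[./|]|^.*[@%!]|^.*/\.\./")   # for other domains


def check_rcpt(host, authenticated, rcpt, sender_ok=True, rcpt_ok=True):
    """Return (verdict, deciding statement) for one RCPT command.

    host is the client IP as a string, or "" for local non-TCP submission.
    """
    local_part, _, domain = rcpt.lower().rpartition("@")
    is_local = domain in LOCAL_DOMAINS
    if host == "":
        return "accept", "hosts = :"
    if (BAD_LOCAL if is_local else BAD_REMOTE).search(local_part):
        return "deny", "Restricted characters in address"
    if is_local and local_part == "postmaster":
        return "accept", "local_parts = postmaster"
    if not sender_ok:
        return "deny", "require verify = sender"
    if any(ipaddress.ip_address(host) in net for net in RELAY_NETS):
        return "accept", "hosts = +relay_from_hosts"
    if authenticated:
        return "accept", "authenticated = *"
    if is_local or domain in RELAY_TO_DOMAINS:
        # endpass: once the domain matched, a failed verify denies outright.
        which = "+local_domains" if is_local else "+relay_to_domains"
        if rcpt_ok:
            return "accept", "domains = " + which
        return "deny", "verify = recipient"
    return "deny", "relay not permitted"


if __name__ == "__main__":
    for args in [("203.0.113.5", False, "user@elsewhere.example"),
                 ("203.0.113.5", True, "user@elsewhere.example"),
                 ("192.168.1.20", False, "a%b@elsewhere.example")]:
        print(args, "->", check_rcpt(*args))
```

The third sample shows the ordering effect: a host in relay_from_hosts is still refused when the address contains restricted characters, because that check runs before the relay accept.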