RE: [exim] problem with authentication (and esmtpa)

Author: Tony Finch
Date:  
To: Robert Cates
CC: exim-users
Subject: RE: [exim] problem with authentication (and esmtpa)
On Mon, 17 Oct 2005, Robert Cates wrote:

> OK, thanks Tony, but in my follow-up message I noticed in my log 'P=esmtpsa',
> when I send out per Courier IMAP(-SSL). I'm not sure what the differences
> are.

Hmm I see a slight documentation problem. $received_protocol refers to RFC
3848 which is the authoritative source. It should be cross-referenced
better. I'll suggest some changes to Philip.

> Next, I have 'relay_from_hosts = 127.0.0.1 : 192.168.1.0/24 : *.kormar.net :
> *.kormar.de' defined. Should I change that to 'hostlist relay_from_hosts =
> : @[] :'? Would that be better?


Yes.

> As far as my ACLs, I only have:
> acl_smtp_rcpt = acl_check_rcpt (the default, nothing changed)


You probably want to adjust the order. Exim 4.60 will have:

  accept  hosts         = :

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

  accept  hosts         = +relay_from_hosts

  accept  authenticated = *

  # DNS blacklist checks, commented out

  accept  domains       = +local_domains
          endpass
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  deny    message       = relay not permitted


> I would like to use:
> #acl_smtp_auth = acl_check_auth
> #acl_smtp_starttls = acl_check_auth
>
> #acl_check_auth:
>
> #  accept  hosts         = +auth_relay_hosts
> ##          endpass
> #  require verify        = sender
> #  accept  authenticated = *
> #  deny    domains       = !+local_domains
> #          message       = relay forbidden without authentication
>
> but I don't know how to set that up safely.


This won't work, because (1) you can't authenticate before TLS, so
requiring authentication in order to allow TLS doesn't make sense; (2)
the domains condition is only defined in the RCPT ACL - you don't know the
recipient address until then, so checking it beforehand is meaningless.

You don't need to use AUTH or STARTTLS ACLs unless you are doing something
very unusual.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
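To make the ordering argument in the reply concrete, here is an added example (not Exim's code and not from anyone in the thread): a small Python model of how Exim walks a RCPT ACL statement by statement, with the verbs accept, deny and require and the endpass marker, run over the 4.60-style ACL quoted above. The list contents (LOCAL_DOMAINS, RELAY_TO_DOMAINS, RELAY_FROM_HOSTS), the sample sessions and the `session`/`run_acl` helpers are constructed for this example; the model skips dnslists and control conditions and returns an empty message where real Exim would report the verification failure.

```python
import re

# Constructed stand-ins for the named lists (+local_domains etc.) in the exim config.
LOCAL_DOMAINS = {"example.net"}
RELAY_TO_DOMAINS = {"partner.example"}
RELAY_FROM_HOSTS = {"127.0.0.1", "192.168.1.10"}


def session(host, local_part, domain, authenticated=False,
            sender_verifies=True, recipient_exists=True):
    """Everything the RCPT ACL can see. host=None models a non-TCP/IP (local) submission.
    The recipient domain only exists at this point, which is why a 'domains'
    condition cannot be evaluated in an AUTH or STARTTLS ACL."""
    return {"host": host, "local_part": local_part, "domain": domain,
            "authenticated": authenticated, "sender_verifies": sender_verifies,
            "recipient_exists": recipient_exists}


def in_domain_list(s, arg):
    negate = arg.startswith("!")
    names = {"+local_domains": LOCAL_DOMAINS, "+relay_to_domains": RELAY_TO_DOMAINS}
    return (s["domain"] in names[arg.lstrip("!")]) != negate


def local_part_matches(s, arg):
    # "a : b : c" is a colon-separated list; items starting with ^ are regexes,
    # anything else (e.g. postmaster) is a literal local part.
    for pat in (p.strip() for p in arg.split(" : ")):
        if pat.startswith("^"):
            if re.match(pat, s["local_part"]):
                return True
        elif pat == s["local_part"]:
            return True
    return False


def host_matches(s, arg):
    if arg == "":                          # "hosts = :" matches only non-TCP/IP submissions
        return s["host"] is None
    return s["host"] in RELAY_FROM_HOSTS   # "+relay_from_hosts"


CONDITIONS = {
    "hosts": host_matches,
    "domains": in_domain_list,
    "local_parts": local_part_matches,
    "authenticated": lambda s, arg: s["authenticated"],
    "verify": lambda s, arg: s["sender_verifies"] if arg == "sender" else s["recipient_exists"],
}

# The Exim 4.60 default acl_check_rcpt as quoted in the mail, minus the dnslists.
# The config's doubled backslashes (\\.\\.) collapse to \.\. after Exim's string expansion.
DEFAULT_ACL = [
    ("accept", [("hosts", "")]),
    ("deny", [("message", "Restricted characters in address"),
              ("domains", "+local_domains"),
              ("local_parts", r"^[.] : ^.*[@%!/|]")]),
    ("deny", [("message", "Restricted characters in address"),
              ("domains", "!+local_domains"),
              ("local_parts", r"^[./|] : ^.*[@%!] : ^.*/\.\./")]),
    ("accept", [("local_parts", "postmaster"), ("domains", "+local_domains")]),
    ("require", [("verify", "sender")]),
    ("accept", [("hosts", "+relay_from_hosts")]),
    ("accept", [("authenticated", "*")]),
    ("accept", [("domains", "+local_domains"), ("endpass", None), ("verify", "recipient")]),
    ("accept", [("domains", "+relay_to_domains"), ("endpass", None), ("verify", "recipient")]),
    ("deny", [("message", "relay not permitted")]),
]


def run_acl(acl, s):
    """Return (verdict, message, index of the deciding statement).
    accept: all conditions true -> accept; a failure after endpass -> deny; else next.
    deny:   all conditions true -> deny; else next.
    require: any condition false -> deny; else next.
    Running off the end of the ACL is an implicit deny."""
    for i, (verb, conds) in enumerate(acl):
        message = dict(conds).get("message", "")
        after_endpass = False
        all_true = True
        for name, arg in conds:
            if name == "message":
                continue
            if name == "endpass":
                after_endpass = True
                continue
            if not CONDITIONS[name](s, arg):
                all_true = False
                break
        if verb == "accept":
            if all_true:
                return ("accept", "", i)
            if after_endpass:
                return ("deny", message, i)
        elif verb == "deny" and all_true:
            return ("deny", message, i)
        elif verb == "require" and not all_true:
            return ("deny", message, i)
    return ("deny", "end of ACL (implicit deny)", len(acl))


if __name__ == "__main__":
    # Constructed sessions: an authenticated client relaying, the same client
    # unauthenticated, and a local-part with a restricted leading dot.
    for s in (session("203.0.113.5", "alice", "elsewhere.example", authenticated=True),
              session("203.0.113.5", "alice", "elsewhere.example"),
              session("203.0.113.5", ".hidden", "example.net")):
        print(s["local_part"], s["domain"], "->", run_acl(DEFAULT_ACL, s))
```

The point the model makes visible is that the unauthenticated relay attempt is not rejected by any condition that mentions authentication at all: it simply fails to match every accept statement and falls through to the final `deny message = relay not permitted`. Moving `accept authenticated = *` below the recipient checks would not change that outcome, but placing it above `require verify = sender` would let authenticated clients skip sender verification, which is why the order in the 4.60 default matters.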