Re: [exim] problem with authentication (and esmtpa)

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Stephen Gran
Data:  
Para: exim-users
Assunto: Re: [exim] problem with authentication (and esmtpa)
On Mon, Oct 17, 2005 at 12:37:45PM +0200, Robert Cates said:
> OK, thanks Tony, but in my folow-up message I noticed in my log 'P=esmtpsa',
> when I send out per Courier IMAP(-SSL). I'm not sure what the differences
> are.
>
> Next, I have 'relay_from_hosts = 127.0.0.1 : 192.168.1.0/24 : *.kormar.net :
> *.kormar.de' defined. Should I change that to 'hostlist relay_from_hosts =
> : @[] :'? Would that be better?
>
> As far as my ACLs, I only have:
> acl_smtp_rcpt = acl_check_rcpt (the default, nothing changed)
> acl_smtp_data = acl_check_data (setup for SpamAssassin)
> acl_not_smtp = acl_check_data (setup for SpamAssassin)
>
> I would like to use:
> #acl_smtp_auth = acl_check_auth
> #acl_smtp_starttls = acl_check_auth
>
> #acl_check_auth:
>
> #  accept  hosts         = +auth_relay_hosts
> ##          endpass
> #  require verify        = sender
> #  accept  authenticated = *
> #  deny    domains       = !+local_domains
> #          message       = relay forbidden without authentication

>
> but I don't know how to set that up safely.


esmtp = client says EHLO instead of HELO
esmtpa = client says EHLO and AUTH
esmtps = client says EHLO and STARTTLS
esmptsa = client says EHLO, AUTH and STARTTLS

so, you want to look for esmtpsa in your logs.

A simple

accept authenticated = *

at the top of your rcpt acl will do what you want, I think. Doing a
sender verify and domain checks and so forth on authenticated
connections will prevent some of them from being accepted, rather than
accepting and bouncing later, which is what you want for dumb MUA
submitted email.

HTH,
--
--------------------------------------------------------------------------
|  Stephen Gran                  | People think love is an emotion.  Love  |
|  steve@???             | is good sense.   -- Ken Kesey           |
|  http://www.lobefin.net/~steve |                                         |

--------------------------------------------------------------------------