Re: [exim] Setup for authenticated submission

Author: Bill Hacker
Date:
To: exim-users
Subject: Re: [exim] Setup for authenticated submission
Jakob Hirsch wrote:

> Bill Hacker wrote:
>
>
>>>>- selecting different acl routing rules for different user groups
>>>
>>>Depending on the incoming port? Sounds not very reliable.
>>
>>Why so? Incoming ports tend to stay where you put 'em.
>
>
> Sure, but client configurations tend to change all the time.


Not unless we choose to install new ones.

> And what
> stops people from using one of the other many ports you provide?
>


The fact that the system will not authenticate them seems to work fine...

>
>>Helps with getting the correct outbound helo set up for a virtual-domain
>
>
> helo is not correlated to the sender domain (unless you want to disguise
> poorly).


NOT. Quite the reverse. We want it to *match* the sender's {domain}.

> It should resolve to the connecting IP address, and vice versa,
> which could be nasty if you use many different helos.


Not under the sending MTA's control in a multi-domain environment.

Where the DNS carries multiple PTR records for one IP, as it may for
virtual hosting, any one of the several valid domain.tld may be
furnished in response to a lookup of the IP.

Call that 'challenge ONE', traditionally solved by using up a separate
IP for each domain, OR using a 'none of the above' PTR record for the mx
hosting many virtual domains.

The first is wasteful of a scarce resource (IP's), the second is not
optimal if the far-end is looking at the sender's {domain} against the
helo (as we ourselves do).

That we *can* control with 'helo_data' - to at least match the helo to
our sender's {domain}. 'Challenge TWO'.

Look at headers on my posts over time and note that the same server IP
may have been seen as any one of three domains.
We are still working on that. Meanwhile, at least the helo matches the
domain of the e-mail address.

Exim would score a 'mismatch' on the helo otherwise, but does NOT
(inherently) care so much about 'challenge ONE', the sender_host_address
matching the forward-lookup of the valid PTR found from it - only that
there IS one.

All that 'motion', basically so that we can satisfy the likes of AOL and
our own rather picky Exim servers - without using up more IP's than the
'traffic' would justify.

Trying to get as 'standard' as we can on the 'public' side.

A bit of 'weird' on the MUA side is part of how we can do that reliably.

belt and braces.....

> Well, I hope your mail system works better than your homepage...
>


What homepage??

Bill
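
The two checks the message above calls 'challenge ONE' and 'challenge TWO', as a receiving host might evaluate them. This is an added illustration, not part of the original post and not Exim's own logic. The zone data, address and function names are constructed, and "match" is assumed to mean the HELO equals the sender's domain or names a host inside it.

```python
# Constructed sample data: one documentation IP hosting three virtual domains.
IP = "192.0.2.25"
FWD = {  # forward (A) records
    "mail.example.com": [IP], "mail.example.net": [IP],
    "mail.example.org": [IP], "mx.hosting.example": [IP],
}
MULTI_PTR = {IP: ["mail.example.com", "mail.example.net", "mail.example.org"]}
SHARED_PTR = {IP: ["mx.hosting.example"]}  # the 'none of the above' PTR


def norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def confirmed_ptr_names(ip, ptr, fwd):
    """Challenge ONE: PTR names for ip whose forward lookup returns ip again."""
    return [norm(n) for n in ptr.get(ip, []) if ip in fwd.get(norm(n), [])]


def helo_matches_sender(helo, sender):
    """Challenge TWO: HELO is the sender's domain or a host inside it."""
    helo, domain = norm(helo), norm(sender.rsplit("@", 1)[1])
    return helo == domain or helo.endswith("." + domain)


def assess(ip, helo, sender, ptr, fwd):
    """Return each check separately so a mismatch can be traced to its cause."""
    confirmed = confirmed_ptr_names(ip, ptr, fwd)
    return {
        "has_ptr": bool(ptr.get(ip)),
        "fcrdns": bool(confirmed),
        "helo_in_ptr_set": norm(helo) in confirmed,
        "helo_matches_sender": helo_matches_sender(helo, sender),
    }


if __name__ == "__main__":
    sender = "bob@example.net"
    cases = [
        ("multiple PTRs, per-domain helo", "mail.example.net", MULTI_PTR),
        ("shared PTR, shared helo", "mx.hosting.example", SHARED_PTR),
        ("shared PTR, per-domain helo", "mail.example.net", SHARED_PTR),
    ]
    for label, helo, ptr in cases:
        print(label, assess(IP, helo, sender, ptr, FWD))
```

With a single shared PTR, no one HELO value satisfies both the PTR comparison and the sender-domain comparison, which is the trade-off the message describes.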