Re: [exim] Restricting SMTP access

Author: Tim Jackson
To: exim-users
Subject: Re: [exim] Restricting SMTP access
Edward Kay wrote:

> I want to stop any hosts that I don't explicitly allow from accessing my
> SMTP server.

[...]
> 1. I considered adding deny hosts = !+relay_hosts
This is good.

> at the top of the
> check_recipient ACL (after accept hosts = : and require verify = sender).
> From what I can see however, this would prevent our authenticated users on
> unknown hosts from using the SMTP server because it would come before:

[pop-before-SMTP ACL rules]

Fair enough. Can't you put the "deny hosts = !+relay_hosts" after these
checks?

A more radical solution which may be overkill for your situation but is
good in the general case is to use something like Tony Finch's fantastic
"personalities" idea:

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities

Here, you have different ACLs for different mailserver "personalities".
Personalities can be things like:

- inbound SMTP mailhub (MX)
- submission from end users (MUAs)
- smarthost services for other servers
- delivery personality (for actually delivering to end mailboxes)

In your case you would probably want the first two, the first for
deliveries from your scanning servers and the second for end users. You
differentiate between the personalities by running Exim on multiple IP
addresses, ports or both.

The extra bonus here is that it makes it easier and less messy to do
specific things (like turn on submission mode) for specific
personalities only. I've used an adapted version to great effect.
However it will mean pretty much rewriting your config from scratch.
Tony's examples are a great start.

Tim
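The following configuration fragment is an added illustration of both points in this reply (the "deny hosts = !+relay_hosts" placed where it cannot block authenticated users, and the port-based "personalities" split); it is not Tim's config, not from the thread, and not taken from Tony Finch's paper. The host list, domain, ACL names and ports are placeholder values chosen for the example.

```exim
# Placeholder lists: replace with the scanning servers and local domains you actually use.
hostlist   relay_hosts   = 192.0.2.10 : 192.0.2.11
domainlist local_domains = example.org

# Two listeners, one per personality: port 25 is the inbound/MX
# personality, port 587 is the submission personality for end users.
local_interfaces = 0.0.0.0.25 : 0.0.0.0.587

# Choose the RCPT ACL by the port the client connected to, so each
# personality gets its own, simpler, set of rules.
acl_smtp_rcpt = ${if ={$interface_port}{587}{acl_check_rcpt_submission}{acl_check_rcpt_mx}}

begin acl

# Port 25 personality: only the listed relay hosts may submit anything.
# The deny sits before any later check, which is safe here because no
# authentication is ever expected on this port.
acl_check_rcpt_mx:
  accept  hosts   = :
  deny    hosts   = !+relay_hosts
          message = SMTP access on this port is limited to authorised hosts
  require verify  = sender
  accept  domains = +local_domains
  deny    message = relay not permitted

# Port 587 personality: unknown hosts are expected, but they must
# authenticate before any recipient is accepted. Putting the accept for
# authenticated clients first is what keeps the final deny from shutting
# out roaming users.
acl_check_rcpt_submission:
  accept  hosts         = :
  accept  authenticated = *
          control       = submission
  deny    message       = authentication is required on the submission port
```

If you keep a single listener instead, the same ordering applies inside one ACL: the accept for authenticated (or pop-before-SMTP) clients goes first, and the "deny hosts = !+relay_hosts" follows it rather than sitting at the top.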