Re: [exim] Accepting messages to certain transport by authen…

Author: Phil Pennock
To: Ville Mattila
CC: exim-users
Subject: Re: [exim] Accepting messages to certain transport by authentication
On 2006-02-23 at 15:26 +0200, Ville Mattila wrote:
> would like to create a configuration that accepts messages to this
> router/transport only if
> a) the SMTP user has authenticated (and if possible, only as a certain user)
> b) the SMTP connection comes from a certain domain or domains
>
> What would be the best way to carry out such a configuration?


"best" is subjective, but assuming you mean for _either_ of those rules
to apply (otherwise change "or" to "and"):

 condition = ${if or {\
     {def:authenticated_id}\
     {match_ip{$sender_host_address}{+hosts_allowed_to_use_me}}\
    } {yes}{no}}


Define the hostlist "hosts_allowed_to_use_me" in the main config
section. It needs to contain _IP_ lookups, not hostname lookups, since
that's generally a better way to go. You can use match_domain and a
domainlist, using $sender_host_name, if you really truly want that, but
I advise against it.

To match on just a certain user, define that user at the start in a
macro (good practice), say:

SPECIAL_ROUTER_AUTHUSER=fred

then use:

 condition = ${if or {\
     {eq{$authenticated_id}{SPECIAL_ROUTER_AUTHUSER}}\
     {match_ip{$sender_host_address}{+hosts_allowed_to_use_me}}\
    } {yes}{no}}


You can also use $authenticated_sender instead of $authenticated_id, to
match the authenticated sender address instead of the authentication
userid. If you authenticate on multiple domains, you can even then use
things like ${domain:$authenticated_sender} as a lookup key in a file or
database or LDAP server or whatever.

Sections 10 and 11 of the specification (spec.txt or whichever other
format) will prove helpful for looking further into this.

If you're using a decent framework underneath the authentication stuff
(eg, LDAP) then you can move the authorisation "flag" out to there, to
keep the data in one place instead of scattered across configuration
files, then replace the equality check against SPECIAL_ROUTER_AUTHUSER
with a lookup.

Regards,
--
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
-- Roger BW on topic of verb conjugation
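The pieces Phil describes, assembled into one configuration fragment as an added example. This is not code from the original post or from the Exim distribution; the macro value, the list name and its addresses, the router and transport names, the `+local_domains` list and the lsearch file path are assumptions chosen for illustration.

```exim
# Added example (not from the original post or from Exim itself).
# Names, addresses and the file path below are assumptions for illustration.

# ---- main configuration section (before any "begin ...") ----

# Macros are substituted textually when the config file is read, so
# they have to be defined before the first use.
SPECIAL_ROUTER_AUTHUSER = fred

# Named host list of IP addresses / CIDR blocks (":" separates items).
# Keep this as IP data rather than hostnames, as recommended above.
hostlist hosts_allowed_to_use_me = 192.0.2.0/24 : 198.51.100.7

# ---- routers section ----
begin routers

# Either rule is enough here ("or"); change "or" to "and" if both must hold.
# $authenticated_id is empty on a session that did not complete SMTP AUTH,
# so "eq" against the macro cannot match an unauthenticated sender.
special_router:
  driver = accept
  domains = +local_domains
  local_parts = special
  condition = ${if or {\
      {eq{$authenticated_id}{SPECIAL_ROUTER_AUTHUSER}}\
      {match_ip{$sender_host_address}{+hosts_allowed_to_use_me}}\
    } {yes}{no}}
  transport = special_transport

# Alternative "condition" for the same router, with the authorisation
# flag kept in data instead of a macro. /etc/exim/special_router_users
# is an assumed lsearch file with one authenticated user id per line;
# the lookup yields "yes" on a hit and "no" otherwise. The def: guard
# is defensive: it keeps an empty key from ever being looked up.
#
#  condition = ${if or {\
#      {and{\
#        {def:authenticated_id}\
#        {eq{${lookup{$authenticated_id}lsearch{/etc/exim/special_router_users}{yes}{no}}}{yes}}\
#      }}\
#      {match_ip{$sender_host_address}{+hosts_allowed_to_use_me}}\
#    } {yes}{no}}
```

Two points worth checking before relying on this: the `def:` condition takes the variable name without a leading `$`, and every `match_ip{...}{...}` item inside the `or` list needs its own closing brace, so count the braces after editing (an unbalanced expansion fails at run time rather than at config load). Routers are tried in order, so place this router before the general-purpose ones that would otherwise accept the same local part.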