Re: [exim] Configuring smtp

Author: Phil Pennock
Date:  
To: Jonathan Chong
CC: exim-users
Subject: Re: [exim] Configuring smtp

On 2006-02-28 at 15:13 +0000, Jonathan Chong wrote:
> I've managed to configure my exim so that it is sending and receiving
> mails, but only from PHP's mail function.
>
> If I am using a mail client like Thunderbird and attempt to use my
> server as an smtp server, it tells me that relaying is not allowed.
>
> I suppose I am missing something in my exim.conf?


In the area after "begin acl" and before the next "begin" there should
be something checking recipient addresses; if it's not obvious, then the
exact name will be given in the first section, as the value of the
"acl_smtp_rcpt" option.

This needs to "accept" email from the list of hosts for which you're
willing to relay; that list needs to be as small as possible, to avoid
your mail-server becoming an open relay. Typically, there's a stanza
something like:

  accept  hosts         = +relay_from_hosts
          control       = submission


which says "accept this recipient if the connecting host matches the
hostlist 'relay_from_hosts'". If there's no such item in the recipient
ACL then add it just before "deny message = relay not permitted". (The
control bit says "do fixups for the mail-client, too".)

Somewhere in the first section of the config will be a definition of the
hostlist; make sure that your local trusted network is in that list; eg,
if you're using NAT at home to use private RFC1918 address space, you'd
have something like:

# We will send mail to any destination if the connection comes from this:
hostlist relay_from_hosts = 127.0.0.1 : @[] : 192.168.1.0/24

> Also, if it's not too much of a bother, my emails go out as "nobody AT
> ashburrn.com on behalf of info AT arsenal-mania.com", replacing the AT
> with @.


Exim was originally designed to be safe for use on multi-user Unix
systems, so by default will require that the LHS ("nobody") is that of
the actual userid of the invoking process.

Unfortunately, PHP only lets you configure it to submit mail by SMTP to
localhost under Win32. :^( That would bypass the check. So instead,
you'll need to tell Exim which users are allowed to fake up the sender
address.

That's the trusted_users / trusted_groups settings. You could add
nobody into trusted_users.


As an aside: since you're building up the system now, it's probably the
time to sort out not abusing the "nobody" user; if every sub-system
wanting an unprivileged user always uses "nobody" then when you find
that "nobody" has done something wrong, you'll have no idea which one it
is. So it's generally good to use per-service unprivileged users, if
you can. Some OSes/distributions make this easier than others and don't
worry if it'd be too much work with yours, but otherwise consider using
a "wwwrun" or "www" user, which doesn't own any config files and just
has write permission to temp directories, for your Apache set-up.

That way, you can also just tell exim "trusted_users = wwwrun" and at
least limit the ability to set a LHS to web applications. Of course,
that door might be about the size of the wall it's in ...
--
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
-- Roger BW on topic of verb conjugation
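
Added example (not part of the original message, and not Exim's own tooling): a small Python check that reads the two settings discussed above, relay_from_hosts and trusted_users, and flags relay entries outside loopback/RFC1918 space as well as the shared "nobody" account. It assumes the default colon list separator and IPv4 items only; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Ranges treated as local here: loopback plus the RFC1918 private blocks.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not a real configuration.
SAMPLE_CONF = """\
hostlist relay_from_hosts = 127.0.0.1 : @[] : 192.168.1.0/24 : 0.0.0.0/0 : *.example.net
trusted_users = nobody : wwwrun
"""

def get_option(conf, name_pattern):
    """Return the value of the first uncommented 'name = value' line, or ''."""
    for line in conf.splitlines():
        m = re.match(r"\s*" + name_pattern + r"\s*=\s*(.*)$", line)
        if m:
            return m.group(1)
    return ""

def audit_relay_hosts(conf):
    """Label each relay_from_hosts item 'ok', 'public' or 'review'."""
    findings = []
    for item in get_option(conf, r"hostlist\s+relay_from_hosts").split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@[]":  # Exim: this host's own interface addresses
            findings.append((item, "ok"))
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:  # host names, wildcards, lookups: check by hand
            findings.append((item, "review"))
            continue
        local = net.version == 4 and any(net.subnet_of(n) for n in LOCAL_NETS)
        findings.append((item, "ok" if local else "public"))
    return findings

def shared_trusted_users(conf, shared=("nobody",)):
    """Return trusted_users entries that are shared catch-all accounts."""
    users = get_option(conf, r"trusted_users").split(":")
    return [u.strip() for u in users if u.strip() in shared]

if __name__ == "__main__":
    for item, verdict in audit_relay_hosts(SAMPLE_CONF):
        print(f"relay_from_hosts {item}: {verdict}")
    print("shared trusted_users:", shared_trusted_users(SAMPLE_CONF))
```

Any item reported as "public" or "review" is one to justify by hand before leaving it in the relay list.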