Re: [exim] Exim domain and login checks for relay

Page principale
Supprimer ce message
Répondre à ce message
Auteur: W B Hacker
Date:  
À: exim users
Sujet: Re: [exim] Exim domain and login checks for relay
MrTheo wrote:
> Hi,
>
> I'm currently setting up a mail system on a linux server that currently
> hosts 3 domains. Every domain has its specific mail addresses, and all mail
> users have a local user account with mail directories in their home dirs.
>
> Everything is working fine as it is and people can send and receive mail
> using squirrelmail. But now I'm trying to get pop3 and smtp from outside
> working. Pop3 is working now, but I'm having some problems getting the smtp
> to work the way I want. Right now relaying is off and no one is able to use
> it from the outside. Turning relaying on for all domains allows people to
> use my server for sending mails from any address they want, so that's not
> the intention either.
>
> What I want is that someone who wants to send a mail using the server's smtp
> services has to login with server's user account, and that the address he
> wants to send from 'belongs' to him so to say. Right now exim is setup to
> use virtual host files to for example direct mail for someone@???
> to local user theo. So if theo wants to send a mail, he should login with
> his login information and only be allowed to send if he's trying to send
> from someone@???.
>
> Is it possible to setup exim like this? And if so, how would I do that?
>
> Thanks,
> Theo
> --
> View this message in context: http://www.nabble.com/Exim-domain-and-login-checks-for-relay-t1455563.html#a3933829
> Sent from the Exim Users forum at Nabble.com.
>
>


Suggest:

- activating the 'submission' port: 587

daemon_smtp_ports = 25 : 587

- making TLS both possible.....:

(You will need a cert, self-signed is OK, and may have a
suitable one already if running your webmail on SSL/TLS.)

tls_certificate = /usr/local/etc/exim/certs/{cert name/number}
(or wherever Linux puts the equivalnet...)

- ...available...:

tls_advertise_hosts = *

Optionally:

tls_remember_esmtp = yes

- ... and required for authentication:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


- Then requiring your users to set their MUA to use port 587,
not port 25 to send.

(25 is often intercepted by the connectivity ISP)

IF their upstream ISP is also 'capturing' 587, simply find a
useable one thye are not blocking, add it to 'daemon_smtp_ports,
and configure for that.

- Suggest setting the MUA outbound server to 'TLS' (always), not
'TLS if available', and 'Require username and password'.

As a TLS 'tunnel' will be set up before PWD is transmitted, use
of CRAM-MD5, etc. instead of PLAIN or LOGIN is optional.

- selecting and testing authenticators to insure they work
correctly with your UID:PWD tools, AND do not fallback to 'en
clair' if you do not wish to permit that.

Several examples around - difference is usually where they get
the UID:PWD and how/if they handle the usual OE/Outlook defects.

(mine are SQL, so no relevant examples handy...)

HTH,

Bill