Re: [exim] Help with relaying

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Giuliano Gavazzi
Date:  
À: Patrik Jansson
CC: exim-users
Sujet: Re: [exim] Help with relaying
On 19 Sep 2006, at 13:37, Patrik Jansson wrote:

> Hi,
> I need some help configuring exim. I want the following rules:
>
> SenderHost    Sender Address    Recipient Address
> Local    *        *        no authentication
> *    local domain    *        authentication required
> *    not in local domain    local domain    deliver
> *    not in local domain    not in local domain    deny

>
> Please let me know if you think I have forgot something important.
>


I see no reply as yet, so I might as well nip in and reappear in this
list.
Since these rules have to be translated in some logical language
(exim configuration)
I think it is better to get rid of redundancy and put them in the
right order

1) is fine (some, like me, would require authentication even in this
case)

3) better put it here (or you would require authentication for local
users sending to local users)
and should be rewritten:

*    *    LOCAL DOMAIN    accept


2) moved after 3 and rewritten:

*    LOCAL DOMAIN    *    accept if authenticated


4) is actually not necessary as the default is to deny, but you can
add it (you might even want
to customise the message) in this form:

*    *    *    deny


as the is no point in checking source/sender/destination at this point.

But the reason I have replied is that you have an open relay, or you
declare to have one from what
you say below:

> Currently no authentication is required as long as the sender
> address is in
> local domain.
>


classical open relay. See below:


> I think the following rules are interesting ( I have removed some
> comments
> ):
>
> begin acl
> check_recipient:
>
> accept hosts = :
> accept sender_domains = +whitelist_domains


as the specs say:

"Warning: It is a bad idea to use this condition on its own as a
control on relaying, because sender
addresses are easily, and commonly, forged."


> accept hosts = +whitelist_hosts
> accept hosts = +whitelist_hosts_ip


I would not whitelist any hosts unless you have full control over
them. Since authentication has to be used in some cases, it is better
to use it in most cases...

> accept senders = +whitelist_senders


bad almost as much as the one above.

[... special local parts accept rule]
> # accept if address is in a domain for which we relay as long as  
> recipient
> # can be verified
>   accept  domains = +relay_domains
>           endpass
>           verify=recipient

>
>   accept  hosts = +relay_hosts
>   accept  hosts = +auth_relay_hosts
>           endpass
>           message = authentication required
>           authenticated = *
>   deny    message = relay not permitted

>


as you can see you are missing the local accept rule (in which you
must also check the recipient).

> # default at end of acl causes a "deny", but line below will give
> # an explicit error message:
>   deny    message = relay not permitted

[...]


Giuliano