On Mon, Feb 26, 2007 at 02:00:08PM +0000, Mike Cardwell wrote:
>> Use something like the following
>>
>> rfc1413_query_timeout = 30s
>> rfc1413_hosts = ! 192.168.32.0/24 : *
>>
>> My local network is exempted from idents, but I still ident everyone
>> else out there just to introduce a nice delay at the start, and
>> sometimes even get useful information.
>> As for authenticated clients, you're out of luck. This query is done
>> before the initial 220 greeting.
> You can get around this issue if you are correctly doing mail submission
> on port 587, and mail relaying on port 25. Something like the below maybe
> (untested) :
>
> rfc1413_hosts = ${if eq{$interface_port}{25}{*}{! $sender_host_address}}
>
> $interface_port was deprecated recently for another variable although I
> can't remember what it is off the top of my head. See documentation.
Come to think of it, with readsocket's ability to perform TCP
connections now, you could perform an RFC1413 lookup easily during any ACL.
Something along the lines of:
${readsocket{inet:$sender_host_address:113}{$received_port, $sender_host_port}{5s}}
Should return something along the lines of:
6193, 23 : USERID : UNIX : stjohns
Or
6195, 23 : ERROR : NO-USER
I.e.:
<port-on-server> , <port-on-client> : <resp-type> : <add-info>
See:
http://www.ietf.org/rfc/rfc1413.txt
I'd figure out the exact config for this, but I don't currently have a way
of testing. I'll come back to it later if no one else has figured it
out.
Hmmm. One gotcha I can think of. What if the outgoing ident uses a
different IP address than the one the connection came in on? I would
personally frob that with a SNAT rule in iptables, but it would be nicer
if you could specify the IP to use inside exim itself. Like the new
remote_smtp functionality for specifying outgoing interface.
Mike
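The RFC 1413 exchange sketched above, as an added example that is not part of the original post and not Exim code. It builds the query line, parses both the USERID and ERROR reply shapes, and runs a lookup against a toy identd over a local socket pair so it works offline. Per RFC 1413, port-on-server is the port on the host running identd (the SMTP client's end, which in Exim terms is $sender_host_port) and port-on-client is the local port the connection arrived on ($received_port), and both lines are CRLF-terminated. The lookup table, the toy responder and the function names (`build_query`, `parse_response`, `ident_lookup`, `toy_identd`, `demo`) are all constructed for this example.

```python
import socket
import threading

# Constructed lookup table for the toy identd below: (port-on-server,
# port-on-client) -> user name. Purely illustrative data.
CONSTRUCTED_IDENT_TABLE = {(6193, 23): "stjohns"}


def build_query(port_on_server, port_on_client):
    """Build the RFC 1413 request line.

    port-on-server is the port on the host running identd (for an SMTP
    server checking an inbound connection, that is the remote end's port,
    Exim's $sender_host_port); port-on-client is the local port the
    connection arrived on ($received_port). The line ends with CRLF.
    """
    return f"{port_on_server}, {port_on_client}\r\n".encode("ascii")


def parse_response(line):
    """Parse '<port-on-server>, <port-on-client> : <resp-type> : <add-info>'.

    For USERID the add-info is '<opsys> : <user-id>'; for ERROR it is an
    error token such as NO-USER or HIDDEN-USER. Anything else is rejected.
    """
    line = line.rstrip("\r\n")
    head, sep, rest = line.partition(":")
    ports = [p.strip() for p in head.split(",")]
    if not sep or len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed ident reply: {line!r}")
    resp_type, _, add_info = rest.partition(":")
    result = {
        "port_on_server": int(ports[0]),
        "port_on_client": int(ports[1]),
        "type": resp_type.strip(),
    }
    if result["type"] == "USERID":
        opsys, _, user = add_info.partition(":")
        result["opsys"] = opsys.strip()
        result["user"] = user.strip()  # the user-id itself may contain ':'
    elif result["type"] == "ERROR":
        result["error"] = add_info.strip()
    else:
        raise ValueError(f"unknown response type: {result['type']!r}")
    return result


def ident_lookup(sock, port_on_server, port_on_client):
    """Send one query over an already-connected socket and parse the reply.

    A real caller would open the socket with
    socket.create_connection((sender_host_address, 113), timeout=5).
    The reply is read up to the first LF, capped at the 1000-character
    limit RFC 1413 places on a response.
    """
    sock.sendall(build_query(port_on_server, port_on_client))
    buf = b""
    while b"\n" not in buf and len(buf) < 1000:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return parse_response(buf.decode("ascii", "replace"))


def toy_identd(conn):
    """Minimal responder that mimics an identd, for the demo only."""
    data = conn.recv(512).decode("ascii", "replace")
    try:
        server_port, client_port = (int(x) for x in data.strip().split(","))
    except ValueError:
        conn.sendall(b"0, 0 : ERROR : INVALID-PORT\r\n")
        conn.close()
        return
    user = CONSTRUCTED_IDENT_TABLE.get((server_port, client_port))
    if user is None:
        reply = f"{server_port}, {client_port} : ERROR : NO-USER\r\n"
    else:
        reply = f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n"
    conn.sendall(reply.encode("ascii"))
    conn.close()


def demo():
    """Run two lookups against the toy identd over a local socket pair."""
    results = []
    for query in ((6193, 23), (6195, 23)):
        client_side, server_side = socket.socketpair()
        server = threading.Thread(target=toy_identd, args=(server_side,))
        server.start()
        with client_side:
            results.append(ident_lookup(client_side, *query))
        server.join()
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The first lookup yields the USERID reply with user `stjohns`, the second the `ERROR : NO-USER` reply, mirroring the two sample lines in the post. The timeout on the connection is what bounds how long an ACL stalls when the remote host silently drops traffic to port 113, so keep it short, as the post's 5s does.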