Re: [exim] exim 4 - relay_from_hosts

Author: Timo Neuvonen
Date:  
To: exim-users
Subject: Re: [exim] exim 4 - relay_from_hosts
> the server up to allow relaying for my users from home/remote locations. I
> of course do not want to open exim up as an open relay, so I thought I'd ask
> you all for help first.
>
> With my setup as explained above, what do I need to change in the
> configuration (which file(s), etc.) to allow relaying for my roaming users?
> They need to authenticate as well I'm sure, but do I need to set something
> for that as well?
>


The default conf (as far as I remember correctly) has a line in the ACL:
accept authenticated = *
This is enough to accept mail from any properly authenticated client.

Then, if you want the machines in your "own" network to send mail without
authentication, just add that address range to relay_from_hosts. But do NOT
add addresses where authenticated users send mail from the public network
(probably it would mean adding 0.0.0.0/0, which makes it an open relay) to
this list!

The most challenging part is that you will need to set up the authenticators
section in the conf. I guess Google will help you figure out how to do this.
This is what I have:
---
begin authenticators

auth_plain:
# Netscape
# PLAIN sends authorization id, username and password in one step, so the
# username is $2 and the password is $3 ($1 is the optional authorization id)
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${if saslauthd{{$2}{$3}{exim}}{1}{0}}
server_set_id = $2

auth_login:
# Outlook Express
# LOGIN prompts for the username ($1) and then the password ($2)
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if saslauthd{{$1}{$2}{exim}}{1}{0}}
server_set_id = $1
---
These require the availability of the saslauthd service. My conf is on an
RH-based system, I don't know Debian.

Additionally, you probably need to set exim to listen on some other port in
addition to 25 (maybe 465), since many ISPs block access to "foreign" port 25
to limit sending of spam by infected machines.
local_interfaces = 127.0.0.1.25 : \
                   192.168.xxx.x.25 : \
                   192.168.xxx.x.465


Maybe you also need this:
- tls_on_connect_ports = 465
- limit port 465 for authenticated (and secure?) connections only
- set up a certificate to allow secure connections

I recommend using secure connections when using authentication, so no one
could find out passwords by sniffing the network traffic (I think this is
often more important than securing the actual message body, which TLS/SSL
also takes care of).

--
TiN
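The pieces discussed in the reply above (accept authenticated = *, a LAN-only relay_from_hosts, listening on 465 with tls_on_connect_ports, and saslauthd-backed PLAIN/LOGIN authenticators) fit together as shown below. This is an added example, not TiN's configuration or the Exim default: the 192.0.2.0/24 range, example.com, the certificate paths and the "exim" saslauthd service name are assumptions, and it assumes Exim 4.80 or later for the $auth1..$auth3 and $tls_in_cipher variables.

```exim
# Added example (not from the original post): minimal main section, ACL
# and authenticators for relaying from roaming, authenticated users.

# ---------- Main configuration section ----------

# Hosts allowed to relay WITHOUT authenticating: your own LAN only.
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24
# hostlist relay_from_hosts = 0.0.0.0/0      # WRONG: this is an open relay

domainlist local_domains = @ : example.com     # assumed domain

acl_smtp_rcpt = acl_check_rcpt

# Listen on 25 and on 465 (TLS from the first byte) for users whose ISP
# blocks outbound port 25.
daemon_smtp_ports    = 25 : 465
tls_on_connect_ports = 465

# Server certificate and key (assumed paths); also offer STARTTLS on 25.
tls_certificate     = /etc/exim/exim.crt
tls_privatekey      = /etc/exim/exim.key
tls_advertise_hosts = *

# Only advertise AUTH once the session is encrypted, so PLAIN/LOGIN
# passwords never cross the network in clear.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# ---------- ACL section ----------
begin acl

acl_check_rcpt:
  # Mail submitted locally (not over TCP) is always accepted.
  accept  hosts = :

  # Relay for the LAN without authentication.
  accept  hosts = +relay_from_hosts

  # Relay for any client that authenticated, wherever it connects from.
  accept  authenticated = *

  # Everyone else may only deliver to domains hosted here.
  require message = relay not permitted
          domains = +local_domains

  require verify = recipient
  accept

# ---------- Authenticators section ----------
begin authenticators

# PLAIN: the client sends authzid\0username\0password in one step, so
# $auth1 = authorization id, $auth2 = username, $auth3 = password.
auth_plain:
  driver           = plaintext
  public_name      = PLAIN
  server_prompts   = :
  server_condition = ${if saslauthd{{$auth2}{$auth3}{exim}}{1}{0}}
  server_set_id    = $auth2

# LOGIN: the server prompts for username ($auth1) and password ($auth2).
auth_login:
  driver           = plaintext
  public_name      = LOGIN
  server_prompts   = Username:: : Password::
  server_condition = ${if saslauthd{{$auth1}{$auth2}{exim}}{1}{0}}
  server_set_id    = $auth1
```

The saslauthd condition is only available when Exim was built with saslauthd support, and the "exim" service name must match what saslauthd is configured to accept. The auth_advertise_hosts line is what makes "limit port 465 for authenticated and secure connections" concrete: a client on port 25 that has not issued STARTTLS is never offered AUTH, so it can only deliver to local_domains, while a client on 465 or after STARTTLS can authenticate and relay. On Exim versions before 4.80 the variable is $tls_cipher instead of $tls_in_cipher.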