Re: [exim] auth_relay_hosts and 587

Author: Magnus Holmgren
Date:  
To: exim-users
Subject: Re: [exim] auth_relay_hosts and 587
On Wednesday 29 August 2007 16:56, Matt wrote:
> I am running Directadmin email/web server that uses Exim.
>
> In my exim.conf I have this.
>
> domainlist local_domains = lsearch;/etc/virtual/domains
> domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
> hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts :
> /etc/virtual/relay_ips : 127.0.0.1
> hostlist auth_relay_hosts = *
>
> and this:
>
> # to restrict port 587 to authenticated users only
> # see also daemon_smtp_ports above
> #accept  hosts = +auth_relay_hosts
> #        condition = ${if eq {$interface_port}{587} {yes}{no}}
> #        endpass
> #        message = relay not permitted, authentication required
> #        authenticated = *


Where is that? It should be no earlier than the "MAIL FROM" ACL
(acl_smtp_mail).

> I want to restrict port 587 to authenticated users and trusted users.
> The pophosts file contains a dynamic list of IPs that have
> successfully pop3'd mail in the last 15 minutes. The relay_ips file
> contains a list of my subnets that belong to me. I want to allow all
> of these and users that utilize authenticated SMTP to use port 587 and
> no others on 587. Problem is that whenever I enable/uncomment this it
> only allows authenticated SMTP through. What do I need to change
> here?


Try this:

known_users:
  accept  hosts = +relay_hosts
  accept  authenticated = *
  [...accepts for other kinds of users...]

check_sender:
  accept  condition = ${if eq {$interface_port}{587}}
          endpass
          message = Only authorised users may use the submission port.
          acl = known_users


Without "endpass", which is semi-deprecated (not "best practice"), the
check_sender ACL can be written as

check_sender:
  accept  condition = ${if eq {$interface_port}{587}}
          acl = known_users
  deny    message = Only authorised users may use the submission port.
          condition = ${if eq {$interface_port}{587}}


or if you want to allow submission on port 25, delete the first condition.

I find a sub-ACL very useful here.

By the way, have you considered dropping POP-before-SMTP support? Many ISPs
and web hotels have done that since it's less reliable than SMTP AUTH, which
nearly all mail clients support nowadays.

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
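As an added illustration for this thread (not Exim's code and not either poster's configuration), the following toy model mimics how Exim walks an ACL: conditions are tested in order, a statement whose conditions all hold applies its verb, a failure after "endpass" denies outright, an "acl =" condition is true when the named sub-ACL accepts, and falling off the end of an ACL denies. It assumes, for the sake of the model, that whatever follows these statements in the real ACL would accept. It encodes the three variants discussed above: the commented-out block from the question (hosts AND port AND authenticated in one statement), the endpass form with a known_users sub-ACL, and the deny form, and shows that only the original denies a trusted-but-unauthenticated host on port 587.

```python
# Added illustration for this thread: a toy model of Exim ACL evaluation
# (accept/deny verbs, the endpass modifier and the "acl =" sub-ACL condition).
# NOT Exim's code and NOT the configs from the post; it only mimics the order of
# evaluation so the three ACL variants discussed can be compared side by side.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Conn:
    """The facts about one SMTP session that the quoted ACLs look at."""
    interface_port: int     # $interface_port (25 or 587)
    in_relay_hosts: bool    # host matches +relay_hosts (pophosts, relay_ips, 127.0.0.1)
    authenticated: bool     # client completed SMTP AUTH ("authenticated = *")


@dataclass
class Stmt:
    verb: str                           # "accept" or "deny"
    conds: List[Callable]               # conditions, evaluated in order
    endpass_at: Optional[int] = None    # number of conditions that precede "endpass"
    message: str = ""                   # "message =" text reported on a deny


Acls = Dict[str, List[Stmt]]


def run_acl(name: str, conn: Conn, acls: Acls):
    """Evaluate ACL `name` for `conn`; return ("accept"|"deny", message)."""
    for st in acls[name]:
        failed_at = None
        for i, cond in enumerate(st.conds):
            if not cond(conn, acls):
                failed_at = i
                break
        if failed_at is None:
            return st.verb, st.message          # every condition held: verb applies
        if (st.verb == "accept" and st.endpass_at is not None
                and failed_at >= st.endpass_at):
            return "deny", st.message           # a failure after endpass denies
        # otherwise the statement does not match; fall through to the next one
    return "deny", "end of ACL"                 # Exim denies at the end of an ACL


# Condition helpers standing in for hosts=, condition=, authenticated= and acl=.
def port_is(port):
    return lambda conn, acls: conn.interface_port == port

def any_host(conn, acls):            # "hosts = +auth_relay_hosts" with the list set to "*"
    return True

def relay_host(conn, acls):          # "hosts = +relay_hosts"
    return conn.in_relay_hosts

def authenticated(conn, acls):       # "authenticated = *"
    return conn.authenticated

def sub_acl(name):                   # "acl = name": true iff the sub-ACL accepts
    return lambda conn, acls: run_acl(name, conn, acls)[0] == "accept"


# Stand-in for whatever follows in the real ACL; assumed to accept in this model.
REST_OF_ACL = Stmt("accept", [], message="later statements (assumed to accept)")

# 1. The commented-out block from the question: hosts AND port AND authenticated.
ORIGINAL = {
    "check_sender": [
        Stmt("accept", [any_host, port_is(587), authenticated], endpass_at=2,
             message="relay not permitted, authentication required"),
        REST_OF_ACL,
    ]
}

KNOWN_USERS = [Stmt("accept", [relay_host]), Stmt("accept", [authenticated])]

# 2. Suggested endpass form with a sub-ACL (trusted host OR authenticated).
WITH_ENDPASS = {
    "known_users": KNOWN_USERS,
    "check_sender": [
        Stmt("accept", [port_is(587), sub_acl("known_users")], endpass_at=1,
             message="Only authorised users may use the submission port."),
        REST_OF_ACL,
    ],
}

# 3. The same policy without endpass: an accept followed by an explicit deny.
WITHOUT_ENDPASS = {
    "known_users": KNOWN_USERS,
    "check_sender": [
        Stmt("accept", [port_is(587), sub_acl("known_users")]),
        Stmt("deny", [port_is(587)],
             message="Only authorised users may use the submission port."),
        REST_OF_ACL,
    ],
}


def decide(acls: Acls, conn: Conn) -> str:
    """Verdict of the check_sender ACL under a given variant."""
    return run_acl("check_sender", conn, acls)[0]


if __name__ == "__main__":
    trusted_unauth = Conn(587, in_relay_hosts=True, authenticated=False)
    for label, acls in [("original", ORIGINAL), ("endpass", WITH_ENDPASS),
                        ("deny", WITHOUT_ENDPASS)]:
        print(f"{label:9s} trusted-but-unauthenticated host on 587 -> "
              f"{decide(acls, trusted_unauth)}")
```

The model makes the cause of the reported behaviour visible: in the original block the host list is "*", so the only condition that can fail after endpass is "authenticated = *", and every unauthenticated client on 587, trusted or not, is denied. Moving the host and authentication checks into a sub-ACL turns the AND into an OR, and the endpass and deny spellings of check_sender then give the same verdicts for every combination of port, host list membership and authentication.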