Re: [exim] Authentication

Author: Phil Pennock
Date:  
To: Yan Seiner
CC: exim-users
Subject: Re: [exim] Authentication
On 2007-10-31 at 15:26 -0700, Yan Seiner wrote:
> My policies are as follows:
>
> 1. Clients connecting on 25 unauthenticated can send email only to the
> local domains.
>
> 2. Clients requesting relaying must connect encrypted and authenticate.
>
> 3. Clients requesting relaying unencrypted are rejected.
>
> Sounds simple. But I can't for the life of me get 2 to work. exim
> always rejects relaying. (That's good, anyway.)


Basic double-check: the host can mail out? So you know that outbound
will work and it's just a policy decision?

This is handled in the ACLs, section "begin acl" to the next begin line.
Almost certainly (barring much weirder setups) in the RCPT check; if you
type the SMTP raw, you should be able to verify this. To handle the
encryption case, it's easiest if you have in the first section:

daemon_smtp_ports = smtp : smtps : submission
# tls_on_connect_ports demands a number! smtps == 465
tls_on_connect_ports = 465

"Officially", everything should be using port 587 (submission), but some
clients only understand SSL-on-connect and it's easier to debug;
assuming certs in /etc/ssl/certs, then either of:

$ openssl s_client -CApath /etc/ssl/certs -crlf -connect hostname:465
$ socat readline \
openssl:hostname:465,method=TLSv1,capath=/etc/ssl/certs,cipher=HIGH,crnl

Look to see when it's rejected. I'll continue assuming that it is after
the RCPT.

In the first section, you have an ACL named as the value of
"acl_smtp_rcpt". Whichever that ACL is, that's the one you need to look
at.

At the end of the ACL, you should have something like:

  accept  hosts         = +relay_from_hosts


  deny    message       = relay not permitted


In between those, add the stanza:

  accept  authenticated = *
          encrypted = *


So, after dealing with those hosts allowed to relay anyway, the ACL will
accept if both the session is authenticated (no matter who as) and is
encrypted (no matter which cipher suite is used).

Regards,
-Phil
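
The following is an added example, not part of the original message and not Exim code: a small Python model of first-match ACL evaluation that shows which sessions the RCPT ACL above lets relay, and what the "encrypted = *" condition adds. The host and domain values are constructed, and the leading accept for local domains is an assumption taken from policy 1 in the quoted question.

```python
"""Toy model of first-match RCPT ACL evaluation (illustration only, not Exim code)."""
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.org"}     # constructed stand-in for the local domains
RELAY_FROM_HOSTS = {"127.0.0.1"}    # constructed stand-in for +relay_from_hosts

@dataclass
class Session:
    host: str
    rcpt_domain: str
    authenticated: bool = False     # an SMTP AUTH exchange succeeded
    encrypted: bool = False         # TLS is active on the connection

# Each statement is (verb, [conditions]). A statement applies only when every
# one of its conditions is true; otherwise evaluation falls through.
RCPT_ACL = [
    ("accept", [lambda s: s.rcpt_domain in LOCAL_DOMAINS]),   # assumed, policy 1
    ("accept", [lambda s: s.host in RELAY_FROM_HOSTS]),
    ("accept", [lambda s: s.authenticated,                    # the added stanza:
                lambda s: s.encrypted]),                      # both must hold
    ("deny", []),                                             # relay not permitted
]

# Variant without "encrypted = *", to show what the second condition adds.
AUTH_ONLY_ACL = RCPT_ACL[:2] + [("accept", [lambda s: s.authenticated])] + RCPT_ACL[3:]

def check_rcpt(session, acl=RCPT_ACL):
    """Return the verb of the first statement whose conditions all match."""
    for verb, conditions in acl:
        if all(cond(session) for cond in conditions):
            return verb
    return "deny"   # running off the end of an ACL is an implicit deny

def policy_matrix(acl=RCPT_ACL):
    """Verdicts for a remote client relaying to an outside domain."""
    out = {}
    for auth in (False, True):
        for tls in (False, True):
            s = Session("203.0.113.7", "elsewhere.example", auth, tls)
            out[(auth, tls)] = check_rcpt(s, acl)
    return out

if __name__ == "__main__":
    for (auth, tls), verdict in policy_matrix().items():
        print(f"authenticated={auth!s:5} encrypted={tls!s:5} -> {verdict}")
```

Passing AUTH_ONLY_ACL to policy_matrix() shows the difference: without the second condition, a client that authenticates over an unencrypted connection is allowed to relay.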