Re: [exim] exim3 vs exim4 configs

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] exim3 vs exim4 configs
jake_stone wrote:
>>> As you can see this is a spammer's dream, I must be missing something,
>
>> Why is this a spammer's dream? It does not allow unauthenticated hosts
>> to send mail to arbitrary addresses, only to local ones.
>
> I see this as a problem because anyone from anywhere can "pretend" to be
> me, as the from address, and send to any user at any local domain without
> being required to authenticate with a password in their mail client, and
> the message gets delivered.
>
> Am I missing something?
>
> In reading
> http://www.exim.org/viewvc/exim/exim-doc/doc-txt/Exim4.upgrade?revision=1.1&view=markup
>
> **The auth_hosts option has been abolished; this functionality is now
> controlled by ACLs.
>
> **. The auth_always_advertise option has been abolished because it depended on
>   auth_hosts and host_auth_accept_relay, both of which are no more. In its
>   place there is a new option called auth_advertise_hosts, whose default value
>   is *, meaning "advertise AUTH to all".
>
> Hmm, any reason "host_auth_accept_relay" option would not do what is
> needed to plug the hole in SMTP?
>
> The next question is what ACL option does the same thing? i.e., no SMTP
> without password?


The line(s) you cite do not DO the authentication - only indicate to a
client when they connect that you offer a mechanism for it.

The authenticators section - mere placeholders in a default Exim
configure file - is located near the end of the file.

You need to alter or replace these with one or more of the *very many*
authentication schemes Exim supports, ELSE turn the job over to external
ones it is comfortable with. Some folks use the Dovecot authentication
to cover both Exim MTA and Dovecot POP/IMAP, for example.

It is also wise to make use of checks on the 'state' of being
authenticated (or not) to allow, for example, authenticated sessions of
your own clients arriving on port 587 to NOT be checked for dynamic IP
source, DNS records appropriate to a MX and such - as they should
ordinarily fail such tests were they to be applied.

Traffic originating 'on-box', as from a logged-in shell account holder,
is 'non-smtp' traffic, so is not subject to acl_smtp_<whatever> acl clauses.


HTH,

Bill
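
The pieces named in the reply above (an authenticator handed to Dovecot, an ACL that tests the authenticated state, and a requirement to authenticate on port 587) can be sketched as an Exim 4 configuration fragment. This is an added example, not part of the original post or of Exim's default configuration; the list contents, the ACL name, the socket path and the use of `$tls_in_cipher` (recent Exim 4 releases) are assumptions.

```exim
# --- main section (constructed example; names and paths are assumptions) ---
domainlist local_domains    = @
hostlist   relay_from_hosts = 127.0.0.1
# Advertise AUTH only once TLS is up, so PLAIN credentials never travel in clear
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submission port: no authentication, no mail
  deny    message        = Authentication required on port 587
          condition      = ${if eq{$received_port}{587}}
          !authenticated = *

  # Authenticated clients are accepted here, before any dynamic-IP or
  # DNS checks placed further down, which they would normally fail
  accept  authenticated  = *

  # Unauthenticated session using one of our domains as envelope sender
  deny    message        = Authenticate to send from a local address
          sender_domains = +local_domains
          !hosts         = +relay_from_hosts

  # (checks for unauthenticated inbound mail, e.g. DNS tests, go here)

  accept  domains        = +local_domains
          verify         = recipient

  deny    message        = Relay not permitted

begin authenticators

# Hand password checking to Dovecot; socket path must match Dovecot's config
dovecot_plain:
  driver        = dovecot
  public_name   = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
```

The `sender_domains` rule looks only at the envelope sender, not the From: header, and it will also refuse mail that a remote forwarder or mailing list relays back with a local envelope sender. On-box, non-SMTP submissions never reach this ACL, as the reply notes.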