Re: [exim] exim3 vs exim4 configs

Author: Phil Pennock
Date:  
To: jake_stone
CC: exim-users
Subject: Re: [exim] exim3 vs exim4 configs
On 2008-03-21 at 00:23 -0500, jake_stone wrote:
> The original question was not about other servers sending to local users,
> the question is about how to implement SMTP authentication as was common
> in exim3 with 1 simple option (and it stopped any email client from
> sending without user-password) but has been abandoned in exim4, and
> replaced by several options that must be implemented by using the new
> ACLs.

Uhm, you do know that "authentication required for outbound email" is
part of the standard Exim4 configuration, right? (Well, actually it's
"from +relay_from_hosts, else authenticated".)

Take a look at "acl_check_rcpt" in the default Exim4 configuration.

The point:
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains


is where any mail getting past this point has to be for local domains,
otherwise it's rejected. If you "accept" before this point, then it
will be accepted and sent out. This is handled with:

  accept  authenticated = *
          control       = submission


So it's a "one-line addition", in the right place, to have
authentication and a second line to tell Exim that it can go ahead and
apply submission server fixups to the headers, which is just a useful
extra.

Your original post suggests that you're accepting based on sender
address being local and verifiable. That's a bad ACL rule. I strongly
suggest looking at the supplied default configuration and using that as
a starting point.

It's true that Exim3 was more protective against misconfiguration by
having simpler knobs with sanity checks (the relay-for netblocks were
limited to a /16 in size, to keep people from relaying for the entire
Internet, for instance). In Exim4, it was declared (IIRC) that there
were too many special knobs needed for all the RBLs, spam scanners,
virus scanners, etc., and that the interaction of them was complex; by
moving to a simple restricted language (check this, then check that) it
is not only clear how and when checks are applied, but there's also much
more flexibility. But with that power comes more ability to shoot
yourself in the foot.

-Phil
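An added configuration example, not taken from Phil's message or from Exim's shipped configure file, that places the two fragments he quotes into a minimal acl_check_rcpt and shows, commented out, the sender-based rule he warns against. The list contents (example.org, 192.168.1.0/24) are placeholders chosen for this example.

```exim
# Lists the ACL below refers to; contents are placeholders for this example.
domainlist local_domains    = @ : example.org
domainlist relay_to_domains =
hostlist   relay_from_hosts = localhost : 192.168.1.0/24

# Hand RCPT-time checks to the ACL defined below.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # WEAK (do not use): accepting because the envelope sender looks local and
  # verifies lets any remote host relay simply by forging a local sender.
  #accept  senders = *@+local_domains
  #        verify  = sender

  # Hosts we relay for by address (trusted LAN), with submission fixups.
  accept  hosts   = +relay_from_hosts
          control = submission

  # The "one-line addition" from the message: authenticated clients may relay.
  # Unauthenticated clients fall through to the require below.
  accept  authenticated = *
          control       = submission

  # Anything still here is unauthenticated and not from a trusted host,
  # so it must be addressed to a domain we host or explicitly relay to.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  # Local delivery only for recipients that actually exist.
  require verify = recipient

  accept
```

Ordering is what matters: an accept placed before the require relays, so the commented-out sender rule would turn the host into an open relay for anyone who forges a local envelope sender.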