Re: [exim] Force all local senders to authenticate

Author: Oliver von Bueren
Date:
To: exim-users
Subject: Re: [exim] Force all local senders to authenticate

>> And also make sure that local deliveries are only allowed either from
>> authenticated senders OR non-local senders.
>> Put that the other way round, don't accept local senders outside of
>> authenticated sessions.
>>
>> I do this by separating the MUA submissions and inbound messages. MUA on
>> port 587 and normal inbound SMTP on port 25. Adding TLS/SSL as an
>> option, if you like to.
>> On 587 only authenticated sessions are ever allowed to send any messages
>> and on port 25 no messages are allowed to be sent with a sender address
>> out of a local domain.
>
> Hi Oliver,
>
> Do you care to provide some config snippets?
>

Sure, here we go.

Main part of the configuration

# Port 25 for inbound, 587 for submission
daemon_smtp_port = 25 : 587

# Port 25 or local is MTA
IS_MTA_PORT = or{ \
                   {eq{$interface_port}{25}} \
                   {eq{$interface_port}{-1}} \
                 }


# ACL Pointers for MTA and MUA
acl_smtp_rcpt = ${if IS_MTA_PORT {acl_check_rcpt}{acl_check_rcpt_mua}}


For the ACL part, try the easy bits first: the MUA one. This is pretty much a
complete example which should work.

As you will see, I don't have the submission mode on, as I allow my
users to use different sender addresses, but I do check that they are
valid. For the empty sender, like automated replies, the null sender is
accepted as well. No more checks like validity of recipient domain or
the like, as MUAs, esp. M$ ones, choke on 55x rejects and don't report
back much information about the reason. So send them a "normal" NDM.

acl_check_rcpt_mua:
  # MUA must authenticate
  deny    message        = Authentication is required to send messages
          log_message    = SMTP-SUBMISSION-NO-AUTHENTICATION
          !authenticated = *


  # If a null-sender is given, go on with it, can't do anything more
  accept  senders        = :


  # Accept the message, if the sender email address is from the local system
  accept  sender_domains = +local_domains
          verify         = sender


  deny    message        = Sender address not valid.
          log_message    = SMTP-SUBMISSION-SENDER-NOT-VALID



On the MTA side, I've only included a tiny fragment relevant to the case.

acl_check_rcpt:

[... some initial checks ...]
  # Deny if sender is local
  deny   sender_domains = +local_domains
         log_message    = SMTP-SENDER-ADDRESS-AUTH-ONLY
         message        = Sender Domain only allowed on authenticated submission port sessions


[... loads more checks ...]

Does this help?

Oliver
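To see what the two RCPT ACLs above actually let through for each port/auth/sender combination, here is a small Python model of the decision logic (added for illustration, not Exim code and not from the original post). It assumes a constructed local domain `example.org`, treats a stand-in address set as "verify = sender succeeded", and models only the ACL fragment shown, not the elided checks.

```python
# Added model (not Exim code): replays the two RCPT ACLs from the post on
# constructed sessions to show which port/auth/sender combinations get through.
LOCAL_DOMAINS = {"example.org"}              # constructed stand-in for +local_domains
VALID_LOCAL_SENDERS = {"alice@example.org"}  # stand-in for 'verify = sender' succeeding


def is_mta_port(interface_port):
    """IS_MTA_PORT macro from the post: port 25, or -1 for non-SMTP local injection."""
    return interface_port in (25, -1)


def sender_domain(sender):
    """Domain part of an envelope sender; empty string for the null sender."""
    return sender.rsplit("@", 1)[-1] if "@" in sender else ""


def acl_check_rcpt_mua(sender, authenticated):
    """Submission-port ACL: authenticate, then accept null or valid local senders."""
    if not authenticated:                       # deny !authenticated = *
        return ("deny", "SMTP-SUBMISSION-NO-AUTHENTICATION")
    if sender == "":                            # accept senders = :
        return ("accept", None)
    if sender_domain(sender) in LOCAL_DOMAINS and sender in VALID_LOCAL_SENDERS:
        return ("accept", None)                 # accept sender_domains + verify = sender
    return ("deny", "SMTP-SUBMISSION-SENDER-NOT-VALID")  # final deny


def acl_check_rcpt(sender, authenticated):
    """Port-25 ACL fragment: a local sender domain is refused regardless of auth.
    The '[... loads more checks ...]' from the post are not modelled here."""
    if sender_domain(sender) in LOCAL_DOMAINS:  # deny sender_domains = +local_domains
        return ("deny", "SMTP-SENDER-ADDRESS-AUTH-ONLY")
    return ("accept", None)


def rcpt_verdict(interface_port, sender, authenticated):
    """acl_smtp_rcpt = ${if IS_MTA_PORT {acl_check_rcpt}{acl_check_rcpt_mua}}"""
    acl = acl_check_rcpt if is_mta_port(interface_port) else acl_check_rcpt_mua
    return acl(sender, authenticated)


if __name__ == "__main__":
    for port, sender, auth in [(587, "alice@example.org", False), (587, "", True),
                               (587, "alice@example.org", True), (587, "bob@other.test", True),
                               (25, "alice@example.org", True), (25, "bob@other.test", False)]:
        print(port, repr(sender), auth, "->", rcpt_verdict(port, sender, auth))
```

Note that on port 25 a local sender domain is refused even when the client did authenticate, so clients that authenticate must be pointed at 587.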