Hill Ruyter wrote:
> Ok so now I am even more frustrated
>
> I managed to get exim to run the ols helo check
> But it stopped me from sending mail from my own server
>
> Clearly my PC client can't have a verified HELO
> So how do I make the list ignore authenticated hosts?
>
> Aaaaargh
>
> Hill

Without a broader understanding (earlier post) all this will do is get you to
the next obstacle - and they will seem to never end. RATRUMP [1]

But the short answer is to 'qualify' by arriving port:

- rules meant for the world-at-large, 'strangers bearing gifts':

    condition = ${if eq{$interface_port}{25}}

- rules meant for your own 'family' who authenticate on port 587 with TLS:

  either:

    condition = ${if eq{$interface_port}{587}}

  or

    !condition = ${if eq{$interface_port}{25}}

NB: Exim will know the arrival port *before* they have yet done the
authentication, which is NOT the first thing that takes place.

TLS actually goes through a HELO and subsequent handshake first; legacy SSL,
previously run on port 465, does also - but in a different manner entirely.

Try a '-vvv' tail on your next ssh session and see what a busy critter ssl/ssh
is under the blankets...

CAVEAT: You will *also* want to ensure that authentication has succeeded - not
just take onboard all-comers. It helps to limit what you will offer as well as
require, and on which ports.

In the MAIN section, you will want to pay attention to (at least) these:

    local_interfaces =
    daemon_smtp_ports =
    tls_on_connect_ports = (maybe!)

That forces always-SSL, as was once used on port 465, but that port is now Cisco
proprietary AND NOT email related, so we should not be using it.

    tls_certificate =
    tls_privatekey =
    tls_advertise_hosts =
    tls_remember_esmtp =
    auth_advertise_hosts =

And, of course, have working authenticators - usually at least two, as not all
MUA can do the one you might prefer.

HTH,

Bill

[1] RATRUMP = Read All The Relevant Usage Material Possible
;-)

>
> -----Original Message-----
> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
> Behalf Of Hill Ruyter
> Sent: 17 May 2009 00:48
> To: exim-users@???
> Subject: [exim] acl black art help wanted
>
> Hi
>
> I am really struggling with acl config in my exim
>
> I have tried to read the documentation but find it quite confusing
>
> I also downloaded the ols lists mentioned here, there was one for helo
> checking that looked interesting
>
> I got really confused when the ols acl comments said:
>
> #
> # (rcpt acl recommended). You could use it like this:
> #
> # drop !authenticated = *
> #      hosts = !+relay_from_hosts
> #      !acl = acl_check_helo_fast
> #
>
> So where do I put these commands?
>
> I think I am just not quite getting it
>
> Is there an idiot's guide or step by step how-to that I can read that will
> help me get to grips with it
>
> Sorry for such a lame question, I am sure you guys have better things to be
> doing.
>
> Hill
>
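
An added example, not written by either poster and not taken from the ols lists: the reply's port-qualified conditions and the ols usage comment placed in an RCPT ACL, with authentication required on port 587. Assumptions: the certificate paths are placeholders, the hostlist and domainlist values are constructed, the authenticators section is not shown, and acl_check_helo_fast is taken to be defined by the ols file, whose location the thread does not give.

```exim
# Added example: constructed values, not anyone's live configuration.
# ---- MAIN section ----
hostlist   relay_from_hosts = 127.0.0.1
domainlist local_domains    = @

# Listen for strangers on 25 and for your own users on 587.
daemon_smtp_ports = 25 : 587

# Placeholder paths: point these at your own certificate and key.
tls_advertise_hosts = *
tls_certificate     = /path/to/your/cert.pem
tls_privatekey      = /path/to/your/key.pem

# Offer AUTH only after STARTTLS has succeeded, so passwords never cross
# the wire in clear. Older Exim releases call this variable $tls_cipher.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

# ---- ACL section ----
begin acl

# Assumption: the ols file defining acl_check_helo_fast is included here.

acl_check_rcpt:
  # Port 587, 'family': by RCPT time AUTH has already happened, so require
  # it. An authenticated desktop client never reaches the HELO check.
  accept  condition      = ${if eq{$interface_port}{587}}
          authenticated  = *

  deny    condition      = ${if eq{$interface_port}{587}}
          message        = Authentication required on port 587

  # Port 25, 'strangers bearing gifts': the ols usage, qualified by port.
  drop    condition      = ${if eq{$interface_port}{25}}
          !authenticated = *
          hosts          = !+relay_from_hosts
          !acl           = acl_check_helo_fast

  # Mail generated on this machine itself may still be relayed.
  accept  hosts          = +relay_from_hosts

  # Everyone else: local recipients only, and they must exist.
  require message        = relay not permitted
          domains        = +local_domains
  require verify         = recipient
  accept
```

Exim treats `#` as a comment only at the start of a line, so the notes sit on their own lines rather than after the settings.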