Re: [exim] acl black art help wanted

Góra strony
Delete this message
Reply to this message
Autor: W B Hacker
Data:  
Dla: exim users
Temat: Re: [exim] acl black art help wanted
Hill Ruyter wrote:
> Ok so now I am even more frustrated
>
> I managed to get exim to run the ols helo check
> But it stopped me from sending mail from my own server
>
> Clearly my PC client cant have a verified HELO
> So how do I make the list ignore authenticated hosts ?
>
> Aaaaargh
>
> Hill


Without a broader understanding (earlier post) all this will do is get you to
the next obstacle - and they will seem to never end. RATRUMP [1]

But the short answer is to 'qualify' by arriving port:

- rules meant for the world-at-large, 'strangers bearing gifts':

     condition   = ${if eq{$interface_port}{25}}



- rules meant for your own 'family' who authenticate on port 587 with TLS:

either:

     condition   = ${if eq{$interface_port}{587}}


or

     !condition  = ${if eq{$interface_port}{25}}


NB: Exim will know the arrival port *before* they have yet done the
authentication, which is NOT the first thing that takes place.

TLS actually goes through a 'HELO and subsequent handshake first, legacy SSL
previously run on port 465, does also - but in a different manner entirely.

Try a '-vvv' tail on your next ssh session and see what a busy critter ssl/ssh
is under the blankets...

CAVEAT: You will *also* want to insure that authentication has succeeded - not
just take onboard all-comers. It helps to limit what you will offer as well as
require, and on which ports.

In the MAIN section, you will want to pay attention to (at least) these:

local_interfaces =

daemon_smtp_ports =

tls_on_connect_ports =    (maybe!)


That forces always-SSL, as was once used on port 465, but that port is now Cisco
proprietary AND NOT email related, so we should not be using it.

tls_certificate =

tls_privatekey =

tls_advertise_hosts =

tls_remember_esmtp =

auth_advertise_hosts =

And, of course, have working authenticators - usually at least two, as not all
MUA can do the one you might prefer.

HTH,

Bill


[1] RATRUMP = Read All The Relevant Usage Material Possible

;-)

>
>
> -----Original Message-----
> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
> Behalf Of Hill Ruyter
> Sent: 17 May 2009 00:48
> To: exim-users@???
> Subject: [exim] acl black art help wanted
>
> Hi
>
>
>
> I am really struggling with acl config in my exim
>
>
>
> I have tried to read the documentation but find it quite confusing
>
> I also downloaded the ols lists mentioned here, there was one for helo
> checking that looked interesting
>
>
>
>
>
> I got really confused when the ols acl comments said:
>
>
>
> #
>
> # (rcpt acl recommended). You could use it like this:
>
> #
>
> # drop !authenticated = *
>
> #       hosts          = !+relay_from_hosts 

>
> #       !acl           = acl_check_helo_fast

>
> #
>
>
>
> So where do I put these commands?
>
>
>
> I think I am just not quite getting it
>
> Is there an idiots guide or step by step how-to that I can read that will
> help me get to grips with it
>
>
>
> Sorry for such a lame question, I am sure you guys have better things to be
> doing.
>
>
>
>
>
> Hill
>
>
>