Re: [exim] acl black art help wanted

Author: Hill Ruyter
Date:  
To: 'exim users'
Subject: Re: [exim] acl black art help wanted
Bill

Thank you so much.
As you say I have much reading to do and will continue to increase my
understanding.
I hate not knowing how or why something works, so even if some downloaded code
does what I want I still desire to know why it works.

I am afraid I am a little out of step because I am using port 465 (SSL)
because I had trouble with a particular MUA that would not do TLS. This was
some time ago so I may be able to bring myself up to date shortly (another
item on the list of updates to come)

I understand the syntax of the condition statements you suggested, but where
do I put them?
At the beginning of the acl? Or within each check that the acl performs?

Or have I missed the point completely and it goes somewhere in options?

The other authentication sections I think I have quite well covered as pki
and crypto are my thing, but as I say they are in need of updating.

Thanks again for your time (especially since it was a weekend)

Hill


-----Original Message-----
From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
Behalf Of W B Hacker
Sent: 17 May 2009 06:41
To: exim users
Subject: Re: [exim] acl black art help wanted

Hill Ruyter wrote:
> Ok so now I am even more frustrated
>
> I managed to get exim to run the ols helo check
> But it stopped me from sending mail from my own server
>
> Clearly my PC client can't have a verified HELO
> So how do I make the list ignore authenticated hosts?
>
> Aaaaargh
>
> Hill


Without a broader understanding (earlier post) all this will do is get you to
the next obstacle - and they will seem to never end. RATRUMP [1]

But the short answer is to 'qualify' by arriving port:

- rules meant for the world-at-large, 'strangers bearing gifts':

     condition   = ${if eq{$interface_port}{25}}



- rules meant for your own 'family' who authenticate on port 587 with TLS:

either:

     condition   = ${if eq{$interface_port}{587}}


or

     !condition  = ${if eq{$interface_port}{25}}


NB: Exim will know the arrival port *before* they have yet done the
authentication, which is NOT the first thing that takes place.

TLS actually goes through a HELO and subsequent handshake first; legacy SSL,
previously run on port 465, does also - but in a different manner entirely.

Try a '-vvv' tail on your next ssh session and see what a busy critter ssl/ssh
is under the blankets...

CAVEAT: You will *also* want to ensure that authentication has succeeded - not
just take onboard all-comers. It helps to limit what you will offer as well as
require, and on which ports.

In the MAIN section, you will want to pay attention to (at least) these:

local_interfaces =

daemon_smtp_ports =

tls_on_connect_ports =    (maybe!)


That forces always-SSL, as was once used on port 465, but that port is now Cisco
proprietary AND NOT email related, so we should not be using it.

tls_certificate =

tls_privatekey =

tls_advertise_hosts =

tls_remember_esmtp =

auth_advertise_hosts =

And, of course, have working authenticators - usually at least two, as not all
MUA can do the one you might prefer.

HTH,

Bill


[1] RATRUMP = Read All The Relevant Usage Material Possible

;-)

>
> -----Original Message-----
> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
> Behalf Of Hill Ruyter
> Sent: 17 May 2009 00:48
> To: exim-users@???
> Subject: [exim] acl black art help wanted
>
> Hi
>
> I am really struggling with acl config in my exim
>
> I have tried to read the documentation but find it quite confusing
>
> I also downloaded the ols lists mentioned here, there was one for helo
> checking that looked interesting
>
> I got really confused when the ols acl comments said:
>
> #
> # (rcpt acl recommended). You could use it like this:
> #
> # drop !authenticated = *
> #       hosts          = !+relay_from_hosts
> #       !acl           = acl_check_helo_fast
> #
>
> So where do I put these commands?
>
> I think I am just not quite getting it
> Is there an idiot's guide or step by step how-to that I can read that will
> help me get to grips with it
>
> Sorry for such a lame question, I am sure you guys have better things to
> be doing.
>
> Hill
>
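
To show where Bill's port conditions and the ols fragment Hill quoted actually sit, here is an added example (not code from either poster, nor from the ols files) of a MAIN section and an RCPT ACL that qualifies each rule by arrival port and by authentication state. The list contents, the certificate paths and the nested ACL acl_check_helo_fast are assumed to exist as in the ols download and are placeholders here.

```exim
# --- MAIN section (before the first "begin" line) ---
domainlist local_domains    = mail.example.com              # placeholder
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24    # constructed
local_interfaces     = 0.0.0.0
daemon_smtp_ports    = 25 : 587       # no 465: submission is 587 + STARTTLS
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/certs/mail.example.com.crt   # placeholder
tls_privatekey       = /etc/exim/certs/mail.example.com.key   # placeholder
# Offer AUTH only once TLS is up, so credentials never cross in clear.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
acl_smtp_rcpt        = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Our own hosts: accept without further checks.
  accept  hosts = +relay_from_hosts

  # Submission port (587): an authenticated session may send anywhere.
  accept  condition     = ${if eq{$interface_port}{587}}
          authenticated = *

  # Anything else arriving on 587 has not authenticated: refuse it.
  deny    condition = ${if eq{$interface_port}{587}}
          message   = authentication required on the submission port

  # The ols fragment, qualified by port: only unauthenticated strangers on
  # port 25 reach the HELO check. All lines of one statement are ANDed, in
  # order, so an authenticated MUA never gets as far as the nested ACL.
  drop    condition      = ${if eq{$interface_port}{25}}
          !authenticated = *
          hosts          = !+relay_from_hosts
          !acl           = acl_check_helo_fast
          message        = HELO/EHLO check failed

  # Strangers on 25 may only deliver to our own domains.
  accept  domains = +local_domains

  deny    message = relay not permitted
```

The statements are tried top to bottom, so the port-25 checks belong in the ACL named by acl_smtp_rcpt (or acl_smtp_helo), not in the MAIN options, which only say which ports and TLS settings the daemon offers.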



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/