Re: [exim] rate limit on local accounts?

Author: B. Cook
Date:  
To: Graeme Fowler
CC: exim users
Subject: Re: [exim] rate limit on local accounts?


Graeme Fowler wrote:
> Apologies in advance for the slightly obtuse answer, which will no doubt
> raise hackles, but you'll understand why in a moment...
>
> On Wed, 2009-05-20 at 09:12 -0400, B. Cook wrote:
>> Is it possible?
>
> Yes.
>
>> Does it work?
>
> Yes.
>
> How it works depends entirely on context - when you say "local account",
> do you mean:
>
> a. an account with shell access to the system sending mail via the
> "mail" binary, or equivalent?
>
> b. an account with which a user can send authenticated SMTP from a
> remote client?
>
> c. an account used for webmail, where the webmail application lives on
> the same machine and sends via SMTP to the local SMTP daemon?
>
> d. as (c) but using local input via (for example) PHP libraries or by
> calling the "mail" binary itself?
>
> This is an important distinction, because the way you would achieve rate
> limiting will differ (the position within your ACL flow will differ, for
> one) depending on how the mail is injected.
>
> Graeme
>
>


Hello (and thank you)

This was a SquirrelMail account (webmail) where the IMAP server and
SMTP server all live on the same machine.

Below is info from the SquirrelMail config..

SMTP Settings
-------------
4.   SMTP Server           : localhost
5.   SMTP Port             : 25
6.   POP before SMTP       : false
7.   SMTP Authentication   : none
8.   Secure SMTP (TLS)     : false
9.   Header encryption key :


A. Update IMAP Settings : localhost:143 (dovecot)
H. Hide SMTP Settings

And here is the (seemingly relevant portion) of the configure..

acl_check_rcpt:

  require verify = sender/callout
  require verify = recipient/callout

  accept authenticated = *
         control = submission/domain=

  warn   ratelimit = 0 / 1d / strict
         log_message = Sender rate $sender_rate > $sender_rate_limit / $sender_rate_period / $authenticated_id

  accept hosts    =    +relay_from_hosts
         control = submission/domain=


  drop   message    = sorry, relay by your ip is not permitted.\n \
                      You should setup smtp authentication.\n \
                      Please call PHONENUMBER if you need assistance.
         log_message    = relay not permitted


(and further down in the config.. )

begin authenticators

login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $1

plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $1


(dovecot config..)

auth default {
  mechanisms = plain login
  user = vpopmail

  passdb vpopmail {
  }
  userdb vpopmail {
  }

  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0666
    }
  }
}


(some words about how it works.. )

We are running vpopmail as the main system where the mailboxes live.

(this gets the mail to them..)

begin routers

localhost:
  transport      = remote_smtp
  driver         = manualroute
  route_list     = +localqmail 127.0.0.1::8125
  self        = send


domainlist localqmail = lsearch;/var/qmail/control/rcpthosts


So what happens is this..

When people auth to SquirrelMail they do not use their full email
address, just username / password.

SMTP auth needs full email address / password.. so I've asked all 1k
teachers to use their email address to login (which didn't happen) so
that I could set the mailserver to do SMTP auth when they relay.. (like
I said that didn't happen)

So unless I can figure out a way to "do the auth one way" when they use
webmail and "do the auth another way" when they remote smtp.. I am stuck
using relaying by IP (127.0.0.1).

Does that make sense?
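
An added example, not part of the original post and not the poster's or the Exim project's own configuration: one way the RCPT ACL quoted above could keep separate counters for the two injection paths. In the posted ACL the `warn` sits after `accept authenticated = *`, so `$authenticated_id` is always empty when it runs, and with no key given `ratelimit` counts per `$sender_host_address`, which puts every webmail user in one 127.0.0.1 bucket. The 200/day limit, the `auth:` and `webmail:` key prefixes, the message texts, and the assumption that SquirrelMail sets the envelope sender to the logged-in user's address are all illustrative.

```exim
acl_check_rcpt:

  require verify = sender/callout
  require verify = recipient/callout

  # Remote SMTP AUTH clients: measure before accepting, keyed on the login.
  # A limit of 0 is always exceeded, so this warn only logs the current rate.
  warn    authenticated = *
          ratelimit     = 0 / 1d / strict / auth:$authenticated_id
          log_message   = Sender rate $sender_rate / $sender_rate_period \
                          for $authenticated_id

  accept  authenticated = *
          control       = submission/domain=

  # Webmail on the same box: unauthenticated SMTP from loopback.
  # Key on the envelope sender (assumed to identify the webmail user)
  # and count every recipient, so one account cannot exhaust the others.
  defer   hosts         = 127.0.0.1
          ratelimit     = 200 / 1d / strict / per_rcpt / webmail:$sender_address
          message       = Sending limit reached, please try again later
          log_message   = webmail rate $sender_rate / $sender_rate_period \
                          for $sender_address

  accept  hosts         = +relay_from_hosts
          control       = submission/domain=

  # ... the final "drop" statement from the original ACL follows unchanged
```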