On Wed, May 20, 2009 at 09:47:08AM -0400, B. Cook wrote:
> So unless I can figure out a way to "do the auth one way" when they use
> webmail and "do the auth another way" when they remote smtp.. I am stuck
> using relaying by IP (127.0.0.1).
>
> Does that make sense?

Errr... sort of. Let me just check I understand correctly so far:

Mail from your users arrives via two separate routes:

> accept authenticated = *
> control = submission/domain=

i.e. SMTP AUTH from any source. Ideally each user has a unique ID (no
sharing), and each user has /only/ one ID.

> accept hosts = +relay_from_hosts
> control = submission/domain=

i.e. unauthenticated SMTP from any host in +relay_from_hosts. You didn't show
us what's in that list, though, so this could be anything.

Plus also there's non-SMTP submission, but I think you're saying you don't use
that - at least not for your user mail.

So far so good?

The key to this kind of rate limiting is being able to tell (within the Exim
ACLs) which user sent each email. In the SMTP AUTH case, you can tell which
user sent the email by reading $authenticated_id. However in the
+relay_from_hosts case it's unclear how this might be done.

Is the +relay_from_hosts case /only/ used to deal with squirrelmail (on
127.0.0.1)? Does squirrelmail send SMTP AUTH? If the answers to those
questions are yes and no respectively, then - just a guess - can you read a
header set by squirrelmail which tells you which user submitted the mail?

It sounds like you might end up with two separate ratelimit clauses - one for
SMTP AUTH and another for squirrelmail. But how you proceed depends on the
questions above.
--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
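
The two ratelimit clauses discussed above, sketched as an Exim data ACL. This is an added example, not part of the original message or the poster's configuration. It assumes that the answers to the two questions are "yes" and "no", that SquirrelMail writes the login name into its Received: header in the form matched below, and that the ACL name `acl_check_data`, the variable `acl_m_wmuser` and the 100 / 1h limit are placeholders.

```conf
# Added example. Assumed, not taken from the thread: the ACL name, the
# 100 / 1h limit, the variable acl_m_wmuser and the Received: pattern.
# Referenced from the main section with: acl_smtp_data = acl_check_data
# The DATA ACL runs once per message and can see both $authenticated_id
# and the message headers, so each message is counted exactly once.
acl_check_data:

  # Route 1: SMTP AUTH from any source. Key the limit on the login ID.
  deny    authenticated  = *
          ratelimit      = 100 / 1h / strict / auth:$authenticated_id
          message        = Sending rate exceeded: $sender_rate per \
                           $sender_rate_period (limit $sender_rate_limit)

  # Route 2: unauthenticated SMTP from webmail on 127.0.0.1.
  # Extract the webmail login from the Received: header; anything that
  # does not match shares the single key "unknown" and one shared limit.
  warn    hosts          = 127.0.0.1
          !authenticated = *
          set acl_m_wmuser = ${if match{$h_Received:}\
              {\N\(SquirrelMail authenticated user ([^)]+)\)\N}\
              {$1}{unknown}}

  deny    hosts          = 127.0.0.1
          !authenticated = *
          ratelimit      = 100 / 1h / strict / webmail:$acl_m_wmuser
          message        = Sending rate exceeded: $sender_rate per \
                           $sender_rate_period (limit $sender_rate_limit)

  accept
```

The header is only as trustworthy as the set of processes able to connect to 127.0.0.1: any local program that can speak SMTP to the loopback address can supply its own Received: line, so the webmail key identifies a user only when SquirrelMail is the sole unauthenticated submitter on that host.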