Re: [exim] Require authentication from local users

Author: Phil Pennock
Date:  
To: Yan Seiner
CC: Exim-users
Subject: Re: [exim] Require authentication from local users
On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
> I'm hot in pursuit of my time-limited ACL. I've run into yet another
> stumbling block; my exim config allows local users to send mail without
> authentication.
>
> Can I get a couple of hints on how to configure exim to:
>
> 1. Allow unlimited receipt of emails for the local domains
> 2. Require local users to authenticate at all times
> 3. Prevent open relaying
>
> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
> somewhat contradictory as I would like to authenticate all local users,
> even if they're sending local email.


So your children haven't yet figured out how to create a Gmail account
and send mail via Submission on that, back in? Or are you firewalling
25 and 587 outbound except from the mailbox? Note that firewalling off
587 is normally "unfriendly" by ISPs, but it's your house and your
rules. I hope you don't have work-related household visitors who expect
to be able to handle mail ...

As long as you have inbound unauthenticated, outbound authentication for
the purposes of controlling sending at all is problematic;
authentication for making sure that those who wish to send mail have
credentials to do so is another matter, and useful for those trying to
enforce accountability and reduce spam-sources within their
organisations.

You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
name); because some clients allegedly get upset by 4xx/5xx failures on
MAIL, rather than reject there you reject at RCPT stage.

Something like this (untested):

----------------------------8< cut here >8------------------------------
# main section:
hostlist home_net = 192.0.2.0/24
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
#...
begin acl

acl_check_mail:

  # Reset the per-connection verdict at every MAIL command.
  warn    set acl_c_denied_by_mail = no
          set acl_c_dbm_message = Because my configs are broken

  # Hosts outside the home network are not asked to authenticate here;
  # the existing RCPT logic still stops them relaying.
  accept  hosts     = !+home_net

  # Home hosts not on the submission port: accept MAIL, but flag the
  # connection so that the RCPT ACL rejects it.
  accept  hosts     = +home_net
          condition = ${if !=={$received_port}{587}}
          set acl_c_denied_by_mail = yes
          set acl_c_dbm_message = You should use the submission port (587) to send email

  # Home hosts on 587 without authentication: flag likewise; the
  # rejection happens at RCPT, not here.
  accept  hosts     = +home_net
          !authenticated = *
          set acl_c_denied_by_mail = yes
          set acl_c_dbm_message = Papers, please.

  # Home hosts, submission port, authenticated.
  accept

# This one will already exist
acl_check_rcpt:

  deny    condition = $acl_c_denied_by_mail
          message   = $acl_c_dbm_message

# ALL THE REST OF THE EXISTING ACL GOES HERE
----------------------------8< cut here >8------------------------------

Note that you're just adding an extra rejection step at the start of
acl_check_rcpt, so if you keep all the rest of that logic the same then
you won't risk an open mail relay (unless you're already an OMR).

Regards,
-Phil
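A small Python model of the MAIL/RCPT flow in the ACL above, added here as an illustration and not taken from the original post or from Exim itself. The local domain example.org and the relay rules inside acl_check_rcpt are constructed stand-ins for the "existing ACL" the post elides; the point is that MAIL is always accepted and the flagged connection is refused at RCPT, while outside hosts still cannot relay.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # mirrors "hostlist home_net"
LOCAL_DOMAINS = {"example.org"}                     # constructed local domain


def acl_check_mail(conn):
    """Model of acl_check_mail: never rejects, only records a verdict in acl_c_*."""
    conn["acl_c_denied_by_mail"] = "no"                       # warn ... set
    conn["acl_c_dbm_message"] = "Because my configs are broken"
    if conn["host"] not in HOME_NET:                          # accept hosts = !+home_net
        return "250"
    if conn["port"] != 587:                                   # home host, not submission port
        conn["acl_c_denied_by_mail"] = "yes"
        conn["acl_c_dbm_message"] = "You should use the submission port (587) to send email"
        return "250"
    if not conn["authenticated"]:                             # home host, 587, no AUTH
        conn["acl_c_denied_by_mail"] = "yes"
        conn["acl_c_dbm_message"] = "Papers, please."
        return "250"
    return "250"                                              # final unconditional accept


def acl_check_rcpt(conn, rcpt):
    """Model of acl_check_rcpt: the new deny step first, then constructed relay logic."""
    if conn["acl_c_denied_by_mail"] == "yes":
        return "550 " + conn["acl_c_dbm_message"]
    domain = rcpt.rsplit("@", 1)[-1]
    if domain in LOCAL_DOMAINS:                               # inbound for a local domain
        return "250"
    if conn["host"] in HOME_NET or conn["authenticated"]:     # stand-in relay permission
        return "250"
    return "550 relay not permitted"                          # everyone else: no relay


def session(host, port, authenticated, rcpt):
    """Run one MAIL + RCPT exchange and return both response codes."""
    conn = {"host": ipaddress.ip_address(host), "port": port, "authenticated": authenticated}
    mail = acl_check_mail(conn)
    return mail, acl_check_rcpt(conn, rcpt)
```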