Re: [exim] Require authentication from local users

Author: Yan Seiner
Date:  
To: exim-users
Subject: Re: [exim] Require authentication from local users
Phil Pennock wrote:
> On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
>
>> I'm hot in pursuit of my time-limited ACL. I've run into yet another
>> stumbling block; my exim config allows local users to send mail without
>> authentication.
>>
>> Can I get a couple of hints on how to configure exim to:
>>
>> 1. Allow unlimited receipt of emails for the local domains
>> 2. Require local users to authenticate at all times
>> 3. Prevent open relaying
>>
>> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
>> somewhat contradictory as I would like to authenticate all local users,
>> even if they're sending local email.
>>
>
> So your children haven't yet figured out how to create a Gmail account
> and send mail via Submission on that, back in? Or are you firewalling
> 25 and 587 outbound except from the mailbox? Note that firewalling off
> 587 is normally "unfriendly" by ISPs, but it's your house and your
> rules. I hope you don't have work-related household visitors who expect
> to be able to handle mail ...
>

It's a sort of "because I can" - it teaches me a lot about proxies,
acls, and so on, and when my kids get to the point of hacking around my
assorted firewalls and proxies we'll all learn together. Know a better
way to learn? ;-)

> As long as you have inbound unauthenticated, outbound authentication for
> the purposes of controlling sending at all is problematic;
> authentication for making sure that those who wish to send mail have
> credentials to do so is another matter, and useful for those trying to
> enforce accountability and reduce spam-sources within their
> organisations.
>

I definitely want to do the latter.

> You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
> name); because some clients allegedly get upset by 4xx/5xx failures on
> MAIL, rather than reject there you reject at RCPT stage.
>

Thanks. I'll play with it.

> Something like this (untested):
>
> ----------------------------8< cut here >8------------------------------
> # main section:
> hostlist home_net = 192.0.2.0/24
> acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> #...
> begin acl
>
> acl_check_mail:
>
>   # Reset the per-connection verdict; acl_check_rcpt reads it below.
>   warn    set acl_c_denied_by_mail = no
>           set acl_c_dbm_message = Because my configs are broken
>
>   # Hosts outside the home network are left to the existing RCPT checks.
>   accept  hosts     = !+home_net
>
>   # Home-network client on any port other than 587: accept MAIL, but
>   # record a verdict so that RCPT is refused (numeric test needs ${if ...}).
>   accept  hosts     = +home_net
>           condition = ${if !={$received_port}{587}}
>           set acl_c_denied_by_mail = yes
>           set acl_c_dbm_message = You should use the submission port (587) to send email
>
>   # Unauthenticated home-network client on 587: warn rather than deny,
>   # so the refusal is issued at RCPT instead of at MAIL.
>   warn    hosts     = +home_net
>           !authenticated = *
>           set acl_c_denied_by_mail = yes
>           set acl_c_dbm_message = Papers, please.
>
>   accept
>
> # This one will already exist
> acl_check_rcpt:
>
>   deny    condition = $acl_c_denied_by_mail
>           message   = $acl_c_dbm_message
>
> # ALL THE REST OF THE EXISTING ACL GOES HERE
> ----------------------------8< cut here >8------------------------------
>
> Note that you're just adding an extra rejection step at the start of
> acl_check_rcpt, so if you keep all the rest of that logic the same then
> you won't risk an open mail relay (unless you're already an OMR).
>
> Regards,
> -Phil
>

--
Yan Seiner

Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard
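A client-side check of the policy once it is deployed, as an added example that is not part of this thread or of Exim: a Python 3 probe (standard library only) that issues EHLO, MAIL and RCPT and reports whether the refusal arrives at RCPT, as the ACL sketched above intends, rather than at MAIL. The mail host, the credentials and the example.com/example.net addresses are placeholders, and the scenarios assume the script is run from a host inside home_net (an open-relay check has to be run from outside it).

```python
"""Probe an Exim MAIL/RCPT policy from the client side (standard library only)."""
import smtplib
import sys

# Constructed scenarios, to be run from a host inside home_net. Addresses use
# documentation domains and are placeholders.
# (label, port, authenticate?, sender, recipient, RCPT expected to be accepted?)
SCENARIOS = [
    ("home_net, port 25, unauthenticated",  25,  False, "kid@example.com", "friend@example.net", False),
    ("home_net, port 587, unauthenticated", 587, False, "kid@example.com", "friend@example.net", False),
    ("home_net, port 587, authenticated",   587, True,  "kid@example.com", "friend@example.net", True),
]

def rcpt_outcome(host, port, sender, recipient, creds=None):
    """Send EHLO/MAIL/RCPT and return (mail_code, rcpt_code, rcpt_text).
    creds is an optional (user, password) tuple used for AUTH after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
        if creds:
            s.login(*creds)
        mail_code, _ = s.mail(sender)
        if mail_code != 250:
            return mail_code, None, ""      # policy fired at MAIL, not at RCPT
        rcpt_code, text = s.rcpt(recipient)
        return mail_code, rcpt_code, text.decode(errors="replace")

def verdict(mail_code, rcpt_code, want_accept):
    """Compare one probe result with the intended policy: MAIL is always 250 and
    the accept/refuse decision shows up only in the RCPT reply."""
    if mail_code != 250:
        return "FAIL: refused at MAIL; the ACL should defer refusal to RCPT"
    accepted = 200 <= rcpt_code < 300
    if accepted == want_accept:
        return "OK"
    return "FAIL: RCPT accepted" if accepted else "FAIL: RCPT refused"

def run(host, creds):
    """Run every scenario against host; returns [(label, verdict, rcpt_text)]."""
    results = []
    for label, port, auth, sender, rcpt, want in SCENARIOS:
        try:
            mail_code, rcpt_code, text = rcpt_outcome(host, port, sender, rcpt, creds if auth else None)
        except smtplib.SMTPException as exc:   # e.g. AUTH refused, connection dropped
            results.append((label, f"FAIL: {exc}", ""))
            continue
        results.append((label, verdict(mail_code, rcpt_code, want), text))
    return results

if __name__ == "__main__":
    # usage: probe.py MAILHOST USER PASSWORD
    for label, result, text in run(sys.argv[1], (sys.argv[2], sys.argv[3])):
        print(f"{result:<55} {label}: {text}")
```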