Phil Pennock wrote:
> On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
>
>> I'm hot in pursuit of my time-limited ACL. I've run into yet another
>> stumbling block; my exim config allows local users to send mail without
>> authentication.
>>
>> Can I get a couple of hints on how to configure exim to:
>>
>> 1. Allow unlimited receipt of emails for the local domains
>> 2. Require local users to authenticate at all times
>> 3. Prevent open relaying
>>
>> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
>> somewhat contradictory as I would like to authenticate all local users,
>> even if they're sending local email.
>>
>
> So your children haven't yet figured out how to create a Gmail account
> and send mail via Submission on that, back in? Or are you firewalling
> 25 and 587 outbound except from the mailbox? Note that firewalling off
> 587 is normally "unfriendly" by ISPs, but it's your house and your
> rules. I hope you don't have work-related household visitors who expect
> to be able to handle mail ...
>
It's a sort of "because I can" - it teaches me a lot about proxies,
acls, and so on, and when my kids get to the point of hacking around my
assorted firewalls and proxies we'll all learn together. Know a better
way to learn? ;-)
> As long as you have inbound unauthenticated, outbound authentication for
> the purposes of controlling sending at all is problematic;
> authentication for making sure that those who wish to send mail have
> credentials to do so is another matter, and useful for those trying to
> enforce accountability and reduce spam-sources within their
> organisations.
>
I definitely want to do the latter.
> You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
> name); because some clients allegedly get upset by 4xx/5xx failures on
> MAIL, rather than reject there you reject at RCPT stage.
>
Thanks. I'll play with it.
> Something like this (untested):
>
> ----------------------------8< cut here >8------------------------------
> # main section:
> hostlist home_net = 192.0.2.0/24
> acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> #...
> begin acl
>
> acl_check_mail:
>
> warn set acl_c_denied_by_mail = no
> set acl_c_dbm_message = Because my configs are broken
>
> accept hosts = !+home_net
>
> accept hosts = +home_net
> condition = ${!=={$received_port}{587}}
> set acl_c_denied_by_mail = yes
> set acl_c_dbm_message = You should use the submission port (587) to send email
>
> deny hosts = +home_net
> !authenticated = *
> set acl_c_denied_by_mail = yes
> set acl_c_dbm_message = Papers, please.
>
> accept
>
> # This one will already exist
> acl_check_rcpt:
>
> deny condition = $acl_c_denied_by_mail
> message = $acl_c_dbm_message
>
> # ALL THE REST OF THE EXISTING ACL GOES HERE
> ----------------------------8< cut here >8------------------------------
>
> Note that you're just adding an extra rejection step at the start of
> acl_check_rcpt, so if you keep all the rest of that logic the same then
> you won't risk an open mail relay (unless you're already an OMR).
>
> Regards,
> -Phil
>
> !DSPAM:4a3ac0a8271031804284693!
>
>
--
Yan Seiner
Support my bid for the 4J School Board.
Visit
http://www.seiner.com/schoolboard