Re: [exim] mysql authentication problem...

Author: Phil Pennock
To: John Doe
CC: exim-users
Subject: Re: [exim] mysql authentication problem...
On 2009-10-13 at 09:12 -0700, John Doe wrote:
> From: Phil Pennock <exim-users@???>
> > Since you're on 4.63, you can also use $auth2 instead of $2, for clarity
> > (just double-checked, the clearer names were introduced in 4.61).
>
> done, thx.
>
> >> I have another question: how can I allow only encrypted/authenticated
> >> connections?
> >
> > In the ACL logic for the MAIL or RCPT commands, you write rules which
> > state that if not on port 25, then you "require" an encrypted connection
> > and you require that $authenticated_id be set; that's part of what your
> > using server_set_id buys you.
> >
> > RCPT probably better, some clients allegedly get confused if the MAIL
> > command fails.
> >
> > The cleanest way of doing it is likely to be to have a sub-ACL for doing
> > the check, which returns accept for port 25, or for both authenticated
> > and encrypted, else returns reject, and then use "require acl = ..." in
> > the RCPT logic.
>
> Hum... I must say that I have very poor knowledge of exim syntax...
> Been using copy/paste so far. Something like the following?
>
> PORT25 = ${if ={25}{$interface_port}}
> PORT587 = ${if ={587}{$interface_port}}
>
> acl_check_rcpt:
> deny    message   = TLS required
>         condition = PORT25 : PORT587
>
> Or would that block too much?


That would block all mail.

> I understand that the following will prevent other servers to connect...?
>
> acl_smtp_mail:
>   deny   !encrypted  = *
>              message    = TLS required
>   accept


Yes.

You want something like this (untested):

acl_signedin_or25_check:
  # Port 25 is inbound MX traffic: let it through unconditionally.
  accept  condition     = ${if ={25}{$interface_port}}

  # On any other port the client must have authenticated over TLS.
  # The message modifier goes first: a modifier placed after a failing
  # condition is not processed, so it would never be used otherwise.
  require message       = Must be authenticated over TLS
          authenticated = *
          condition     = ${if def:tls_cipher}

  accept


and then inside acl_check_rcpt you would have:

require acl = acl_signedin_or25_check


Make sense?
-Phil
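A fuller configuration fragment, added here as an example; it is not Phil's code and not a fragment of the Exim project's own sample configuration. It wires the sub-ACL into the RCPT ACL, opens both listening ports, and only advertises AUTH once the session is encrypted, so a client cannot send a password in clear even if it wants to. Assumptions: the certificate and key paths are placeholders, the domain lists local_domains and relay_to_domains are defined elsewhere in the main section (as in the default configuration), 127.0.0.1 stands for a trusted local client, and the condition uses the Exim 4.6x-era variable $tls_cipher (later releases also offer $tls_in_cipher) and the encrypted = * condition in place of Phil's ${if def:tls_cipher}; both express the same check.

```exim
# --- main configuration section ---
daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *
tls_certificate     = /etc/exim/mail.example.org.crt   # assumed path
tls_privatekey      = /etc/exim/mail.example.org.key   # assumed path

# Offer AUTH only on an encrypted session: the list is empty until
# $tls_cipher is set, so a cleartext client never sees AUTH in EHLO.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

# Gate used from the RCPT ACL: accept on port 25 (inbound MX traffic,
# which is never authenticated); on every other port insist on TLS
# plus a successful AUTH, else reject.
acl_submission_or_25:
  accept  condition     = ${if ={25}{$interface_port}}

  # message comes before the conditions it explains; a modifier that
  # follows a failing condition is not processed.
  require message       = Must be authenticated over TLS
          encrypted     = *
          authenticated = *

  accept

acl_check_rcpt:
  # Trusted local client (assumed address), e.g. a webmail frontend.
  accept  hosts         = : 127.0.0.1

  # Everything else must pass the port-25 / authenticated-TLS gate.
  require acl           = acl_submission_or_25

  # Port 25 traffic: only our own and relay domains are accepted.
  accept  domains       = +local_domains : +relay_to_domains

  # Clients that passed the gate by authenticating may relay anywhere.
  accept  authenticated = *

  deny    message       = relay not permitted
```

The ordering in acl_check_rcpt matters: the require acl line runs before any accept that would grant relaying, so an unauthenticated client on 587 is refused at the first RCPT and never reaches the relay rules, while port 25 is unaffected and still limited to the listed domains.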