Re: [exim] mysql authentication problem...

Top Page
Delete this message
Reply to this message
Author: Alexey V. Degtyarev
Date:  
To: exim-users
Subject: Re: [exim] mysql authentication problem...

[...]

> > I think even more simple would be to use server_advertise_condition option for
> > desired authenticator. This example should work as requested: LOGIN
> > authentication mech won't be advertised (and won't be allowed even if
> > requested) without TLS established:
> >
> > LOGIN:
> >   driver                     = plaintext
> >   server_set_id              = $auth1
> >   server_prompts             = <| Username: | Password:
> >   server_condition           = ${if saslauthd{{$auth1}{$auth2}}}
> >   server_advertise_condition = ${if def:tls_cipher}

>
> I do already have the server_advertise_condition (from the default
> configuration). And it seems to work as when I try to authenticate on
> port 25, exim ignores the login/pass I provided. But I am still
> allowed to send emails (unauthenticated).
>
> What I am trying to do (which should be the same as most email servers):
> - I want the server to receive emails normaly.
> - I want the server to only allow sending emails from authenticated users (with encryption).
>
> So, for sending emails, I want to 'block' port 25 (already removed 587
> from daemon_smtp_ports) and only 'allow' port 465. Or maybe, the
> following would be enough?
>
> acl_check_rcpt:
>   deny    !authenticated = *
>                message         = Must be authenticated over TLS
>    accept

>
> I just want "if trying to send an email and not authenticated, deny".


So according of what you are trying to do, you should have the
following statements in your Exim config:

begin acl

[...]

acl_check_rcpt:

[...]

  accept    authenticated = *
            control       = submission


  require   message = relay not permitted
            domains = +local_domains


[...]

accept

[...]

begin authenticators

[...]
server_advertise_condition = ${if def:tls_cipher}

With that configuration an incoming clients are:

1. allowed to send mail to any domain only beeing authenticated;
2. allowed to authenticate only if TSL was established;
3. allowed to send mail only for local_domains domainlist without any
auth;
4. denied if not accepted by 1-3;

Is that what you are trying to achieve?

--
Alexey V. Degtyarev