Author: W B Hacker Date: To: exim users Subject: Re: [exim] Sending mails without SMTP authentication
tower wrote: > On 10/13/2011 10:58 AM, W B Hacker wrote:
>> tower wrote:
>>> Hi
>>>
>>> I want to allow sending mail without authentication for single account.
>>> I'm trying to not add another IP to relay_from_hosts, beacuse many
>>> normal users send from that IP. How can I gently modify my acl.conf to
>>> do that?
>>>
>>>
>>> #************************************
>>> acl_check_mail_submission:
>>> #************************************
>>> accept hosts = +relay_from_hosts
>>> require message = Please turn on authentication in
>>> your email client.
>>> authenticated = *
>>> deny message = Mailbox $authenticated_id is
>>> disable. Please contact with number xx-xxxxxx
>>> condition = ${if eq \
>>> {0} \
>>> {${lookup mysql {SELECT
>>> active FROM mailbox \
>>> WHERE
>>> username='${quote_mysql:$authenticated_id}'} \
>>> }} \
>>> }
>>> control = dkim_disable_verify
>>> accept
>>>
>>>
>>
>> Have you considered using the same IP, and/or an uncommon port and
>> protocol for that one account?
>>
>> Non-routable IPv6 if local, for example.
>>
>> Even so, I'd want to use matching PEM certs.
>>
>> You only have to configure the submitter to do SOME form of auth ONCE.
>>
>> Opening the door to compromise OTOH, can lead to a great deal more work.
>>
>> HTH,
>>
>> Bill
>>
>>
> Unfortunately that account is configured on very old MFP, which is
> sending emails only to port 25 and of course without authentication.
>
> Can i use something like that:
>
> #************************************
> acl_check_mail_submission:
> #************************************
> accept hosts = +relay_from_hosts
> *accept local_parts = dumbaccount
> domains = example.com*
> require message = Please turn on authentication in your email client.
> authenticated = *
> deny message = Mailbox $authenticated_id is disable. Please contact with
> number xx-xxxxxx
> condition = ${if eq {0} {${lookup mysql {SELECT active FROM mailbox
> WHERE username='${quote_mysql:$authenticated_id}'}}}}
> control = dkim_disable_verify
> accept
>
> The order is right?
>
Dunno.
I'd simply insist on proper AUTH *AND* on port 587 with TLS myself.
Won't get fixed any other way.
Mind, I've allowed 50 baud and 12.5 baud 'quarter speed' telex w/o auth
into an internet gateway hosted on IBM 3080 & 3090.
OTOH, they WERE arriving from a dominant-carrier's 'nailed up' global
private wire, not IP, and one cannot generate all that much garbage at
those speeds anyway, so not a great deal of risk.
Pehaps you could do that?
Delay and throttle your fossilized account to the point of uselessness
to a zombot farm.
That, too, is an incentive for the sumitter to get their head out.
