Author: W B Hacker Date: To: exim users Subject: Re: [exim] Sending mails without SMTP authentication
tower wrote: > On 10/13/2011 11:30 AM, tower wrote:
>> On 10/13/2011 10:58 AM, W B Hacker wrote:
>>> tower wrote:
>>>> Hi
>>>>
>>>> I want to allow sending mail without authentication for single account.
>>>> I'm trying to not add another IP to relay_from_hosts, beacuse many
>>>> normal users send from that IP. How can I gently modify my acl.conf to
>>>> do that?
>>>>
>>>>
>>>> #************************************
>>>> acl_check_mail_submission:
>>>> #************************************
>>>> accept hosts = +relay_from_hosts
>>>> require message = Please turn on authentication in
>>>> your email client.
>>>> authenticated = *
>>>> deny message = Mailbox $authenticated_id is
>>>> disable. Please contact with number xx-xxxxxx
>>>> condition = ${if eq \
>>>> {0} \
>>>> {${lookup mysql {SELECT
>>>> active FROM mailbox \
>>>> WHERE
>>>> username='${quote_mysql:$authenticated_id}'} \
>>>> }} \
>>>> }
>>>> control = dkim_disable_verify
>>>> accept
>>>>
>>>>
>>>
>>> Have you considered using the same IP, and/or an uncommon port and
>>> protocol for that one account?
>>>
>>> Non-routable IPv6 if local, for example.
>>>
>>> Even so, I'd want to use matching PEM certs.
>>>
>>> You only have to configure the submitter to do SOME form of auth ONCE.
>>>
>>> Opening the door to compromise OTOH, can lead to a great deal more work.
>>>
>>> HTH,
>>>
>>> Bill
>>>
>>>
>> Unfortunately that account is configured on very old MFP, which is
>> sending emails only to port 25 and of course without authentication.
>>
>> Can i use something like that:
>>
>> #************************************
>> acl_check_mail_submission:
>> #************************************
>> accept hosts = +relay_from_hosts
>> *accept local_parts = dumbaccount
>> domains = example.com*
>> require message = Please turn on authentication in your email client.
>> authenticated = *
>> deny message = Mailbox $authenticated_id is disable. Please contact
>> with number xx-xxxxxx
>> condition = ${if eq {0} {${lookup mysql {SELECT active FROM mailbox
>> WHERE username='${quote_mysql:$authenticated_id}'}}}}
>> control = dkim_disable_verify
>> accept
>>
>> The order is right?
>>
> No, I can't do that, log says:
>
> rejected MAIL dumbaccount@???: cannot test local_parts condition
> in MAIL ACL
>
You do not have to do so.
Save anything not already being preserved into variables, transfer any
acl_c into acl_m at the appropriate point if need be.
THEN apply the test anytime before end of acl_smtp_data phase.
Earlier is better as far as freeing-up resources, but if you are looking
for a COMBINATION of conditions to be met or failed, you have to wait
'til ALL votes can be counted.
Don't forget that having SQL already handy can allow you to do some
non-standard and creative stuff.
If you cannot change the submission port and protocol of the sending
fossil, what about format or content?
Think of how MLM's do that in their 'administrivia', and look at use of
an X-header, body preamble, body footer, attachment, 'token' or PGP sig.
