Re: [exim] Help: SMTP Authentication

Pàgina inicial
Delete this message
Reply to this message
Autor: Todd Lyons
Data:  
A: Faisal Naeem
CC: exim-users
Assumpte: Re: [exim] Help: SMTP Authentication
On Mon, Oct 17, 2011 at 5:49 AM, Faisal Naeem <faisal_naeempk@???> wrote:
>
>    Hello Everyone,
>   Please help me out, I am stuck with SMTP Authentication.  My SMTP
>   Authentication is working but I am unable to force user using SMTP
>   Authentication.  Both Helo and Ehlo are working.  I need to have only
>   Ehlo to restrict my users to SMTP Authentication.
>   Please help me. I am attaching my exim.conf for your kind
>   consideration.


Your entire ACL section consists of this:

begin acl

acl_check_rcpt:
accept domains = testdomain.local : *.testdomain.local
       endpass


require verify = sender

accept authenticated = *

require verify = recipient
control = submission/sender_retain

deny message = Authentication failed

accept hosts = 127.0.0.1 : 192.168.2.0/24

deny message = relay not permitted


But there are some issues with this:

1. First, you accept any email if it says it's from a
user@??? or a user@*.testdomain.local, no matter who it's
to or what IP address it connects from or whether it's smtp auth or
not.    If this is just for testing, then this is probably ok, but
this is probably also what is stopping your smtp auth test from
working because it accepts it immediately without forcing smtp auth.
Add to that section:
    authenticated = *
which will only accept email from those domains if it's an authenticated sender.


2. Then you require the sender to be verified. That means the routers
are looked at (JUST looked at) to decide if one of them thinks it will
know how to handle this email with respect to the sender.

3. Then you accept it if it's authenticated. Unauthenticated emails
will continue to the next verb.

4. Then you verify the recipient and set the appropriate control
(submission/sender_retain).

5. Finally, if it didn't match any of that, you reject the message.

However, this looks a little confused. First, I would start with the
default exim ACL section, you can find it in chapter of the exim
spec: http://www.exim.org/exim-html-current/doc/html/spec_html/ch07.html


As an example, this is what mine looks like (some portions specific to
my configuration have been omitted) :

acl_check_rcpt:
accept hosts = :

  drop    message        = REFUSED - no HELO/EHLO greeting
          log_message    = remote host did not present greeting
          condition      = ${if def:sender_helo_name {false}{true}}


  warn    !senders       = :
          !authenticated = *
          !hosts         = +relay_from_hosts
          !hosts         = ${lookup dnsdb{ptr=$sender_host_address}{$value}}
          log_message    = No reverse DNS for $sender_host_address,
want to greylist check


  deny    local_parts    = ^.*[@%!|] : ^\\.
          message        = Illegal characters in email address


# Always accept mail to postmaster & abuse for any local domain
  accept  local_parts    = postmaster
          domains        = +local_domains


  warn    add_header     = X-Originating-IP: ${sender_host_address}
          set acl_c_rcpt = $local_part@$domain


  require verify         = sender


  accept  authenticated  = *
          control        = submission/sender_retain
          add_header     = X-Authenticated-Sender: ${sender_address}
          set acl_c_authenticated = 1


  deny    condition      = ${if eq {$interface_port}{587} {yes}{no} }
          !authenticated = *
          message        = Relay not permitted, authentication is
required to use submission port


  accept  hosts          = +relay_from_hosts


  deny    message        = $sender_host_address is listed at $dnslist_domain
          !condition     = ${if eq {$acl_c0}{$sender_host_address}}
          hosts          = !+relay_from_hosts
          !authenticated = *
          dnslists       = sbl-xbl.spamhaus.org : bl.spamcop.net :
combined.njabl.org


  accept  domains        = +local_domains
          endpass
          message        = unknown user
          verify         = recipient


  accept  domains        = +relay_to_domains
          endpass
          message        = unrouteable address
          verify         = recipient


  deny    message        = relay not permitted



--
If Americans could eliminate sugary beverages, potatoes, white bread,
pasta, white rice and sugary snacks, we would wipe out almost all the
problems we have with weight and diabetes and other metabolic
diseases. -- Dr. Walter Willett, Harvard School of Public Health