On Mon, Oct 17, 2011 at 5:49 AM, Faisal Naeem <faisal_naeempk@???> wrote:
>
> Hello Everyone,
> Please help me out, I am stuck with SMTP Authentication. My SMTP
> Authentication is working but I am unable to force user using SMTP
> Authentication. Both Helo and Ehlo are working. I need to have only
> Ehlo to restrict my users to SMTP Authentication.
> Please help me. I am attaching my exim.conf for your kind
> consideration.

Your entire ACL section consists of this:

  begin acl

  acl_check_rcpt:
    accept  domains = testdomain.local : *.testdomain.local
            endpass
    require verify = sender
    accept  authenticated = *
    require verify = recipient
            control = submission/sender_retain
    deny    message = Authentication failed
    accept  hosts = 127.0.0.1 : 192.168.2.0/24
    deny    message = relay not permitted

But there are some issues with this:

1. First, you accept any email if it says it's from a
   user@??? or a user@*.testdomain.local, no matter who it's
   to or what IP address it connects from or whether it's smtp auth or
   not. If this is just for testing, then this is probably ok, but
   this is probably also what is stopping your smtp auth test from
   working because it accepts it immediately without forcing smtp auth.
   Add to that section:

     authenticated = *

   which will only accept email from those domains if it's an
   authenticated sender.

2. Then you require the sender to be verified. That means the routers
   are looked at (JUST looked at) to decide if one of them thinks it will
   know how to handle this email with respect to the sender.

3. Then you accept it if it's authenticated. Unauthenticated emails
   will continue to the next verb.

4. Then you verify the recipient and set the appropriate control
   (submission/sender_retain).

5. Finally, if it didn't match any of that, you reject the message.

However, this looks a little confused. First, I would start with the
default exim ACL section, you can find it in chapter of the exim
spec:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch07.html

As an example, this is what mine looks like (some portions specific to
my configuration have been omitted):

  acl_check_rcpt:
    accept  hosts = :

    drop    message = REFUSED - no HELO/EHLO greeting
            log_message = remote host did not present greeting
            condition = ${if def:sender_helo_name {false}{true}}

    warn    !senders = :
            !authenticated = *
            !hosts = +relay_from_hosts
            !hosts = ${lookup dnsdb{ptr=$sender_host_address}{$value}}
            log_message = No reverse DNS for $sender_host_address, want to greylist check

    deny    local_parts = ^.*[@%!|] : ^\\.
            message = Illegal characters in email address

    # Always accept mail to postmaster & abuse for any local domain
    accept  local_parts = postmaster
            domains = +local_domains

    warn    add_header = X-Originating-IP: ${sender_host_address}
            set acl_c_rcpt = $local_part@$domain

    require verify = sender

    accept  authenticated = *
            control = submission/sender_retain
            add_header = X-Authenticated-Sender: ${sender_address}
            set acl_c_authenticated = 1

    deny    condition = ${if eq {$interface_port}{587} {yes}{no} }
            !authenticated = *
            message = Relay not permitted, authentication is required to use submission port

    accept  hosts = +relay_from_hosts

    deny    message = $sender_host_address is listed at $dnslist_domain
            !condition = ${if eq {$acl_c0}{$sender_host_address}}
            hosts = !+relay_from_hosts
            !authenticated = *
            dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net : combined.njabl.org

    accept  domains = +local_domains
            endpass
            message = unknown user
            verify = recipient

    accept  domains = +relay_to_domains
            endpass
            message = unrouteable address
            verify = recipient

    deny    message = relay not permitted

--
If Americans could eliminate sugary beverages, potatoes, white bread,
pasta, white rice and sugary snacks, we would wipe out almost all the
problems we have with weight and diabetes and other metabolic
diseases. -- Dr. Walter Willett, Harvard School of Public Health
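
Added example, not part of the original message and not Exim code: a simplified Python model of how a RCPT ACL is walked statement by statement, run over the poster's ACL and over the same ACL with the suggested `authenticated = *` condition added. The message fields `rcpt_domain` and `auth_id` are hypothetical names, `verify` is assumed to succeed, and placing the new condition before `endpass` is an assumption.

```python
# Constructed input: the poster's ACL up to its first unconditional deny.
ORIGINAL = """
accept  domains = testdomain.local : *.testdomain.local
        endpass
require verify = sender
accept  authenticated = *
require verify = recipient
        control = submission/sender_retain
deny    message = Authentication failed
"""
# Assumption: the suggested "authenticated = *" is placed before endpass.
FIXED = ORIGINAL.replace("endpass", "authenticated = *\n        endpass", 1)
VERBS = {"accept", "deny", "require", "warn"}

def parse(text):
    """Group lines into [verb, [(negated, name, value), ...]] statements."""
    acl = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        verb, _, rest = line.partition(" ")
        if verb in VERBS:
            acl.append([verb, []])
            line = rest.strip()
        name, _, value = line.partition("=")
        acl[-1][1].append((name.startswith("!"), name.strip(" !"), value.strip()))
    return acl

def matches(name, value, msg):
    """Test one condition; verify and modifiers are assumed to succeed."""
    if name == "authenticated":
        return msg["auth_id"] is not None
    if name == "domains":  # in a RCPT ACL this tests the recipient domain
        pats, d = [p.strip() for p in value.split(":")], msg["rcpt_domain"]
        return any(d == p or (p[:1] == "*" and d.endswith(p[1:])) for p in pats)
    return True

def evaluate(acl, msg):
    """Return the verdict for one RCPT; the first decisive statement wins."""
    for verb, conds in acl:
        ok, past_endpass = True, False
        for neg, name, value in conds:
            if name == "endpass":
                past_endpass = True
            elif matches(name, value, msg) == neg:
                ok = False
                break
        if verb == "accept" and (ok or past_endpass):
            return "accept" if ok else "deny"  # failing after endpass denies
        if (verb == "deny" and ok) or (verb == "require" and not ok):
            return "deny"
    return "deny"  # reaching the end of an ACL is an implicit deny
```

On a real server, the same check can be made without sending mail by running a fake SMTP session with `exim -bh <client-ip>` and typing the RCPT by hand.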