Greetings list,
After several days of frustrated googling and rtfm'ing I am at a loss
and thus throw myself upon the mercies of this list.
My Exim foo is pretty weak when it comes to the more complex syntax.
I have inherited a fairly complex Exim/LDAP solution that services 700K+
users.
It allows any user in the LDAP tree to do smtp-auth and I am suffering from
spam-by-smtpauth as many of the user passwords
are insufficiently robust and/or the users have their password stolen by
malware.
I would very much like to fix this.
The current authenticator:
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if ldapauth \
    {user="cn=${quote_ldap_dn:$2},o=southover,c=uk" \
    pass=${quote:$3} \
    ldap://ldap.southover.net/}{yes}{no}}
  server_set_id = $2
In the LDAP tree there is to be an attribute 'smtpauth' which is set
TRUE or FALSE by our control panel.
dn: cn=xelp,o=southover,c=uk
cn: xelp
objectClass: popperson
objectClass: radiusprofile
mainmail: xelp@???
enabled: TRUE
maildrop: /mailstore/a/b/5/xelp/
smtpauth: TRUE
mail: xelp@???
I want to use this to configure Exim to only allow smtp-auth from
specified users rather than every user.
According to my logs there are only about 1500 users that require
smtp-auth from non-local networks.
But I am unable to figure out the correct syntax required in the
plaintext authenticator - exim just barfs with my every feeble attempt.
I would like to do something like this:
server_condition = if
  # check the smtpauth flag for TRUE
  lookup ldap{ldap:///o=southover,c=uk?mail?sub?(&(cn=${quote_ldap_dn:$1})(smtpauth=${quote_ldap:TRUE}))}
  and
  # can this user do ldapauth:
  ldapauth{user="cn=${quote_ldap_dn:$1},o=southover,c=uk" pass=${quote:$2} \
    ldap://ldap.southover.net/}
I would be eternally grateful for any assistance.
Many thanks for reading.
n.
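A working form of the combined condition, added here as an example and not taken from the post itself: it assumes the LDAP host, base DN and the smtpauth attribute shown above, and uses the and{{...}{...}} condition form so that both the attribute check and the bind must succeed. Two points differ from the sketch: with the PLAIN mechanism the username and password arrive in $2 and $3 (as in the existing authenticator), and inside a search filter the value must be escaped with quote_ldap, since quote_ldap_dn only escapes DN-special characters and leaves filter metacharacters such as * and ( untouched.

```exim
# Added example (not from the original post): PLAIN authenticator that
# succeeds only when the user's entry carries smtpauth: TRUE AND the
# supplied password binds against the directory.
plain:
  driver = plaintext
  public_name = PLAIN
  # For PLAIN, $1 is the (usually empty) authorization id,
  # $2 the authentication id and $3 the password.
  server_condition = ${if and{ \
      {eq{${lookup ldap{ldap://ldap.southover.net/o=southover,c=uk?smtpauth?sub?(cn=${quote_ldap:$2})} \
                {$value}{FALSE}}}{TRUE}} \
      {ldapauth{user="cn=${quote_ldap_dn:$2},o=southover,c=uk" \
                pass=${quote:$3} \
                ldap://ldap.southover.net/}} \
    }{yes}{no}}
  server_set_id = $2
```

If the lookup finds no entry, or the entry has no smtpauth attribute, the lookup's failure string FALSE is used, so accounts that have not been explicitly enabled are denied rather than falling through to the bind alone.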