Re: [exim] Some LDA questions

Góra strony
Delete this message
Reply to this message
Autor: Todd Lyons
Data:  
Dla: Фадеев Виталий Львович
CC: exim-users
Temat: Re: [exim] Some LDA questions
On Fri, Feb 14, 2014 at 7:05 AM, Фадеев Виталий Львович <fvl@???> wrote:
>
> Some questions is still need to resolve.
> I have 4 IP for 4 domains. Thats is need for TLS.
> So how can I configure exim what would he do the following:
> In header Received: from xxx.net ([11.22.33.44] helo=[192.168.1.77]) by host.aaa.com with esmtpsa (TLS1.0:ECDHE_RSA_AES_128_CBC_SHA1:128) i need to replace "by host.aaa.com" with host from domain of sended mail, not primary hostname of server.


First let me say that I think this is a bad idea.

I suspect you mean "the mail server for the domain name of the recipient email".

# exim -bP | grep received
received_header_text = Received: ${if and
{{def:sender_rcvhost}{!def:authenticated_id}}{from
$sender_rcvhost\n\t}{${if def:sender_ident {from
${quote_local_part:$sender_ident} }{${if def:authenticated_id {from
${quote_local_part:$authenticated_id} }}}}${if def:sender_helo_name
{(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if
def:received_protocol {with $received_protocol}} ${if def:tls_cipher
{($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address
{(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if
def:received_for {\n\tfor $received_for}}

You would want to redefine this setting, specifically changing the basic:
by $primary_hostname

...to something that does a lookup and puts the value in:
${if def:authenticated_id{by YOUR_HOSTNAME_LOOKUP}{by $primary_hostname}}

Why is this a bad idea? IMHO:
1) What happens if the recipient is <>, as in a bounce message? The
YOUR_HOSTNAME_LOOKUP specifically needs to allow for this special
case.
2) SMTP is (can be) efficient. What happens when another server
realizes that email from two different domains goes the same IP and
tries to deliver two different messages, one from each domain, in the
same connection? The TLS negotiation has already been performed with
the first domain's certificate.
3) This is a layer of complexity that makes it harder to troubleshoot
issues. I'm not saying it's impossible, just that it's much harder.
4) Generally when you try to mask who you really are, it makes you
look shady and not legitimate, ESPECIALLY when people figure out that
you're doing it.

> How to configure EXIM to require use TLS for user authentication when sending mail ?


In one of the early ACL's, you check what encryption cipher is being
used and deny the message if it's empty, as described in this Server
Fault post:

http://serverfault.com/questions/58392/how-can-i-configure-exim-to-drop-non-authenticated-connections-on-alternate-smtp

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine