Re: [exim] Deny authentication to some users

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Todd Lyons
Datum:  
To: Jason L Tibbitts III
CC: exim-users
Betreff: Re: [exim] Deny authentication to some users
On Wed, Apr 30, 2014 at 11:34 AM, Jason L Tibbitts III
<tibbs@???> wrote:
>
> I'm looking to deny authenticated SMTP access to some users. We've had
> a phishing problem and I'd like to be able to ban some users from using
> various services. In this case, I need to shut off authenticated SMTP.
> Fortunately the spammers have only exploited our webmail system and
> haven't gone directly to the submission port yet, but I figure it's only
> a matter of time.


Yes, it's only a matter of time. Kudos for being preventative instead
of reactive!

> Ideally, I'd just add a user to a particular group in LDAP and be done
> (as I can do with ssh and DenyGroup) but the mechanics of adding an LDAP
> lookup to an authenticator seem to elude me, as does the method for
> actually doing an LDAP group membership lookup. I'm starting from this
> simple authenticator:
>
> plain:
>    driver = plaintext
>    public_name = PLAIN
>    server_prompts = :
>    server_condition = "${if saslauthd{{$2}{$3}{smtp}} {1}}"
>    server_set_id = $2

>
> I'm pretty sure it's just a matter of nesting an LDAP lookup inside of
> server_condition


Correct.

We use database backed lookups, but it's similar to what you're trying to do:

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if and { \
        {!eq{$auth1}{}} \
        {!eq{$auth2}{}} \
        { crypteq{$auth2}{\{crypt\}${lookup mysql{ \
            SELECT u.password FROM user u
            JOIN email e ON u.email_id=e.id
            JOIN domain d ON e.domain_id=d.id
            JOIN website AS w ON w.user_id=d.user_id
            WHERE e.name=substring_index('${quote_mysql:$auth1}','@',1)
            AND d.name=substring_index('${quote_mysql:$auth1}','@',-1)
            AND e.active=1
            AND d.active=1
            AND w.active=1;}{$value}fail}} } \
        }}
  server_set_id = $auth1


> Thanks in advance for any suggestions.


Structure your exim logic according to opening and closing braces, and
it will be easier to troubleshoot when you're having a problem.

Also note that you can troubleshoot your lookups from the commandline with:

exim -be '${lookup ldap{blah}}'

You must substitute real values that would be submitted to the
authentication module as $auth1/$auth2 because you are just testing
from the commandline, but you can see the results that the lookup will
provide, which helps you to know what will happen in the
authenticator.

...Todd

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine