Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] How to accept e-mail from a certain subnet even if AUTH Login credentials, are invalid?

On 11/06/14 01:06, Shane Philip wrote:
> I have EXIM server setup for e-mail for a domain and it supports all the
> usual stuff AUTH TLS etc. On the network we have three networks the
> internet itself, office network and guest network (10.10.100.0/24).
> Everything is working fine for the domain and office network. However on
> the guest network we can have various users where we have no control
> over their PCs as they are guests, they are also not the most technical
> people around so don't know the first thing about how their e-mail
> clients are setup. So basically I want EXIM to listen for connections
> from the 10.10.100.0/24 subnet and accept all attempts to relay the
> guest mail regardless of whether the sending client uses NO AUTH, or is
> set to AUTH, or is set to the TLS AUTH. This will only need to happen
> for traffic on port 25, and for mail connections from the guest network.
So the first visitor with an infected machine will happily get your
system's IP known as a spam source. Oh well...
>
> I know you can turn off AUTH requirements for a subnet with
> auth_advertise_host, but what I am not sure of is... If a client is set
> to use AUTH and you don't advertise AUTH from the server...
>
> 1. Will the client still try to use AUTH, when it is not advertised?
No.
> 2. If the client does try to use AUTH will the exim server just ignore it
> and accept the e-mail anyway or will it error?
Error.
> 3. Will this work if the client also uses TLS?
Entirely orthogonal, unless you link the two (which isn't
a bad thing to do, for PLAIN and LOGIN auth styles)
>
> Finally am I on the right track for making this work, or do I need to
> look to advertise AUTH and then just accept any credentials sent, as
> long as the connection originates from the guest network. If this is the
> approach how would I make exim accept any user password combination?
Wrong way about. By all means advertise AUTH, but do not require it.
--
Cheers,
Jeremy
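
As an added illustration of the advice in the reply above (not configuration from the original thread or from the Exim project): an Exim fragment that advertises AUTH only on TLS-protected connections, as suggested for PLAIN and LOGIN, and lets the guest subnet relay on port 25 without authenticating. The names `guest_net` and `acl_check_rcpt` and the rate-limit figures are assumptions; a client that sends AUTH with bad credentials still gets an authentication failure, since nothing here accepts arbitrary passwords.

```exim
# --- main configuration section ---

# Assumed name for the guest network given in the question.
hostlist guest_net = 10.10.100.0/24

# Offer STARTTLS to everyone.
tls_advertise_hosts = *

# Link AUTH to TLS: advertise AUTH only once the session is encrypted,
# so PLAIN/LOGIN credentials never cross the wire in clear text.
# Because AUTH is only advertised, not required, clients that never
# authenticate are handled by the ACL below instead.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ---
begin acl

acl_check_rcpt:

  # Authenticated clients may relay from any network.
  accept authenticated = *
         control       = submission

  # Constructed limit: cap what one guest machine can send per hour,
  # which contains the damage from the infected-visitor case raised
  # in the reply. Tune the figures to the site.
  defer  hosts     = +guest_net
         ratelimit = 50 / 1h / per_rcpt / $sender_host_address
         message   = Sending rate exceeded, try again later
         log_message = guest relay rate limit hit by $sender_host_address

  # Guests may relay without AUTH, but only on port 25.
  accept hosts     = +guest_net
         condition = ${if eq{$received_port}{25}}
         control   = submission

  # The site's existing rules for local domains go here, followed by
  # the final catch-all refusal.
  deny   message = relay not permitted
```

The `log_message` line gives an entry to alert on when a guest machine starts sending in bulk.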