Re: [exim] How to accept e-mail from a certain subnet even i…

Author: Jasper Wallace
Date:  
To: Heiko Schlittermann
CC: exim-users
Subject: Re: [exim] How to accept e-mail from a certain subnet even if AUTH Login credentials, are invalid?
On Thu, 12 Jun 2014, Heiko Schlittermann wrote:

> Shane Philip <shanep@???> (Mi 11 Jun 2014 02:06:16 CEST):
> …
> > people around so don't know the first thing about how their e-mail
> > clients are set up. So basically I want EXIM to listen for connections
> > from the 10.10.100.0/24 subnet and accept all attempts to relay the
> > guest mail regardless of whether the sending client uses NO AUTH, or is
> > set to AUTH, or is set to the TLS AUTH. This will only need to happen
> > for traffic on port 25, and for mail connections from the guest network.
>
> "attempt to relay" means, the client has some idea about a relay host.
>
> A totally stupid, unconfigured client probably would use DNS MX lookups
> and send the mail directly.
>
>
> If the client knows about a relay host, you can just allow the TCP
> connections. That's nothing Exim has to deal with.
>
> Or you can intercept the connections (using address translation) and ask
> your Exim to simulate the behaviour of the relay host. (But why should
> you do this?)
>
> Or you can be the relay host the clients know, but this needs
> configuration on the client side too.
>
>
> I understand that you want to intercept the traffic and simulate the
> relay host.


If that's what Shane is trying to do then it's a really bad idea.

In today's world of SPF/DMARC/DKIM you are just going to break the email of
everyone that tries to use your guest network.

> > 1. Will the client still try to use AUTH, when it is not advertised?
>
> I'd not rely on some special behaviour. (Exim as a client won't issue
> AUTH if the server doesn't advertise AUTH, but I can't speak for the
> various MUAs around.)
>
> > 2. If the client does try to use AUTH will the exim server just ignore it
> > and accept the e-mail anyway or will it error?
>
> Exim wants the authentication to succeed. If the server_condition fails,
> the connection closes.
>
> There are authenticators that do not use the server_condition
> in the first place, but iff server_condition exists, they use it as a
> secondary check.
>
> > 3. Will this work if the client also uses TLS?
>
> Yes, but if the client tries to verify the server certificate, you're
> lost.
>
> > Finally am I on the right track for making this work, or do I need to
> > look to advertise AUTH and then just accept any credentials sent, as
> > long as the connection originates from the guest network. If this is the
> > approach how would I make exim accept any user password combination?
>
>     login:
>         driver = plaintext
>         …
>         server_condition = true
>
> But of course a bit more complex, to include the source IP network.
> $sender_host_address should contain the IP of the connecting client.
>
>     Best regards from Dresden/Germany
>     Viele Grüße aus Dresden
>     Heiko Schlittermann


-- 
[http://pointless.net/]                                   [0x2ECA0975]
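
Heiko's hint about including the source network in `server_condition`, written out as an added example that is not part of either message above. The macro name `GUEST_NET`, the authenticator names, and the `$received_port` check for port 25 are assumptions chosen here; the subnet is the one from the original question.

```exim
# --- main configuration section ---
# Constructed example. GUEST_NET is a macro name chosen for this sketch.
GUEST_NET = 10.10.100.0/24

# Advertise AUTH only to the guest subnet, so no other client is ever
# offered the accept-anything authenticators defined below.
auth_advertise_hosts = GUEST_NET

# (ACL, router and transport sections of the real configuration go here.)

begin authenticators

# AUTH PLAIN: any username/password is accepted, but only when the
# connection comes from GUEST_NET and arrived on local port 25.
# Every other source gets an authentication failure.
guest_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if and{\
      {match_ip{$sender_host_address}{GUEST_NET}}\
      {eq{$received_port}{25}}\
    }{yes}{no}}
# Log the client address as the authenticated id; the username the
# client sent is unverified and must not be trusted as an identity.
  server_set_id = guest-$sender_host_address

# AUTH LOGIN: same condition, for clients that only speak LOGIN.
guest_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if and{\
      {match_ip{$sender_host_address}{GUEST_NET}}\
      {eq{$received_port}{25}}\
    }{yes}{no}}
  server_set_id = guest-$sender_host_address
```

The source-address test is the only access control in this sketch, since the credentials themselves are never checked.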