Re: [exim] Block local submission

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Block local submission
On 19/07/15 16:11, Viktor Dukhovni wrote:
> On Sun, Jul 19, 2015 at 03:44:38PM +0100, Jeremy Harris wrote:
>
>>>>> authenticated = root:exim
>>>>
>>>> Note that the "authenticated" condition
>>>> takes a list of authenticator names, not
>>>> user names.
>>>
>>> Even with mail submitted via Exim's "sendmail" (without -bs)?
>>
>> Yes. The documentation even says so.
>
> What about lines 4745 through 4763 of exim.c:


Not relevant for the ACL authenticated= condition
(but see below for the $authenticated_id variable)

- this condition depends on the sender_host_authenticated
value, which is set in smtp_in_auth(). Apart from
being copied via a spool file I don't see it getting
set to a real value anywhere else in the source.


> 4761   if (authenticated_id == NULL && !host_checking)
> 4762     authenticated_id = originator_login;
> 4763   }

>
> That last 'authenticated_id = originator_login' seems to suggest
> otherwise? One might just have to be careful in the "trusted_caller"
> case.
>
>>> And
>>> what is the value of $authenticated_id in that context? [ Just
>>> trying to make sense of the example ACLs from Lena. ]
>>
>> The $authenticated_id variable is set by an authenticator,
>> using the authenticator server_set_id option. It is not
>> set in any other way. If no authenticator has succeeded,
>> it is not set.
>
> I see that that's all that's documented, but perhaps the documentation
> is not 100% complete in this case?


I was wrong here; sorry. You are correct that $authenticated_id
is set to the user name for a commandline send (apart from
special cases permitted to admins). Docs:


http://exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html

"When a message is submitted locally (that is, not over a TCP
connection) the value of $authenticated_id is normally the login name of
the calling process."


--
Cheers,
Jeremy
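
The distinction drawn in this message, as an added configuration fragment that is not part of the original post or of the ACLs discussed in the thread: it assumes the goal is to let only the local users root and exim submit mail from the command line, and the ACL name acl_check_not_smtp and the message text are made up for illustration.

```exim
# Main configuration section: ACL run for messages that do not
# arrive over SMTP (command-line submission without -bs).
acl_not_smtp = acl_check_not_smtp

begin acl

acl_check_not_smtp:

  # Does not do what it looks like: "authenticated" takes a list of
  # authenticator names and tests $sender_host_authenticated, which is
  # only set by a successful SMTP AUTH, so this never matches here.
  #   accept authenticated = root:exim

  # For a local submission $authenticated_id is normally the login name
  # of the calling process, so compare that instead.
  accept condition = ${if or{ {eq{$authenticated_id}{root}} \
                              {eq{$authenticated_id}{exim}} }}

  # Everyone else is refused (illustrative message text).
  deny   message = local submission is not permitted for $authenticated_id
```

A trusted caller can supply a different authenticated id on the command line (the -oMai option), so the set of trusted users decides how far this check can be relied on.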