Re: [exim] how to get the email address of the sender?

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Phil Pennock
Ημερομηνία:  
Προς: Angelo Chen
Υ/ο: exim-users
Αντικείμενο: Re: [exim] how to get the email address of the sender?
On 2017-10-14 at 22:34 +0800, Angelo Chen via Exim-users wrote:
> I'm trying to set up a gmail relay:


This is modified from my setup, with the bit which relays mail from
exim.org out through the exim.org server; so this isn't 100% known to
work, I might have made typos.

The file /etc/exim/auth/outbound-passwords would need to exist, have
appropriate permissions, and look something like:

------------------------8< outbound-passwords >8------------------------
xyz@???:     user=xyz@??? password=12345678 clienttoken=my-short-persistent-id
zyx@???:   user=dhr.zyx   password=geheim  port=29  tls=yes
------------------------8< outbound-passwords >8------------------------


The default cipherspec looks awful to people who don't understand SMTP
security and cargo-cult everything, but it's better than falling back to
plaintext and is reliant upon TLS correctly picking a good ciphersuite.
If the attribute 'tlshigh' is set then its value is used as a spec, or
if it's set to just 'yes' then the other macro is used.

Note that you should get an "App Specific Password" from Google
<https://myaccount.google.com/apppasswords> and use that for the mail
configs, instead of hard-coding in your regular password. This will
also let you enable 2FA but still use SMTP mail.

-----------------------------8< cut here >8-----------------------------
# macros section
RUNAUTHDIR=/etc/exim/auth
TLS_CLIENT_DEFAULT_CIPHERSPEC=DEFAULT:!SSLv2:!LOW:aNULL:!eNULL
TLS_CLIENT_HIGHSEC_CIPHERSPEC=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!RC4:!aNULL:!ADH:!DES:!EXP:!NULL
SSL_CERTS_DIR=/etc/ssl/certs


# routers
# nb: on main routers, avoid "same_domain_copy_routing" because it will
# interfere with sender-based routing
via_gmail:
  driver        = manualroute
  senders       = *@gmail.com
  domains       = ! +local_domains
  route_data    = smtp.gmail.com
  transport     = secure_smtp
  address_data  = ${lookup {$sender_address}lsearch{RUNAUTHDIR/outbound-passwords}} authreq=yes tls=yes tlshigh=yes port=587


# transports
secure_smtp:
  driver                  = smtp
  port                    = ${extract{port}{$address_data}{$value}{25}}
  hosts_require_auth      = ${extract{authreq}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
  hosts_require_tls       = ${extract{tls}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
  tls_sni                 = ${extract{tlssni}{$address_data}{$value}{}}
  tls_require_ciphers     = ${extract{tlshigh}{$address_data}{${if eq{$value}{yes}{TLS_CLIENT_HIGHSEC_CIPHERSPEC}{$value}}}{TLS_CLIENT_DEFAULT_CIPHERSPEC}}
  tls_verify_certificates = ${extract{tlsverify}{$address_data}{SSL_CERTS_DIR}fail}
  dnssec_request_domains  = *
  hosts_try_dane          = *
  no_multi_domain
  no_delay_after_cutoff


# authenticators
auth_plain:
  driver            = plaintext
  public_name       = PLAIN
  client_condition  = ${if def:tls_out_cipher}
  client_send       = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}{$value}fail}


auth_plain_clienttoken:
  driver            = plaintext
  public_name       = PLAIN-CLIENTTOKEN
  client_condition  = ${if def:tls_out_cipher}
  client_send       = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}{$value}fail}^${extract{clienttoken}{$address_data}{$value}fail}


-----------------------------8< cut here >8-----------------------------

This adds support for using PLAIN-CLIENTTOKEN for Gmail instead of
PLAIN; I've added it here based on a description posted by one of
Google's postmasters to another mailing-list recently. Untested by me,
but it should work. If not, just remove that authenticator. The id
should be something short and stable you pick but keep private, changing
it on each machine which uses this, to let Google's security systems
track moving devices and protest if the same token is being used on two
different continents at the same time, etc.

-Phil