Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] Add a whitelist for senders to skip auth check
On 08/05/2020 13:03, Damon Hill via Exim-users wrote:
> My server, say SERVER A, hosts e-mail for coolstore.com domain, but the
> web is hosted by SERVER B (which uses several servers for mailing). I
> need to exclude from Exim SMTP auth checking in Server A:
> smtp1.serverb.com, smtp2.serverb.com, mailer@??? and
> *.serverb2.com.
>
> The problem is that when the web application (hosted by ServerB) tries
> to send an (unauthenticated) email from sells@??? to
> owner@??? it fails with message: '550 smtp auth requried (in
> reply to RCPT TO command)'
>
> I've got the ACL:
>
> deny message = smtp auth requried
> sender_domains = +local_domains
> !authenticated = *
>
> but I cannot make it exclude these domains from the checking.
>
> I tried adding this to ACLs:
>
> accept condition = ${lookup{\$sender_address}nwildlsearch{/etc/exim/senders-whitelist.conf}{yes}}

First, that would be relying on info trivially spoofable by an
attacker. You are only gaining security-by-obscurity.

Better to be testing something hard to spoof. The IP(s) or (not quite
so good, but more flexible) names of hosts you trust would be better.

Second: ACL verbs in an ACL are processed in sequence; the order
matters. Within each verb the conditions and actions are processed
in sequence, too ("message" tends to be confusing. I recommend you
place it last, for clarity). You could make this deny verb not
act for the messages you want to trust (due to their source).
--
Cheers,
Jeremy
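
The two points in the reply above, shown as an Exim configuration sketch. This is an added example, not part of the original message or of the Exim documentation. The list name `trusted_relays` and the 192.0.2.x addresses are constructed placeholders, and the statements are assumed to sit in the ACL that handles RCPT (the one named by `acl_smtp_rcpt`).

```exim
# --- Main configuration section ---
# Trust is keyed on the connecting host, not on the envelope sender,
# because the sender address is supplied by the client and can be forged.
# The addresses are placeholders from a documentation range; replace them
# with the real addresses of Server B's mailers.
hostlist trusted_relays = 192.0.2.10 : 192.0.2.11

# Name-based alternative using the host names from the post. More flexible,
# but every check then depends on DNS lookups, so it is the weaker option.
# hostlist trusted_relays = smtp1.serverb.com : smtp2.serverb.com : *.serverb2.com

# --- ACL section, before (as posted) ---
# Refuses every unauthenticated client that uses a local sender domain,
# including Server B's web application.
#
#   deny message = smtp auth requried
#        sender_domains = +local_domains
#        !authenticated = *

# --- ACL section, after ---
# Conditions are tested top to bottom and the statement is abandoned at the
# first one that is false. A connection from +trusted_relays makes the
# "!hosts" condition false, so the deny does not act and processing moves
# on to the next statement in the ACL. "message" is placed last for clarity.
deny    sender_domains = +local_domains
        !hosts         = +trusted_relays
        !authenticated = *
        message        = smtp auth requried
```

Because statements are processed in order, this `deny` has to stay ahead of any `accept` that would otherwise let the same unauthenticated mail through.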