Re: [exim] Add a whitelist for senders to skip auth check

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Add a whitelist for senders to skip auth check
On 08/05/2020 13:03, Damon Hill via Exim-users wrote:
> My server, say SERVER A, hosts e-mail for coolstore.com domain, but the
> web is hosted by SERVER B (which uses several servers for mailing). I
> need to exclude from Exim SMTP auth checking in Server A:
> smtp1.serverb.com, smtp2.serverb.com, mailer@??? and
> *.serverb2.com.
>
> The problem is that when the web application (hosted by ServerB) tries
> to send an (unauthenticated) email from sells@??? to
> owner@??? it fails with message: '550 smtp auth requried (in
> reply to RCPT TO command)'
>
> I've got the ACL:
>
>    deny    message       = smtp auth requried
>            sender_domains = +local_domains
>            !authenticated = *
>
> but I cannot make it exclude these domains from the checking.
>
> I tried adding this to ACLs:
>
>    accept  condition     = ${lookup{\$sender_address}nwildlsearch{/etc/exim/senders-whitelist.conf}{yes}}


First, that would be relying on info trivially spoofable by an
attacker. You are only gaining security-by-obscurity.

Better to be testing something hard to spoof. The IP(s) or (not quite
so good, but more flexible) names of hosts you trust would be better.

Second: ACL verbs in an ACL are processed in sequence; the order
matters. Within each verb the conditions and actions are processed
in sequence, too ("message" tends to be confusing. I recommend you
place it last, for clarity). You could make this deny verb not
act for the messages you want to trust (due to their source).
--
Cheers,
Jeremy
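
An added example, not part of the original message or thread: one way to apply both points of the reply, exempting trusted source hosts from the existing deny verb instead of matching on the sender address. The list name trusted_web_senders is hypothetical and 192.0.2.10 is a placeholder address; the host names are the ones given in the question.

```exim
# Main configuration section.
# Hosts allowed to send unauthenticated mail with a local-domain sender.
# The list name is hypothetical. 192.0.2.10 is a placeholder: list the
# real source IPs where you can. Name items depend on DNS (a reverse
# lookup of the connecting IP for the wildcard item), so they are
# easier to influence than IP items.
hostlist trusted_web_senders = 192.0.2.10 : \
                               smtp1.serverb.com : smtp2.serverb.com : \
                               *.serverb2.com

# ACL section, in the ACL that runs at RCPT time.
# The accept verb tried in the question keys on $sender_address, which
# the connecting client chooses freely, so it is not used here.
#
# Keep the single deny verb and add a condition so that it does not act
# for trusted sources. Conditions are evaluated top to bottom and the
# verb acts only if all of them are true; "message" is placed last.
deny    sender_domains = +local_domains
        !authenticated = *
        !hosts         = +trusted_web_senders
        message        = smtp auth requried
```

A host in the list is only exempted from this one deny; the verbs that follow it in the ACL still decide whether the recipient is accepted.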