Re: [exim] Make auth unsuccessful with some conditions

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Odhiambo Washington
Dátum:  
Címzett: Dzmitry Shykuts
CC: exim-users
Tárgy: Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 11:08 AM Dzmitry Shykuts via Exim-users <
exim-users@???> wrote:

> Hello!
>
> I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.
>
> I'm trying to deny users successful authentication if they connect not
> from the internal network but from the Internet. At the same time, I
> have a file with exception users.
>
> server_condition is used to deny authentication. At the same time, this
> works for CRAM_MD5, but does not work for PLAIN (an error message
> appears in the log, but the message is sent as coming from an authorized
> user).
>
> Used macros:
>
> LAN = 127.0.0.1 : ::::1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8
>
> AUTH_EXCEPTIONS = CONFDIR/auth_exceptions
>
>
> And here are my auth config:
>
> dovecot_cram_md5:
>    driver = dovecot
>    public_name = CRAM-MD5
>    server_socket = /var/run/dovecot/auth-client
>    server_set_id = $auth1
>    server_advertise_condition = AUTH_ADVERTISE_CONDITION
>    server_condition = ${if

>
> or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>    driver = dovecot
>    public_name = LOGIN
>    server_socket = /var/run/dovecot/auth-client
>    server_set_id = $auth1
>    server_advertise_condition = AUTH_ADVERTISE_CONDITION

>
> dovecot_plain:
>    driver = dovecot
>    public_name = PLAIN
>    server_socket = /var/run/dovecot/auth-client
>    server_set_id = $auth1
>    server_advertise_condition = AUTH_ADVERTISE_CONDITION
>    server_condition = ${if

>
> or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
>
> What could be wrong with PLAIN?
>
> There are also notes for PLAIN in the documentation: "This option must
> be set for a plaintext server authenticator, where it is used directly
> to control authentication. See section 34.3 for details." I don't know
> how to apply or bypass this in my case.
>
> Maybe there is some other way to implement my idea with authentication
> rejection?
>


Yes. It is a lot easier to implement authentication without exceptions.
What server resources are you saving with selective authentication?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)