[exim] Re: Sasl and Exim

Author: The Doctor
Date:
To: Odhiambo Washington
CC: exim-users
Subject: [exim] Re: Sasl and Exim
On Sun, Feb 25, 2024 at 06:26:02PM +0300, Odhiambo Washington via Exim-users wrote:
> On Sun, Feb 25, 2024 at 5:50 PM The Doctor <doctor@???> wrote:
>
> > On Sun, Feb 25, 2024 at 04:20:38PM +0300, Odhiambo Washington wrote:
> > > On Sun, Feb 25, 2024 at 4:06 PM The Doctor via Exim-users <
> > > exim-users@???> wrote:
> > >
> > > > On Sun, Feb 25, 2024 at 07:12:00AM +0100, Andreas Metzler via
> > Exim-users
> > > > wrote:
> > > > > On 2024-02-25 The Doctor via Exim-users <exim-users@???>
> > > > wrote:
> > > > > > how can one check to see if Exim is using SASL?
> > > > >
> > > > > I do not get this question, is this trolling? You would look at the
> > > > > configuration files obviously.
> > > > >
> > > > > cu Andreas
> > > > >
> > > >
> > > >
> > > > I am trying on one server to send e-mail via user/pw credentials.
> > > >
> > > > The credentials seem not to get passed through.
> > > >
> > >
> > > Please show what your configuration for ASMTP is, accompanied by log
> > > snippets of what is happening.
> >
> > Will do, just remind me on how to exclude comments
> >
>
> No one wants your whole Exim config file. Only the authenticators are
> needed.
> And the logs when you run the test!
> Anyway use: egrep -v '^$|^.*#' /path/to/file
>

domainlist relay_to_domains =
host_reject_connection = +host_rejects
trusted_users = exim : majordomo : www
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
tls_advertise_hosts = *
log_selector = +all
daemon_smtp_ports = 25  : 465:  587
tls_on_connect_ports =   465
begin acl
acl_check_smtp: 
   accept encrypted = *
   accept hosts = :
   accept hosts = +relay_hosts
   deny hosts = +block_hosts
   accept
acl_check_rcpt:
  deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text 
     dnslists = sbl-xbl.spamhaus.org : \
                zen.spamhaus.org : \   
            z.mailspike.net : \
                 hostkarma.junkemailfilter.com=127.0.0.2 : \
           bl.spamcop.net  : \
        dnsbl.sorbs.net 
           log_message   = found in $dnslist_domain
warn   dnslists = sbl-xbl.spamhaus.org: \
             zen.spamhaus.org : \
             dnsbl.njabl.org : \
             combined.njabl.org : \
             dev.null.dk : \
             relays.visi.com : \
        dnsbl.sorbs.net :\
             iscbl.anti-spam.org.cn : \
             cbl.anti-spam.org.cn : \
             cblplus.anti-spam.org.cn : \
             cblless.anti-spam.org.cn : \
             hostkarma.junkemailfilter.com=127.0.0.2 :\
         bl.spamcop.net     :\
       dnsbl-1.uceprotect.net :\
          dnsbl-2.uceprotect.net  :\
      dnsbl-3.uceprotect.net 
  deny
    message = The $sender_adress is prohibited to send mail to the $domain 
    senders = lsearch;/usr/local/etc/exim/restricted_sender
    domains = lsearch;/usr/local/etc/exim/restricted_domains
  accept  hosts = :
          control = dkim_disable_verify
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  accept  local_parts   = postmaster
          domains       = +local_domains
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
            message = sorry
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
            message = sorry
deny
    condition = ${if eq{$sender_helo_name}{}}
    message   = HELO required before MAIL
drop  message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
      condition = ${if match{$sender_helo_name}{$primary_hostname}}
        !verify   = recipient/callout=2m,defer_ok,use_sender
warn    domains = +local_domains
                !verify = recipient
                set acl_c0 = ${eval: $acl_c0+1}
                delay = ${eval: ($acl_c0 - 1) * 60}s
drop    message = Legitimate bounces are never sent to more than one recipient.
        senders = : postmaster@*
        condition = ${if >{$recipients_count}{0}{true}{false}}
  deny
    message = 5.7.1 Banned TLD in MAIL FROM
    sender_domains = ^(?i).*\\.(ru|sa)\\.com\$
  deny
    message = 5.7.1 Banned TLD in MIME From
    condition = ${if match {$h_from:}{^(?i).*\\.(ru|sa)\\.com>\$}{yes}{no}}
  accept  hosts         = +relay_from_hosts
          control       = submission/sender_retain
          control       = dkim_disable_verify
  accept  authenticated = *
          control       = submission/sender_retain
          control       = dkim_disable_verify
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains
  require verify = recipient
  deny    message       = Rejected IP
          hosts         = 127.0.0.1
  deny      message    = Rejected IP
      hosts        = 192.133.39.0/24
  deny      message    = Rejected IP
      hosts        = 5.34.207.0/24
  deny    message       = Rejected Domain
          domains       = foo.bar : foo2.bar
  deny    message       = Rejected sender
          domains       = dhl.com
          local_parts   = adminsu*
  deny    message       = Rejected sender
          domains       = *.com
          local_parts   = postmail-*
  deny    message       = Rejected sender
          domains       = office.com
          local_parts   = bounce
  deny    message       = Rejected sender
          domains       = usa.com
          local_parts   = express.deli*
  deny    message       = Rejected sender
          domains       = gmail.com
          local_parts   = emarketing2*
  deny    message       = Rejected sender
          domains       = gmail.com
          local_parts   = roach*
  deny    message       = Rejected sender
          domains       = gmail.com
          local_parts   = emarketing2sofsol*
  deny    message       = Rejected sender
          domains       = gmail.com
          local_parts   = umair*
  deny    message       = Rejected sender
          domains       = gmail.com
          local_parts   = umairpbl
  deny    message       = Rejected sender
          domains       = gmail.com
          local_parts   = edusa102
  deny    message    = Rejected sender
      domains    = *.icu
      local_parts   = *
  deny    message    = Rejected sender
      domains    = nubwaygroup.com
      local_parts   = *
  deny    message    = Rejected sender
      domains    = exceptmail.com
      local_parts   = *
  deny    message    = Rejected sender
      domains    = hotmail.com.com
      local_parts   = *
  deny    message    = Rejected sender
      domains    = sanpaolotorino.com
      local_parts   = studio
  deny      message    = Rejected recipient
          domains    = localhost.com
          local_parts    = root
  deny      message    = Rejected recipient
          domains    = freeshell.org
          local_parts    = dino
  deny      message    = Rejected recipient
          domains    = croffervault.com
          local_parts    = concierge
warn ratelimit = 1000 / 1h / strict
     log_message = Sender rate $sender_rate / $sender_rate_period
warn ratelimit = 500 / 1h / per_rcpt / strict
     delay = ${eval: ${sg{$sender_rate}{[.].*}{}} - $sender_rate_limit}s
  accept
acl_check_data:
  accept authenticated = *
     set acl_m_authenticated = 1  
 accept hosts = : 
   deny    malware    = *
           message    = This message contains a virus ($malware_name).


  drop message = This message is denied by policy : $spam_score spam points
       spam = nobody:true
       condition = ${if > {$spam_score_int}{4999}{1}{0}}
   warn    spam       = nobody
           message = Subject: {SPAM?} $rh_subject:
           add_header = X-Spam_score: $spam_score\n\
                        X-Spam_score_int: $spam_score_int\n\
                        X-Spam_bar: $spam_bar\n\
                        X-Spam_report: $spam_report
deny
    !hosts = +relay_from_hosts
    message = This message was considered to be spam
    spam = www:true
    condition = ${if >{$spam_score_int}{4999}{1}{0}} 
deny senders = /usr/local/etc/exim/deny_senders
deny authenticated = *
          ratelimit = 10 / 1d / strict /  $authenticated_id
  accept 
acl_smtp_connect:
            drop message         = You are banned here
            log_message  = Blocked host from 5.34.207.0/24 subnet ($sender_host_address)
            hosts               = +blocked_hosts
begin routers
check_dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  verify_only
  no_more
check_system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  verify_only
check_localuser:
  driver = accept
  check_local_user
  verify_only
virtuals:
  driver = redirect
  allow_defer
  allow_fail
  domains       = partial-lsearch;/usr/local/etc/exim/vdom3
  data = ${lookup{$local_part@$domain}lsearch*@{/usr/local/etc/exim/virtualaliases}}
  retry_use_local_part
  pipe_transport = address_pipe
  file_transport = address_file
  no_more
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
userforward:
  driver = redirect
  check_local_user
 local_part_prefix = +* : -*
 local_part_prefix_optional
  file = $home/.forward
  allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
localuser:
  driver = accept
  check_local_user
 local_part_prefix = +* : -*
 local_part_prefix_optional
  no_verify
  transport = local_delivery
  cannot_route_message = Unknown user
procmail:
  driver = accept
  check_local_user
  require_files = $home/.procmailrc
  transport = procmail_pipe
lists:
  driver = redirect
  file = /usr/home/majordomo/lists/$local_data
  forbid_pipe
  forbid_file
  errors_to = $local_data-request@???
  user = majordomo
  no_more
begin transports
remote_smtp:
  driver = smtp
  hosts_avoid_esmtp=*
  connect_timeout = 15m
  data_timeout = 15m
  hosts_avoid_tls = 127.0.0.1
procmail_pipe:
  driver = pipe
  command = /usr/bin/procmail -d $local_part
  return_path_add
  delivery_date_add
  envelope_to_add
  check_string = "From "
  escape_string = ">From "
  umask = 077
  user = $local_part
  group = mail


local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  quota = 30720M
  quota_warn_threshold = 70%
  mode = 0600
address_pipe:
  driver = pipe
  return_output
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
address_reply:
  driver = autoreply
begin retry
*                      *           F,1h,15m; G,10h,1h,1.5; F,7d,1h
127.0.0.1              *           F,1h,1m; G,2h,10m,1.5; F,5h,10m
204.209.81.1              *           F,1h,1m; G,2h,10m,1.5; F,3h,10m
204.209.81.3              *           F,1h,1m; G,2h,10m,1.5; F,5h,10m
begin rewrite
begin authenticators
PLAIN:
  driver                     = plaintext
  public_name                = PLAIN
  server_set_id              = $auth2
  server_prompts             = :
  server_condition           = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }
LOGIN:
  driver                     = plaintext
  public_name                = LOGIN
  server_set_id              = $auth1
 server_prompts             = <| Username: | Password:
 server_condition           =  ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }
sasl_auth:
  driver                     = cyrus_sasl
  public_name                = SASL_AUTH
  server_mech         = PLAIN
  server_set_id              = $auth2
  server_condition           = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }



From the logs

2024-02-24 20:33:41.957 [60359] H=([sender Ip]) [Sender IP]:52274 I=[mail IP]:587 Ci=60359 incomplete transaction (connection lost) from <Sender> for Self test.


>
> >
> > > You see, most list members broke their crystal glasses and so cannot
> > guess
> > > all that information.
> >
> > I prefer to be prodded.
> >
>
> http://www.catb.org/~esr/faqs/smart-questions.html
>


:-)

>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> In an Internet failure case, the #1 suspect is a constant: DNS.
> "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
> [How to ask smart questions:
> http://www.catb.org/~esr/faqs/smart-questions.html]
>
> --
> ## subscription configuration (requires account):
> ## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ## exim-users-unsubscribe@???
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


--
Member - Liberal International This is doctor@??? Ici doctor@???
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
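
The request quoted above (only the authenticators, without comments), as an added example that is not part of the thread: a POSIX shell function that prints one `begin` section of an Exim configuration. Unlike the quoted `egrep -v '^$|^.*#'`, it keeps option lines that merely contain `#`, and it masks secret-bearing values before the output is posted; the function name, the masked option list and the sample file are constructed for illustration.

```sh
# Added example, not from the thread. Exim treats a line as a comment only
# when "#" is its first non-blank character, so "#" inside a value must
# survive the filter. Secret-bearing option values are masked.
extract_exim_section() {   # usage: extract_exim_section FILE SECTION
    awk -v want="$2" '
        /^[ \t]*begin[ \t]+/ {            # "begin <name>" opens a section
            insec = ($2 == want); skip = 0
            if (insec) print; next
        }
        !insec      { next }
        /^[ \t]*$/  { next }              # blank line
        /^[ \t]*#/  { next }              # comment-only line
        skip        { skip = /\\[ \t]*$/; next }   # continued part of a masked value
        /^[ \t]*(client_send|client_secret|client_password|server_secret|server_password)[ \t]*=/ {
            skip = /\\[ \t]*$/            # value continues on the next line(s)
            sub(/=.*/, "= <redacted>")
            print; next
        }
        { print }
    ' "$1"
}

# Constructed sample input (not the poster's file).
sample_exim_conf() {
    cat <<'EOF'
# main section
tls_advertise_hosts = *
begin acl
acl_check_rcpt:
  accept
begin authenticators
# server side
PLAIN:
  driver             = plaintext
  server_prompts     = :
  server_debug_print = "auth try # $auth2"
relay_login:
  driver      = plaintext
  client_send = : relayuser : \
                s3cret
begin retry
EOF
}

tmp=$(mktemp) && sample_exim_conf > "$tmp"
extract_exim_section "$tmp" authenticators
rm -f "$tmp"
```

On a host with Exim installed, `exim -bP authenticators` prints the authenticator settings as Exim itself parsed them, and `exim -bV` lists the authenticator drivers compiled into the binary.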
