On 2008-06-20 at 00:07 -0400, Eli C wrote:
> Do you have an example of this?

I have a rather complex setup for my laptop.  It does this and more.
Details below.  Used on MacOS.

> And thanks for the tip about checking for TLS if using auth PLAIN. Does
> $tls_cipher count SSL connections as well? A disturbing number of
> servers use PLAIN over unencrypted SMTP...

AFAIK, $tls_cipher counts SSL connections, but I don't think Exim
supports SSL-on-connect outbound.  That is strictly for legacy client
support, Exim supports it for inbound connections only.  I think.


Okay, my laptop.  This does not highlight how easy Exim can be to
configure for many scenarios (once you know _how_, which is always the
sticking point); rather, it's a glimpse of the power you get from the
rather complete string expansion language.  And a glimpse of how nuts I
am.

There will be various macros and hostlists which you define for
yourself.  There are two special external files which are the heart of
it.  "smarthosts" and "client-passwords".  Example here uses Gmail
because that's what I have configured (various disclaimers apply).
Gmail's delivery folks aren't entirely enthralled with people routing
mail through Gmail and sending bounces, risking mail-loops, etc, so if
you mismanage this and damage your account's spam reputation score, on
your head be it.

smarthosts:
----------------------------8< cut here >8------------------------------
gmail.com:      host=smtp.gmail.com    submission=yes tls=yes [EMAIL PROTECTED]
googlemail.com: host=smtp.gmail.com    submission=yes tls=yes [EMAIL PROTECTED]
*:              host=mail.example.org  submission=yes tls=yes
----------------------------8< cut here >8------------------------------

For the "client-passwords" file, I don't keep that in source-code
control and I'm not on the laptop right now, so I might be making a
mistake, but I believe it goes something like:
----------------------------8< cut here >8------------------------------
[EMAIL PROTECTED]:      password=12345678
mail.example.org:       user=fred  password=sekret
----------------------------8< cut here >8------------------------------
Note how when a user is specified in smarthosts, the client-passwords
file is keyed by that, otherwise it's keyed by the smarthost (or parent
domains thereof).

Routers first; the first Router lets me declare for which domains I'll
send direct to MX, by creating a file named for the domain in a special
directory.  The second Router verifies DNS so that I don't pass invalid
domains on and damage my reputation with remote systems; this does mean
that I need to be online whilst submitting email to Exim though.

----------------------------8< cut here >8------------------------------
begin routers

direct_to_mx:
  driver = dnslookup
  domains = partial()dsearch;DIRECT_OUT_DIR
  transport = remote_smtp
  ignore_target_hosts = +special_ipv4_bad
  same_domain_copy_routing
  no_more

remote_dns_verify:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = +special_ipv4_bad
  same_domain_copy_routing
  verify_only
  no_more

smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtp
  ignore_target_hosts = +special_ipv4_bad
  route_data = 
${extract{host}{${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts}}}}
  address_data = ${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts}}
  same_domain_copy_routing
  no_verify
  no_more

----------------------------8< cut here >8------------------------------

The route_data extracts the 'host' field from the smarthosts file;
address_data associates the entire line from smarthosts with the
address, for later extraction.

----------------------------8< cut here >8------------------------------
begin transports

remote_smtp:
  driver = smtp
.ifndef TLS_ALLOWED_OUTBOUND
  hosts_avoid_tls = *
.endif
  hosts_require_tls = +tls_required_to
  hosts_try_auth = +authenticate_attempt_to

smarthost_smtp:
  driver = smtp
  port = ${extract{port}{$address_data}{$value}{\
          ${extract{submission}{$address_data}{587}{25}}\
          }}
  hosts_require_tls = ${extract{tls}{$address_data}{*}{+tls_required_to}}
  hosts_require_auth = 
${extract{user}{$address_data}{*}{+authenticate_required_to}}
  helo_data = ${extract{helo}{$address_data}{$value}{MYHELO_TO_SMARTHOST}}
----------------------------8< cut here >8------------------------------

The TLS_ALLOWED_OUTBOUND is something I might define on the command-line
to send mail with a queue-run to someone whose TLS is currently broken.

The hostlist authenticate_attempt_to is used for stuff not going via a
smarthost.

The hostlists tls_required_to and authenticate_required_to are fallbacks
for when the fields are not present.  You can easily remove those and
just have no coerced default.  Note the default HELO parameter is a
macro.  No, none of the lines in the example smarthosts file set helo,
so I always use that default.

For the authenticators, I'll remove the server_* fields which aren't
relevant; in theory I might start my laptop's Exim accepting remote mail
from the local network, authenticated, and send via that.  I've done
that once, maybe twice, so it's just a distraction here.  But if you do
want to handle authentication server-side, you just add the server_*
fields to these same authenticators.

----------------------------8< cut here >8------------------------------
begin authenticators

auth_cram:
  driver        = cram_md5
  public_name   = CRAM-MD5
# If smarthosts address_data gives us a user, use that; else do
# a domain search on client-passwords (no * default support)
  client_name = ${extract{user}{$address_data}{$value}{\
        
${extract{user}{${lookup{$host}partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail}}}
# The password, however, always comes from client-passwords
  client_secret = ${extract{password}{${lookup{\
        ${extract{user}{$address_data}{$value}{$host}}\
        }partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail}

auth_plain:
  driver        = plaintext
  public_name   = PLAIN
  client_condition      = ${if def:tls_cipher}
  client_send = ^${extract{user}{$address_data}{$value}{\
           
${extract{user}{${lookup{$host}partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail}}}\
        ^${extract{password}{${lookup{\
           ${extract{user}{$address_data}{$value}{$host}}\
           }partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail}
----------------------------8< cut here >8------------------------------

There's no GSSAPI support client-side because I only use that with
GSSAPI-enabled MUAs, not from an MTA.  I could create a server principal
with no bound address, I suppose, but I don't want to.

I think I got the full details.

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to