On 2008-06-20 at 00:07 -0400, Eli C wrote: > Do you have an example of this?
I have a rather complex setup for my laptop. It does this and more. Details below. Used on MacOS. > And thanks for the tip about checking for TLS if using auth PLAIN. Does > $tls_cipher count SSL connections as well? A disturbing number of > servers use PLAIN over unencrypted SMTP... AFAIK, $tls_cipher counts SSL connections, but I don't think Exim supports SSL-on-connect outbound. That is strictly for legacy client support, Exim supports it for inbound connections only. I think. Okay, my laptop. This does not highlight how easy Exim can be to configure for many scenarios (once you know _how_, which is always the sticking point); rather, it's a glimpse of the power you get from the rather complete string expansion language. And a glimpse of how nuts I am. There will be various macros and hostlists which you define for yourself. There are two special external files which are the heart of it. "smarthosts" and "client-passwords". Example here uses Gmail because that's what I have configured (various disclaimers apply). Gmail's delivery folks aren't entirely enthralled with people routing mail through Gmail and sending bounces, risking mail-loops, etc, so if you mismanage this and damage your account's spam reputation score, on your head be it. smarthosts: ----------------------------8< cut here >8------------------------------ gmail.com: host=smtp.gmail.com submission=yes tls=yes [EMAIL PROTECTED] googlemail.com: host=smtp.gmail.com submission=yes tls=yes [EMAIL PROTECTED] *: host=mail.example.org submission=yes tls=yes ----------------------------8< cut here >8------------------------------ For the "client-passwords" file, I don't keep that in source-code control and I'm not on the laptop right now, so I might be making a mistake, but I believe it goes something like: ----------------------------8< cut here >8------------------------------ [EMAIL PROTECTED]: password=12345678 mail.example.org: user=fred password=sekret ----------------------------8< cut here >8------------------------------ Note how when a user is specified in smarthosts, the client-passwords file is keyed by that, otherwise it's keyed by the smarthost (or parent domains thereof). Routers first; the first Router lets me declare for which domains I'll send direct to MX, by creating a file named for the domain in a special directory. The second Router verifies DNS so that I don't pass invalid domains on and damage my reputation with remote systems; this does mean that I need to be online whilst submitting email to Exim though. ----------------------------8< cut here >8------------------------------ begin routers direct_to_mx: driver = dnslookup domains = partial()dsearch;DIRECT_OUT_DIR transport = remote_smtp ignore_target_hosts = +special_ipv4_bad same_domain_copy_routing no_more remote_dns_verify: driver = dnslookup domains = ! +local_domains transport = remote_smtp ignore_target_hosts = +special_ipv4_bad same_domain_copy_routing verify_only no_more smarthost: driver = manualroute domains = ! +local_domains transport = smarthost_smtp ignore_target_hosts = +special_ipv4_bad route_data = ${extract{host}{${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts}}}} address_data = ${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts}} same_domain_copy_routing no_verify no_more ----------------------------8< cut here >8------------------------------ The route_data extracts the 'host' field from the smarthosts file; address_data associates the entire line from smarthosts with the address, for later extraction. ----------------------------8< cut here >8------------------------------ begin transports remote_smtp: driver = smtp .ifndef TLS_ALLOWED_OUTBOUND hosts_avoid_tls = * .endif hosts_require_tls = +tls_required_to hosts_try_auth = +authenticate_attempt_to smarthost_smtp: driver = smtp port = ${extract{port}{$address_data}{$value}{\ ${extract{submission}{$address_data}{587}{25}}\ }} hosts_require_tls = ${extract{tls}{$address_data}{*}{+tls_required_to}} hosts_require_auth = ${extract{user}{$address_data}{*}{+authenticate_required_to}} helo_data = ${extract{helo}{$address_data}{$value}{MYHELO_TO_SMARTHOST}} ----------------------------8< cut here >8------------------------------ The TLS_ALLOWED_OUTBOUND is something I might define on the command-line to send mail with a queue-run to someone whose TLS is currently broken. The hostlist authenticate_attempt_to is used for stuff not going via a smarthost. The hostlists tls_required_to and authenticate_required_to are fallbacks for when the fields are not present. You can easily remove those and just have no coerced default. Note the default HELO parameter is a macro. No, none of the lines in the example smarthosts file set helo, so I always use that default. For the authenticators, I'll remove the server_* fields which aren't relevant; in theory I might start my laptop's Exim accepting remote mail from the local network, authenticated, and send via that. I've done that once, maybe twice, so it's just a distraction here. But if you do want to handle authentication server-side, you just add the server_* fields to these same authenticators. ----------------------------8< cut here >8------------------------------ begin authenticators auth_cram: driver = cram_md5 public_name = CRAM-MD5 # If smarthosts address_data gives us a user, use that; else do # a domain search on client-passwords (no * default support) client_name = ${extract{user}{$address_data}{$value}{\ ${extract{user}{${lookup{$host}partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail}}} # The password, however, always comes from client-passwords client_secret = ${extract{password}{${lookup{\ ${extract{user}{$address_data}{$value}{$host}}\ }partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail} auth_plain: driver = plaintext public_name = PLAIN client_condition = ${if def:tls_cipher} client_send = ^${extract{user}{$address_data}{$value}{\ ${extract{user}{${lookup{$host}partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail}}}\ ^${extract{password}{${lookup{\ ${extract{user}{$address_data}{$value}{$host}}\ }partial()lsearch{RUNAUTHDIR/client-passwords}}}{$value}fail} ----------------------------8< cut here >8------------------------------ There's no GSSAPI support client-side because I only use that with GSSAPI-enabled MUAs, not from an MTA. I could create a server principal with no bound address, I suppose, but I don't want to. I think I got the full details. -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/