Re: [exim] [Patch supplied] Exim enhancement request.

2006-02-24 Thread Philip Hazel
On Thu, 23 Feb 2006, Dennis Davis wrote:

 I'd like to request an additional private option --
 force_local_authenticated -- for the SMTP transport.  This option
 will be immediately useful in integrating exim with the Cyrus IMAP
 server and may be of more general use.

I'm waiting to see if any Cyrus experts jump in here to comment on this,
but on the face of it, your patch seems a perfectly reasonable one.

-- 
Philip Hazel    University of Cambridge Computing Service
Get the Exim 4 book:    http://www.uit.co.uk/exim-book

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


Re: Re: [exim] Exim: smart_route / routing based on From:

2006-02-24 Thread Phil Pennock
On 2006-02-24 at 08:18 +0100, [EMAIL PROTECTED] wrote:
 My config now looks like:

 addresslist senders_to_xyz = [EMAIL PROTECTED] : [EMAIL PROTECTED]

 smart_route_xyz:
   condition = ${if match_address{${address:$h_from}}{+senders_to_xyz} {yes}{no}}
   driver = manualroute
   transport = remote_smtp
   route_list = * mailserverA

 Exim does send mails but the smart_routes do not work; instead I see the
 following in exim's logfile:

 2006-02-24 08:13:51 1FCX9D-0004nP-9U <= [EMAIL PROTECTED] U=ops P=local S=359
 2006-02-24 08:13:51 1FCX9D-0004nP-9U failed to expand condition ${if match_address{${address:$h_from}}{+senders_to_xyz} {yes}{no}} for smart_route_xyz router: missing 2nd string in {} after match_address
 2006-02-24 08:13:51 1FCX9D-0004nP-9U => [EMAIL PROTECTED] R=smart_route T=remote_smtp H=mailserverB
 2006-02-24 08:13:51 1FCX9D-0004nP-9U Completed

I might need more coffee, but that config looks fine to me.

The best I can think of is that your real config has a spelling
mistake, so that you spell senders_to_xyz one way in the addresslist and
the other way in the condition, so that an empty addresslist is being
filled in.

If those are both spelled the same, with whatever name you're using
instead of senders_to_xyz, then what version of Exim are you using?

match_address was added in Exim 4.33, so you need to be running at least
that.

Erk!  Looking at the ChangeLog for Exim 4.60, you definitely want to
upgrade to that if you're using an older version, because of a possible
crash bug (but without re-checking the docs, I think that a bare
left-hand-side in From: will have been qualified first, so you might be
safe.  Better to update).
-- 
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation


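One detail worth checking in a condition like the one quoted above, independent of the Exim version, is how the header-variable name is terminated. The Exim specification says the name in a `$h_name` reference runs until a colon or white space, so in `${address:$h_from}}` the closing braces become part of the header name and the later braced strings are no longer where the `match_address` parser expects them. The Python below is an added model of that rule (not Exim's code and not from the thread); the two condition strings are the one quoted in the post and the same condition with the colon added.

```python
import re
from typing import List, Tuple

# Constructed inputs: the router condition quoted in the thread, and the same
# condition with the header name terminated by a colon.
COND_NO_COLON = "${if match_address{${address:$h_from}}{+senders_to_xyz} {yes}{no}}"
COND_COLON = "${if match_address{${address:$h_from:}}{+senders_to_xyz} {yes}{no}}"

# Prefixes Exim treats as header references ($h_/$header_, raw and base64 forms).
_HEADER_REF = re.compile(r"\$(?:h|header|rh|rheader|bh|bheader)_")


def read_header_name(expansion: str, start: int) -> Tuple[str, int]:
    """Model of the rule in the Exim spec: the header name runs until a colon
    or white space.  A colon is consumed as the terminator; white space is not.
    Returns the name and the index of the first character after it."""
    i = start
    while i < len(expansion) and expansion[i] != ":" and not expansion[i].isspace():
        i += 1
    name = expansion[start:i]
    if i < len(expansion) and expansion[i] == ":":
        i += 1
    return name, i


def header_references(expansion: str) -> List[str]:
    """Header names that would be looked up for each $h_-style reference."""
    return [read_header_name(expansion, m.end())[0] for m in _HEADER_REF.finditer(expansion)]


def lint_header_references(expansion: str) -> List[str]:
    """Report header references whose name has swallowed expansion syntax,
    which is what happens when the colon is missing and a brace follows."""
    problems = []
    for name in header_references(expansion):
        if any(ch in name for ch in "{}$"):
            base = name.split("}")[0]
            problems.append(
                f"header name {name!r} absorbed the surrounding braces; write $h_{base}: instead"
            )
    return problems


if __name__ == "__main__":
    for cond in (COND_NO_COLON, COND_COLON):
        print(cond)
        print("  header names:", header_references(cond))
        print("  problems:", lint_header_references(cond) or "none")
```

Run as a script it prints the header name Exim would look up for each condition; for the quoted one that name is `from}}{+senders_to_xyz}`, which is never a real header, so `${address:...}` yields an empty string and the condition's brace structure is off by the swallowed braces.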

Re: [exim] [Patch supplied] Exim enhancement request.

2006-02-24 Thread Phil Pennock
On 2006-02-23 at 14:52 +0000, Dennis Davis wrote:
 Anyone should feel free to shoot my ideas down in flames if they can
 think of a better way of doing the following.

Not in flames; the Exim stuff is useful, I can't think of a way to do it
without modifying either Exim or Cyrus and your way works.  But I'm not
sure if you've thought of a potentially nasty side-effect of doing it
without Cyrus knowing about it.

 I'd like to request an additional private option --
 force_local_authenticated

That part's good and generally useful for Exim, but what you're doing
with it seems dangerous, unless I'm misunderstanding.

Beware that there's a lot of personal opinion below, as this is a
judgement call (which you're obviously free to ignore, but please do
think about the points).  Sorry about all the I/me/yada.

 cyrus_ltmp_plus_something:

   force_local_authenticated = true
   authenticated_sender = $local_part

So Exim will authenticate as the user and so allow delivery to any
folder which the user can write to?

That means that _anyone_ can send email to D.H.Davis+Received (for
instance) and you'll never see it, but in the event of a legal dispute
they could claim that you must have seen it and read it.

Is this just not a concern in your set-up?  It makes me nervous, but to
each their own and my needs aren't yours.  I could just be
misunderstanding; I just want to make sure that you've thought this
through (sorry if this is patronising).

My work set-up is closest to the environment you have, I think; I
suspect that our legal counsel would scream blue murder if I let anyone
on the Internet control which of _any_ of her folders a mail from them
was delivered to.  (That's not a complaint; our bedrijfsjurist (legal
counsel) just tends to think through to consequences more than the users
who go ooh shiny and stop thinking).

I'd be more inclined to hack Cyrus to have a new option, letting an
unauthenticated user use the rcpt+folder delivery to any sub-folder of
rcpt's INBOX _IF_ that folder is on rcpt's subscription list.  Even
better would be to allow those knowledgeable enough to turn it on with
an ANNOTATEMORE attribute on their INBOX folder.  It might be elitist,
but I strongly suspect that people clueful enough to use +ext and want
direct-to-folder delivery are capable of speaking raw IMAP to turn it
on, if their client doesn't support ANNOTATEMORE.

If you want me to provide a Cyrus patch (money where my mouth is), I can
take a look this weekend.


I didn't respond immediately because I needed to think it through,
because I use a somewhat different set-up to achieve the same thing at
home.  For user-controllable de-multiplexing, my set-up doesn't scale
beyond household level, because it relies upon an entire mail-domain
with the people using the service able to choose what should happen to
any mail in that domain.  The same Exim/Cyrus set-up is used at work,
but with the ACLs not granting that user control, so it just handles
admin-created shared folders.

I'll explain my set-up both because it might be useful for thinking from
a different angle and because my wife is happy using it with
Thunderbird, so it's something which a general userbase can understand.

The ISP[1] I use supplies all left-hand-sides @accountname.isp to me; I
use careful group membership with Exim and Cyrus to let Exim see which
shared folders exist and deliver straight to the shared folder if it
exists, or to a last-resort bucket otherwise.  (We don't use dedicated
folders for pizza delivery orders, but we do use a pizza-co@ LHS so that
we can see who leaks addresses to spammers.)  This works well enough
that my less-technical wife is happy using it with Thunderbird.  At
work, something similar is used but users don't have the ability to
create or delete folders; it just handles those shared folders the
mail-admin create for staff.

I'm happy to supply Exim/Cyrus configs and details; the only caveat is
to make sure that no user can delete the last-resort folder, because an
accidental GUI mis-click moving your last-resort folder to become a
child of another folder will result in your system bouncing mail.
Received enlightenment the hard way.

[1] full disclosure: I work for that ISP, *cough* often dealing with the
SMTP/POP3 mail-systems; but I use IMAP at home.
-- 
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation



Re: [exim] [Patch supplied] Exim enhancement request.

2006-02-24 Thread Tony Finch
On Fri, 24 Feb 2006, Phil Pennock wrote:

 I'd be more inclined to hack Cyrus to have a new option, letting an
 unauthenticated user use the rcpt+folder delivery to any sub-folder of
 rcpt's INBOX _IF_ that folder is on rcpt's subscription list.  Even
 better would be to allow those knowledgeable enough to turn it on with
 an ANNOTATEMORE attribute on their INBOX folder.  It might be elitist,
 but I strongly suspect that people clueful enough to use +ext and want
 direct-to-folder delivery are capable of speaking raw IMAP to turn it
 on, if their client doesn't support ANNOTATEMORE.

Doesn't Cyrus's sieve subaddress facility handle this already? We do
unauthenticated delivery to Cyrus over LMTP and have unofficial support
for +subaddresses, which get delivered to the user's inbox unless they
have written appropriate Sieve code.

Tony.
-- 
[EMAIL PROTECTED]   [EMAIL PROTECTED]   http://dotat.at/   ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}



Re: [exim] [Patch supplied] Exim enhancement request.

2006-02-24 Thread Phil Pennock
On 2006-02-24 at 11:41 +0000, Tony Finch wrote:
 Doesn't Cyrus's sieve subaddress facility handle this already? We do
 unauthenticated delivery to Cyrus over LMTP and have unofficial support
 for +subaddresses, which get delivered to the user's inbox unless they
 have written appropriate Sieve code.

Is that a generic case or an instance of writing a new Sieve rule for
each folder?  If the former, I'm interested; if the latter, I do it at
work.

The OP's issue was that he didn't want to be setting ACL entries for
each sub-folder; if setting an ACL is an issue, extra Sieve rules are
likely to be an issue too.

Cyrus supports +subaddress delivery to a sub-folder of INBOX called
subaddress, automatically, _if_ it has 'p' permission for the
authenticated user; unauthenticated LMTP needs to use the anyone
identifier.  If I deliver to LMTP (local socket) using a transport which
has rcpt_include_affixes set, then all that's needed is:

 tag SETACL subfoldername anyone p

in IMAP to allow the delivery to work.

The OP is wanting to not need to set the Post privilege by making Exim
authenticate as a client using the same credential Cyrus has, so that
all inbound email to user fred is authenticated as posted BY user fred.

That scenario worries me at several levels, but the lack of
mailbox-owner's control over which sub-folders a malicious Internet
denizen sends mail to is the scenario which comes to mind.

At least, that's my interpretation of the situation.  Dennis, if I've
got this wrong then sorry, and please correct me.
-- 
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation



Re: [exim] [Patch supplied] Exim enhancement request.

2006-02-24 Thread Tony Finch
On Fri, 24 Feb 2006, Phil Pennock wrote:
On 2006-02-24 at 11:41 +0000, Tony Finch wrote:

 We do unauthenticated delivery to Cyrus over LMTP and have unofficial
 support for +subaddresses, which get delivered to the user's inbox
 unless they have written appropriate Sieve code.

 Is that a generic case or an instance of writing a new Sieve rule for
 each folder?  If the former, I'm interested; if the latter, I do it at
 work.

You can do it as a general rule if you have a sufficiently studly sieve
implementation - it needs the variables extension.

Tony.
-- 
[EMAIL PROTECTED]   [EMAIL PROTECTED]   http://dotat.at/   ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}



[OT] Sieve/Cyrus (was Re: [exim] [Patch supplied] Exim enhancement request.)

2006-02-24 Thread Phil Pennock
On 2006-02-24 at 13:21 +0000, Tony Finch wrote:
 You can do it as a general rule if you have a sufficiently studly sieve
 implementation - it needs the variables extension.

Since draft-ietf-sieve-variables-08.txt only defines scalar variables,
you're not going to be able to validate the sub-address against a
known-good list.  So it's probably safe if you map to INBOX.list.${1} or
whatever (especially if you check for . to prevent auto-filing to a
spam folder (not the same security risk)) and so better than the normal
behaviour, yes.  Quite tasty looking, in fact.

But the Cyrus auto stuff, which Dennis was invoking, doesn't insert that
extra hierarchical component and so the entire hierarchy under INBOX
(and Post-able by the recipient) is affected; that includes trash
folders, special action folders (auto-learn as spam/ham folders) and so
on.

Earlier today I updated the cmu.edu cyrus-imapd CVS check-out I have and
I'm not seeing support; do you have this support as a patch to Cyrus, or
to another Sieve implementation?  Any details available online?

Ta,
-- 
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation


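The two points of this sub-thread, the risk raised in the earlier reply that an unauthenticated sender can pick any sub-folder of the recipient's INBOX (the D.H.Davis+Received case), and the mitigation sketched here of mapping the sub-address into a dedicated INBOX.list.${1} namespace after checking it for the hierarchy separator, come down to one filing decision per recipient. The Python below is an added illustration of that decision, not code from the thread, from Cyrus or from any Sieve implementation; the `INBOX.list` namespace name, the `.` separator and the permitted character set are assumptions chosen for the example, and the sample recipients are constructed.

```python
import re
from typing import Optional, Tuple

HIERARCHY_SEP = "."            # assumed Cyrus-style mailbox hierarchy separator
LIST_NAMESPACE = "INBOX.list"  # assumed dedicated sub-tree for sender-chosen filing
# A sub-address may only be a single, conservative mailbox component.
_SAFE_DETAIL = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def split_subaddress(local_part: str) -> Tuple[str, Optional[str]]:
    """'fred+exim' -> ('fred', 'exim'); 'fred' -> ('fred', None)."""
    user, plus, detail = local_part.partition("+")
    return user, (detail if plus else None)


def unrestricted_folder(local_part: str) -> str:
    """Model of unrestricted +subaddress filing: rcpt+X goes to INBOX.X.

    This is the behaviour the thread warns about: the sender, not the
    mailbox owner, chooses the folder, so rcpt+Trash or rcpt+Spam.Learn
    land exactly where the sender named, as long as posting is permitted.
    """
    _, detail = split_subaddress(local_part)
    return "INBOX" if detail is None else f"INBOX{HIERARCHY_SEP}{detail}"


def confined_folder(local_part: str) -> str:
    """Sub-address filing confined to LIST_NAMESPACE.<detail>.

    The detail must be one hierarchy component drawn from a conservative
    character set; anything else (empty, contains the separator, unusual
    characters) falls back to INBOX rather than being bounced or being
    filed anywhere outside the list namespace.
    """
    _, detail = split_subaddress(local_part)
    if detail is None or HIERARCHY_SEP in detail or not _SAFE_DETAIL.match(detail):
        return "INBOX"
    return f"{LIST_NAMESPACE}{HIERARCHY_SEP}{detail}"


if __name__ == "__main__":
    for rcpt in ("fred", "fred+exim-users", "fred+Trash", "fred+Spam.Learn", "fred+"):
        print(f"{rcpt:16} unrestricted -> {unrestricted_folder(rcpt):18} confined -> {confined_folder(rcpt)}")
```

The point of the comparison is that the confined mapping never lets a sender reach Trash, a spam-learning folder or any folder outside the one sub-tree the owner has set aside, while still giving the owner per-list filing without a Sieve rule or an ACL entry per folder.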

Re: [OT] Sieve/Cyrus (was Re: [exim] [Patch supplied] Exim enhancement request.)

2006-02-24 Thread Tony Finch
On Fri, 24 Feb 2006, Phil Pennock wrote:

 Earlier today I updated the cmu.edu cyrus-imapd CVS check-out I have and
 I'm not seeing support; do you have this support as a patch to Cyrus, or
 to another Sieve implementation?  Any details available online?

We're still on Cyrus 2.1 owing to our vast improvements. I don't know of
the implementation status of the variables extension.

Tony.
-- 
[EMAIL PROTECTED]   [EMAIL PROTECTED]   http://dotat.at/   ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}



Re: [exim] [Patch supplied] Exim enhancement request.

2006-02-24 Thread Dennis Davis
On Fri, 24 Feb 2006, Phil Pennock wrote:

 Date: Fri, 24 Feb 2006 14:02:12 +0100
 From: Phil Pennock [EMAIL PROTECTED]
 To: exim-users@exim.org
 Cc: Dennis Davis [EMAIL PROTECTED]
 Subject: Re: [exim] [Patch supplied] Exim enhancement request.

...

 The OP is wanting to not need to set the Post privilege by making
 Exim authenticate as a client using the same credential Cyrus has,
 so that all inbound email to user fred is authenticated as posted
 BY user fred.

 That scenario worries me at several levels, but the lack of
 mailbox-owner's control over which sub-folders a malicious
 Internet denizen sends mail to is the scenario which comes to
 mind.

 At least, that's my interpretation of the situation.  Dennis, if
 I've got this wrong then sorry, and please correct me.

I share your concerns.  The documentation for such a facility
would need to include phrases such as:

  This facility should be used with caution.  It certainly has the
  ability to bypass any access controls on a Cyrus IMAP server.

I'd only want to use this on a subset of mail folders.  I'll give
an example.  Institutions often set up generic contact addresses.
Making up some for this University, and the target mail folders
on a Cyrus IMAP server, we might have:

[EMAIL PROTECTED]  --  user.library-shared.holdings
[EMAIL PROTECTED]--  user.library-shared.survey
[EMAIL PROTECTED] --  user.library-shared.staff

i.e. the target mailboxes are subfolders of a pseudo-user,
library-shared.  The usual Cyrus access control mechanisms are
applied to each mail folder with one or more people being given
administrative rights.

(I'm sure this isn't the only way to set up shared folders on a
 Cyrus server and isn't necessarily the best.  However I've seen it
 done this way.  However I'm by no means a Cyrus expert.  So feel
 free to correct me on Cyrus matters.  Even though I suspect this
 mailing list might not be the best place to discuss these issues.)

Administrators of the above mail folders control access rights.
However they must ensure the anyone user has p (posting) rights
for mail to be delivered.

I was wondering if it was possible to get exim to force mail
delivery to the above folders via lmtp without the anyone user
having p rights.  Certainly administrators have mistakenly removed
this access, resulting in time[1] being spent moving messages from
the parent folder into the relevant subfolder.  This was the basis
for my original request.

[1] Fortunately not my time...
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101



[exim] spammers IP ban

2006-02-24 Thread Mathieu Roy
Hello,

I'm one of the admins of Gna! (http://gna.org), a software development platform
sponsored by the FSF France.

We have an antispam policy composed of DNSBL checks at SMTP time and
spamassassin checks afterwards (tagging mails sent to users, redirecting
spam sent to mailing lists to a dedicated spam list, deleting such
mails when they get a score higher than 13).

I'd like to do IP bans for boxes that send us spam. For instance, to do
such a ban if we are in the case of a deny at SMTP time due to a DNSBL, or in
the case of a mail that got a spamassassin score higher than 13.

This would be a short ban, for say one hour, just to render ineffective the
spammer/virus, which would have to find another @domain to spam for at least
the next hour, without costing too much in case a legitimate user was affected
by this ban.

Exim is used through xinetd, so xinetd could do the filtering by itself,
provided we give it the appropriate IPs (drawback: it requires restarting
xinetd each time we want to update the list for no_access to be taken into
account; unless we somehow find a way to use the sensors mechanism for this
purpose).

I've searched a bit on the internet, including in the Exim FAQ, but found nothing
helpful to me. Did I miss something?

If not, any suggestions?

Regards, 


-- 
Mathieu Roy

  +-+
  | General Homepage:   http://yeupou.coleumes.org/ |
  | Computing Homepage: http://alberich.coleumes.org/   |
  | Not a native english speaker:   |
  | http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +-+



Re: [exim] spammers IP ban

2006-02-24 Thread Eric Fox
I do something similar to this.  When I've rejected a message as known
spam, a log entry is posted in maillog.  I then use logsurfer to monitor
maillog for these entries.  Logsurfer parses out the IP and passes it on
to a script that temporarily adds a blocking rule to the firewall, and
comes back a while later to remove the rule.

This could probably also be done from a router & transport combination as
well. I used logsurfer because I was already using it for other purposes.

---
  /\---/\  Eric J Fox
 /  o o  \ Small Business Computer Support
 \.\   /./ in the Phoenix Metropolitan Area
\@/http://www.bsdsystems.com/support/





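The pipeline described in the reply above (watch the log for rejections, extract the peer's IP, block it for a while, then unblock it) can be modelled without logsurfer or a firewall. The Python below is an added example, not the poster's logsurfer setup or anything from the thread: it parses constructed Exim-style main-log lines, where the H= item carries the peer's name and its address in square brackets, keeps a one-hour ban per address that a repeat rejection restarts, and reports which addresses to block and which to release. The actual firewall call is deliberately left as a comment, since that part is site-specific.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sample lines in Exim main-log style.  Only the "rejected" lines
# should produce a ban; the "<=" line is an ordinary accepted message.
SAMPLE_LOG = """\
2006-02-24 10:01:02 H=(relay.example) [192.0.2.10] F=<a@example.org> rejected RCPT <user@example.com>: listed in dnsbl.example
2006-02-24 10:03:15 1FCZ9D-0004nP-9U <= b@example.net H=mail.example.net [198.51.100.7] P=esmtp S=2048
2006-02-24 10:05:40 H=(other.example) [192.0.2.10] F=<c@example.org> rejected RCPT <admin@example.com>: listed in dnsbl.example
2006-02-24 10:07:00 1FCZ9E-0004nQ-AB H=mx.example.com [203.0.113.5] F=<d@example.com> rejected after DATA: spam score 14.2 exceeds 13
"""

# Timestamp, then the first bracketed address after H=, and the word "rejected"
# somewhere later on the line.
_REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?H=.*?\[(?P<ip>[0-9.]+)\].*\brejected\b"
)


def rejected_hosts(log_text: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, ip) for every rejection line; other lines are skipped."""
    for line in log_text.splitlines():
        m = _REJECT.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


class TemporaryBanList:
    """Bans with a fixed lifetime; a repeat rejection restarts the clock."""

    def __init__(self, duration: timedelta = timedelta(hours=1)) -> None:
        self.duration = duration
        self._expires: Dict[str, datetime] = {}

    def ban(self, ip: str, when: datetime) -> datetime:
        # A real deployment would add the firewall rule here (site-specific).
        self._expires[ip] = when + self.duration
        return self._expires[ip]

    def is_banned(self, ip: str, now: datetime) -> bool:
        exp = self._expires.get(ip)
        return exp is not None and now < exp

    def expire(self, now: datetime) -> List[str]:
        """Drop bans that have lapsed and return their IPs (rules to delete)."""
        lapsed = sorted(ip for ip, exp in self._expires.items() if exp <= now)
        for ip in lapsed:
            del self._expires[ip]
        return lapsed

    def active(self) -> List[str]:
        return sorted(self._expires)


def process_log(log_text: str, bans: TemporaryBanList) -> List[str]:
    """Feed every rejection in the log into the ban list; return active bans."""
    for when, ip in rejected_hosts(log_text):
        bans.ban(ip, when)
    return bans.active()


if __name__ == "__main__":
    bans = TemporaryBanList()
    print("banned after reading log:", process_log(SAMPLE_LOG, bans))
    print("released at 11:06:", bans.expire(datetime(2006, 2, 24, 11, 6, 0)))
    print("still banned:", bans.active())
```

Because the ban window restarts on every rejection, a host that keeps hitting the DNSBL stays blocked, while a single false positive against a legitimate sender clears itself after the hour with no operator action, which is the trade-off the original question asks for.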

[exim] Authentication and Relaying

2006-02-24 Thread Christopher Molnar
I have tried to read the docs and find a good example, however I am
at a loss. I have tried to set up the ability for authorized users to
relay through our smtp server. Anytime a user tries to connect and
login and send messages through to a non-local hosted domain we get
a 501 - Relay Denied. I would appreciate any help someone can give.
From my config:



acl_check_rcpt:
  accept
    hosts = :
  accept authenticated = *

  accept
    hosts = +relay_from_hosts
  accept  authenticated = *

  accept
    authenticated = *

begin authenticators

plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_set_id = $2
  server_prompts = :
  server_advertise_condition = yes

login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
  server_set_id = $1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = ${if !eq{$tls_cipher}{}{\
    ^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
    ^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
    }fail}
.else
  client_send = ^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
    ^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
.endif

login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = ${if and{\
      {!eq{$tls_cipher}{}}\
      {!eq{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}{}}\
      }\
    {}fail}\
    : ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
    : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
.else
  client_send = ${if !eq{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}{}\
    {}fail}\
    : ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
    : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
.endif

