On Mon, 17 Oct 2005, Robert Cates wrote:

> OK, thanks Tony, but in my follow-up message I noticed in my log 'P=esmtpsa',
> when I send out per Courier IMAP(-SSL).  I'm not sure what the differences
> are.

Hmm I see a slight documentation problem. $received_protocol refers to RFC
3848 which is the authoritative source. It should be cross-referenced
better. I'll suggest some changes to Philip.

> Next, I have 'relay_from_hosts = 127.0.0.1 : 192.168.1.0/24 : *.kormar.net :
> *.kormar.de' defined.  Should I change that to 'hostlist relay_from_hosts =
> : @[] :'?  Would that be better?

Yes.

> As far as my ACLs, I only have:
> acl_smtp_rcpt = acl_check_rcpt  (the default, nothing changed)

You probably want to adjust the order. Exim 4.60 will have:

  # Accept without further checks when there is no remote host, i.e. the
  # connection is not over TCP/IP (for example "exim -bs" from a local process).
  accept  hosts = :

  # Local domains: reject local parts that local delivery could mis-handle
  # (a leading dot, or @ % ! / | anywhere in the local part).
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  # Other domains: reject a leading . / or |, an @ % ! anywhere, and "/../"
  # path components.  The backslashes are doubled because the value is
  # string-expanded before the regex is compiled.
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  # postmaster at a local domain is accepted before sender verification.
  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

  accept  hosts         = +relay_from_hosts

  accept  authenticated = *

  # DNS blacklist checks, commented out

  # For local domains, endpass turns a recipient verification failure into
  # an immediate rejection instead of falling through to the final deny.
  accept  domains       = +local_domains
          endpass
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  # Anything not accepted above is a relay attempt.
  deny    message       = relay not permitted

> I would like to use:
> #acl_smtp_auth = acl_check_auth
> #acl_smtp_starttls = acl_check_auth
>
> #acl_check_auth:
>
> #  accept  hosts         = +auth_relay_hosts
> ##          endpass
> #  require verify        = sender
> #  accept  authenticated = *
> #  deny    domains       = !+local_domains
> #          message       = relay forbidden without authentication
>
> but I don't know how to set that up safely.

This won't work, because (1) you can't authenticate before TLS, so
requiring authentication in order to allow TLS doesn't make sense; (2)
the domains condition is only defined in the RCPT ACL - you don't know the
recipient address until then, so checking it beforehand is meaningless.

You don't need to use AUTH or STARTTLS ACLs unless you are doing something
very unusual.

Tony.
-- 
<[EMAIL PROTECTED]>   <[EMAIL PROTECTED]>   http://dotat.at/   ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
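To make the ordering argument in the reply concrete, here is an added example (not Exim code, and not part of the original message): a small Python evaluator that walks the RCPT ACL quoted above top to bottom with Exim's accept/deny/require and endpass semantics, and runs sample RCPT commands through it. The domain lists, the set of local mailboxes that `verify = recipient` would find, the sender domains that `verify = sender` would route, and the host addresses are all constructed stand-ins; the proposed `hostlist relay_from_hosts = : @[] :` is approximated as the empty (non-TCP/IP) host plus 127.0.0.1.

```python
"""Miniature evaluator for the RCPT ACL quoted in the reply (Exim 4.60 default
ordering).  Added example, not Exim's code: it models only accept/deny/require
and 'endpass', with constructed lists standing in for the real domainlists,
hostlists and routers."""
import re

# Constructed stand-ins (assumptions, not taken from the post or from Exim):
LOCAL_DOMAINS = {"example.com"}             # +local_domains
RELAY_TO_DOMAINS = {"partner.example"}      # +relay_to_domains
RELAY_FROM_HOSTS = {"", "127.0.0.1"}        # ': @[] :' approximated
LOCAL_MAILBOXES = {"alice", "postmaster"}   # what 'verify = recipient' routes
ROUTABLE_SENDER_DOMAINS = {"example.com", "remote.example"}  # 'verify = sender'

# local_parts patterns from the ACL, as regexes after Exim's string expansion
# has turned '\\' into '\'.
DENY_LOCAL = [r"^[.]", r"^.*[@%!/|]"]
DENY_REMOTE = [r"^[./|]", r"^.*[@%!]", r"^.*/\.\./"]


def split_addr(addr):
    local_part, _, domain = addr.rpartition("@")
    return local_part, domain.lower()


def condition(name, value, session, rcpt):
    """True if one ACL condition holds for this session and recipient."""
    lp, dom = split_addr(rcpt)
    if name == "hosts":
        return session["host"] in value
    if name == "domains":
        return dom in value
    if name == "not_domains":        # domains = !+list
        return dom not in value
    if name == "local_parts_re":     # list of ^-anchored regex items
        return any(re.search(p, lp) for p in value)
    if name == "local_part_is":      # plain string item such as 'postmaster'
        return lp.lower() == value
    if name == "authenticated":      # authenticated = *
        return session["auth"]
    if name == "verify_sender":
        return split_addr(session["sender"])[1] in ROUTABLE_SENDER_DOMAINS
    if name == "verify_recipient":
        return dom not in LOCAL_DOMAINS or lp in LOCAL_MAILBOXES
    raise ValueError(name)


# (verb, conditions, reason); 'endpass' is a marker inside the conditions.
ACL = [
    ("accept", [("hosts", {""})], "non-TCP local connection"),
    ("deny", [("domains", LOCAL_DOMAINS), ("local_parts_re", DENY_LOCAL)],
     "Restricted characters in address"),
    ("deny", [("not_domains", LOCAL_DOMAINS), ("local_parts_re", DENY_REMOTE)],
     "Restricted characters in address"),
    ("accept", [("local_part_is", "postmaster"), ("domains", LOCAL_DOMAINS)],
     "postmaster"),
    ("require", [("verify_sender", None)], "sender verification"),
    ("accept", [("hosts", RELAY_FROM_HOSTS)], "relay_from_hosts"),
    ("accept", [("authenticated", None)], "authenticated"),
    ("accept", [("domains", LOCAL_DOMAINS), ("endpass", None),
                ("verify_recipient", None)], "local recipient verification"),
    ("accept", [("domains", RELAY_TO_DOMAINS), ("endpass", None),
                ("verify_recipient", None)], "relay_to_domains verification"),
    ("deny", [], "relay not permitted"),
]


def rcpt_acl(session, rcpt):
    """Walk the ACL in order; return (verdict, statement index, reason)."""
    for idx, (verb, conds, why) in enumerate(ACL):
        ok, past_endpass = True, False
        for name, value in conds:
            if name == "endpass":
                past_endpass = True
                continue
            if not condition(name, value, session, rcpt):
                ok = False
                break
        if verb == "accept" and ok:
            return "accept", idx, why
        if verb == "accept" and past_endpass:   # failed after endpass: deny
            return "deny", idx, why
        if verb == "deny" and ok:
            return "deny", idx, why
        if verb == "require" and not ok:
            return "deny", idx, why
    return "deny", len(ACL), "end of ACL"


if __name__ == "__main__":
    remote = {"host": "203.0.113.5", "auth": False, "sender": "bob@remote.example"}
    authed = dict(remote, auth=True)
    local = {"host": "", "auth": False, "sender": "root@example.com"}
    for sess, rcpt in [(remote, "alice@example.com"), (remote, "nobody@example.com"),
                       (remote, "alice@elsewhere.example"), (authed, "alice@elsewhere.example"),
                       (remote, "alice|cat@example.com"), (remote, "a/../b@elsewhere.example"),
                       (local, "a/../b@elsewhere.example")]:
        print(sess["host"] or "(local)", rcpt, *rcpt_acl(sess, rcpt))
```

Running it shows the consequences of the order: an unauthenticated remote host reaches the final "relay not permitted" for a non-local domain, the same host is accepted at the `authenticated = *` statement once it has authenticated, the restricted-character denies fire before any relay decision, and the first `accept hosts = :` lets a local non-TCP submission through without any of those checks, which is why that statement belongs at the top only for connections you trust.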

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/