tower wrote:
On 10/13/2011 10:58 AM, W B Hacker wrote:
tower wrote:
Hi

I want to allow sending mail without authentication for single account.
I'm trying to not add another IP to relay_from_hosts, because many
normal users send from that IP. How can I gently modify my acl.conf to
do that?


#************************************
acl_check_mail_submission:
#************************************
  accept  hosts = +relay_from_hosts

  require message = Please turn on authentication in your email client.
          authenticated = *

  deny    message = Mailbox $authenticated_id is disable. Please contact with number xx-xxxxxx
          condition = ${if eq {0} \
                        {${lookup mysql {SELECT active FROM mailbox \
                          WHERE username='${quote_mysql:$authenticated_id}'}}}}
          control = dkim_disable_verify

  accept



Have you considered using the same IP, and/or an uncommon port and
protocol for that one account?

Non-routable IPv6 if local, for example.

Even so, I'd want to use matching PEM certs.

You only have to configure the submitter to do SOME form of auth ONCE.

Opening the door to compromise OTOH, can lead to a great deal more work.

HTH,

Bill


Unfortunately that account is configured on very old MFP, which is
sending emails only to port 25 and of course without authentication.

Can I use something like this:

#************************************
acl_check_mail_submission:
#************************************
  accept  hosts = +relay_from_hosts

  # proposed new lines:
  accept  local_parts = dumbaccount
          domains = example.com

  require message = Please turn on authentication in your email client.
          authenticated = *

  deny    message = Mailbox $authenticated_id is disable. Please contact with number xx-xxxxxx
          condition = ${if eq {0} \
                        {${lookup mysql {SELECT active FROM mailbox \
                          WHERE username='${quote_mysql:$authenticated_id}'}}}}
          control = dkim_disable_verify

  accept

Is the order right?


Dunno.

I'd simply insist on proper AUTH *AND* on port 587 with TLS myself.

Won't get fixed any other way.

Mind, I've allowed 50 baud and 12.5 baud 'quarter speed' telex w/o auth into an internet gateway hosted on IBM 3080 & 3090.

OTOH, they WERE arriving from a dominant-carrier's 'nailed up' global private wire, not IP, and one cannot generate all that much garbage at those speeds anyway, so not a great deal of risk.

Perhaps you could do that?

Delay and throttle your fossilized account to the point of uselessness to a zombot farm.

That, too, is an incentive for the submitter to get their head out.

;-)

Bill


--
韓家標

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
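An added example (not tower's or Bill's config, and not from the Exim project) of how the exemption could be narrowed the way Bill suggests: keyed to one envelope sender AND one source host, rate limited and delayed, rather than open to anyone on the port who names the account. It tests the sender with `senders` instead of `local_parts`/`domains`, because in Exim those two conditions test the current recipient and are documented as relevant only after a RCPT command, so in a MAIL-time ACL they would not match the account as intended. Assumptions: this ACL is the MAIL ACL for the submission port, and 192.0.2.10 is a constructed placeholder for the MFP's address.

```exim
#************************************
acl_check_mail_submission:
#************************************
  # Unchanged: hosts we relay for anyway.
  accept  hosts = +relay_from_hosts

  # Exemption for the old MFP only. Both conditions must hold: the envelope
  # sender is the fossilized account AND the connection comes from the
  # printer's own address (192.0.2.10 is a constructed placeholder).
  # The ratelimit condition is true once this host exceeds 20 messages per
  # hour; "strict" keeps counting while it is over the limit, so a looping
  # or compromised device is deferred instead of being fed through.
  defer   hosts     = 192.0.2.10
          senders   = dumbaccount@example.com
          ratelimit = 20 / 1h / per_mail / strict / $sender_host_address
          message   = Rate limit exceeded for unauthenticated MFP account
          logwrite  = MFP exemption: rate limit hit from $sender_host_address

  # Under the limit: accept, but only after a deliberate delay (Bill's
  # "throttle it" idea), and leave a log line for every message so the
  # exemption stays visible in mainlog.
  accept  hosts     = 192.0.2.10
          senders   = dumbaccount@example.com
          delay     = 10s
          logwrite  = MFP exemption: unauthenticated mail from $sender_host_address as $sender_address

  # Everyone else on this port still has to authenticate.
  require message = Please turn on authentication in your email client.
          authenticated = *

  deny    message = Mailbox $authenticated_id is disable. Please contact with number xx-xxxxxx
          condition = ${if eq {0} \
                        {${lookup mysql {SELECT active FROM mailbox \
                          WHERE username='${quote_mysql:$authenticated_id}'}}}}
          control = dkim_disable_verify

  accept
```

A message from any other host, or from the MFP's host with a different envelope sender, falls through to the `require authenticated` statement exactly as before.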
