On Fri, Mar 31, 2023 at 11:08 AM Dzmitry Shykuts via Exim-users <exim-users@exim.org> wrote:

> Hello!
>
> I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.
>
> I'm trying to deny users successful authentication if they connect not
> from the internal network but from the Internet. At the same time, I
> have a file with exception users.
>
> server_condition is used to deny authentication. At the same time, this
> works for CRAM_MD5, but does not work for PLAIN (an error message
> appears in the log, but the message is sent as coming from an authorized
> user).
>
> Used macros:
>
> LAN = 127.0.0.1 : ::::1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8
>
> AUTH_EXCEPTIONS = CONFDIR/auth_exceptions
>
>
> And here is my auth config:
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
>
> What could be wrong with PLAIN?
>
> There are also notes for PLAIN in the documentation: "This option must
> be set for a plaintext server authenticator, where it is used directly
> to control authentication. See section 34.3 for details." I don't know
> how to apply or bypass this in my case.
>
> Maybe there is some other way to implement my idea with authentication
> rejection?
>

Yes.
It is a lot easier to implement authentication without exceptions. What server resources are you saving with selective authentication?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
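An added example, not part of the thread and not Exim's own code: a small Python audit that parses an authenticators section and reports every mechanism whose block has no `server_condition`, or whose condition was cut short by a line wrap without a backslash continuation. The embedded sample reproduces the three authenticators quoted above (option order simplified); the function names are this example's own.

```python
import re

# Long expansion from the quoted post, with its mail-wrapped lines joined.
COND = ("${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}"
        "{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}")
COMMON = ("  driver = dovecot\n  server_socket = /var/run/dovecot/auth-client\n"
          "  server_set_id = $auth1\n"
          "  server_advertise_condition = AUTH_ADVERTISE_CONDITION\n")
# Authenticators as posted: CRAM-MD5 and PLAIN carry the condition, LOGIN does not.
POSTED = ("dovecot_cram_md5:\n  public_name = CRAM-MD5\n" + COMMON +
          "  server_condition = " + COND + "\n\n"
          "dovecot_login:\n  public_name = LOGIN\n" + COMMON + "\n"
          "dovecot_plain:\n  public_name = PLAIN\n" + COMMON +
          "  server_condition = " + COND + "\n")

def parse_authenticators(text):
    """Return {instance_name: {option: value}} for an authenticators section."""
    blocks, current = {}, None
    # Exim joins a line ending in a backslash with the next one.
    text = re.sub(r"\\\n\s*", "", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"([A-Za-z0-9_]+):", line)
        if header:
            current = blocks.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return blocks

def braces_balanced(expr):
    """True when every { in an expansion string has its closing }."""
    depth = 0
    for ch in expr:
        depth += (ch == "{") - (ch == "}")
        if depth < 0:
            return False
    return depth == 0

def audit(text):
    """List (mechanism, instance, problem) for authenticators without a usable condition."""
    findings = []
    for name, opts in parse_authenticators(text).items():
        cond, mech = opts.get("server_condition"), opts.get("public_name", "?")
        if cond is None:
            findings.append((mech, name, "no server_condition"))
        elif not braces_balanced(cond):
            findings.append((mech, name, "unbalanced braces in server_condition"))
    return findings
```

Run over the quoted configuration, `audit(POSTED)` reports only the LOGIN authenticator, which is advertised under the same condition as the other two but has no `server_condition` of its own.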