Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Ian Z via Exim-users
On Fri, Mar 31, 2023 at 07:18:21PM +0300, Evgeniy Berdnikov via Exim-users wrote:

>  AFAIR, it has not. There are a lot of macros used in the Debian config;
>  I'm pretty sure that only a small part of them is covered by the wizard.

IIRC (I have not used the Debian-style configuration for a long time),
the macros handled by debconf have a specific prefix, like maybe "DC_"
(but I am not at all sure about the spelling). Marc, where are you?

-- 
Ian

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Dzmitry Shykuts via Exim-users
There is no error since I am using the dovecot authenticator. I already
checked the config for this case; everything works as it should.


The plaintext authenticator really needs to use $auth2 as the username.

For other authenticators, from the Exim documentation:

"For the other authenticators, server_condition can be used as an 
additional authentication or authorization mechanism that is applied 
after the other authenticator conditions succeed."


31.03.2023 22:28, Evgeniy Berdnikov via Exim-users wrote:

On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:

I found where the problem was!

It turns out that the Thunderbird mail client uses two types of
authentication with an unencrypted password at the same time: PLAIN and
LOGIN. First it tries PLAIN (and my condition just worked correctly and
there was a standard entry about "Incorrect authentication data" in the
log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
condition) and the mail was successfully sent. Yesterday I did not pay
attention to the authenticator of the second (successful) authentication
attempt in the log, where instead of PLAIN there was already LOGIN.

  This is one of at least two bugs in your configuration. I think your PLAIN
  authenticator should always fail, because you use $auth1 as name and $auth2
  as password, while $auth1 should always be the null string for PLAIN.
  For PLAIN, $auth2 is the username and $auth3 is the password (unlike the
  parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.

  Running Exim with the -d+auth+expand option would make it visible.
  

Here is the resulting auth config (suddenly it will come in handy for
someone):

dovecot_cram_md5:
   driver = dovecot
   public_name = CRAM-MD5
   server_socket = /var/run/dovecot/auth-client
   server_set_id = $auth1
   server_advertise_condition = AUTH_ADVERTISE_CONDITION
   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_login:
   driver = dovecot
   public_name = LOGIN
   server_socket = /var/run/dovecot/auth-client
   server_set_id = $auth1
   server_advertise_condition = AUTH_ADVERTISE_CONDITION
   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_plain:
   driver = dovecot
   public_name = PLAIN
   server_socket = /var/run/dovecot/auth-client
   server_set_id = $auth1
   server_advertise_condition = AUTH_ADVERTISE_CONDITION
   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 20:28, Evgeniy Berdnikov via Exim-users wrote:

while $auth1 should always be null string for PLAIN.


Wups, not for the dovecot driver.
You're thinking of the plaintext driver.
--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Evgeniy Berdnikov via Exim-users
On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
> 
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.

 This is one of at least two bugs in your configuration. I think your PLAIN
 authenticator should always fail, because you use $auth1 as name and $auth2
 as password, while $auth1 should always be the null string for PLAIN.
 For PLAIN, $auth2 is the username and $auth3 is the password (unlike the
 parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.

 Running Exim with the -d+auth+expand option would make it visible.
 
> Here is the resulting auth config (suddenly it will come in handy for
> someone):
> 
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
> 
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
> 
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
-- 
 Eugene Berdnikov



Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Evgeniy Berdnikov via Exim-users
On Fri, Mar 31, 2023 at 04:22:43PM +0100, Jeremy Harris via Exim-users wrote:
> On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
> > .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
> >   protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
> > .endif
> 
> Doesn't that imply the wizard has a question that sets that?

 AFAIR, it has not. There are a lot of macros used in the Debian config;
 I'm pretty sure that only a small part of them is covered by the wizard.
-- 
 Eugene Berdnikov



Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Slavko via Exim-users
On 31 March 2023 at 15:22:43 UTC, user Jeremy Harris via Exim-users wrote:
>On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
>> .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
>>   protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
>> .endif
>
>Doesn't that imply the wizard has a question that sets that?

No, one has to set it up manually, and it is not part of stable
nor older releases, only in testing or stable backports yet.

regards


-- 
Slavko
https://www.slavino.sk/



Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 16:36, Peter via Exim-users wrote:

submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]

Should a line beginning smtps be added?  Eg.
smtps 465/tcp  ...


Not needed.  The "smtps" value for the exim smtp transport driver
is a keyword, not a reference looked up in /etc/services.

But I'm still thinking that the Debian configuration wizard for Exim
likely has a question on this, and you shouldn't be needing to
manually find the right place in their resulting set of configuration files.
This is my inference from the presence of that macro use pointed
out by Evgeniy.
--
Cheers,
  Jeremy




Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Peter via Exim-users

From:   Heiko Schlittermann via Exim-users 
Date:   Fri, 31 Mar 2023 16:09:10 +0200

Try adding
protocol = smtps
to your smtp transport.

+-+
|protocol|Use: smtp|Type: string|Default: smtp|
+-+


I guess somewhere in /etc/exim4/.  A rather large hierarchy.  =8~/
Someone tell me the location more specifically please.

Found port and protocol here.
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html
No reference to /etc/exim4 in the filesystem.

"Note that at least one Linux distribution has been seen failing to put
“smtps” in its “/etc/services” file, resulting is such
deferrals." motivated a look in Debian 11.

This is the only occurrence of "smtps".
submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]


Should a line beginning smtps be added?  Eg.
smtps 465/tcp  ...

Thx,  ... P.



Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:

.ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
  protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
.endif


Doesn't that imply the wizard has a question that sets that?

--
Cheers,
  Jeremy




Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Evgeniy Berdnikov via Exim-users
On Fri, Mar 31, 2023 at 04:09:10PM +0200, Heiko Schlittermann via Exim-users wrote:
> Peter via Exim-users (Fri 31 Mar 2023 15:40:35 CEST):
> > From: Jeremy Harris via Exim-users 
> > Subject:  Re: [exim] Configuring for non-encrypted MUA to localhost.
> > TLS-on-connect, exim to smarthost.
> > > Debian has a configuration wizard.  In what respect is
> > > not offering what you need?
[...]
> Try adding 
> protocol = smtps
> to your smtp transport.

 From Debian /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:

remote_smtp_smarthost:
[...]
.ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
 protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
.endif

 So, this task may be solved by adding REMOTE_SMTP_SMARTHOST_PROTOCOL=smtps
 to default configuration.
-- 
 Eugene Berdnikov



Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Heiko Schlittermann via Exim-users
Peter via Exim-users (Fri 31 Mar 2023 15:40:35 CEST):
> From: Jeremy Harris via Exim-users 
> Subject:  Re: [exim] Configuring for non-encrypted MUA to localhost.
> TLS-on-connect, exim to smarthost.
> > Debian has a configuration wizard.  In what respect is
> > not offering what you need?
> 
> MUA to exim is OK.
> 
> The configuration appears to impose STARTTLS to the smarthost
> while the smarthost is requiring TLS-on-connect.

> Consequently exim queues outgoing messages but can not send to
> smarthost.

Try adding 
protocol = smtps
to your smtp transport.

+-+
|protocol|Use: smtp|Type: string|Default: smtp|
+-+

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




[exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Peter via Exim-users

From:   Jeremy Harris via Exim-users 
Subject:	Re: [exim] Configuring for non-encrypted MUA to localhost. 
TLS-on-connect, exim to smarthost.

Debian has a configuration wizard.  In what respect is
not offering what you need?


MUA to exim is OK.

The configuration appears to impose STARTTLS to the smarthost
while the smarthost is requiring TLS-on-connect.

Consequently exim queues outgoing messages but can not send to
smarthost.

Some details here.
https://lists.debian.org/debian-user/2023/03/msg00958.html

Thx,  ... P.



Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Dzmitry Shykuts via Exim-users
So far I am working with Debian 10, so the package versions are old, but
current for Debian 10. In the near future I plan to switch to version
11, and maybe immediately to 12, which seems to be released in the fall.
In the meantime, you have to protect the currently running server.


31.03.2023 15:52, Andrew C Aitchison via Exim-users wrote:

On Thu, 30 Mar 2023, Dzmitry Shykuts via Exim-users wrote:


Hello!

I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.


Blink. They look old. Current Exim is 4.96 and Dovecot is 2.3.20.

I see that buster-backports has Exim 4.94.2-7~bpo10+1





Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Dzmitry Shykuts via Exim-users

I found where the problem was!

It turns out that the Thunderbird mail client uses two types of 
authentication with an unencrypted password at the same time: PLAIN and 
LOGIN. First it tries PLAIN (and my condition just worked correctly and 
there was a standard entry about "Incorrect authentication data" in the 
log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not 
add a condition) and the mail was successfully sent. Yesterday I did not 
pay attention to the authenticator of the second (successful) 
authentication attempt in the log, where instead of PLAIN there was 
already LOGIN.


Summarizing everything, it is correct to immediately add conditions to 
all authenticators.


Thank you all for your participation and help!

P.S. I love Exim because it allows me to implement all my ideas... :)

Here is the resulting auth config (suddenly it will come in handy for 
someone):


dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}


dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}


dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}



31.03.2023 14:39, Jeremy Harris via Exim-users wrote:

On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
I'm trying to deny users successful authentication if they connect 
not from the internal network but from the Internet. At the same 
time, I have a file with exception users.


server_condition is used to deny authentication. At the same time, 
this works for CRAM_MD5, but does not work for PLAIN (an error 
message appears in the log, but the message is sent as coming from an 
authorized user).


What error message?  In what fashion does it "not work"?
Show us an example.  Use the debug facilities (quite likely,
doing that will show you where your issue is).


There are also notes for PLAIN in the documentation: "This option 
must be set for a plaintext server authenticator, where it is used 
directly to control authentication. See section 34.3 for details." I 
don't know how to apply or bypass this in my case.


As it says, for a plaintext authenticator.  You are not using one,
you are using dovecot authenticators.





Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Andrew C Aitchison via Exim-users

On Thu, 30 Mar 2023, Dzmitry Shykuts via Exim-users wrote:


Hello!

I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.


Blink. They look old. Current Exim is 4.96 and Dovecot is 2.3.20.

I see that buster-backports has Exim 4.94.2-7~bpo10+1

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk



Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Jeremy Harris via Exim-users

On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:

I'm trying to deny users successful authentication if they connect not from the 
internal network but from the Internet. At the same time, I have a file with 
exception users.

server_condition is used to deny authentication. At the same time, this works 
for CRAM_MD5, but does not work for PLAIN (an error message appears in the log, 
but the message is sent as coming from an authorized user).


What error message?  In what fashion does it "not work"?
Show us an example.  Use the debug facilities (quite likely,
doing that will show you where your issue is).



There are also notes for PLAIN in the documentation: "This option must be set for a 
plaintext server authenticator, where it is used directly to control authentication. See 
section 34.3 for details." I don't know how to apply or bypass this in my case.


As it says, for a plaintext authenticator.  You are not using one,
you are using dovecot authenticators.

--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Dzmitry Shykuts via Exim-users

I'm sorry, I did not specify, but it does not affect the result.

AUTH_ADVERTISE_CONDITION = ${if or{{match_ip{$sender_host_address}{LAN}}{!and{{eq{$tls_in_cipher}{}}{eq{$received_port}{25}}}}}{*}{}}


31.03.2023 13:16, Jeremy Harris via Exim-users wrote:

On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:

I have a file with exception users


But the server_advertise_condition wants an empty/nonempty string,
and you appear to be handing it a filename.





Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Jeremy Harris via Exim-users

On 30/03/2023 20:00, Peter via Exim-users wrote:

Debian 11 here with exim4 4.94.2-7.


Debian has a configuration wizard.  In what respect is
not offering what you need?
--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Jeremy Harris via Exim-users

On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:

I have a file with exception users


But the server_advertise_condition wants an empty/nonempty string,
and you appear to be handing it a filename.
--
Cheers,
  Jeremy




Re: [exim] nwildlsearch does not match

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 07:51, Niels Kobschätzki via Exim-users wrote:

What am I doing wrong? I thought that nwildlsearch can use wildcards and
* and .* are wildcards to me.


https://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsinglekeylookups
--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Dzmitry Shykuts via Exim-users



31.03.2023 11:20, Odhiambo Washington via Exim-users wrote:

What server resources are you saving with selective authentication?


The goal is not to conserve server resources but to prevent hackers from 
guessing passwords. Even if the hacker enters the correct user password, 
if that user is not in the exceptions, the hacker will not know if he 
entered the correct password. There are about 1000 users on my server, 
but only 20 can send mail from the Internet.


Recently, the number of password guessing attempts has increased. Yes, I 
have fail2ban installed, but security requires even more stringent measures.


In my configuration, for some reason, the server_condition for PLAIN
does not work, but for CRAM_MD5 it does. And the condition seems to be
simple. It's possible, of course, to rewrite everything without a dovecot
driver, but if everything worked as it should, it would look more
aesthetically pleasing and be much easier to understand.



Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Odhiambo Washington via Exim-users
On Fri, Mar 31, 2023 at 11:08 AM Dzmitry Shykuts via Exim-users <exim-users@exim.org> wrote:

> Hello!
>
> I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.
>
> I'm trying to deny users successful authentication if they connect not
> from the internal network but from the Internet. At the same time, I
> have a file with exception users.
>
> server_condition is used to deny authentication. At the same time, this
> works for CRAM_MD5, but does not work for PLAIN (an error message
> appears in the log, but the message is sent as coming from an authorized
> user).
>
> Used macros:
>
> LAN = 127.0.0.1 : 1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8
>
> AUTH_EXCEPTIONS = CONFDIR/auth_exceptions
>
>
> And here are my auth config:
>
> dovecot_cram_md5:
>driver = dovecot
>public_name = CRAM-MD5
>server_socket = /var/run/dovecot/auth-client
>server_set_id = $auth1
>server_advertise_condition = AUTH_ADVERTISE_CONDITION
>server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>driver = dovecot
>public_name = LOGIN
>server_socket = /var/run/dovecot/auth-client
>server_set_id = $auth1
>server_advertise_condition = AUTH_ADVERTISE_CONDITION
>
> dovecot_plain:
>driver = dovecot
>public_name = PLAIN
>server_socket = /var/run/dovecot/auth-client
>server_set_id = $auth1
>server_advertise_condition = AUTH_ADVERTISE_CONDITION
>server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
>
> What could be wrong with PLAIN?
>
> There are also notes for PLAIN in the documentation: "This option must
> be set for a plaintext server authenticator, where it is used directly
> to control authentication. See section 34.3 for details." I don't know
> how to apply or bypass this in my case.
>
> Maybe there is some other way to implement my idea with authentication
> rejection?
>

Yes. It is a lot easier to implement authentication without exceptions.
What server resources are you saving with selective authentication?

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)


[exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Dzmitry Shykuts via Exim-users

Hello!

I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.

I'm trying to deny users successful authentication if they connect not 
from the internal network but from the Internet. At the same time, I 
have a file with exception users.


server_condition is used to deny authentication. At the same time, this 
works for CRAM_MD5, but does not work for PLAIN (an error message 
appears in the log, but the message is sent as coming from an authorized 
user).


Used macros:

LAN = 127.0.0.1 : 1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8

AUTH_EXCEPTIONS = CONFDIR/auth_exceptions


And here are my auth config:

dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}


dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}



What could be wrong with PLAIN?

There are also notes for PLAIN in the documentation: "This option must 
be set for a plaintext server authenticator, where it is used directly 
to control authentication. See section 34.3 for details." I don't know 
how to apply or bypass this in my case.


Maybe there is some other way to implement my idea with authentication 
rejection?


Thanks!




[exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Peter via Exim-users

Hi,

Debian 11 here with exim4 4.94.2-7.

On the localhost, the MUA needs a non-encrypted
connection on port 25 to exim.

Exim to remote smarthost is TLS-on-connect with AUTH
PLAIN. The connection was verified with this command.
$ openssl s_client -crlf -connect mail.easthope.ca:465

How should this be configured?

Thx,   ... P.



Re: [exim] nwildlsearch does not match

2023-03-31 Thread nb via Exim-users
Le 2023-03-31 08:51, Niels Kobschätzki via Exim-users a écrit :
> Hi,
> 
> I have set up a ratelimit for my users and also a whitelist-file.
> 
> The acl for the ratelimit looks like this:
> 
>   defer authenticated = *
>         ratelimit = 30 / 5m / strict / $authenticated_id
>         condition = ${lookup{$sender_address}nwildlsearch{/usr/local/etc/exim/conf/ratelimit_whitelist}{no}{yes}}
>         log_message = Sender rate $sender_rate / $sender_rate_period ($authenticated_id)
> 
> The /usr/local/etc/exim/conf/ratelimit_whitelist is just a file with a
> bunch of e-mail-addresses. For example "ni...@kobschaetzki.net"
> 
> I have now a user who sends mail from a mail-address with sub-addressing
> that looks like this:
> 
> bounce+123456-crm.lead-98...@domain.com
> 
> I tried:
> bounce*@domain.com and bounce.*@domain.com
> 
> Both do not match according to a test with "exim -bh"
> 
> What am I doing wrong? I thought that nwildlsearch can use wildcards and
> * and .* are wildcards to me.

I think you need to tell exim that it's a regular expression.
To do that, add a ^ at the beginning of the line.



[exim] nwildlsearch does not match

2023-03-31 Thread Niels Kobschätzki via Exim-users
Hi,

I have set up a ratelimit for my users and also a whitelist-file.

The acl for the ratelimit looks like this:

  defer authenticated = *
        ratelimit = 30 / 5m / strict / $authenticated_id
        condition = ${lookup{$sender_address}nwildlsearch{/usr/local/etc/exim/conf/ratelimit_whitelist}{no}{yes}}
        log_message = Sender rate $sender_rate / $sender_rate_period ($authenticated_id)

The /usr/local/etc/exim/conf/ratelimit_whitelist is just a file with a
bunch of e-mail-addresses. For example "ni...@kobschaetzki.net"

I have now a user who sends mail from a mail-address with sub-addressing
that looks like this:

bounce+123456-crm.lead-98...@domain.com

I tried:
bounce*@domain.com and bounce.*@domain.com

Both do not match according to a test with "exim -bh"

What am I doing wrong? I thought that nwildlsearch can use wildcards and
* and .* are wildcards to me.

Best,

Niels

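The following added example (not Exim code and not from any post in this digest) models in Python the two expansion conditions discussed on this page: the nwildlsearch key-matching rules behind the ratelimit whitelist question just above, and the per-authenticator server_condition and AUTH_ADVERTISE_CONDITION policy from the "Make auth unsuccessful with some conditions" thread, including the PLAIN-to-LOGIN fallback that let an unguarded authenticator through. All file contents, addresses, user names and log lines are constructed; the LAN list mirrors the posted LAN macro with ::1 assumed for the loopback entry, and the handling of lookup data after a key is a simplification of what Exim does.

```python
"""Model of the Exim conditions discussed in the two threads above:
nwildlsearch key matching and a per-authenticator server_condition policy.
Added example; not Exim code and not code from any list post."""
import ipaddress
import re

# --- nwildlsearch, as the Exim spec describes single-key lookups ---
# Keys match case-insensitively. A key beginning with '*' means "ends with";
# a key beginning with '^' is a regular expression. A '*' anywhere else is
# literal, which is why "bounce*@domain.com" never matched in the thread.
# Simplification: the key is the first whitespace-delimited token of a line,
# with an optional trailing ':' (Exim treats the rest of a line as data).
def nwildlsearch(key: str, lines) -> bool:
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pat = line.split(None, 1)[0].rstrip(":")
        if pat.startswith("^"):
            if re.search(pat, key, re.IGNORECASE):
                return True
        elif pat.startswith("*"):
            if key.lower().endswith(pat[1:].lower()):
                return True
        elif key.lower() == pat.lower():
            return True
    return False

# Constructed whitelist file: the second key is the form that failed for the
# poster, the third is the '^' regular-expression form suggested in reply.
WHITELIST_LINES = [
    "niels@example.net",
    "bounce*@example.com",             # literal '*': never matches
    r"^bounce\+\d+-.*@example\.com$",  # regex: matches the sub-addressed sender
]
SUBADDRESSED = "bounce+123456-crm.lead-9876@example.com"   # constructed

# --- authenticator policy from the auth thread ---
LAN = ["127.0.0.1", "::1", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

def match_ip(addr: str, networks) -> bool:
    """Exim's match_ip against a list of addresses and CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def advertise_auth(ip: str, tls_in_cipher: str, received_port: int) -> bool:
    """The posted AUTH_ADVERTISE_CONDITION: offer AUTH to the LAN, and
    otherwise only when the session is not (plaintext on port 25)."""
    return match_ip(ip, LAN) or not (tls_in_cipher == "" and received_port == 25)

def server_condition(ip: str, auth1: str, exceptions_lines) -> bool:
    """The posted server_condition: LAN clients always pass; Internet clients
    pass only if AUTH_EXCEPTIONS exists (None models a missing file) and lists
    the user. Exim evaluates this after Dovecot has accepted the password."""
    return match_ip(ip, LAN) or (
        exceptions_lines is not None and nwildlsearch(auth1, exceptions_lines))

# Which authenticators carry server_condition. BUGGY is the first posted
# config (LOGIN unguarded); FIXED is the final one (all three guarded).
BUGGY = {"CRAM-MD5": True, "LOGIN": False, "PLAIN": True}
FIXED = {"CRAM-MD5": True, "LOGIN": True, "PLAIN": True}
EXCEPTIONS_LINES = ["alice", "bob"]   # constructed AUTH_EXCEPTIONS file

def auth_attempt(authenticators, client_mechs, ip, user, exceptions_lines):
    """Simulate an MUA that, like Thunderbird in the thread, tries mechanisms
    in order until one succeeds. The password is assumed correct, so the
    outcome depends only on whether each mechanism is guarded. Returns the
    mechanism that succeeded (or None) plus constructed log lines."""
    log = []
    for mech in client_mechs:
        if mech not in authenticators:
            continue
        if authenticators[mech] and not server_condition(ip, user, exceptions_lines):
            log.append(f"{mech} authenticator failed for {user} from {ip}: "
                       "535 Incorrect authentication data")
            continue
        log.append(f"{mech} authenticator succeeded for {user} from {ip}")
        return mech, log
    return None, log

if __name__ == "__main__":
    for pat in WHITELIST_LINES[1:]:
        print(f"{pat!r:40} -> {nwildlsearch(SUBADDRESSED, [pat])}")
    for label, cfg in (("buggy", BUGGY), ("fixed", FIXED)):
        mech, log = auth_attempt(cfg, ["PLAIN", "LOGIN"], "203.0.113.7",
                                 "carol", EXCEPTIONS_LINES)
        print(f"{label}: result={mech}")
        for entry in log:
            print("   ", entry)
```

Run it directly to see the key comparison and the two login simulations. The two points it makes: a client that falls back across mechanisms is only stopped when every advertised authenticator enforces the same server_condition, and a '*' in the middle of an nwildlsearch key is literal, so a sub-addressed sender needs a '^' regular-expression key.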