Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On Fri, Mar 31, 2023 at 07:18:21PM +0300, Evgeniy Berdnikov via Exim-users wrote:
> AFAIR, it has not. There are a lot of macros used in the Debian config,
> I'm pretty sure that only a small part of them is covered by the wizard.

IIRC (I have not used the Debian-style configuration for a long time), the macros handled by debconf have a specific prefix, like maybe "DC_" (but not at all sure about the spelling).

Marc, where are you?

--
Ian

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Make auth unsuccessful with some conditions
There is no error since I am using the dovecot authenticator. I already checked the config in this case; everything works as it should.

The plaintext authenticator really needs to use $auth2 as the username. For other authenticators, from the Exim documentation: "For the other authenticators, server_condition can be used as an additional authentication or authorization mechanism that is applied after the other authenticator conditions succeed."

On 31.03.2023 22:28, Evgeniy Berdnikov via Exim-users wrote:
> On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
>> I found where the problem was!
>>
>> It turns out that the Thunderbird mail client uses two types of
>> authentication with an unencrypted password at the same time: PLAIN and
>> LOGIN. First it tries PLAIN (and my condition just worked correctly and
>> there was a standard entry about "Incorrect authentication data" in the
>> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
>> condition) and the mail was successfully sent. Yesterday I did not pay
>> attention to the authenticator of the second (successful) authentication
>> attempt in the log, where instead of PLAIN there was already LOGIN.
>
> This is one of at least two bugs in your configuration. I think your
> PLAIN authenticator should always fail, because you use $auth1 as name
> and $auth2 as password, while $auth1 should always be a null string for
> PLAIN. For PLAIN, $auth2 is the username and $auth3 is the password
> (unlike the parameters of CRAM-MD5 and LOGIN). Look into ch.34 for
> details. Running Exim with the -d+auth+expand option would make it visible.
>
>> Here is the resulting auth config (maybe it will come in handy for
>> someone):
>>
>> dovecot_cram_md5:
>>   driver = dovecot
>>   public_name = CRAM-MD5
>>   server_socket = /var/run/dovecot/auth-client
>>   server_set_id = $auth1
>>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>>   server_condition = ${if or{\
>>     {match_ip{$sender_host_address}{LAN}}\
>>     {and{\
>>       {exists{AUTH_EXCEPTIONS}}\
>>       {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>>     }}\
>>   }}
>>
>> dovecot_login:
>>   driver = dovecot
>>   public_name = LOGIN
>>   server_socket = /var/run/dovecot/auth-client
>>   server_set_id = $auth1
>>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>>   server_condition = ${if or{\
>>     {match_ip{$sender_host_address}{LAN}}\
>>     {and{\
>>       {exists{AUTH_EXCEPTIONS}}\
>>       {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>>     }}\
>>   }}
>>
>> dovecot_plain:
>>   driver = dovecot
>>   public_name = PLAIN
>>   server_socket = /var/run/dovecot/auth-client
>>   server_set_id = $auth1
>>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>>   server_condition = ${if or{\
>>     {match_ip{$sender_host_address}{LAN}}\
>>     {and{\
>>       {exists{AUTH_EXCEPTIONS}}\
>>       {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>>     }}\
>>   }}
Re: [exim] Make auth unsuccessful with some conditions
On 31/03/2023 20:28, Evgeniy Berdnikov via Exim-users wrote:
> while $auth1 should always be null string for PLAIN.

Wups, not for the dovecot driver. You're thinking of the plaintext driver.

--
Cheers,
Jeremy
Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
>
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.

This is one of at least two bugs in your configuration. I think your PLAIN authenticator should always fail, because you use $auth1 as name and $auth2 as password, while $auth1 should always be a null string for PLAIN. For PLAIN, $auth2 is the username and $auth3 is the password (unlike the parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details. Running Exim with the -d+auth+expand option would make it visible.

> Here is the resulting auth config (maybe it will come in handy for
> someone):
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{\
>     {match_ip{$sender_host_address}{LAN}}\
>     {and{\
>       {exists{AUTH_EXCEPTIONS}}\
>       {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>     }}\
>   }}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{\
>     {match_ip{$sender_host_address}{LAN}}\
>     {and{\
>       {exists{AUTH_EXCEPTIONS}}\
>       {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>     }}\
>   }}
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{\
>     {match_ip{$sender_host_address}{LAN}}\
>     {and{\
>       {exists{AUTH_EXCEPTIONS}}\
>       {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>     }}\
>   }}

--
Eugene Berdnikov
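The $auth1/$auth2/$auth3 layout Evgeniy describes is how Exim's plaintext driver exposes the client's SASL data; Jeremy's follow-up in this thread points out that the dovecot driver instead hands back the user name in $auth1. The block below is an added example, not code from the thread or from Exim: it decodes the client side of PLAIN (RFC 4616: authzid NUL authcid NUL passwd) and of LOGIN (two separate base64 replies) into the slots the plaintext driver would fill, so you can see why a server_condition that looks up $auth1 under PLAIN is looking up the (normally empty) authorization id rather than the user. The base64 inputs used in the usage below are constructed for the example.

```python
"""Map PLAIN and LOGIN client data onto Exim's $auth1..$auth3 as the
plaintext driver fills them.  Added example, not from the thread or Exim."""
import base64


def plain_fields(initial_response_b64: str) -> dict:
    """PLAIN (RFC 4616): base64( authzid NUL authcid NUL passwd ).
    The plaintext driver exposes the NUL-separated parts as
    $auth1 = authorization id (usually empty), $auth2 = user name,
    $auth3 = password."""
    raw = base64.b64decode(initial_response_b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"auth1": authzid, "auth2": authcid, "auth3": passwd}


def login_fields(user_b64: str, pass_b64: str) -> dict:
    """LOGIN: the client answers the 'Username:' and 'Password:' prompts
    with two base64 strings; the plaintext driver puts them in $auth1
    and $auth2 respectively."""
    return {
        "auth1": base64.b64decode(user_b64, validate=True).decode("utf-8"),
        "auth2": base64.b64decode(pass_b64, validate=True).decode("utf-8"),
    }


def username_for_lookup(mechanism: str, fields: dict) -> str:
    """Which variable a server_condition lookup has to key on.
    Under PLAIN that is $auth2; keying on $auth1 would look up the
    authorization id, which a normal client sends empty, so the lookup
    can never match a user."""
    if mechanism == "PLAIN":
        return fields["auth2"]
    if mechanism == "LOGIN":
        return fields["auth1"]
    raise ValueError(f"unsupported mechanism {mechanism!r}")


def proxy_authorization_requested(plain: dict) -> bool:
    """General SASL caveat (not specific to the thread): a non-empty
    authzid that differs from the authcid asks to act as another user.
    A server that sets its id from $auth2 but never checks $auth1
    silently ignores that request, which is the safe default; a
    server that used $auth1 as the identity would honour it."""
    return plain["auth1"] != "" and plain["auth1"] != plain["auth2"]


if __name__ == "__main__":
    # Constructed client data: PLAIN "\0alice\0s3cret", LOGIN "alice" / "s3cret".
    p = plain_fields("AGFsaWNlAHMzY3JldA==")
    l = login_fields("YWxpY2U=", "czNjcmV0")
    print("PLAIN :", p, "-> lookup key", repr(username_for_lookup("PLAIN", p)))
    print("LOGIN :", l, "-> lookup key", repr(username_for_lookup("LOGIN", l)))
```

Run it and compare the two `lookup key` lines: the same user authenticating with PLAIN and with LOGIN lands in different variables, which is why a single `server_condition` expression cannot be copied verbatim between plaintext authenticators for the two mechanisms.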
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On Fri, Mar 31, 2023 at 04:22:43PM +0100, Jeremy Harris via Exim-users wrote:
> On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
> > .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
> > protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
> > .endif
>
> Doesn't that imply the wizard has a question that sets that?

AFAIR, it has not. There are a lot of macros used in the Debian config, I'm pretty sure that only a small part of them is covered by the wizard.

--
Eugene Berdnikov
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 31 March 2023 15:22:43 UTC, Jeremy Harris via Exim-users wrote:
> On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
>> .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
>> protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
>> .endif
>
> Doesn't that imply the wizard has a question that sets that?

No, one has to set it up manually, and it is not part of stable nor older, only in testing or stable-backports yet.

regards

--
Slavko
https://www.slavino.sk/
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 31/03/2023 16:36, Peter via Exim-users wrote:
> submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]
>
> Should a line beginning smtps be added? Eg.
> smtps 465/tcp ...

Not needed. The "smtps" value for the exim smtp transport driver is a keyword, not a reference looked up in /etc/services.

But I'm still thinking that the Debian configuration wizard for Exim likely has a question on this, and you shouldn't be needing to manually find the right place in their resulting set of configuration files. This is my inference from the presence of that macro use pointed out by Evgeniy.

--
Cheers,
Jeremy
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
From: Heiko Schlittermann via Exim-users
Date: Fri, 31 Mar 2023 16:09:10 +0200
> Try adding
>   protocol = smtps
> to your smtp transport.
>
> protocol | Use: smtp | Type: string | Default: smtp

I guess somewhere in /etc/exim4/. A rather large hierarchy. 8~/
Someone tell me the location more specifically please.

Found port and protocol here.
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html
No reference to /etc/exim4 in the filesystem.

"Note that at least one Linux distribution has been seen failing to put "smtps" in its "/etc/services" file, resulting in such deferrals." motivated a look in Debian 11. This is the only occurrence of "smtps".

  submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]

Should a line beginning smtps be added? Eg.
  smtps 465/tcp ...

Thx, ... P.
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
> .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
> protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
> .endif

Doesn't that imply the wizard has a question that sets that?

--
Cheers,
Jeremy
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On Fri, Mar 31, 2023 at 04:09:10PM +0200, Heiko Schlittermann via Exim-users wrote:
> Peter via Exim-users (Fri 31 Mar 2023 15:40:35 CEST):
> > From: Jeremy Harris via Exim-users
> > Subject: Re: [exim] Configuring for non-encrypted MUA to localhost.
> > TLS-on-connect, exim to smarthost.
> > > Debian has a configuration wizard. In what respect is
> > > not offering what you need?
[...]
> Try adding
>   protocol = smtps
> to your smtp transport.

From Debian /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:

  remote_smtp_smarthost:
  [...]
  .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
    protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
  .endif

So, this task may be solved by adding

  REMOTE_SMTP_SMARTHOST_PROTOCOL=smtps

to the default configuration.

--
Eugene Berdnikov
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
Peter via Exim-users (Fri 31 Mar 2023 15:40:35 CEST):
> From: Jeremy Harris via Exim-users
> Subject: Re: [exim] Configuring for non-encrypted MUA to localhost.
> TLS-on-connect, exim to smarthost.
> > Debian has a configuration wizard. In what respect is
> > not offering what you need?
>
> MUA to exim is OK.
>
> The configuration appears to impose STARTTLS to the smarthost
> while the smarthost is requiring TLS-on-connect.
> Consequently exim queues outgoing messages but can not send to
> smarthost.

Try adding

  protocol = smtps

to your smtp transport.

  protocol | Use: smtp | Type: string | Default: smtp

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) -
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE -
[exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
From: Jeremy Harris via Exim-users
Subject: Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
> Debian has a configuration wizard. In what respect is
> not offering what you need?

MUA to exim is OK.

The configuration appears to impose STARTTLS to the smarthost while the smarthost is requiring TLS-on-connect. Consequently exim queues outgoing messages but can not send to smarthost.

Some details here.
https://lists.debian.org/debian-user/2023/03/msg00958.html

Thx, ... P.
Re: [exim] Make auth unsuccessful with some conditions
So far I am working with Debian 10, so the package versions are old, but current for Debian 10. In the near future I plan to switch to version 11, and maybe immediately to 12, which seems to be released in the fall. In the meantime, you have to protect the currently running server.

On 31.03.2023 15:52, Andrew C Aitchison via Exim-users wrote:
> On Thu, 30 Mar 2023, Dzmitry Shykuts via Exim-users wrote:
>> Hello!
>>
>> I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.
>
> Blink. They look old. Current Exim is 4.96 and Dovecot is 2.3.20.
> I see that buster-backports has Exim 4.94.2-7~bpo10+1
Re: [exim] Make auth unsuccessful with some conditions
I found where the problem was!

It turns out that the Thunderbird mail client uses two types of authentication with an unencrypted password at the same time: PLAIN and LOGIN. First it tries PLAIN (and my condition just worked correctly and there was a standard entry about "Incorrect authentication data" in the log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a condition) and the mail was successfully sent. Yesterday I did not pay attention to the authenticator of the second (successful) authentication attempt in the log, where instead of PLAIN there was already LOGIN.

Summarizing everything, it is correct to immediately add conditions to all authenticators.

Thank you all for your participation and help!

P.S. I love Exim because it allows me to implement all my ideas... :)

Here is the resulting auth config (maybe it will come in handy for someone):

  dovecot_cram_md5:
    driver = dovecot
    public_name = CRAM-MD5
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_advertise_condition = AUTH_ADVERTISE_CONDITION
    server_condition = ${if or{\
      {match_ip{$sender_host_address}{LAN}}\
      {and{\
        {exists{AUTH_EXCEPTIONS}}\
        {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
      }}\
    }}

  dovecot_login:
    driver = dovecot
    public_name = LOGIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_advertise_condition = AUTH_ADVERTISE_CONDITION
    server_condition = ${if or{\
      {match_ip{$sender_host_address}{LAN}}\
      {and{\
        {exists{AUTH_EXCEPTIONS}}\
        {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
      }}\
    }}

  dovecot_plain:
    driver = dovecot
    public_name = PLAIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_advertise_condition = AUTH_ADVERTISE_CONDITION
    server_condition = ${if or{\
      {match_ip{$sender_host_address}{LAN}}\
      {and{\
        {exists{AUTH_EXCEPTIONS}}\
        {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
      }}\
    }}

On 31.03.2023 14:39, Jeremy Harris via Exim-users wrote:
> On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
>> I'm trying to deny users successful authentication if they connect not
>> from the internal network but from the Internet. At the same time, I
>> have a file with exception users.
>>
>> server_condition is used to deny authentication. At the same time, this
>> works for CRAM_MD5, but does not work for PLAIN (an error message
>> appears in the log, but the message is sent as coming from an authorized
>> user).
>
> What error message? In what fashion does it "not work"? Show us an example.
>
> Use the debug facilities (quite likely, doing that will show you where
> your issue is).
>
>> There are also notes for PLAIN in the documentation: "This option must
>> be set for a plaintext server authenticator, where it is used directly
>> to control authentication. See section 34.3 for details." I don't know
>> how to apply or bypass this in my case.
>
> As it says, for a plaintext authenticator. You are not using one, you are
> using dovecot authenticators.
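The lesson of this thread is that a client falls back through every mechanism the server advertises, so the policy has to be enforced in each authenticator and then verified from the log rather than from a single successful test. The following is an added example, not code from the thread: a check over Exim main-log `<=` (message arrived) lines, which carry the client address in square brackets and an `A=<authenticator>:<id>` item, reporting authenticated submissions from outside the LAN by users who are not in the exception list, per authenticator. Run over the real log it would have shown the `dovecot_login` gap by name. The LAN networks are the thread's LAN macro; its `1` entry is taken here to be the IPv6 loopback `::1` (an assumption). The sample log lines, host names, message ids and the exception set are constructed.

```python
"""Report authenticated submissions that the thread's server_condition
should have refused, grouped by Exim authenticator.
Added example; log lines and lists below are constructed, not from the thread."""
import ipaddress
import re

# Thread's LAN macro: 127.0.0.1 : 1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8
# "1" is assumed to mean the IPv6 loopback and is spelled out as ::1/128.
LAN = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "::1/128", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# Constructed stand-in for the auth_exceptions file (one user name per line).
AUTH_EXCEPTIONS = {"sales", "ceo"}

# Exim main-log arrival line: timestamp, message id, "<=" sender, ... [client ip] ...
# A=<authenticator>:<authenticated id>.  Only the fields used here are captured.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*? A=(?P<auth>[\w-]+):(?P<id>\S+)"
)


def in_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN)


def find_violations(log_lines):
    """Return [(authenticator, id, client_ip), ...] for every authenticated
    arrival from outside the LAN whose id is not in the exception list.
    The authenticator name tells you which mechanism is missing the condition."""
    hits = []
    for line in log_lines:
        m = ARRIVAL.search(line)
        if not m:
            continue                      # not an arrival line, or unauthenticated
        ip, auth, uid = m["ip"], m["auth"], m["id"]
        if not in_lan(ip) and uid not in AUTH_EXCEPTIONS:
            hits.append((auth, uid, ip))
    return hits


def by_authenticator(violations):
    """Group the violations so the offending authenticator stands out."""
    grouped = {}
    for auth, uid, ip in violations:
        grouped.setdefault(auth, []).append((uid, ip))
    return grouped


# Constructed sample in Exim mainlog format.
SAMPLE_LOG = """\
2023-03-31 10:01:12 1piAbC-0001aB-2C <= alice@example.org H=(pc1) [192.168.1.20] P=esmtpa A=dovecot_plain:alice S=1234
2023-03-31 10:02:40 1piAbD-0001aC-3D <= bob@example.org H=(laptop) [203.0.113.7] P=esmtpsa X=TLS1.3:... A=dovecot_login:bob S=2048
2023-03-31 10:03:05 1piAbE-0001aD-4E <= sales@example.org H=(home) [198.51.100.9] P=esmtpsa X=TLS1.3:... A=dovecot_cram_md5:sales S=777
2023-03-31 10:03:30 1piAbF-0001aE-5F H=(scanner) [203.0.113.8] incomplete transaction (connection lost)
"""

if __name__ == "__main__":
    for auth, who in by_authenticator(find_violations(SAMPLE_LOG.splitlines())).items():
        for uid, ip in who:
            print(f"{auth}: {uid} authenticated from {ip} (outside LAN, not an exception)")
```

On a live system, feed it `/var/log/exim4/mainlog` (Debian's path) instead of `SAMPLE_LOG` and reload the exception list from the real file; a non-empty report after the fix means some advertised mechanism still lacks the condition.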
Re: [exim] Make auth unsuccessful with some conditions
On Thu, 30 Mar 2023, Dzmitry Shykuts via Exim-users wrote:
> Hello!
>
> I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.

Blink. They look old. Current Exim is 4.96 and Dovecot is 2.3.20.
I see that buster-backports has Exim 4.94.2-7~bpo10+1

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
Re: [exim] Make auth unsuccessful with some conditions
On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
> I'm trying to deny users successful authentication if they connect not
> from the internal network but from the Internet. At the same time, I
> have a file with exception users.
>
> server_condition is used to deny authentication. At the same time, this
> works for CRAM_MD5, but does not work for PLAIN (an error message
> appears in the log, but the message is sent as coming from an authorized
> user).

What error message? In what fashion does it "not work"? Show us an example.

Use the debug facilities (quite likely, doing that will show you where your issue is).

> There are also notes for PLAIN in the documentation: "This option must
> be set for a plaintext server authenticator, where it is used directly
> to control authentication. See section 34.3 for details." I don't know
> how to apply or bypass this in my case.

As it says, for a plaintext authenticator. You are not using one, you are using dovecot authenticators.

--
Cheers,
Jeremy
Re: [exim] Make auth unsuccessful with some conditions
I'm sorry, I did not specify, but it does not affect the result.

  AUTH_ADVERTISE_CONDITION = ${if or{\
    {match_ip{$sender_host_address}{LAN}}\
    {!and{\
      {eq{$tls_in_cipher}{}}\
      {eq{$received_port}{25}}\
    }}\
  }{*}{}}

On 31.03.2023 13:16, Jeremy Harris via Exim-users wrote:
> On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
>> I have a file with exception users
>
> But the server_advertise_condition wants an empty/nonempty string, and
> you appear to be handing it a filename.
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 30/03/2023 20:00, Peter via Exim-users wrote:
> Debian 11 here with exim4 4.94.2-7.

Debian has a configuration wizard. In what respect is not offering what you need?

--
Cheers,
Jeremy
Re: [exim] Make auth unsuccessful with some conditions
On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
> I have a file with exception users

But the server_advertise_condition wants an empty/nonempty string, and you appear to be handing it a filename.

--
Cheers,
Jeremy
Re: [exim] nwildlsearch does not match
On 31/03/2023 07:51, Niels Kobschätzki via Exim-users wrote:
> What am I doing wrong? I thought that nwildlsearch can use wildcards and
> * and .* are wildcards to me.

https://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsinglekeylookups

--
Cheers,
Jeremy
Re: [exim] Make auth unsuccessful with some conditions
On 31.03.2023 11:20, Odhiambo Washington via Exim-users wrote:
> What server resources are you saving with selective authentication?

The goal is not to conserve server resources but to prevent hackers from guessing passwords. Even if the hacker enters the correct user password, if that user is not in the exceptions, the hacker will not know if he entered the correct password. There are about 1000 users on my server, but only 20 can send mail from the Internet. Recently, the number of password guessing attempts has increased. Yes, I have fail2ban installed, but security requires even more stringent measures.

In my configuration, for some reason, the server_condition for PLAIN does not work, but for CRAM_MD5 it does. And the condition seems to be simple. It's possible, of course, to rewrite everything without the dovecot driver, but if everything worked as it should, then it looks more aesthetically pleasing and is much easier to understand.
Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 11:08 AM Dzmitry Shykuts via Exim-users <exim-users@exim.org> wrote:
> Hello!
>
> I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.
>
> I'm trying to deny users successful authentication if they connect not
> from the internal network but from the Internet. At the same time, I
> have a file with exception users.
>
> server_condition is used to deny authentication. At the same time, this
> works for CRAM_MD5, but does not work for PLAIN (an error message
> appears in the log, but the message is sent as coming from an authorized
> user).
>
> Used macros:
>
>   LAN = 127.0.0.1 : 1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8
>
>   AUTH_EXCEPTIONS = CONFDIR/auth_exceptions
>
> And here is my auth config:
>
>   dovecot_cram_md5:
>     driver = dovecot
>     public_name = CRAM-MD5
>     server_socket = /var/run/dovecot/auth-client
>     server_set_id = $auth1
>     server_advertise_condition = AUTH_ADVERTISE_CONDITION
>     server_condition = ${if or{\
>       {match_ip{$sender_host_address}{LAN}}\
>       {and{\
>         {exists{AUTH_EXCEPTIONS}}\
>         {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>       }}\
>     }}
>
>   dovecot_login:
>     driver = dovecot
>     public_name = LOGIN
>     server_socket = /var/run/dovecot/auth-client
>     server_set_id = $auth1
>     server_advertise_condition = AUTH_ADVERTISE_CONDITION
>
>   dovecot_plain:
>     driver = dovecot
>     public_name = PLAIN
>     server_socket = /var/run/dovecot/auth-client
>     server_set_id = $auth1
>     server_advertise_condition = AUTH_ADVERTISE_CONDITION
>     server_condition = ${if or{\
>       {match_ip{$sender_host_address}{LAN}}\
>       {and{\
>         {exists{AUTH_EXCEPTIONS}}\
>         {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
>       }}\
>     }}
>
> What could be wrong with PLAIN?
>
> There are also notes for PLAIN in the documentation: "This option must
> be set for a plaintext server authenticator, where it is used directly
> to control authentication. See section 34.3 for details." I don't know
> how to apply or bypass this in my case.
>
> Maybe there is some other way to implement my idea with authentication
> rejection?

Yes. It is a lot easier to implement authentication without exceptions.
What server resources are you saving with selective authentication?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[exim] Make auth unsuccessful with some conditions
Hello!

I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.

I'm trying to deny users successful authentication if they connect not from the internal network but from the Internet. At the same time, I have a file with exception users.

server_condition is used to deny authentication. At the same time, this works for CRAM_MD5, but does not work for PLAIN (an error message appears in the log, but the message is sent as coming from an authorized user).

Used macros:

  LAN = 127.0.0.1 : 1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8

  AUTH_EXCEPTIONS = CONFDIR/auth_exceptions

And here is my auth config:

  dovecot_cram_md5:
    driver = dovecot
    public_name = CRAM-MD5
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_advertise_condition = AUTH_ADVERTISE_CONDITION
    server_condition = ${if or{\
      {match_ip{$sender_host_address}{LAN}}\
      {and{\
        {exists{AUTH_EXCEPTIONS}}\
        {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
      }}\
    }}

  dovecot_login:
    driver = dovecot
    public_name = LOGIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_advertise_condition = AUTH_ADVERTISE_CONDITION

  dovecot_plain:
    driver = dovecot
    public_name = PLAIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
    server_advertise_condition = AUTH_ADVERTISE_CONDITION
    server_condition = ${if or{\
      {match_ip{$sender_host_address}{LAN}}\
      {and{\
        {exists{AUTH_EXCEPTIONS}}\
        {eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}\
      }}\
    }}

What could be wrong with PLAIN?

There are also notes for PLAIN in the documentation: "This option must be set for a plaintext server authenticator, where it is used directly to control authentication. See section 34.3 for details." I don't know how to apply or bypass this in my case.

Maybe there is some other way to implement my idea with authentication rejection?

Thanks!
[exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
Hi,

Debian 11 here with exim4 4.94.2-7.

On the localhost, the MUA needs a non-encrypted connection on port 25 to exim.

Exim to remote smarthost is TLS-on-connect with AUTH PLAIN. The connection was verified with this command.

  $ openssl s_client -crlf -connect mail.easthope.ca:465

How should this be configured?

Thx, ... P.
Re: [exim] nwildlsearch does not match
On 2023-03-31 08:51, Niels Kobschätzki via Exim-users wrote:
> Hi,
>
> I have set up a ratelimit for my users and also a whitelist-file.
>
> The acl for the ratelimit looks like this:
>
>   defer authenticated = *
>         ratelimit = 30 / 5m / strict / $authenticated_id
>         condition = ${lookup{$sender_address}nwildlsearch{/usr/local/etc/exim/conf/ratelimit_whitelist}{no}{yes}}
>         log_message = Sender rate $sender_rate / $sender_rate_period ($authenticated_id)
>
> The /usr/local/etc/exim/conf/ratelimit_whitelist is just a file with a
> bunch of e-mail-addresses. For example "ni...@kobschaetzki.net"
>
> I have now a user who sends mail from a mail-address with sub-addressing
> that looks like this:
>
>   bounce+123456-crm.lead-98...@domain.com
>
> I tried:
>   bounce*@domain.com and bounce.*@domain.com
>
> Both do not match according to a test with "exim -bh"
>
> What am I doing wrong? I thought that nwildlsearch can use wildcards and
> * and .* are wildcards to me.

I think you need to tell exim that it's a regular expression. To do that, add a ^ at the beginning of the line.
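The `^` prefix turns an nwildlsearch key into a regular expression, and with a regex key two details matter for a whitelist that exempts senders from a rate limit: PCRE matches anywhere in the string unless the pattern is anchored, and an unescaped `.` matches any character. The block below is an added example, not code from the thread or from Exim. It models only two key forms of an nwildlsearch file, a `^` regex key searched against the lookup key and a literal key compared exactly; the other pattern forms (n)wildlsearch accepts and its case handling are left out. It shows that the literal lines tried above never match a sub-addressed sender, that a loose regex also matches an address an authenticated user could choose as envelope sender, and what an anchored entry looks like. The addresses and whitelist contents are constructed.

```python
"""Model of literal and '^'-regex keys in an Exim nwildlsearch whitelist.
Added example; only these two key forms are modelled, and the addresses
and file contents are constructed for the demonstration."""
import re


def wildlsearch_match(whitelist_lines, key):
    """Return the first whitelist entry that matches key, or None.
    '^...' entries are regular expressions searched (not anchored) against
    key, as PCRE does in Exim; any other entry must equal key exactly."""
    for line in whitelist_lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("^"):
            if re.search(entry, key):
                return entry
        elif entry == key:
            return entry
    return None


# Constructed addresses (not the ones in the thread).
SENDER = "bounce+123456-crm.lead-98765@domain.com"   # sub-addressed sender to exempt
SPOOF = "bounce@domain.com.attacker.example"          # envelope sender any authenticated user could set

# Three versions of the whitelist file, one key per line.
AS_POSTED = ["user@example.org", "bounce*@domain.com", "bounce.*@domain.com"]
LOOSE = ["user@example.org", "^bounce.*@domain.com"]               # regex, but '.' unescaped and no '$'
STRICT = ["user@example.org", r"^bounce(\+[^@]*)?@domain\.com$"]  # anchored, dot escaped, sub-address optional


def demo():
    """Outcome of each whitelist against the two addresses."""
    return {
        "as_posted_sender": wildlsearch_match(AS_POSTED, SENDER),
        "loose_sender": wildlsearch_match(LOOSE, SENDER),
        "loose_spoof": wildlsearch_match(LOOSE, SPOOF),
        "strict_sender": wildlsearch_match(STRICT, SENDER),
        "strict_spoof": wildlsearch_match(STRICT, SPOOF),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18s} -> {hit!r}")
```

The point for the ACL above: the rate limit is keyed on `$authenticated_id`, but the whitelist is keyed on `$sender_address`, which the submitting client chooses, so an entry like the `LOOSE` one lets any authenticated account escape the limit by picking a matching envelope sender. Anchor with `$` and escape the dots, as in `STRICT`. Using nwildlsearch rather than wildlsearch is also the right choice here, since nwildlsearch does not string-expand the keys, so `$` and backslashes in the file are taken literally.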
[exim] nwildlsearch does not match
Hi,

I have set up a ratelimit for my users and also a whitelist-file.

The acl for the ratelimit looks like this:

  defer authenticated = *
        ratelimit = 30 / 5m / strict / $authenticated_id
        condition = ${lookup{$sender_address}nwildlsearch{/usr/local/etc/exim/conf/ratelimit_whitelist}{no}{yes}}
        log_message = Sender rate $sender_rate / $sender_rate_period ($authenticated_id)

The /usr/local/etc/exim/conf/ratelimit_whitelist is just a file with a bunch of e-mail-addresses. For example "ni...@kobschaetzki.net"

I have now a user who sends mail from a mail-address with sub-addressing that looks like this:

  bounce+123456-crm.lead-98...@domain.com

I tried:
  bounce*@domain.com and bounce.*@domain.com

Both do not match according to a test with "exim -bh"

What am I doing wrong? I thought that nwildlsearch can use wildcards and * and .* are wildcards to me.

Best,

Niels