[debian-edu-commits] debian-edu/ 01/01: Adjust exim config on the main server to be closer to the default in Debian, and explain why the kerberos id is checked when using SMTP.
Petter Reinholdtsen
pere at moszumanska.debian.org
Sun Oct 12 10:04:48 UTC 2014
This is an automated email from the git hooks/post-receive script.
pere pushed a commit to branch master
in repository debian-edu-config.
commit 183149d5d20e8d57060070e6fdcdd264cf11e994
Author: Petter Reinholdtsen <pere at hungry.com>
Date: Sun Oct 12 12:04:19 2014 +0200
Adjust exim config on the main server to be closer to the default in Debian, and explain why the kerberos id is checked when using SMTP.
---
debian/changelog | 2 ++
etc/exim4/exim-ldap-server-v4.conf | 15 ++++++++++-----
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 02e4abf..002fff9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -40,6 +40,8 @@ debian-edu-config (1.810) UNRELEASED; urgency=high
/skole/backup file system on the main server profile.
* Fix typo in the nfs-server testsuite check, reporting error on all
non-server installations.
+ * Adjust exim config on the main server to be closer to the default in
+ Debian, and explain why the kerberos id is checked when using SMTP.
-- Wolfgang Schweer <wschweer at arcor.de> Tue, 07 Oct 2014 12:47:06 +0200
diff --git a/etc/exim4/exim-ldap-server-v4.conf b/etc/exim4/exim-ldap-server-v4.conf
index 93cfbe3..7b3fbc1 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -15,8 +15,8 @@ LDAPSERVER = ldap
LOCALHOST = 127.0.0.1/8
-acl_smtp_rcpt = check_recipient
-acl_smtp_data = check_message
+acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data = acl_check_data
# These options specify the Access Control Lists (ACLs) that
# are used to control the ETRN, EXPN, and VRFY commands.
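Review bot: the new values on the two + lines, acl_check_rcpt and acl_check_data, only resolve if the labels under "begin acl" carry the same names. They are renamed later in this commit, but anything outside this file that still names check_recipient or check_message would stop matching. Worth searching the package for the old names before this lands, and naming the rename in the changelog entry, which currently only says "closer to the default in Debian".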
@@ -184,21 +184,26 @@ received_header_text = "Received: \
begin acl
# ACL that is used after the RCPT command
-check_recipient:
+acl_check_rcpt:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
+
+ # Make sure users can not fake sender address vis SMTP. Reject
+ # unauthenticated connections and check that the sender is the same
+ # as the Kerberos ID.
deny !authenticated = *
message = SMTP server requires authentication. Check your SMTP client configuration.
deny condition = ${if eq{$authenticated_id}{$sender_address_local_part at INTERN}{false}{true}}
- message = Sender address $sender_address conflicts with authentication $authenticated_id.
+ message = Sender address $sender_address conflicts with authentication $authenticated_id.
+
accept hosts = :
accept domains = +local_domains
accept hosts = +relay_hosts
deny message = relay not permitted
# ACL that is used after the DATA command
-check_message:
+acl_check_data:
require verify = header_syntax
accept
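Review bot: in acl_check_rcpt the new comment block is inserted directly under the old "Exim 3 had no checking on -bs messages" comment, which describes the "accept hosts = :" rule that sits below both deny statements. Suggest moving the Exim 3 comment down next to that accept so each comment sits on the rule it explains. Because both deny statements are evaluated before "accept hosts = :", the comment should also say whether local non-TCP submissions are meant to hit the authentication check first. "vis SMTP" should read "via SMTP". The condition compares only $sender_address_local_part against $authenticated_id, so "the sender is the same as the Kerberos ID" holds for the local part and says nothing about the sender domain; either state that in the comment or extend the check.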
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git