[Pkg-exim4-users] authenticated ACL
Marc Haber
mh+pkg-exim4-users at zugschlus.de
Sun Oct 30 14:48:59 UTC 2005
Hi,
On Sat, Oct 29, 2005 at 11:10:30AM +0200, Andreas Metzler wrote:
> On 2005-10-28 Richard Doyle <rdoyle at islandnetworks.com> wrote:
> > In the check recipient ACL of the stock Debian configuration
> > (30_exim4-config_check_rcpt), the test for authentication of the
> > incoming SMTP connection (accept authenticated = *) is run next to last,
> > right before the final "deny message = relay not permitted" stanza in
> > the ACL. Why does the authentication test run so late in the ACL?
>
> Hello,
> I cannot remember, I guess it simply grew.
It is that way in upstream's default configure file from where we
originally started. Especially the rcpt acl has been severely modified
since then.
> > In particular, I use the DNSBL check, which runs earlier in the
> > check_rcpt ACL, as a blocklist. Because the authentication test runs
> > later, incoming mail from an authenticated SMTP connection will be
> > blocked if the sender is listed in the DNSBL blacklist.
>
> > Will I break anything if I move the test for SMTP authentication to the
> > beginning of the ACL?
>
> I think moving it to the beginning of the ACL is not a good idea; there
> are a number of checks where special-casing of relayed messages does not
> make sense, e.g.
>
> - accepting undeliverable mail.
> - accepting blacklisted from. (e.g. viruses)
> etc.
Agreed.
> I'd suggest moving accept authenticated = * after
>
> .ifdef CHECK_RCPT_REVERSE_DNS
> ...
> .endif
>
> Thoughts?
Tony's configuration from Cambridge does sender verification after
accepting authenticated senders, so that authenticated senders
receive a bounce to their inbox instead of having the message rejected
(and the SMTP error message probably hidden from them by their
"user-friendly" MUA). I am not sure whether we should go with Tony's
idea which surely is appropriate for the University.
> BTW, I wonder whether we should add
> control = submission/sender_retain
> to the 'accept authenticated = *' statement.[1]
Since we set local_from_check = false and local_sender_retain = true
globally by default, setting submission/sender_retain is a no-op for
our default configuration.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
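
The ordering trade-off discussed in this thread, as an added example that is not part of the original message or of the Debian configuration: a simplified Python model of first-match ACL evaluation, compared across three placements of `accept authenticated = *`. The check names, their relative order (in particular that the DNSBL check follows the intermediate placement) and the sample connections are assumptions constructed for illustration.

```python
# Simplified model of Exim's first-match ACL evaluation; not Exim's own parser.
# Check names and their relative order are assumptions for illustration.

def evaluate(acl, msg):
    """Return (verdict, statement) for the first statement whose condition holds."""
    for verb, name, cond in acl:
        if cond(msg):
            return verb, name
    return "deny", "implicit deny"  # Exim denies when an ACL runs off the end

# Checks that make sense for every client, authenticated or not.
COMMON = [
    ("deny", "blacklisted sender", lambda m: m["sender_blacklisted"]),
    ("deny", "undeliverable recipient", lambda m: not m["rcpt_ok"]),
]
DNSBL = [("deny", "dnsbl", lambda m: m["dnsbl_listed"])]
AUTH = [("accept", "authenticated = *", lambda m: m["authenticated"])]
LOCAL = [("accept", "local domain", lambda m: m["rcpt_local"])]
FINAL = [("deny", "relay not permitted", lambda m: True)]

ORDERINGS = {
    "stock": COMMON + DNSBL + LOCAL + AUTH + FINAL,             # auth next to last
    "auth_first": AUTH + COMMON + DNSBL + LOCAL + FINAL,        # auth at the top
    "auth_after_common": COMMON + AUTH + DNSBL + LOCAL + FINAL, # intermediate spot
}

def msg(**overrides):
    """Build a constructed sample connection; every flag defaults to benign."""
    base = {"authenticated": False, "dnsbl_listed": False,
            "sender_blacklisted": False, "rcpt_ok": True, "rcpt_local": False}
    return {**base, **overrides}

# Constructed sample connections, all addressed to a remote (relayed) recipient.
SAMPLES = {
    "roaming_user": msg(authenticated=True, dnsbl_listed=True),
    "blacklisted_from": msg(authenticated=True, sender_blacklisted=True),
    "unauthenticated_relay": msg(),
}

def outcomes(ordering):
    """Evaluate every sample connection against the named ordering."""
    acl = ORDERINGS[ordering]
    return {name: evaluate(acl, m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for ordering in ORDERINGS:
        print(ordering, outcomes(ordering))
```
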