[Pkg-exim4-users] authenticated ACL

Marc Haber mh+pkg-exim4-users at zugschlus.de
Sun Oct 30 14:48:59 UTC 2005


Hi,

On Sat, Oct 29, 2005 at 11:10:30AM +0200, Andreas Metzler wrote:
> On 2005-10-28 Richard Doyle <rdoyle at islandnetworks.com> wrote:
> > In the check recipient ACL of the stock Debian configuration
> > (30_exim4-config_check_rcpt), the test for authentication of the
> > incoming SMTP connection (accept authenticated = *) is run next to last,
> > right before the final "deny message = relay not permitted" stanza in
> > the ACL. Why does the authentication test run so late in the ACL?
> 
> Hello,
> I cannot remember, I guess it simply grew.

It is that way in upstream's default configure file from where we
originally started. Especially the rcpt acl has been severely modified
since then.

> > In particular, I use the DNSBL check, which runs earlier in the
> > check_rcpt ACL, as a blocklist. Because the authentication test runs
> > later, incoming mail from an authenticated SMTP connection will be
> > blocked if the sender is listed in the DNSBL blacklist.
> 
> > Will I break anything if I move the test for SMTP authentication to the
> > beginning of the ACL?
> 
> I think moving it to the beginning of the ACL is not a good idea; there
> are a number of checks where special-casing of relayed messages does not
> make sense, e.g.
> 
> - accepting undeliverable mail.
> - accepting blacklisted from. (e.g. viruses)
> etc.

Agreed.

> I'd suggest moving accept authenticated = * after
> 
> .ifdef CHECK_RCPT_REVERSE_DNS
> ...
> .endif
> 
> Thoughts?

Tony's configuration from Cambridge does sender verification after
accepting authenticated senders, so that authenticated senders
receive a bounce to their inbox instead of having the message rejected
(and the SMTP error message probably hidden from them by their
"user-friendly" MUA). I am not sure whether we should go with Tony's
idea, which surely is appropriate for the University.

> BTW, I wonder whether we should add
> control = submission/sender_retain
> to the 'accept authenticated = *' statement.[1]

Since we set local_from_check = false and local_sender_retain = true
globally by default, setting submission/sender_retain is a no-op for
our default configuration.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
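
The ordering trade-off discussed in this thread, as an added example that is not part of the original message or of the Debian configuration: a toy first-match evaluator comparing the stock order, authentication first, and authentication after the reverse-DNS block. The rule labels, the relative positions of the sender and DNSBL checks, and the scenarios are assumptions constructed for illustration.

```python
# Toy model of first-match ACL evaluation; constructed for illustration,
# not Exim's implementation and not the Debian configuration file itself.

# Rule = (label, verb, condition). Only "accept" and "deny" end processing.
RULES = {
    "sender": ("blacklisted sender", "deny", lambda m: m["sender_blacklisted"]),
    "rdns": ("CHECK_RCPT_REVERSE_DNS block", "warn", lambda m: True),
    "dnsbl": ("DNSBL check", "deny", lambda m: m["dnsbl_listed"]),
    "auth": ("authenticated = *", "accept", lambda m: m["authenticated"]),
    "relay": ("relay not permitted", "deny", lambda m: True),
}

# Assumed relative order of the checks; the thread only fixes part of it.
ORDERINGS = {
    "stock": ["sender", "rdns", "dnsbl", "auth", "relay"],
    "auth_first": ["auth", "sender", "rdns", "dnsbl", "relay"],
    "after_rdns": ["sender", "rdns", "auth", "dnsbl", "relay"],
}

# Constructed RCPT scenarios, each addressed to a non-local (relay) recipient.
SCENARIOS = {
    "auth_on_dnsbl": {"authenticated": True, "dnsbl_listed": True,
                      "sender_blacklisted": False},
    "auth_bad_sender": {"authenticated": True, "dnsbl_listed": False,
                        "sender_blacklisted": True},
    "anon_relay": {"authenticated": False, "dnsbl_listed": False,
                   "sender_blacklisted": False},
}


def evaluate(ordering, msg):
    """Return (verdict, label) of the first accept/deny rule that matches."""
    for key in ORDERINGS[ordering]:
        label, verb, cond = RULES[key]
        if verb in ("accept", "deny") and cond(msg):
            return verb, label
    # An ACL that runs off its end without a decision results in deny.
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    for ordering in ORDERINGS:
        for name, msg in SCENARIOS.items():
            verdict, label = evaluate(ordering, msg)
            print(f"{ordering:11} {name:16} -> {verdict:6} ({label})")
```

Only the `after_rdns` ordering both lets the DNSBL-listed authenticated client through and still rejects the blacklisted sender; `auth_first` accepts both.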


