[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions

Vitezslav Kotrla vitko at post.cz
Tue Apr 22 12:34:01 UTC 2008


Marc Haber wrote on Tue 22. 04. 2008 at 12:34 +0200:
 
> > My problem is that I need to set up following:
> > 
> >  1) Mandatory SMTP AUTH + TLS for virtual users' MUAs (simply said: no
> >  authentication, no delivery).
> 
> Not even a delivery to addresses hosted on the same machine? How are
> messages coming in from the internet accepted?

Thanks for your reply!

Messages from the internet sent to mailboxes on my server will be delivered
using the security appliance described below. (My machine hosts 3rd domain
mailboxes, whereas the security appliance is defined as MX for the 2nd level
domain. Mail for the 3rd level domain should end up on the 2nd level MX
automatically as there will be no explicit MX for the 3rd level and the
appliance will forward 3rd level domain SMTP traffic to my server.)

> >  2) As an exception to rule (1) to enable non authenticated plain SMTP
> >  for _one_ specific host (ip address). That host (actually antispam
> >  and antivir security appliance) will act as smarthost and will also
> >  route incoming MTA traffic to my server (a kind of "bi-directional
> >  smarthost").
> 
> If you can live with your users being able to mail themselves and each
> other without authentication
...
> If you want authentication even for local mail

Did you mean 'local' related to domain managed by exim (mailboxes with
domain address), or 'local' related to system, e.g. login users?

All mail enabled users are virtual, I keep mailboxes on my server so the
real people can access their mail using SSL IMAP and also send e-mail to
the rest of the world using SMTP + TLS, provided they have
authenticated.

> you need to change your acl_check_rcpt.
...
> so that the ACL reads
> 
>   accept
>     authenticated = *
>     control = submission/sender_retain
> 
>   deny
>     message = authentication required
> 
> The rest of the ACL will thus never be looked at again.

Does this mean: IF not authenticated, THEN deny? And if ACL statement
says 'deny', is it really final and no other ACLs are processed?

Then I also need

	accept   hosts = my.security.appliance

in front of your statements to get this ACL flow:

1) is the SMTP traffic coming from my.security.appliance? Accept
unconditionally and stop other ACL tests (how do I do the latter?)

2) can sender authenticate? Accept unconditionally (we trust our users),
no other ACL tests required.

3) (and this is where I'm a bit lost) Accept any locally generated
non-SMTP messages (e.g. cron scripts reports).

As a last step I need to put all this into exim4.conf.template; any
idea how to integrate all this smoothly into the debianized configuration?


Vit
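
The ACL flow discussed in this message, written out as an added example; it is not part of the original post and is not Marc Haber's or Debian's own configuration. It assumes the appliance's address is 192.0.2.10 (a constructed placeholder) and that the ACL names `acl_check_rcpt` and `acl_check_not_smtp` are the ones wired to `acl_smtp_rcpt` and `acl_not_smtp`.

```exim
# Main configuration section (assumed ACL names):
# acl_smtp_rcpt runs for every SMTP RCPT command;
# acl_not_smtp runs for messages submitted without SMTP (e.g. cron mail).
acl_smtp_rcpt = acl_check_rcpt
acl_not_smtp  = acl_check_not_smtp

begin acl

acl_check_rcpt:
  # 1) The security appliance may relay without authentication.
  #    An accept whose conditions all match ends this ACL immediately.
  #    An IP address is used so the decision does not depend on DNS.
  #    192.0.2.10 is a constructed placeholder.
  accept
    hosts = 192.0.2.10

  # 2) Virtual users: accepted only if the session is both
  #    TLS-protected and authenticated.
  accept
    encrypted = *
    authenticated = *
    control = submission/sender_retain

  # 3) Everything else is refused. A deny with no conditions always
  #    matches, so no later statement in this ACL is evaluated.
  deny
    message = authentication required

acl_check_not_smtp:
  # Locally generated non-SMTP messages never reach acl_check_rcpt.
  # Leaving acl_not_smtp unset also results in acceptance; the explicit
  # ACL just makes that decision visible in the configuration.
  accept
```

The order of the statements matters: the ACL is evaluated top to bottom and stops at the first accept or deny whose conditions are all met, so the host exception must precede the unconditional deny.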



