[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions

Marc Haber mh+pkg-exim4-users at zugschlus.de
Tue Apr 22 13:00:12 UTC 2008


On Tue, Apr 22, 2008 at 02:34:01PM +0200, Vitezslav Kotrla wrote:
> Marc Haber wrote on Tue 22. 04. 2008 at 12:34 +0200:
> > > My problem is that I need to set up following:
> > > 
> > >  1) Mandatory SMTP AUTH + TLS for virtual users' MUAs (simply said: no
> > >  authentication, no delivery).
> > 
> > Not even a delivery to addresses hosted on the same machine? How are
> > messages coming in from the internet accepted?
> 
> Thanks for your reply!
> 
> Messages from the internet sent to mailboxes on my server will be delivered
> using the security appliance described below.

And that's the only way in?

> > >  2) As an exception to rule (1) to enable non authenticated plain SMTP
> > >  for _one_ specific host (ip address). That host (actually antispam
> > >  and antivir security appliance) will act as smarthost and will also
> > >  route incoming MTA traffic to my server (a kind of "bi-directional
> > >  smarthost").
> > 
> > If you can live with your users being able to mail themselves and each
> > other without authentication
> ...
> > If you want authentication even for local mail
> 
> Did you mean 'local' related to domain managed by exim (mailboxes with
> domain address), or 'local' related to system, e.g. login users?

"Local" means that a message will be delivered by the exim in question
to a mailbox or some other storage, contrary to the MTA forwarding the
message somewhere, for example via SMTP.

> > you need to change your acl_check_rcpt.
> ...
> > so that the ACL reads
> > 
> >   accept
> >     authenticated = *
> >     control = submission/sender_retain
> > 
> >   deny
> >     message = authentication required
> > 
> > The rest of the ACL will thus never be looked at again.
> 
> Does this mean: IF not authenticated, THEN deny?

Yes. The mail gateway will be able to deliver to the box by virtue of
the relay_nets clause that I didn't show here.

>  And if an ACL statement says 'deny', is it really final and no other
>  ACLs are processed?

It is really final for this recipient, resulting in a 550 reply.

> Then I also need
> 
> 	accept   hosts = my.security.appliance
> 
> in front of your statements to get this ACL flow:

That's already in the default ACL.

> 1) is the SMTP traffic coming from my.security.appliance? Accept
> unconditionally and stop other ACL tests (how do I do the latter?)

Yes.

> 2) can sender authenticate? Accept unconditionally (we trust our users),
> no other ACL tests required.

Yes.

> 3) (and this is where I'm a bit lost) Accept any locally generated
> non-SMTP messages (e.g. cron scripts reports).

accept hosts = :

You might want to add 127.0.0.1 as well.

> As a last step I need to put all this into exim4.conf.template, any
> idea how to integrate all this smoothly on a debianized configuration?

Editing exim4.conf.template is as smooth as you can get with a
non-split config.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
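The four-step ACL flow agreed on in the thread (trusted appliance, authenticated users, locally generated non-SMTP mail, deny everything else), written out as one acl_check_rcpt fragment. This is an added illustration, not configuration posted by either participant and not the Debian exim4 template itself; the appliance address 192.0.2.10 and the hostlist name relay_from_hosts are placeholders/assumptions, and the fragment is meant to replace the recipient ACL in exim4.conf.template on a non-split config, as discussed above.

```exim
# Assumed placeholder for the security appliance's IP; in the Debian
# template this list is normally fed from the MAIN_RELAY_NETS macro.
hostlist relay_from_hosts = 192.0.2.10

acl_check_rcpt:

  # Locally generated, non-SMTP messages (cron reports, command-line
  # submissions) arrive with an empty host list, which ":" matches.
  # 127.0.0.1 is listed as well so loopback SMTP submissions get through.
  accept
    hosts = : 127.0.0.1

  # The antispam/antivirus appliance is the only unauthenticated SMTP
  # peer allowed in either direction; nothing else in this ACL applies.
  accept
    hosts = +relay_from_hosts

  # Any successfully authenticated MUA is trusted to relay; the
  # submission control fixes up headers as for a client submission.
  accept
    authenticated = *
    control = submission/sender_retain

  # Final: unauthenticated clients get a 550 for every recipient.
  deny
    message = authentication required
```

Order matters: every `accept` ends ACL processing for that recipient, so the trusted-host and authenticated checks must precede the closing `deny`, and nothing after the `deny` is ever evaluated. Requiring TLS before authentication (the "AUTH + TLS" part of the original requirement) is usually done in the authenticator with `server_advertise_condition`, so AUTH is only offered on an encrypted connection; the ACL above only checks that authentication succeeded.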
