On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
> I'm hot in pursuit of my time-limited ACL. I've run into yet another
> stumbling block; my exim config allows local users to send mail without
> authentication.
>
> Can I get a couple of hints on how to configure exim to:
>
> 1. Allow unlimited receipt of emails for the local domains
> 2. Require local users to authenticate at all times
> 3. Prevent open relaying
>
> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
> somewhat contradictory as I would like to authenticate all local users,
> even if they're sending local email.
So your children haven't yet figured out how to create a Gmail account and send mail via Submission on that, back in? Or are you firewalling 25 and 587 outbound except from the mailbox? Note that firewalling off 587 is normally "unfriendly" by ISPs, but it's your house and your rules. I hope you don't have work-related household visitors who expect to be able to handle mail ...

As long as you have inbound unauthenticated, outbound authentication for the purposes of controlling sending at all is problematic; authentication for making sure that those who wish to send mail have credentials to do so is another matter, and useful for those trying to enforce accountability and reduce spam-sources within their organisations.

You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL name); because some clients allegedly get upset by 4xx/5xx failures on MAIL, rather than reject there you reject at RCPT stage. Something like this (untested):

----------------------------8< cut here >8------------------------------
# main section:
hostlist home_net = 192.0.2.0/24
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
#...

begin acl

acl_check_mail:
  # Defaults for every connection; acl_check_rcpt reads these later.
  warn   set acl_c_denied_by_mail = no
         set acl_c_dbm_message = Because my configs are broken

  # Mail arriving from outside the house is not subject to the submission rules.
  accept hosts = !+home_net

  # Home hosts that did not connect to the submission port: record the
  # verdict but still accept here, so the rejection happens at RCPT time.
  accept hosts = +home_net
         condition = ${if !={$received_port}{587}}
         set acl_c_denied_by_mail = yes
         set acl_c_dbm_message = You should use the submission port (587) to send email

  # Home hosts on 587 that have not authenticated: same treatment.
  accept hosts = +home_net
         !authenticated = *
         set acl_c_denied_by_mail = yes
         set acl_c_dbm_message = Papers, please.

  accept

# This one will already exist
acl_check_rcpt:
  deny   condition = $acl_c_denied_by_mail
         message = $acl_c_dbm_message

  # ALL THE REST OF THE EXISTING ACL GOES HERE
----------------------------8< cut here >8------------------------------

Note that you're just adding an extra rejection step at the start of acl_check_rcpt, so if you keep all the rest of that logic the same then you won't risk an open mail relay (unless you're already an OMR).

Regards,
-Phil
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
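As an added illustration, not part of Phil's post, here is a small Python model of the two-stage ACL logic above, run over a few constructed sessions; it assumes the "rest of the existing ACL" is a typical accept-authenticated / accept-local-domains / deny chain, and the host addresses and ports are made up for the walk-through.

```python
import ipaddress

# Constructed model of the two-stage ACL in the post: acl_check_mail only records
# a verdict in connection variables and acl_check_rcpt applies it. Not Exim itself.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # hostlist home_net from the post
SUBMISSION_PORT = 587

def acl_check_mail(session):
    """Return the acl_c_* variables as they stand after acl_check_mail.
    Every branch ends in 'accept', so no client sees a 4xx/5xx on MAIL."""
    acl_c = {"denied_by_mail": "no", "dbm_message": "Because my configs are broken"}
    if ipaddress.ip_address(session["host"]) not in HOME_NET:
        return acl_c                                 # accept hosts = !+home_net
    if session["received_port"] != SUBMISSION_PORT:  # home host, but not on 587
        acl_c["denied_by_mail"] = "yes"
        acl_c["dbm_message"] = "You should use the submission port (587) to send email"
        return acl_c
    if not session["authenticated"]:                 # hosts = +home_net  !authenticated = *
        acl_c["denied_by_mail"] = "yes"
        acl_c["dbm_message"] = "Papers, please."
    return acl_c                                     # final accept

def acl_check_rcpt(session, acl_c):
    """New first statement from the post, then an assumed pre-existing RCPT ACL:
    accept authenticated senders, accept local domains, deny everything else."""
    if acl_c["denied_by_mail"] == "yes":             # deny condition = $acl_c_denied_by_mail
        return "deny", acl_c["dbm_message"]          #      message   = $acl_c_dbm_message
    if session["authenticated"]:                     # accept authenticated = *
        return "accept", ""
    if session["recipient_local"]:                   # accept domains = +local_domains
        return "accept", ""
    return "deny", "relay not permitted"             # deny message = relay not permitted

def rcpt_verdict(host, received_port, authenticated, recipient_local):
    """Run MAIL then RCPT for one constructed session; return (verb, message)."""
    session = {"host": host, "received_port": received_port,
               "authenticated": authenticated, "recipient_local": recipient_local}
    return acl_check_rcpt(session, acl_check_mail(session))

if __name__ == "__main__":
    for case in [("203.0.113.9", 25, False, True),   # inbound mail for a local domain
                 ("203.0.113.9", 25, False, False),  # outside host trying to relay
                 ("192.0.2.20", 25, False, True),    # household PC on port 25, no auth
                 ("192.0.2.20", 587, False, True),   # submission port, but no auth
                 ("192.0.2.20", 587, True, False)]:  # authenticated submission, relays
        print(case, "->", rcpt_verdict(*case))
```

The five cases map onto Yan's three requirements: inbound mail for local domains is accepted, unauthenticated home hosts are refused at RCPT with the message recorded at MAIL, and relaying still needs authentication.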