Phil Pennock wrote:
> On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
>
>> I'm hot in pursuit of my time-limited ACL. I've run into yet another
>> stumbling block; my exim config allows local users to send mail without
>> authentication.
>>
>> Can I get a couple of hints on how to configure exim to:
>>
>> 1. Allow unlimited receipt of emails for the local domains
>> 2. Require local users to authenticate at all times
>> 3. Prevent open relaying
>>
>> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
>> somewhat contradictory as I would like to authenticate all local users,
>> even if they're sending local email.
>>
>
> So your children haven't yet figured out how to create a Gmail account
> and send mail via Submission on that, back in? Or are you firewalling
> 25 and 587 outbound except from the mailbox? Note that firewalling off
> 587 is normally "unfriendly" by ISPs, but it's your house and your
> rules. I hope you don't have work-related household visitors who expect
> to be able to handle mail ...
>
It's a sort of "because I can" - it teaches me a lot about proxies, ACLs,
and so on, and when my kids get to the point of hacking around my
assorted firewalls and proxies we'll all learn together. Know a better
way to learn? ;-)
> As long as you have inbound unauthenticated, outbound authentication for
> the purposes of controlling sending at all is problematic;
> authentication for making sure that those who wish to send mail have
> credentials to do so is another matter, and useful for those trying to
> enforce accountability and reduce spam-sources within their
> organisations.
>
I definitely want to do the latter.

> You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
> name); because some clients allegedly get upset by 4xx/5xx failures on
> MAIL, rather than reject there you reject at RCPT stage.
>
Thanks. I'll play with it.

> Something like this (untested):
>
> ----------------------------8< cut here >8------------------------------
> # main section:
> hostlist home_net = 192.0.2.0/24
> acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> #...
> begin acl
>
> acl_check_mail:
>
>   # Reset the connection-scoped flags at every MAIL command.
>   warn   set acl_c_denied_by_mail = no
>          set acl_c_dbm_message = Because my configs are broken
>
>   # Hosts outside the home network are left to acl_check_rcpt entirely.
>   accept hosts = !+home_net
>
>   # Home hosts on any port other than 587: accept MAIL, but flag the
>   # session so acl_check_rcpt rejects it with an explanation.
>   accept hosts = +home_net
>          condition = ${if !={$received_port}{587}}
>          set acl_c_denied_by_mail = yes
>          set acl_c_dbm_message = You should use the submission port (587) to send email
>
>   # Home hosts on 587 that have not authenticated: same treatment. This
>   # must be accept, not deny, or the rejection happens at MAIL and the
>   # message set here is never shown.
>   accept hosts = +home_net
>          !authenticated = *
>          set acl_c_denied_by_mail = yes
>          set acl_c_dbm_message = Papers, please.
>
>   accept
>
> # This one will already exist
> acl_check_rcpt:
>
>   deny   condition = $acl_c_denied_by_mail
>          message = $acl_c_dbm_message
>
>   # ALL THE REST OF THE EXISTING ACL GOES HERE
> ----------------------------8< cut here >8------------------------------
>
> Note that you're just adding an extra rejection step at the start of
> acl_check_rcpt, so if you keep all the rest of that logic the same then
> you won't risk an open mail relay (unless you're already an OMR).
>
> Regards,
> -Phil
>

-- 
Yan Seiner
Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
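A way to check the three requirements from the thread (unauthenticated delivery to the local domains, authentication for home-network senders, no open relay) against a running server, as an added example that is not part of the thread or of Exim itself. It speaks plain SMTP with Python's smtplib and only looks at the reply codes for MAIL and RCPT, because the quoted ACL is written to reject at RCPT and never at MAIL. The server name, addresses and credentials are placeholders you must replace; it also assumes Exim listens on 25 and 587 (daemon_smtp_ports) and that the existing acl_check_rcpt already accepts relaying for authenticated clients. Run it once from outside home_net and once from inside with --home.

```python
"""Probe an Exim relay/submission policy from a given vantage point.

Added example for the exim-users thread; not code from the thread or
from Exim. Every name below is a placeholder to be replaced.
"""
import smtplib

SERVER = "mail.example.invalid"            # assumed: the Exim host under test
LOCAL_RCPT = "someone@example.invalid"     # assumed: a domain Exim accepts mail for
REMOTE_RCPT = "someone@example.org"        # assumed: a domain it must not relay to
SENDER = "probe@example.invalid"
CREDENTIALS = ("user", "password")         # assumed: a real local account

OK = "ok"
REJECTED_AT_MAIL = "rejected at MAIL, policy is meant to reject at RCPT"
ACCEPTED_WRONGLY = "accepted, should have been rejected"
REFUSED_WRONGLY = "rejected, should have been accepted"
TEMPFAIL = "temporary failure, retest"


def smtp_codes(host, port, rcpt, auth=None, timeout=10):
    """Run EHLO/[STARTTLS]/[AUTH]/MAIL/RCPT and return (mail_code, rcpt_code).

    rcpt_code is None when MAIL was already refused. The connection is
    closed with QUIT when the with-block ends.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
        if auth:
            s.login(*auth)              # raises if AUTH is refused/not offered
        mail_code, _ = s.mail(SENDER)
        rcpt_code = None
        if mail_code == 250:
            rcpt_code, _ = s.rcpt(rcpt)
        return mail_code, rcpt_code


def verdict(expect_accept, mail_code, rcpt_code):
    """Compare one probe's reply codes with what the policy should do."""
    if mail_code != 250:
        return REJECTED_AT_MAIL          # the quoted ACL defers all rejection to RCPT
    if rcpt_code == 250:
        return OK if expect_accept else ACCEPTED_WRONGLY
    if 400 <= rcpt_code < 500:
        return TEMPFAIL                  # greylisting or a defer, not a policy answer
    return REFUSED_WRONGLY if expect_accept else OK


def scenarios(from_home_net):
    """(label, port, auth, recipient, expect_accept) for one vantage point."""
    if from_home_net:
        return [
            # Port 25 from home must be flagged "use the submission port".
            ("home, port 25, no auth", 25, None, LOCAL_RCPT, False),
            # Port 587 without AUTH must get "Papers, please", even for local mail.
            ("home, port 587, no auth", 587, None, LOCAL_RCPT, False),
            # Authenticated on 587: relaying to a remote domain is allowed.
            ("home, port 587, auth, remote", 587, CREDENTIALS, REMOTE_RCPT, True),
        ]
    return [
        # Requirement 1: anyone may deliver to the local domains.
        ("outside, local domain", 25, None, LOCAL_RCPT, True),
        # Requirement 3: an outside host must not be able to relay.
        ("outside, relay attempt", 25, None, REMOTE_RCPT, False),
    ]


def run(from_home_net):
    """Execute the scenarios for one vantage point; returns {label: verdict}."""
    results = {}
    for label, port, auth, rcpt, expect in scenarios(from_home_net):
        try:
            mail_code, rcpt_code = smtp_codes(SERVER, port, rcpt, auth)
            results[label] = verdict(expect, mail_code, rcpt_code)
        except (smtplib.SMTPException, OSError) as exc:
            results[label] = "error: %s" % exc
        print("%-32s %s" % (label, results[label]))
    return results


if __name__ == "__main__":
    import sys
    run(from_home_net="--home" in sys.argv)
```

The only result that means "open relay" is ACCEPTED_WRONGLY on the "outside, relay attempt" line; the same verdict on a home-network line means the port or authentication check is not firing. If you have a shell on the server, Exim's own `exim -bh <address>` runs a fake SMTP session from that address on standard input without any network traffic, and `-oMi <address.port>` sets $received_ip_address and $received_port so the 587 check can be exercised too; that is the quicker way to iterate on the ACL before testing from real hosts.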