tower wrote:
On 10/13/2011 11:30 AM, tower wrote:
On 10/13/2011 10:58 AM, W B Hacker wrote:
tower wrote:
Hi
I want to allow sending mail without authentication for single account.
I'm trying to not add another IP to relay_from_hosts, beacuse many
normal users send from that IP. How can I gently modify my acl.conf to
do that?
#************************************
acl_check_mail_submission:
#************************************
accept hosts = +relay_from_hosts
require message = Please turn on authentication in
your email client.
authenticated = *
deny message = Mailbox $authenticated_id is
disable. Please contact with number xx-xxxxxx
condition = ${if eq \
{0} \
{${lookup mysql {SELECT
active FROM mailbox \
WHERE
username='${quote_mysql:$authenticated_id}'} \
}} \
}
control = dkim_disable_verify
accept
Have you considered using the same IP, and/or an uncommon port and
protocol for that one account?
Non-routable IPv6 if local, for example.
Even so, I'd want to use matching PEM certs.
You only have to configure the submitter to do SOME form of auth ONCE.
Opening the door to compromise OTOH, can lead to a great deal more work.
HTH,
Bill
Unfortunately that account is configured on very old MFP, which is
sending emails only to port 25 and of course without authentication.
Can i use something like that:
#************************************
acl_check_mail_submission:
#************************************
accept hosts = +relay_from_hosts
*accept local_parts = dumbaccount
domains = example.com*
require message = Please turn on authentication in your email client.
authenticated = *
deny message = Mailbox $authenticated_id is disable. Please contact
with number xx-xxxxxx
condition = ${if eq {0} {${lookup mysql {SELECT active FROM mailbox
WHERE username='${quote_mysql:$authenticated_id}'}}}}
control = dkim_disable_verify
accept
The order is right?
No, I can't do that, log says:
rejected MAIL [email protected]: cannot test local_parts condition
in MAIL ACL
You do not have to do so.
Save anything not already being preserved into variables, transfer any
acl_c into acl_m at the appropriate point if need be.
THEN apply the test anytime before end of acl_smtp_data phase.
Earlier is better as far as freeing-up resources, but if you are looking
for a COMBINATION of conditions to be met or failed, you have to wait
'til ALL votes can be counted.
Don't forget that having SQL already handy can allow you to do some
non-standard and creative stuff.
If you cannot change the submission port and protocol of the sending
fossil, what about format or content?
Think of how MLM's do that in their 'administrivia', and look at use of
an X-header, body preamble, body footer, attachment, 'token' or PGP sig.
HTH,
Bill
--
韓家標
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
