Hello!
I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.
I'm trying to deny users successful authentication if they connect not
from the internal network but from the Internet. At the same time, I
have a file with exception users.
server_condition is used to deny authentication. At the same time, this
works for CRAM_MD5, but does not work for PLAIN (an error message
appears in the log, but the message is sent as coming from an authorized
user).
Used macros:
LAN = 127.0.0.1 : ::::1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8
AUTH_EXCEPTIONS = CONFDIR/auth_exceptions
And here is my auth config:
dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
What could be wrong with PLAIN?
There are also notes for PLAIN in the documentation: "This option must
be set for a plaintext server authenticator, where it is used directly
to control authentication. See section 34.3 for details." I don't know
how to apply or bypass this in my case.
Maybe there is some other way to implement my idea with authentication
rejection?
Thanks!
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
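
One way to enforce the policy described in the message above independently of the SASL mechanism is an ACL check at MAIL time. This is an added example, not part of the original post or of any reply to it. It reuses the post's LAN and AUTH_EXCEPTIONS macros and assumes that acl_smtp_mail points to an ACL named acl_check_mail and that each authenticator sets server_set_id as shown in the post.

```exim
# Added example (not from the original post).
# Assumption: the main configuration contains
#   acl_smtp_mail = acl_check_mail
# and this statement is placed before any "accept" in that ACL.
# LAN and AUTH_EXCEPTIONS are the macros defined in the post.

acl_check_mail:

  # Refuse mail from a session that authenticated from outside the
  # internal networks, unless the authenticated id is in the exception file.
  # $authenticated_id holds the value saved by server_set_id, so the same
  # rule covers CRAM-MD5, LOGIN and PLAIN.
  deny
    message     = Authenticated submission is not permitted from this address
    log_message = auth policy: id=$authenticated_id host=$sender_host_address \
                  is outside the internal networks and not in the exception file
    # Only sessions that completed AUTH are affected.
    authenticated = *
    # Connecting host is not in the internal address list.
    !hosts = LAN
    # The exception file is missing, or the id is not listed in it.
    # and{} stops at the first false sub-condition, so the lookup is
    # not attempted when the file does not exist.
    !condition = ${if and{ {exists{AUTH_EXCEPTIONS}} \
                   {eq{${lookup{$authenticated_id}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}} }}

  # The remaining statements of the existing ACL follow here unchanged.
```

With this check the AUTH command itself still reports success and the session is refused at MAIL FROM, so a client connecting from outside can still tell whether a password was valid. The message texts avoid the macro names because Exim substitutes macros anywhere on a non-comment configuration line.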