I found where the problem was!

It turns out that the Thunderbird mail client uses two types of authentication with an unencrypted password at the same time: PLAIN and LOGIN. First it tries PLAIN (and my condition just worked correctly and there was a standard entry about "Incorrect authentication data" in the log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a condition) and the mail was successfully sent. Yesterday I did not pay attention to the authenticator of the second (successful) authentication attempt in the log, where instead of PLAIN there was already LOGIN.

Summarizing everything, it is correct to immediately add conditions to all authenticators.

Thank you all for your participation and help!

P.S. I love Exim because it allows me to implement all my ideas... :)

Here is the resulting auth config (in case it comes in handy for someone):

dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}


31.03.2023 14:39, Jeremy Harris via Exim-users wrote:
> On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
>> I'm trying to deny users successful authentication if they connect not from the internal network but from the Internet. At the same time, I have a file with exception users.
>>
>> server_condition is used to deny authentication. At the same time, this works for CRAM_MD5, but does not work for PLAIN (an error message appears in the log, but the message is sent as coming from an authorized user).
>
> What error message?  In what fashion does it "not work"?
> Show us an example.  Use the debug facilities (quite likely,
> doing that will show you where your issue is).
>
>
>> There are also notes for PLAIN in the documentation: "This option must be set for a plaintext server authenticator, where it is used directly to control authentication. See section 34.3 for details." I don't know how to apply or bypass this in my case.
>
> As it says, for a plaintext authenticator.  You are not using one,
> you are using dovecot authenticators.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
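The lesson of the thread is that a restriction placed on one authenticator is bypassed as soon as a client falls back to another one that lacks it. The following script is an added example (not the poster's config or Exim's own code) that audits an Exim authenticators section and lists every authenticator without a server_condition; the config embedded in it is constructed to mirror the "before" state described above, where LOGIN was left unguarded.

```python
import re

# Constructed sample (hypothetical, not the poster's final config):
# CRAM-MD5 and PLAIN carry a server_condition, LOGIN does not.
SAMPLE_CONFIG = """\
dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_condition = ${if match_ip{$sender_host_address}{LAN}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_condition = ${if match_ip{$sender_host_address}{LAN}}
"""

def parse_authenticators(config):
    """Return {name: {option: value}} for each 'name:' block of an Exim
    authenticators section. Handles 'key = value' lines, blank lines and
    '#' comments only (no macros, no line continuations)."""
    auths, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+):", line)
        if m:                       # start of a new authenticator block
            current = m.group(1)
            auths[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        auths[current][key.strip()] = value.strip()
    return auths

def unguarded_authenticators(config):
    """Names of authenticators with no server_condition: a client falling
    back to one of these (e.g. PLAIN -> LOGIN) skips the restriction."""
    auths = parse_authenticators(config)
    return sorted(n for n, o in auths.items() if "server_condition" not in o)

if __name__ == "__main__":
    for name in unguarded_authenticators(SAMPLE_CONFIG):
        print(f"{name}: missing server_condition")
```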