Here's the full authenticator:
begin authenticators

login:
  driver = plaintext
  server_set_id = $auth1
  server_prompts = <| Username: | Password:
  server_advertise_condition = ${if def:tls_in_cipher }
  server_condition = ${if and{ \
      { !eq{}{$auth1} } \
      { ldapauth { \
          user=${lookup
          ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com"
          pass="password" ldaps://
          auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}}
          \
          pass=${quote:$auth2} \
          ldaps://auth.example.com/ \
        } \
      } \
    } \
  }

I'm unsure how much of the exim.conf file you'd like me to post--it's
three-hundred-some lines. Here's the ACL which checks for authentication:

acl_check_rcpt:

  accept  hosts = :
          control = dkim_disable_verify

  deny    message = Sender address $sender_address denied - contact IT Services for assistance
          senders = +deny_from_senders

  discard message = Sender address $sender_address discarded - contact IT Services for assistance
          senders = +discard_from_senders

  deny    message = Unauthorized use of SMTPA by $authenticated_id - contact IT Services for assistance
          authenticated = *
          condition = ${lookup {$authenticated_id}lsearch{/etc/exim/allowed_accounts}{no}{yes} }
          log_message = auth_rejection not_allowed $authenticated_id

  deny    message = Encrypted connection required - contact IT Services for assistance
          !encrypted = *
          condition = ${if ={$interface_port}{587}}

  deny    message = Authentication required - contact IT Services for assistance
          !authenticated = *
          condition = ${if ={$interface_port}{587}}

  deny    message = Restricted characters in address - contact IT Services for assistance
          domains = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  deny    message = Over rate limit for host $sender_host_address
          log_message = ratelimit_deny: sender host rate for $sender_host_address is $sender_rate / $sender_rate_period
          hosts = !+skip_all_ratelimit : !+skip_host_ratelimit
          ratelimit = ${eval:RATELIMIT_THRESHOLD*2} / RATELIMIT_PERIOD / strict

  defer   message = Over rate limit for host $sender_host_address
          log_message = ratelimit_defer: sender host rate for $sender_host_address is $sender_rate / $sender_rate_period
          hosts = !+skip_all_ratelimit : !+skip_host_ratelimit
          ratelimit = RATELIMIT_THRESHOLD / RATELIMIT_PERIOD / strict

  defer   message = Over rate limit for sender $sender_address
          log_message = ratelimit_defer: sender address rate for $sender_address is $sender_rate / $sender_rate_period
          hosts = +enforce_sender_ratelimit : !+skip_all_ratelimit : !+accept_from_mta_hosts
          senders = !+skip_sender_ratelimit
          ratelimit = RATELIMIT_THRESHOLD / RATELIMIT_PERIOD / strict / key=$sender_address

  warn    add_header = X-UALR-Submitted-From: $sender_host_address

  deny    message = Restricted characters in address - contact IT Services for assistance
          domains = !+local_domains
          local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts = postmaster
          domains = +local_domains

  require verify = sender

  accept  hosts = +accept_from_mta_hosts
          control = dkim_disable_verify

  accept  hosts = +accept_from_mua_hosts
          control = submission/sender_retain
          control = dkim_disable_verify

  accept  authenticated = *
          control = submission
          control = dkim_disable_verify

  require message = Initial HELO is required - contact IT Services for assistance
          condition = ${if def:sender_helo_name}

  require message = Relay not permitted - contact IT Services for assistance
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept

Thanks,
John A
On Thu, Apr 10, 2025 at 11:07 AM Jeremy Harris via Exim-users <
[email protected]> wrote:
> On 2025/04/10 4:43 PM, Johnnie W Adams via Exim-users wrote:
> > So the bind authorization is succeeding, which leaves me with the question
> > of why I can do a 'real' authentication with the account 'foo' and the
> > password 'foo':
>
> So you need to look at how that result is being used, with reference
> to the requirements of that authenticator driver and your config.
>
> Which you haven't shown us.
> --
> Cheers,
> Jeremy
>
> --
> ## subscription configuration (requires account):
> ##
> https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ## [email protected]
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | [email protected] | http://ualr.edu/itservices
*UA Little Rock*