Re: exim and relaying -- for ONE user
will trillich wrote:
> could you be a little less specific? (just kidding. ;)
>
> "You set up your server to support TLS"... at which point i
> start slamming the oven door on my head again.

Really, it's not that hard. apt-get install -tls. They set up certs for you. I went the extra mile to set up myself as a top-level CA (http://kitenet.net/~joey/ca/), but that is strictly optional.

I used openssl to convert my laptop's /etc/exim/exit.crt to a fingerprint, and added the fingerprint to /etc/postfix/relay_clientcerts on the server:

    00:EE:19:03:A5:01:B3:F6:16:BE:5A:C4:10:AA:E7:BE dragon

To /etc/postfix/main.cf on the server I added these lines:

    smtpd_use_tls = yes
    smtpd_tls_ask_ccert = yes
    smtpd_recipient_restrictions = permit_tls_clientcerts,permit_mynetworks,check_relay_domains
    relay_clientcerts = hash:/etc/postfix/relay_clientcerts
    smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache

I used postmap to hash the relay_clientcerts file.

> and how does he generate such a certificate? (he's using
> microso~1 outhouse, of course.)

Oh, I had assumed your friend was using free software. No idea how or if you can use TLS with proprietary software, sorry.

--
see shy jo
Re: exim and relaying -- for ONE user
On Mon, Feb 03, 2003 at 09:58:50PM -0500, Joey Hess wrote:
> will trillich wrote:
> > is there some way to further restrict the relaying? i DO NOT
> > want any black hats turning my server into spam-o-rama.
> > ideas welcome.
>
> As an alternative to the SMTP auth stuff proposed by others, I
> suggest you just set up TLS and use certificate based
> authentication. It works like this:
>
> Your friend sets up his mail client to use TLS for outgoing
> mail and relay through your server. You set up your server to
> support TLS for incoming mail (at least). Your friend
> generates a SSL certificate and private key for his mail
> server to use, and sends you the certificate. Then you set up
> your server to allow relaying for TLS connections set up using
> that certificate.

could you be a little less specific? (just kidding. ;)

"You set up your server to support TLS"... at which point i start slamming the oven door on my head again.

and how does he generate such a certificate? (he's using microso~1 outhouse, of course.)

aside from "apt-get install exim-tls" there must be much handwaving to do. i've even dragged my eyeballs over engelschall's mod_ssl documentation (it's for apache, but the concepts are no doubt similar) for hours and hours and it reads as doctoral level stuff to my third-grade education, as clear as trying to read wiles' proof of fermat's last theorem.

> I have a setup like this for all of my laptops and other
> devices on dynamic or varying IP addresses; each computer has
> its own certificate, and uses exim; my server uses postfix
> which is easy to set up to allow relaying based on SSL
> certificates.

i'd like to stay with exim -- i think -- after having invested this much in getting it to do as much as it does. :)

your situation sounds like exactly what i'm looking for. if i can find the right shoehorn to cram that ssl stuff into my brain, i might be able to move forward.

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #116 from Karsten M. Self <[EMAIL PROTECTED]>
:
Wondering WHICH PACKAGE IS USING UP ALL YOUR DISK SPACE? You can verify a package's installed size with the dpkg -s command:

    dpkg -s

And the following script will grab all your installed packages and show their installed size, sorted and ranked by size:

    #!/bin/sh
    PATH=/bin:/usr/bin
    time dpkg --get-selections | grep ' install' | awk '{print $1}' |
        xargs -n 1 dpkg -s |
        egrep '^(Package|Installed-Size):' |
        awk '{printf( "%s: ", $2 ); getline; printf( "%s\n", $2 )}' |
        sort -k2nr | cat -n=20

Also see http://newbieDoc.sourceForge.net/ ...

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: exim and relaying -- for ONE user
will trillich wrote:
> then he can certainly send email from @serensoft to @out-there
> but then SO CAN ANYBODY ELSE using that small, tiny,
> insignificant worldnet.att.net network (of thousands and
> thousands).
>
> is there some way to further restrict the relaying? i DO NOT want
> any black hats turning my server into spam-o-rama. ideas welcome.

As an alternative to the SMTP auth stuff proposed by others, I suggest you just set up TLS and use certificate based authentication. It works like this:

Your friend sets up his mail client to use TLS for outgoing mail and relay through your server. You set up your server to support TLS for incoming mail (at least). Your friend generates a SSL certificate and private key for his mail server to use, and sends you the certificate. Then you set up your server to allow relaying for TLS connections set up using that certificate.

I have a setup like this for all of my laptops and other devices on dynamic or varying IP addresses; each computer has its own certificate, and uses exim; my server uses postfix which is easy to set up to allow relaying based on SSL certificates.

As a bonus you add to the amount of encrypted email traffic, and so reduce the effectiveness of various rumoured evil government projects. And you get cool headers:

    Received: from dragon.kitenet.net (as5800-82-86.access.naxs.com [216.98.82.86])
            (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
            (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
            by kitenet.net (Postfix) with ESMTP id 193F7BC039

--
see shy jo
Re: exim and relaying -- for ONE user
On Fri, 2003-01-31 at 06:51, will trillich wrote:
> 5:05am? whassa matter, couldn't sleep? (that's *my* problem --
> one of them, anyway...)
>

(I get most of my best work done after 2 am. :)

> i noticed (below) you used "basic" instead of "plain" so i
> munged my setup to match:

Actually, that was my mistake. :) I am using PLAIN.

> it may be only cosmetic -- then again it may not! (are there
> some pieces missing there? looks kinda scant.)

I don't remember if I cut some pieces out or not. Either way, here is my plain: section in its entirety:

    plain:
      driver = plaintext
      public_name = PLAIN
      server_prompts = User Name : Password
      server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
      server_set_id = $2

Just to make sure you're generating the right passwords here, I made a dummy account for testing. This is what the python script spit out:

    user: testuser
    password: password
    script output: testuser:teobtLiiDGEOk
    base64 encoded user and pass: AHRlc3R1c2VyAHBhc3N3b3Jk

    Gandalf:/etc/exim# ls /etc/exim/passwd
    -rw---1 mail mail 24 Jan 30 04:16 /etc/exim/passwd

and

    Gandalf:/etc/exim# ls /etc/pam.d/exim
    -rw---1 mail mail 91 Jan 30 04:11 /etc/pam.d/exim

And just to be COMPLETELY thorough, here's all the related packages I have installed:

    libpam-modules 0.76-7
    libpam-runtime 0.76-7
    libpam0g 0.76-7
    libpam-pwdfile 0.6-2
    exim-tls 3.35-3

That's about all I can think to check. :) Good luck.

-Alex

> account required pam_permit.so
> auth required pam_pwdfile.so pwdfile /etc/exim/passwd
>
> i'm trying a skeleton /etc/exim/passwd until something starts
> working, anyhow -- then i'll customize from there.
>
> > of course, you'll need to replace /etc/exim/passwd with the
> > path to your actual password file. Also double check to make
> > sure you made the passwd file and make sure you've got the
> > same username/password combo in there that you're trying to
> > log in with. I used the script that Derrick posted and it
> > worked great for me. (not counting the fact that it's in
> > python and not perl, but I guess I can't win 'em all... :)
>
> and i made it "chmod 600" and "chown mail.mail" as well.
>
> > Then just do an "exim -bh 127.0.0.1" and then:
> >
> > EHLO hereiam
> > AUTH BASIC
> >
> > And it SHOULD work. (Should being the key term. If it doesn't,
> > just post the error message and we'll go from there.) Good
> > luck. :)
>
> and here it comes--
>
> # exim -bh 192.168.1.2
>
> SMTP testing session as if from host 192.168.1.2
> Not for real!
>
> >>> host in host_lookup? yes (*)
> >>> looking up host name for 192.168.1.2
> >>> IP address lookup yielded duo
> >>> Alias duo.lan
> >>> host in host_reject? no (option unset)
> >>> host in host_reject_recipients? no (option unset)
> >>> host in auth_hosts? no (option unset)
> >>> host in sender_unqualified_hosts? no (option unset)
> >>> host in receiver_unqualified_hosts? no (option unset)
> >>> host in helo_verify? no (option unset)
> >>> host in helo_accept_junk_hosts? no (option unset)
>
> [no mention of "host_auth_accept_relay = *" ?]
>
> 220 server ESMTP Exim 3.35 #1 Fri, 31 Jan 2003 06:23:44 -0600
> ehlo herewego
> 250-server Hello duo [192.168.1.2]
> 250-SIZE
> 250-PIPELINING
> 250-AUTH BASIC
> 250 HELP
> auth basic [base64-encoded-\0user\0passwd\0]
> >>> plain authenticator:
> >>> $1 =
> >>> $2 = [username-was-here]
> >>> $3 = [passwd-went-here]
> >>> expanded string: no
> 535 Incorrect authentication data
> LOG: Authentication failed for duo (herewego) [192.168.1.2]: 535 Incorrect authentication data
>
> (also tried \0user\0passwd without trailing \0, no good.) so
> it's still retching on me. and yet...
>
> # exim -be
> > ${if pam{[username]:[bad-password]}{y}{nope}}
> nope
> > ${if pam{[username]:[right-password]}{y}{nope}}
> y
>
> so who the hell's in charge, that's what i want to know.
> apparently pam is working, but the config is rejecting it for
> some reason.
>
> tres mucho oddness. the story of my day. and the documentation is
> prfect. sure it is.
>
> > p.s. And once you're done with that you can start messing
> > around with TLS support. That was my 2nd project and today I
> > was able to, for the first time ever, send mail from my home
> > mail server while away from home using username/password
> > authentication over a secure connection. I was so proud. :)
>
> you are *exactly* where *i* want to be. (i can tell the view is
> awesome!) let me guess -- you've also got the imap thing working.
> of course, adding md5 as well wouldn't hurt, but that'll be
> another nail in the coffin. (mine, perhaps.) i just need a few
> more breadcrumbs along the path...
>
> --
> I use Debian/GNU Linux version 3.0;
> Linux server 2.4.20
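The AUTH PLAIN framing behind the $1/$2 versus $2/$3 question in this message, as an added example that is not part of the original thread or of Exim. The function names are hypothetical, the NUL split models the field numbering shown in the `exim -bh` traces rather than Exim's own code, and the in-memory account table stands in for the PAM password file.

```python
import base64
import hmac


def encode_plain(user, password, authzid=""):
    """Build an AUTH PLAIN response: authzid NUL authcid NUL password (RFC 4616).

    Real clients usually send an empty authzid, which is the leading \\0
    mentioned in the thread.
    """
    raw = b"\0".join(p.encode("utf-8") for p in (authzid, user, password))
    return base64.b64encode(raw).decode("ascii")


def encode_without_authzid(user, password):
    """The hand-typed variant tried in the thread: user NUL password."""
    raw = user.encode("utf-8") + b"\0" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def exim_fields(b64_response):
    """Split the decoded response on NUL and number the pieces $1, $2, ...

    This mirrors what the -bh debug output prints; it is a model only.
    """
    raw = base64.b64decode(b64_response, validate=True)
    return {f"${i}": f.decode("utf-8", "replace")
            for i, f in enumerate(raw.split(b"\0"), start=1)}


def pam_argument(user, password):
    """What ${sg{$3}{:}{::}} achieves: colons in the password are doubled
    so they are not read as separators in the colon-separated pam string."""
    return f"{user}:{password.replace(':', '::')}"


def condition_accepts(b64_response, user_var, pass_var, accounts):
    """Evaluate a server_condition that reads the given two variables.

    `accounts` (user -> password) is a constructed stand-in for the real
    password backend.
    """
    fields = exim_fields(b64_response)
    user = fields.get(user_var, "")
    password = fields.get(pass_var, "")
    expected = accounts.get(user)
    if not user or expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


# Constructed test account, matching the dummy credentials quoted above.
ACCOUNTS = {"testuser": "password"}
# The base64 string quoted in the message for testuser/password.
SAMPLE = "AHRlc3R1c2VyAHBhc3N3b3Jk"

if __name__ == "__main__":
    print("fields from a real client:", exim_fields(SAMPLE))
    for pair in (("$1", "$2"), ("$2", "$3")):
        print(pair, "->", condition_accepts(SAMPLE, *pair, ACCOUNTS))
    bare = encode_without_authzid("testuser", "password")
    print("fields without leading NUL:", exim_fields(bare))
    print("pam string:", pam_argument("testuser", "pa:ss"))
```

A condition written for one framing rejects the other, so the variables in `server_condition` and `server_set_id` have to match what the client actually sends.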
Re: exim and relaying -- for ONE user
Pardon me for coming into the middle of this thread, but I now need to set up secure relaying on my stable box running Exim.

If I read the messages back from the EHLO command correctly, the "regular" Exim package is not compiled with authentication options enabled. This means, does it not, that no authentication methods are available for Exim using the "regular" package? which in turn means one must install Exim-tls to have any form of authentication absent compiling your own?

TIA

Ed Lawson
Re: exim and relaying -- for ONE user
5:05am? whassa matter, couldn't sleep? (that's *my* problem -- one of them, anyway...)

On Fri, Jan 31, 2003 at 05:05:32AM -0600, Alex Malinovich wrote:
> It's a very complicated and technical discovery process that I
> have dubbed "guessing". :) (Actually, the best way is to use
> exim -bh to test. That'll give you about as useful a bit of
> info as you're likely to get. :)

yes, it's a nice feature. you can see whether the user/passwd is going into $1/$2 or $2/$3 for example...

> Ok, so you've got libpam-pwdfile installed. Everything you've
> posted from within your exim.conf appears to be in order. Make
> sure you've put the plain: stuff inside the authentication
> section. That was one of the first mistakes I made actually.
> :)

i noticed (below) you used "basic" instead of "plain" so i munged my setup to match:

    plain:
      driver = plaintext
      public_name = BASIC
      server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
      server_set_id = $2

it may be only cosmetic -- then again it may not! (are there some pieces missing there? looks kinda scant.)

> Next, check your /etc/pam.d/exim and make sure it looks a
> little something like this:
>
> account required pam_permit.so
> auth required pam_pwdfile.so pwdfile /etc/exim/passwd

it looks a /lot/ like that:

    # /etc/pam.d/exim
    # Note: exim requires an account as well as auth!
    account required pam_permit.so
    auth required pam_pwdfile.so pwdfile /etc/exim/passwd

i'm trying a skeleton /etc/exim/passwd until something starts working, anyhow -- then i'll customize from there.

> of course, you'll need to replace /etc/exim/passwd with the
> path to your actual password file. Also double check to make
> sure you made the passwd file and make sure you've got the
> same username/password combo in there that you're trying to
> log in with. I used the script that Derrick posted and it
> worked great for me. (not counting the fact that it's in
> python and not perl, but I guess I can't win 'em all... :)

and i made it "chmod 600" and "chown mail.mail" as well.

> Then just do an "exim -bh 127.0.0.1" and then:
>
> EHLO hereiam
> AUTH BASIC
>
> And it SHOULD work. (Should being the key term. If it doesn't,
> just post the error message and we'll go from there.) Good
> luck. :)

and here it comes--

    # exim -bh 192.168.1.2

    SMTP testing session as if from host 192.168.1.2
    Not for real!

    >>> host in host_lookup? yes (*)
    >>> looking up host name for 192.168.1.2
    >>> IP address lookup yielded duo
    >>> Alias duo.lan
    >>> host in host_reject? no (option unset)
    >>> host in host_reject_recipients? no (option unset)
    >>> host in auth_hosts? no (option unset)
    >>> host in sender_unqualified_hosts? no (option unset)
    >>> host in receiver_unqualified_hosts? no (option unset)
    >>> host in helo_verify? no (option unset)
    >>> host in helo_accept_junk_hosts? no (option unset)

[no mention of "host_auth_accept_relay = *" ?]

    220 server ESMTP Exim 3.35 #1 Fri, 31 Jan 2003 06:23:44 -0600
    ehlo herewego
    250-server Hello duo [192.168.1.2]
    250-SIZE
    250-PIPELINING
    250-AUTH BASIC
    250 HELP
    auth basic [base64-encoded-\0user\0passwd\0]
    >>> plain authenticator:
    >>> $1 =
    >>> $2 = [username-was-here]
    >>> $3 = [passwd-went-here]
    >>> expanded string: no
    535 Incorrect authentication data
    LOG: Authentication failed for duo (herewego) [192.168.1.2]: 535 Incorrect authentication data

(also tried \0user\0passwd without trailing \0, no good.) so it's still retching on me. and yet...

    # exim -be
    > ${if pam{[username]:[bad-password]}{y}{nope}}
    nope
    > ${if pam{[username]:[right-password]}{y}{nope}}
    y

so who the hell's in charge, that's what i want to know. apparently pam is working, but the config is rejecting it for some reason.

tres mucho oddness. the story of my day. and the documentation is prfect. sure it is.

> p.s. And once you're done with that you can start messing
> around with TLS support. That was my 2nd project and today I
> was able to, for the first time ever, send mail from my home
> mail server while away from home using username/password
> authentication over a secure connection. I was so proud. :)

you are *exactly* where *i* want to be. (i can tell the view is awesome!) let me guess -- you've also got the imap thing working. of course, adding md5 as well wouldn't hurt, but that'll be another nail in the coffin. (mine, perhaps.) i just need a few more breadcrumbs along the path...

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #90 from Der.Hans <[EMAIL PROTECTED]> and Joey Hess <[EMAIL PROTECTED]>
:
Wonde
Re: exim and relaying -- for ONE user
On Fri, 2003-01-31 at 00:56, will trillich wrote:
> On Thu, Jan 30, 2003 at 06:10:52PM -0600, Alex Malinovich wrote:
> > On Thu, 2003-01-30 at 16:09, will trillich wrote: As for your
> > earlier post about the auth not working, have you checked to
> > see if you have libpam-pwdfile installed? I just set up SMTP
> > plain auth last night following the directions that were given
> > earlier and it all went pretty smoothly. The only things that
> > I had to do that weren't mentioned were install libpam-pwdfile
> > and change the if line for auth to use $2 and $3 instead of $1
> > and $2. If you use an actual SMTP client (I was using
> > Evolution) it'll still send the beginning \0, so you have to
> > manually modify the rule to allow for it. Other than that, all
> > went quite smoothly.
>
> i appreciate your helpful pointers. i don't appreciate exim's
> determination to reject all my 'advances'. :( (and that the
> documentation keeps bouncing rudely off the back of my eyeballs.
> i hope to reach critical mass soon where it all sinks in at
> once, but apparently i need several more iterations.)
>
> i've got libpam-pwdfile (how do you know, when pam fails, what
> exactly went wrong, by the way?). and exim.config includes

It's a very complicated and technical discovery process that I have dubbed "guessing". :) (Actually, the best way is to use exim -bh to test. That'll give you about as useful a bit of info as you're likely to get. :)

> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
>   server_set_id = $2
> [snipsnip]
>
> i've found ${sg} (like perl's "s/pat/repl/g") and ${pam} (a bit
> scanty on what's going on or where to look when things go south)
> in the docs; so the server_condition takes string $3 (the
> password) and doubles all colons, and sends "$2:$3-fixed" to
> pam, which does (is supposed to do) something magical with
> handwaving and hacks up furballs --
>
> when i try emailing via smtp @serensoft.com from outside i get
> rejected...

Ok, so you've got libpam-pwdfile installed. Everything you've posted from within your exim.conf appears to be in order. Make sure you've put the plain: stuff inside the authentication section. That was one of the first mistakes I made actually. :)

Next, check your /etc/pam.d/exim and make sure it looks a little something like this:

    account required pam_permit.so
    auth required pam_pwdfile.so pwdfile /etc/exim/passwd

of course, you'll need to replace /etc/exim/passwd with the path to your actual password file. Also double check to make sure you made the passwd file and make sure you've got the same username/password combo in there that you're trying to log in with. I used the script that Derrick posted and it worked great for me. (not counting the fact that it's in python and not perl, but I guess I can't win 'em all... :)

Then just do an "exim -bh 127.0.0.1" and then:

    EHLO hereiam
    AUTH BASIC

And it SHOULD work. (Should being the key term. If it doesn't, just post the error message and we'll go from there.) Good luck. :)

-Alex

p.s. And once you're done with that you can start messing around with TLS support. That was my 2nd project and today I was able to, for the first time ever, send mail from my home mail server while away from home using username/password authentication over a secure connection. I was so proud. :)
Re: exim and relaying -- for ONE user
On Thu, Jan 30, 2003 at 06:10:52PM -0600, Alex Malinovich wrote:
> On Thu, 2003-01-30 at 16:09, will trillich wrote: As for your
> earlier post about the auth not working, have you checked to
> see if you have libpam-pwdfile installed? I just set up SMTP
> plain auth last night following the directions that were given
> earlier and it all went pretty smoothly. The only things that
> I had to do that weren't mentioned were install libpam-pwdfile
> and change the if line for auth to use $2 and $3 instead of $1
> and $2. If you use an actual SMTP client (I was using
> Evolution) it'll still send the beginning \0, so you have to
> manually modify the rule to allow for it. Other than that, all
> went quite smoothly.

i appreciate your helpful pointers. i don't appreciate exim's determination to reject all my 'advances'. :( (and that the documentation keeps bouncing rudely off the back of my eyeballs. i hope to reach critical mass soon where it all sinks in at once, but apparently i need several more iterations.)

i've got libpam-pwdfile (how do you know, when pam fails, what exactly went wrong, by the way?). and exim.config includes

    [snippage]
    host_accept_relay = 127.0.0.1 : 1
    host_auth_accept_relay = *
    [snippety]
    plain:
      driver = plaintext
      public_name = PLAIN
      server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
      server_set_id = $2
    [snipsnip]

i've found ${sg} (like perl's "s/pat/repl/g") and ${pam} (a bit scanty on what's going on or where to look when things go south) in the docs; so the server_condition takes string $3 (the password) and doubles all colons, and sends "$2:$3-fixed" to pam, which does (is supposed to do) something magical with handwaving and hacks up furballs --

when i try emailing via smtp @serensoft.com from outside i get rejected...

    This message was created automatically by mail delivery software (Exim).

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      [EMAIL PROTECTED]
        SMTP error from remote mailer after RCPT TO:<[EMAIL PROTECTED]>:
        host mail.serensoft.com [208.33.90.85]: 550 relaying to
        <[EMAIL PROTECTED]> prohibited by administrator

    -- This is a copy of the message, including all the headers. --

    Return-path: <[EMAIL PROTECTED]>
    Received: from will by duo.lan with local (Exim 3.35 #1 (Debian))
        id 18eRer-000265-00
        for <[EMAIL PROTECTED]>; Thu, 30 Jan 2003 21:16:01 -0600
    To: [EMAIL PROTECTED]
    Subject: testing @ Thu Jan 30 21:15:51 CST 2003
    Message-Id: <[EMAIL PROTECTED]>
    From: will trillich <[EMAIL PROTECTED]>
    Date: Thu, 30 Jan 2003 21:16:01 -0600

    nothing fancy (and nothing sent)

rejectlog says [line break added]

    refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]>
        H=gate (duo.lan) [192.168.0.5]

the server (exim) is 192.168.0.1 (and 208.33.90.85); my clarkconnect firewall is 192.168.0.5 and 192.168.1.5; duo.lan (debian workstation) is 192.168.1.2 -- not that it's really significant. (and gate is the firewall 192.168.*.5)

i even tried, via "exim -bh 192.168.1.2" using AUTH LOGIN based on the

    login:
      driver = plaintext
      public_name = LOGIN
      server_prompts = "Username:: : Password::"
      server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
      server_set_id = $1

auth section. (both as all-in-one-line and as AUTH LOGIN, dialog, , dialog, , reject.) the debug display shows the strings are accepted and interpreted properly, but exim rejects everything i've tried. (and since $1/$2 are used in the condition, i did user\0passwd\0 instead of \0user\0passwd.)

this is almost as much fun as a root canal. very nearly.

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #120 from Oliver Elphick <[EMAIL PROTECTED]>
:
So you want to ENTER UMLAUTS ON AN ENGLISH KEYBOARD -- here's how, in Vim:

    control-k u "

(control-K, then 'U', then '"'). Simple! To see all of vim's currently-defined digraphs, try

    :dig

Also see http://newbieDoc.sourceForge.net/ ...
Re: exim and relaying -- for ONE user
On Thu, Jan 30, 2003 at 09:07:55PM -0600, Gary Turner wrote:
> >anybody got a pointer to an english version of how to set up
> >smtp authentication via exim 3.3?
>
> I won't pretend to own a clue, myself. Maybe you should try
> the O'Reilly book, _Exim_, "Official Guide For Release 3", by
> Philip Hazel (talk about straight from the horse's mouth).
> Chapter 15, *Authentication, Encryption, and Other SMTP
> Processing* would seem to be the answer to your problem.
>
> The author cites common cases, among them;
>
> "An employee with a laptop is away from base, and wants to
> be able to connect from arbitrary locations and send
> outgoing mail via the server back at home. Even without a
> laptop, someone might want to do this from a cybercafe, or
> other 'foreign' client.
>
> "An employee has a dial-up ISP account at home that uses a
> different IP address each time a new connection is made, so
> host_accept_relay cannot be used."

yep, that's exactly the solution i'm looking for. and from your excerpt (thanks much, for that, by the way) i can tell it's not just an exact replica of the manual.

    $ grep -ri cybercafe /usr/share/doc/exim/manual.html/
    $

cool. my hopes rise... (and thank you for that.)

> --
> gt kk5st@sbcglobal
> If what you're doing doesn't work, stop doing it.

tell me about it. i've been quite nearly there. (if i get this nailed before my sanity leaves for dubuque, i'll CERTAINLY post my own how-to, probably as a permanent addition to the newbiedoc project. if not, i'll miss my mind sumthin' turribul.)

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #102 from Karsten M. Self <[EMAIL PROTECTED]>
:
Trying to LEARN ABOUT DEBIAN? Check out the links here:
http://pub13.ezboard.com/fiwetheylinux.showMessage?topicID=649.topic&index=39

Also see http://newbieDoc.sourceForge.net/ ...
Re: exim and relaying -- for ONE user
will trillich wrote:
>On Thu, Jan 30, 2003 at 12:37:32AM -0500, Derrick 'dman' Hudson wrote:
>> On Wed, Jan 29, 2003 at 08:48:17PM -0600, will trillich wrote:
>> | On Wed, Jan 29, 2003 at 03:59:40PM -0500, Jeremy Gaddis wrote:
>> | > SMTP Authentication sounds like a prime candidate.
[...]
>
>no clue given HOW to determine which "available authenticators"
>are supplied, WHAT they might be called, nor HOW TO FIND OUT.
>what is an authenticator? will "strings `which exim`" tell me?
>where are they defined? how can you make more (or less) of them
>available or change their parameters?
>
[...]
>hence the conclusion that the documentation is poopy.
>
>
>anybody got a pointer to an english version of how to set up
>smtp authentication via exim 3.3?

I won't pretend to own a clue, myself. Maybe you should try the O'Reilly book, _Exim_, "Official Guide For Release 3", by Philip Hazel (talk about straight from the horse's mouth). Chapter 15, *Authentication, Encryption, and Other SMTP Processing* would seem to be the answer to your problem.

The author cites common cases, among them;

"An employee with a laptop is away from base, and wants to be able to connect from arbitrary locations and send outgoing mail via the server back at home. Even without a laptop, someone might want to do this from a cybercafe, or other 'foreign' client.

"An employee has a dial-up ISP account at home that uses a different IP address each time a new connection is made, so host_accept_relay cannot be used."

--
gt kk5st@sbcglobal
If what you're doing doesn't work, stop doing it.
Re: exim and relaying -- for ONE user
On Thu, Jan 30, 2003 at 04:09:10PM -0600, will trillich wrote:
> On Thu, Jan 30, 2003 at 12:37:32AM -0500, Derrick 'dman' Hudson wrote:
> > On Wed, Jan 29, 2003 at 08:48:17PM -0600, will trillich wrote:
> > | well it sounds good. isn't that what exim already does? (i guess
> > | not. lead on, mcduff!)
> >
> > Yeah, once you configure it.
>
> right. here's why people (read as 'non-geeks') insist that
> documentation is lacking in the linux world:
>
> 35.1 Generic options for authenticators
>
> driver
>
> Type: string
> Default: unset
>
> This option must always be set. It specifies which of the
> available authenticators is to be used.
>
> period, end of section.
>
>
> no clue given HOW to determine which "available authenticators"
> are supplied, WHAT they might be called, nor HOW TO FIND OUT.
> what is an authenticator? will "strings `which exim`" tell me?
> where are they defined? how can you make more (or less) of them
> available or change their parameters?

Did you read the immediately preceding section of the exim spec, which describes what authenticators are and how they are made available, or the immediately following chapters, which describe the available authenticators in detail? It would appear not ... you've just taken a single section in complete isolation from the text around it and ranted about how it's, well, lacking in context. That seems quite unfair.

Cheers,

--
Colin Watson [[EMAIL PROTECTED]]
Re: exim and relaying -- for ONE user
On Thu, 2003-01-30 at 16:09, will trillich wrote:
--snip--
> right. here's why people (read as 'non-geeks') insist that
> documentation is lacking in the linux world:
--snip--
>
> no clue given HOW to determine which "available authenticators"
> are supplied, WHAT they might be called, nor HOW TO FIND OUT.
> what is an authenticator? will "strings `which exim`" tell me?
> where are they defined? how can you make more (or less) of them
> available or change their parameters?

If you look in the table of contents, you'll see there's a section on different types of authentication which are available. (all 3 of 'em. :)

As for your earlier post about the auth not working, have you checked to see if you have libpam-pwdfile installed? I just set up SMTP plain auth last night following the directions that were given earlier and it all went pretty smoothly. The only things that I had to do that weren't mentioned were install libpam-pwdfile and change the if line for auth to use $2 and $3 instead of $1 and $2. If you use an actual SMTP client (I was using Evolution) it'll still send the beginning \0, so you have to manually modify the rule to allow for it. Other than that, all went quite smoothly.

Hope this helps. :)

-Alex
Re: exim and relaying -- for ONE user
On Thu, Jan 30, 2003 at 12:37:32AM -0500, Derrick 'dman' Hudson wrote:
> On Wed, Jan 29, 2003 at 08:48:17PM -0600, will trillich wrote:
> | On Wed, Jan 29, 2003 at 03:59:40PM -0500, Jeremy Gaddis wrote:
> | > SMTP Authentication sounds like a prime candidate.
> |
> | well it sounds good. isn't that what exim already does? (i guess
> | not. lead on, mcduff!)
>
> Yeah, once you configure it.

right. here's why people (read as 'non-geeks') insist that documentation is lacking in the linux world:

    35.1 Generic options for authenticators

    driver

    Type: string
    Default: unset

    This option must always be set. It specifies which of the
    available authenticators is to be used.

period, end of section.

no clue given HOW to determine which "available authenticators" are supplied, WHAT they might be called, nor HOW TO FIND OUT. what is an authenticator? will "strings `which exim`" tell me? where are they defined? how can you make more (or less) of them available or change their parameters?

[[ reminds me of microso~1's visual basic documentation:

    DATE

    x = date()

    x now contains the system date.

no clue how to get tomorrow's date from that, nor how to determine which month we're in, how to affect the formatting of it on output... ]]

is "available authenticators" even the right term? at the bottom of my exim.conf there's some commented-out stuff like

    plain:
      driver = plaintext
      public_name = PLAIN

which when uncommented, leads "exim -bP authenticator_list" to display

    plain

leading me to believe that *i* (via the exim.conf file) am defining which authenticators are available, and that the drivers are something else entirely. "plain" would be the authenticator, which i'm setting up; "plaintext" is the driver, which is used *by* the authenticator.

hence the conclusion that the documentation is poopy.

anybody got a pointer to an english version of how to set up smtp authentication via exim 3.3?

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #50 from Will Trillich <[EMAIL PROTECTED]>
:
Want to specify EDITOR SETTINGS WHEN LAUNCHING FROM MUTT? Put something like this in your ~/.muttrc file:

    set editor="vim -c 'set ft=mail tw=64'"

That ensures that Vim syntax highlighting is set for "mail" patterns, and that text will wrap automatically at 64 columns. (For more info, try ":help tw" or ":help ft" when inside Vim. Also, browse /usr/share/doc/mutt/html/manual.html for the full scoop on customizing Mutt.)

Also see http://newbieDoc.sourceForge.net/ ...
Re: exim and relaying -- for ONE user
On Thu, Jan 30, 2003 at 12:37:32AM -0500, Derrick 'dman' Hudson wrote:
> Are you still using exim 3? (probably, the DD is behind on the releases)

yup --
    server ESMTP Exim 3.35 #1 Thu, 30 Jan 2003 13:43:20 -0600
[whatever's standard on woody...]

    root: /etc/exim# exim -bh 24.128.69.142

    SMTP testing session as if from host 24.128.69.142
    Not for real!

    >>> host in host_lookup? yes (*)
    >>> looking up host name for 24.128.69.142
    >>> IP address lookup yielded h0002557aff3d.ne.client2.attbi.com
    >>> host in host_reject? no (option unset)
    >>> host in host_reject_recipients? no (option unset)
    >>> host in auth_hosts? no (option unset)
    >>> host in sender_unqualified_hosts? no (option unset)
    >>> host in receiver_unqualified_hosts? no (option unset)
    >>> host in helo_verify? no (option unset)
    >>> host in helo_accept_junk_hosts? no (option unset)
    220 server ESMTP Exim 3.35 #1 Thu, 30 Jan 2003 13:43:20 -0600

> ## exim.conf
> plain:
>     driver = plaintext
>     public_name = PLAIN
>     server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}{1}{0}}"
>     server_set_id = $1

tried this (uncommented it in the config file :) and using the
"\0user\0password" (base64 encrypted as mentioned in the manual)
it decrypts properly and shows up in strings 2 and 3:

    AUTH plain [base-64-stuff-went-here]
    >>> plain authenticator:
    >>> $1 =
    >>> $2 = [username-was-here]
    >>> $3 = [password-was-here]
    >>> expanded string: 0
    535 Incorrect authentication data

i try it without the leading \0 to see if that's the trouble:

    AUTH plain [base-64-stuff]
    >>> plain authenticator:
    >>> $1 = [username]
    >>> $2 = [password]
    >>> expanded string: 0
    535 Incorrect authentication data

now it's strings 1 and 2, but still no luck.

> First it allows exim to advertise "AUTH PLAIN" in response to
> an EHLO command. Secondly, it takes the user/pass pair from
> the client and looks it up in the file /etc/exim/passwd. The
> file should look like
> user:crypted-password

i tried it both "user:crypted-passwd" and "user:plaintext".
still no cigar.

> An alternative to using exim's own lookup and crypt
> capabilities is to defer to pam.
>
> ## exim.conf
> plain:
>     driver = plaintext
>     public_name = PLAIN
>     server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
>     server_set_id = $1
>
> Then configure pam in /etc/pam.d/exim. One way of doing that,
> to duplicate the above authenticator, is like this :
>
> ## /etc/pam.d/exim
> # Note: exim requires an account as well as auth!
> account required pam_permit.so
> auth    required pam_pwdfile.so pwdfile /etc/exim/passwd

results for this looked EXACTLY like that for the above. (in a
word, poopy.)

the logs aren't helping much, either...

    2003-01-30 14:04:41 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=gate (duo.lan) [192.168.0.5]

i disabled my local lan at exim's host_accept_relay to force
internal-source (outbound) email to do the authentication as
well, for testing:

    #host_accept_relay = 127.0.0.1 : 1 : 192.168.1.1/24 : 192.168.0.1/24
    host_accept_relay = 127.0.0.1 : 1

now the only email i can send out is that which i generate
directly from the server itself.

maybe there's another config somewhere that's occluding this?

> Another alternative is to use the CRAM-MD5 authentication
> method. That, however, requires the password file to store the
> password in plain text. (note: pam can't work with cram-md5
> because pam doesn't provide the cleartext password for use in
> generating the md5 challenge string)
>
> cram_md5:
>     driver = cram_md5
>     public_name = CRAM-MD5
>     server_secret = ${lookup{$1}lsearch{/etc/exim/passwd}{$value}fail}
>     server_set_id = $1

this looks no more promising. i haven't even tried it (not
having a clue what i'm doing wrong with the simpler ones, i'm
not gonna head to the deep end of the pool any time soon).

go ahead, whap me with the clue stick. :(

===

i tried making clear that this is a local user, didn't i? he's
just connecting from Way Out There so that he can smtp mail FROM
serensoft.com to his targets, using the email client on his
laptop, which is five states away. (this is relaying, right?)

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
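The two traces in the message above differ only in how the client packed the AUTH PLAIN response (authzid NUL authcid NUL password, RFC 4616). The following added example, which is not part of the original thread, decodes a response into the strings the trace numbers $1, $2, $3 and evaluates a condition against chosen positions; the account table, helper names and credentials are constructed, and PBKDF2 stands in for the crypt(3) hashes of /etc/exim/passwd so the code runs without the crypt module.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"          # constructed value, for this example only

def pw_hash(password):
    # Stand-in (assumption) for the crypt(3) hash kept in the passwd file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

# Constructed account table: user -> stored hash.
ACCOUNTS = {"alice": pw_hash("s3cret")}

def encode_plain(user, password, authzid=""):
    """Build the RFC 4616 message: authzid NUL authcid NUL password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def split_plain(b64_response):
    """Decode a response and return its NUL-separated strings in order,
    i.e. what the debug trace prints as $1, $2, $3."""
    raw = base64.b64decode(b64_response, validate=True)
    return [part.decode("utf-8") for part in raw.split(b"\0")]

def condition(fields, user_pos, pass_pos):
    """Evaluate a 'look up user $N, compare password $M' style condition.
    Positions are 1-based; a missing string expands to empty."""
    def var(n):
        return fields[n - 1] if n <= len(fields) else ""
    stored = ACCOUNTS.get(var(user_pos))
    supplied = pw_hash(var(pass_pos))
    # Unknown users are compared against a dummy hash so both paths do the
    # same work; the comparison itself is constant-time.
    reference = stored if stored is not None else pw_hash("")
    return hmac.compare_digest(supplied, reference) and stored is not None

if __name__ == "__main__":
    standard = split_plain(encode_plain("alice", "s3cret"))
    print("strings:", standard)                            # empty authzid first
    print("user=$1 pass=$2:", condition(standard, 1, 2))
    print("user=$2 pass=$3:", condition(standard, 2, 3))
```

With the three-string form, a condition that takes the user from $1 sees an empty string, which is what the first trace shows. In the second trace the user and password do sit in $1 and $2, so that failure has to come from somewhere other than the field positions.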
Re: exim and relaying -- for ONE user
Derrick 'dman' Hudson wrote:
> On Thu, Jan 30, 2003 at 10:59:46AM +0100, Hendrik Sattler wrote:
> | Derrick 'dman' Hudson wrote:
> |
> | > Note, however, that AUTH PLAIN isn't very secure. You should only
> | > allow it if the client has first initiated a TLS connection. That
> | > requires first setting up TLS. I don't know if exim 3 can restrict it
> | > to a TLS session only, or how to do it. Either read the docs or
> | > upgrade to exim 4 (I know how to check that in exim4).
> |
> | Exim3 can restrict it like exim4.
>
> That's good. What's the conf setting to achieve that?

http://www.exim.org/exim-html-3.30/doc/html/spec_11.html#IDX636
So shortly:

    auth_over_tls_hosts = *

ACL handling in exim4 might be better but above works:

    $ telnet abc 26
    Trying 129.13.114.79...
    Connected to abc.
    Escape character is '^]'.
    220 abc ESMTP Exim 3.35 #1 Thu, 30 Jan 2003 20:19:43 +0100
    ehlo test
    250-abc Hello xyz [xxx.xxx.xxx.xxx]
    250-SIZE
    250-PIPELINING
    250-STARTTLS
    250 HELP
    AUTH
    503 STARTTLS required before AUTH

> | You forgot the LOGIN method that is needed by some clients.
>
> I did leave it out. The configuration side is basically the same as
> for PLAIN. Some docs I read said LOGIN was never actually
> standardized, so I thought it was a good idea not to use it. IIRC old
> netscape and old lookout only handle LOGIN, and one (or both) of those
> won't recognize it unless the server incorrectly advertises it.

Well, putting it into the config doesn't hurt, either.

> | CRAM-MD5 should not be needed as TLS should really be secure enough,
> | isn't it? ;)
>
> Depends on whether you want to use TLS or not.

Well, TLS/SSL is way more common than CRAM-MD5. Additionally, CRAM-MD5
does not work with PAM.

HS
Re: exim and relaying -- for ONE user
On Thu, Jan 30, 2003 at 10:59:46AM +0100, Hendrik Sattler wrote:
| Derrick 'dman' Hudson wrote:
|
| > Note, however, that AUTH PLAIN isn't very secure. You should only
| > allow it if the client has first initiated a TLS connection. That
| > requires first setting up TLS. I don't know if exim 3 can restrict it
| > to a TLS session only, or how to do it. Either read the docs or
| > upgrade to exim 4 (I know how to check that in exim4).
|
| Exim3 can restrict it like exim4.

That's good. What's the conf setting to achieve that?

| You forgot the LOGIN method that is needed by some clients.

I did leave it out. The configuration side is basically the same as
for PLAIN. Some docs I read said LOGIN was never actually
standardized, so I thought it was a good idea not to use it. IIRC old
netscape and old lookout only handle LOGIN, and one (or both) of those
won't recognize it unless the server incorrectly advertises it.

| CRAM-MD5 should not be needed as TLS should really be secure enough,
| isn't it? ;)

Depends on whether you want to use TLS or not.

| > An alternative to using exim's own lookup and crypt capabilities is to
| > defer to pam. There are several advantages of this, for one you can
| > use any backend (flat file, system account, LDAP, SQL, etc.) that pam
| > supports. If you use shadow passwords for system accounts and want
| > exim to use the same for SMTP AUTH you'll have to either run exim as
| > the 'shadow' group, or make the shadow file readable by the exim
| > group. To configure this method :
|
| Did you try using pam_exim? It works great, letting exim continue to run
| as non-root and still using pam (using an external suid-root pam helper).

No, I hadn't seen pam_exim. That design sounds a lot like the sasldb
method provided by cyrus-sasl (postfix uses cyrus-sasl).

-D

--
You have heard the saying that if you put a thousand monkeys in a room
with a thousand typewriters and waited long enough, eventually you would
have a room full of dead monkeys.
                (Scott Adams - The Dilbert principle)

http://dman.ddts.net/~dman/
Re: exim and relaying -- for ONE user
Derrick 'dman' Hudson wrote:

> Note, however, that AUTH PLAIN isn't very secure. You should only
> allow it if the client has first initiated a TLS connection. That
> requires first setting up TLS. I don't know if exim 3 can restrict it
> to a TLS session only, or how to do it. Either read the docs or
> upgrade to exim 4 (I know how to check that in exim4).

Exim3 can restrict it like exim4.
You forgot the LOGIN method that is needed by some clients.
CRAM-MD5 should not be needed as TLS should really be secure enough,
isn't it? ;)

> An alternative to using exim's own lookup and crypt capabilities is to
> defer to pam. There are several advantages of this, for one you can
> use any backend (flat file, system account, LDAP, SQL, etc.) that pam
> supports. If you use shadow passwords for system accounts and want
> exim to use the same for SMTP AUTH you'll have to either run exim as
> the 'shadow' group, or make the shadow file readable by the exim
> group. To configure this method :

Did you try using pam_exim? It works great, letting exim continue to run
as non-root and still using pam (using an external suid-root pam helper).

HS
Re: exim and relaying -- for ONE user
On Wed, Jan 29, 2003 at 08:48:17PM -0600, will trillich wrote:
| On Wed, Jan 29, 2003 at 03:59:40PM -0500, Jeremy Gaddis wrote:
| > SMTP Authentication sounds like a prime candidate.
|
| well it sounds good. isn't that what exim already does? (i guess
| not. lead on, mcduff!)

Yeah, once you configure it.

Are you still using exim 3? (probably, the DD is behind on the releases)

Something like this should work (for v3, untested but based on the
example config file) :

## exim.conf
plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}{1}{0}}"
    server_set_id = $1

First it allows exim to advertise "AUTH PLAIN" in response to an EHLO
command. Secondly, it takes the user/pass pair from the client and
looks it up in the file /etc/exim/passwd. The file should look like
    user:crypted-password

Note, however, that AUTH PLAIN isn't very secure. You should only
allow it if the client has first initiated a TLS connection. That
requires first setting up TLS. I don't know if exim 3 can restrict it
to a TLS session only, or how to do it. Either read the docs or
upgrade to exim 4 (I know how to check that in exim4).

An alternative to using exim's own lookup and crypt capabilities is to
defer to pam. There are several advantages of this, for one you can
use any backend (flat file, system account, LDAP, SQL, etc.) that pam
supports. If you use shadow passwords for system accounts and want
exim to use the same for SMTP AUTH you'll have to either run exim as
the 'shadow' group, or make the shadow file readable by the exim
group. To configure this method :

## exim.conf
plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
    server_set_id = $1

Then configure pam in /etc/pam.d/exim. One way of doing that, to
duplicate the above authenticator, is like this :

## /etc/pam.d/exim
# Note: exim requires an account as well as auth!
account required pam_permit.so
auth    required pam_pwdfile.so pwdfile /etc/exim/passwd

Another alternative is to use the CRAM-MD5 authentication method.
That, however, requires the password file to store the password in
plain text. (note: pam can't work with cram-md5 because pam doesn't
provide the cleartext password for use in generating the md5 challenge
string)

cram_md5:
    driver = cram_md5
    public_name = CRAM-MD5
    server_secret = ${lookup{$1}lsearch{/etc/exim/passwd}{$value}fail}
    server_set_id = $1

The script below will generate a password file on stdout (once you
fill in the list of users and passwords) for use in the first
examples. It also has the framework for using md5 instead of crypt,
as long as you configure the software (exim or pam) to use md5 as
well.

#!/usr/bin/python2.2

DATA = (
    ('user1' , 'pass1') ,
    ('user2', 'pass2') ,
    )

import crypt
#import md5

for user , pass_ in DATA :
    salt =user[:2]
    secret = crypt.crypt(pass_, salt)
    # use md5
    ##phash = md5.new(pass_)
    ##secret = phash.hexdigest()
    print "%s:%s" % (user, secret)

---

HTH,
-D

--
He who scorns instruction will pay for it,
but he who respects a command is rewarded.
        Proverbs 13:13

http://dman.ddts.net/~dman/
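Why CRAM-MD5 needs the cleartext secret on the server, as the message above says: the client never sends the password, only an HMAC-MD5 of the server's challenge keyed with it (RFC 2195), so the server must hold the same key to recompute the digest. This is an added example, not code from the thread; the function names are hypothetical, the inputs are the RFC 2195 sample values, and the SHA-256 hash standing in for a crypt(3) entry is an assumption.

```python
import base64
import hashlib
import hmac

# Sample values from the RFC 2195 example exchange.
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
USER, SECRET = "tim", "tanstaaftanstaaf"

def cram_digest(secret, challenge):
    """HMAC-MD5 of the challenge, keyed with the shared secret, as hex."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def client_response(user, secret, challenge):
    """What the client sends after the 334 challenge: base64('user digest')."""
    line = f"{user} {cram_digest(secret, challenge)}"
    return base64.b64encode(line.encode()).decode()

def server_verify(b64_response, challenge, stored):
    """Return the authenticated user name, or None. 'stored' maps
    user -> whatever the server keeps on file for that user."""
    try:
        decoded = base64.b64decode(b64_response, validate=True).decode("utf-8")
        user, digest = decoded.rsplit(" ", 1)
    except ValueError:            # bad base64, bad UTF-8, or no separator
        return None
    on_file = stored.get(user)
    if on_file is None:
        return None
    expected = cram_digest(on_file, challenge)
    ok = hmac.compare_digest(expected.encode(), digest.lower().encode())
    return user if ok else None

# Two constructed server-side tables for the same account.
CLEARTEXT_FILE = {USER: SECRET}
# Stand-in (assumption) for a file that holds only a one-way hash.
HASHED_FILE = {USER: hashlib.sha256(SECRET.encode()).hexdigest()}

if __name__ == "__main__":
    resp = client_response(USER, SECRET, CHALLENGE)
    print("client sends:   ", resp)
    print("cleartext file: ", server_verify(resp, CHALLENGE, CLEARTEXT_FILE))
    print("hashed file:    ", server_verify(resp, CHALLENGE, HASHED_FILE))
    # A captured response is useless against a fresh challenge.
    print("other challenge:", server_verify(resp, "<2.constructed@example.test>",
                                            CLEARTEXT_FILE))
```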
Re: exim and relaying -- for ONE user
On Wed, Jan 29, 2003 at 03:59:40PM -0500, Jeremy Gaddis wrote:
> SMTP Authentication sounds like a prime candidate.

well it sounds good. isn't that what exim already does? (i guess
not. lead on, mcduff!)

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
RE: exim and relaying -- for ONE user
SMTP Authentication sounds like a prime candidate.

j.

--
Jeremy L. Gaddis <[EMAIL PROTECTED]> <http://www.gaddis.org>

> -Original Message-
> From: will trillich [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 29, 2003 12:31 PM
> To: [EMAIL PROTECTED]
> Subject: exim and relaying -- for ONE user
>
>
> looking for a way to accept HARDLY ANY relays -- hopefully more
> than just "anybody from worldnet.att.net"...
>
> i've got a partner who'd like to be able to send email from
> serensoft.com -- but he's way out in the northeast using
> worldnet.att.net, and i'm way out here in the midwest using
> podunk-isp-r-us.
>
> when he tries sending email as coming from @serensoft.com, it's
> accepted if it's TO another serensoft user; but for any external
> destination it gets bounced as a relay attempt, because of the
> line
>
>     relay_domains =
>
> in the /etc/exim/exim.conf file.
>
> if i change it to
>
>     relay_domains = worldnet.att.net
>
> then he can certainly send email from @serensoft to @out-there
> but then SO CAN ANYBODY ELSE using that small, tiny,
> insignificant worldnet.att.net network (of thousands and
> thousands).
>
> is there some way to further restrict the relaying? i DO NOT want
> any black hats turning my server into spam-o-rama. ideas welcome.
>
> --
> I use Debian/GNU Linux version 3.0;
> Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
Re: exim and relaying -- for ONE user
On Wed, 29 Jan 2003 11:30:35 -0600
will trillich <[EMAIL PROTECTED]> wrote:

> looking for a way to accept HARDLY ANY relays -- hopefully more
> than just "anybody from worldnet.att.net"...
>
> i've got a partner who'd like to be able to send email from
> serensoft.com -- but he's way out in the northeast using
> worldnet.att.net, and i'm way out here in the midwest using
> podunk-isp-r-us.
>
> when he tries sending email as coming from @serensoft.com, it's
> accepted if it's TO another serensoft user; but for any external
> destination it gets bounced as a relay attempt, because of the
> line
>
>     relay_domains =
>
> in the /etc/exim/exim.conf file.
>
> if i change it to
>
>     relay_domains = worldnet.att.net
>
> then he can certainly send email from @serensoft to @out-there
> but then SO CAN ANYBODY ELSE using that small, tiny,
> insignificant worldnet.att.net network (of thousands and
> thousands).
>
> is there some way to further restrict the relaying? i DO NOT want
> any black hats turning my server into spam-o-rama. ideas welcome.

If your partner has fixed IP, then you could try adding to
host_accept_relay otherwise I'll have to defer to those who really know
what they are doing.

James

--
James Tappin,              O__   "I forget the punishment for using
[EMAIL PROTECTED]       -- \/`    Microsoft --- Something lingering
http://www.tappin.me.uk/          with data loss in it I fancy"
exim and relaying -- for ONE user
looking for a way to accept HARDLY ANY relays -- hopefully more
than just "anybody from worldnet.att.net"...

i've got a partner who'd like to be able to send email from
serensoft.com -- but he's way out in the northeast using
worldnet.att.net, and i'm way out here in the midwest using
podunk-isp-r-us.

when he tries sending email as coming from @serensoft.com, it's
accepted if it's TO another serensoft user; but for any external
destination it gets bounced as a relay attempt, because of the
line

    relay_domains =

in the /etc/exim/exim.conf file.

if i change it to

    relay_domains = worldnet.att.net

then he can certainly send email from @serensoft to @out-there
but then SO CAN ANYBODY ELSE using that small, tiny,
insignificant worldnet.att.net network (of thousands and
thousands).

is there some way to further restrict the relaying? i DO NOT want
any black hats turning my server into spam-o-rama. ideas welcome.

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown