Re: [exim] Require authentication from local users

2009-06-18 Thread Phil Pennock
On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
 I'm hot in pursuit of my time-limited ACL.  I've run into yet another
 stumbling block; my exim config allows local users to send mail without
 authentication.
 
 Can I get a couple of hints on how to configure exim to:
 
 1. Allow unlimited receipt of emails for the local domains
 2. Require local users to authenticate at all times
 3. Prevent open relaying
 
 Obviously I'm concerned about inadvertently causing 3.  1 and 2 are
 somewhat contradictory as I would like to authenticate all local users,
 even if they're sending local email.

So your children haven't yet figured out how to create a Gmail account
and send mail via Submission on that, back in?  Or are you firewalling
25 and 587 outbound except from the mailbox?  Note that firewalling off
587 is normally unfriendly by ISPs, but it's your house and your
rules.  I hope you don't have work-related household visitors who expect
to be able to handle mail ...

As long as you have inbound unauthenticated, outbound authentication for
the purposes of controlling sending at all is problematic;
authentication for making sure that those who wish to send mail have
credentials to do so is another matter, and useful for those trying to
enforce accountability and reduce spam-sources within their
organisations.

You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
name); because some clients allegedly get upset by 4xx/5xx failures on
MAIL, rather than reject there you reject at RCPT stage.

Something like this (untested):

8< cut here 8<--
# main section:
hostlist home_net = 192.0.2.0/24
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
#...
begin acl

acl_check_mail:

  # acl_c_* variables persist for the whole connection, so a flag set here
  # is still visible in acl_check_rcpt.
  warn    set acl_c_denied_by_mail = no
          set acl_c_dbm_message = Because my configs are broken

  accept  hosts = !+home_net

  # Home hosts not on the submission port: accept at MAIL, but flag the
  # message so that acl_check_rcpt rejects it with a helpful reason.
  accept  hosts = +home_net
          condition = ${if !={$received_port}{587}}
          set acl_c_denied_by_mail = yes
          set acl_c_dbm_message = You should use the submission port (587) to send email

  deny    hosts = +home_net
          !authenticated = *
          set acl_c_denied_by_mail = yes
          set acl_c_dbm_message = Papers, please.

  accept

# This one will already exist
acl_check_rcpt:

  deny    condition = $acl_c_denied_by_mail
          message = $acl_c_dbm_message

  # ALL THE REST OF THE EXISTING ACL GOES HERE
8< cut here 8<--

Note that you're just adding an extra rejection step at the start of
acl_check_rcpt, so if you keep all the rest of that logic the same then
you won't risk an open mail relay (unless you're already an OMR).

Regards,
-Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
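To check the policy above against the open-relay worry before loading it into a live Exim, here is a small Python model of the two ACL stages (an added example, not Phil's or Exim's code). It assumes the stock Exim relay rules for the part marked "ALL THE REST OF THE EXISTING ACL", example.org as the local domain, and the constructed addresses in the code:

```python
import ipaddress
from dataclasses import dataclass
# Constructed stand-ins for the hostlist and the site's +local_domains
# (assumed; the thread never names the local domain).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
LOCAL_DOMAINS = {"example.org"}
USE_587 = "You should use the submission port (587) to send email"

@dataclass
class Session:
    host: str            # $sender_host_address
    port: int            # $received_port
    authenticated: bool  # would 'authenticated = *' match?
    rcpt_domain: str     # domain of the RCPT TO address

def acl_check_mail(s):
    """Phil's MAIL ACL: (verdict, acl_c_denied_by_mail, acl_c_dbm_message)."""
    if ipaddress.ip_address(s.host) not in HOME_NET:
        return "accept", False, ""        # accept hosts = !+home_net
    if s.port != 587:
        return "accept", True, USE_587    # accept, but flag for rejection at RCPT
    if not s.authenticated:
        return "deny", True, "Papers, please."  # deny hosts = +home_net / !authenticated = *
    return "accept", False, ""            # final bare accept

def acl_check_rcpt(s, denied, msg):
    """The added first statement, then the stock Exim relay rules (assumed)."""
    if denied:                            # deny condition = $acl_c_denied_by_mail
        return "deny", msg
    if s.rcpt_domain in LOCAL_DOMAINS:    # accept domains = +local_domains
        return "accept", ""
    if s.authenticated:                   # accept authenticated = *
        return "accept", ""
    return "deny", "relay not permitted"  # catch-all deny

def decide(s):
    """Run both stages; returns (stage, verdict, message)."""
    verdict, denied, msg = acl_check_mail(s)
    if verdict == "deny":
        return "MAIL", "deny", msg
    verdict, msg = acl_check_rcpt(s, denied, msg)
    return "RCPT", verdict, msg

def relay_holes(hosts, ports):
    """Unauthenticated sessions to a foreign domain that get accepted: any hit is an open relay."""
    return [(h, p) for h in hosts for p in ports
            if decide(Session(h, p, False, "remote.example"))[1] == "accept"]
```

Note that an authenticated home user on port 25 is still turned away with the "use 587" message, exactly as the config above does, since that accept statement is evaluated before the authentication check.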


Re: [exim] Require authentication from local users

2009-06-18 Thread Yan Seiner
Phil Pennock wrote:
 On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
   
 I'm hot in pursuit of my time-limited ACL.  I've run into yet another
 stumbling block; my exim config allows local users to send mail without
 authentication.

 Can I get a couple of hints on how to configure exim to:

 1. Allow unlimited receipt of emails for the local domains
 2. Require local users to authenticate at all times
 3. Prevent open relaying

 Obviously I'm concerned about inadvertently causing 3.  1 and 2 are
 somewhat contradictory as I would like to authenticate all local users,
 even if they're sending local email.
 

 So your children haven't yet figured out how to create a Gmail account
 and send mail via Submission on that, back in?  Or are you firewalling
 25 and 587 outbound except from the mailbox?  Note that firewalling off
 587 is normally unfriendly by ISPs, but it's your house and your
 rules.  I hope you don't have work-related household visitors who expect
 to be able to handle mail ...
   
It's a sort of because I can - it teaches me a lot about proxies, 
acls, and so on, and when my kids get to the point of hacking around my 
assorted firewalls and proxies we'll all learn together.  Know a better 
way to learn?  ;-)

 As long as you have inbound unauthenticated, outbound authentication for
 the purposes of controlling sending at all is problematic;
 authentication for making sure that those who wish to send mail have
 credentials to do so is another matter, and useful for those trying to
 enforce accountability and reduce spam-sources within their
 organisations.
   
I definitely want to do the latter.

 You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
 name); because some clients allegedly get upset by 4xx/5xx failures on
 MAIL, rather than reject there you reject at RCPT stage.
   

Thanks.  I'll play with it.
 Something like this (untested):

 8< cut here 8<--
 # main section:
 hostlist home_net = 192.0.2.0/24
 acl_smtp_mail = acl_check_mail
 acl_smtp_rcpt = acl_check_rcpt
 #...
 begin acl

 acl_check_mail:

   warn    set acl_c_denied_by_mail = no
           set acl_c_dbm_message = Because my configs are broken

   accept  hosts = !+home_net

   accept  hosts = +home_net
           condition = ${if !={$received_port}{587}}
           set acl_c_denied_by_mail = yes
           set acl_c_dbm_message = You should use the submission port (587) to send email

   deny    hosts = +home_net
           !authenticated = *
           set acl_c_denied_by_mail = yes
           set acl_c_dbm_message = Papers, please.

   accept

 # This one will already exist
 acl_check_rcpt:

   deny    condition = $acl_c_denied_by_mail
           message = $acl_c_dbm_message

   # ALL THE REST OF THE EXISTING ACL GOES HERE
 8< cut here 8<--

 Note that you're just adding an extra rejection step at the start of
 acl_check_rcpt, so if you keep all the rest of that logic the same then
 you won't risk an open mail relay (unless you're already an OMR).

 Regards,
 -Phil


   


-- 
Yan Seiner 

Support my bid for the 4J School Board.
Visit http://www.seiner.com/schoolboard





Re: [exim] Require authentication from local users

2009-06-18 Thread Yan Seiner
Yan Seiner wrote:
 Phil Pennock wrote:
   

 Note that you're just adding an extra rejection step at the start of
 acl_check_rcpt, so if you keep all the rest of that logic the same then
 you won't risk an open mail relay (unless you're already an OMR).
 
   
Actually, the only thing that's needed is this:

   deny    hosts = +home_net
           !authenticated = *
           set acl_c_denied_by_mail = yes
           set acl_c_dbm_message = Papers, please.

That blocks both 25 and 587 unless the user is authenticated.  
Submissions to the local domain work fine.  Just outgoing email needs an 
authenticated user.

That's pretty neat.

--Yan

-- 
Yan Seiner 


