Re: [exim] Require authentication from local users
On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
> I'm hot in pursuit of my time-limited ACL. I've run into yet another
> stumbling block; my exim config allows local users to send mail without
> authentication.
>
> Can I get a couple of hints on how to configure exim to:
>
> 1. Allow unlimited receipt of emails for the local domains
> 2. Require local users to authenticate at all times
> 3. Prevent open relaying
>
> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
> somewhat contradictory as I would like to authenticate all local users,
> even if they're sending local email.

So your children haven't yet figured out how to create a Gmail account and
send mail via Submission on that, back in? Or are you firewalling 25 and
587 outbound except from the mailbox? Note that firewalling off 587 is
normally unfriendly by ISPs, but it's your house and your rules. I hope
you don't have work-related household visitors who expect to be able to
handle mail ...

As long as you have inbound unauthenticated, outbound authentication for
the purposes of controlling sending at all is problematic; authentication
for making sure that those who wish to send mail have credentials to do so
is another matter, and useful for those trying to enforce accountability
and reduce spam-sources within their organisations.

You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
name); because some clients allegedly get upset by 4xx/5xx failures on
MAIL, rather than reject there you reject at RCPT stage.

Something like this (untested):

--8<-- cut here --8<--
# main section:
hostlist home_net = 192.0.2.0/24
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
#...

begin acl

acl_check_mail:
  # Start every connection with the flag cleared; "warn" never rejects.
  warn
    set acl_c_denied_by_mail = no
    set acl_c_dbm_message = Because my configs are broken

  # Hosts outside the home network are not subject to these rules.
  accept
    hosts = !+home_net

  # Home hosts on a port other than 587: flag them, reject later at RCPT.
  accept
    hosts = +home_net
    condition = ${if !={$received_port}{587}}
    set acl_c_denied_by_mail = yes
    set acl_c_dbm_message = You should use the submission port (587) to send email

  # Home hosts that did not authenticate.
  deny
    hosts = +home_net
    !authenticated = *
    set acl_c_denied_by_mail = yes
    set acl_c_dbm_message = Papers, please.

  accept

# This one will already exist
acl_check_rcpt:
  deny
    condition = $acl_c_denied_by_mail
    message = $acl_c_dbm_message

  # ALL THE REST OF THE EXISTING ACL GOES HERE
--8<-- cut here --8<--

Note that you're just adding an extra rejection step at the start of
acl_check_rcpt, so if you keep all the rest of that logic the same then
you won't risk an open mail relay (unless you're already an OMR).

Regards,
-Phil
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
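An added example, not from the thread or from Exim itself: a small Python model of how Exim walks an ACL (statements in order, conditions evaluated left to right, `set` modifiers applied as soon as they are reached, `warn` never deciding), run over the untested acl_check_mail/acl_check_rcpt pair above. The prefix check standing in for the home_net hostlist and the outside address 203.0.113.5 are assumptions of the model.

```python
HOME_NET = "192.0.2."   # stands in for "hostlist home_net = 192.0.2.0/24" (assumed prefix match)

# Conditions from the ACL as predicates over a session dict with keys
# host, port ($received_port), auth (would "authenticated = *" match) and vars (acl_c_*).
def in_home_net(s): return s["host"].startswith(HOME_NET)       # hosts = +home_net
def not_home_net(s): return not in_home_net(s)                   # hosts = !+home_net
def not_port_587(s): return s["port"] != 587   # condition = ${if !={$received_port}{587}}
def not_authenticated(s): return not s["auth"]                   # !authenticated = *

def setvar(name, value):   # a "set acl_c_x = value" modifier: applied when reached, never fails
    return ("set", lambda s: s["vars"].__setitem__(name, value))

MSG_PORT = "You should use the submission port (587) to send email"
ACL_CHECK_MAIL = [
    ("warn",   [setvar("acl_c_denied_by_mail", "no"),
                setvar("acl_c_dbm_message", "Because my configs are broken")]),
    ("accept", [not_home_net]),
    ("accept", [in_home_net, not_port_587,
                setvar("acl_c_denied_by_mail", "yes"), setvar("acl_c_dbm_message", MSG_PORT)]),
    ("deny",   [in_home_net, not_authenticated,
                setvar("acl_c_denied_by_mail", "yes"), setvar("acl_c_dbm_message", "Papers, please.")]),
    ("accept", []),
]
# Only the new first statement of acl_check_rcpt; the existing relay checks would follow it.
ACL_CHECK_RCPT = [("deny", [lambda s: s["vars"].get("acl_c_denied_by_mail") == "yes"])]

def run_acl(acl, s):
    """Walk the statements the way Exim does; None means no verdict yet (fall through)."""
    for verb, items in acl:
        for item in items:
            if isinstance(item, tuple):   # modifier: apply it and keep going
                item[1](s)
            elif not item(s):             # a condition failed: try the next statement
                break
        else:                             # every condition in the statement held
            if verb in ("accept", "deny"):
                return verb
            # "warn": modifiers were applied, evaluation continues
    return None

def trace(host, port, auth):
    """Return (stage, verdict, message): where a session is rejected and with what text."""
    s = {"host": host, "port": port, "auth": auth, "vars": {}}
    stage, verdict = "MAIL", run_acl(ACL_CHECK_MAIL, s)
    if verdict != "deny":
        stage, verdict = "RCPT", run_acl(ACL_CHECK_RCPT, s)
    msg = s["vars"].get("acl_c_dbm_message") if verdict == "deny" else None
    return (stage, verdict, msg)
```

Tracing an authenticated home_net client on port 25 shows it is still rejected at RCPT with the "use port 587" text, because the second accept statement flags every home host that is not on 587 regardless of authentication; a verdict of None means the session falls through to the rest of the existing RCPT ACL.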
Re: [exim] Require authentication from local users
Phil Pennock wrote:
> On 2009-06-18 at 08:55 -0700, Yan Seiner wrote:
>> I'm hot in pursuit of my time-limited ACL. I've run into yet another
>> stumbling block; my exim config allows local users to send mail without
>> authentication.
>>
>> Can I get a couple of hints on how to configure exim to:
>>
>> 1. Allow unlimited receipt of emails for the local domains
>> 2. Require local users to authenticate at all times
>> 3. Prevent open relaying
>>
>> Obviously I'm concerned about inadvertently causing 3. 1 and 2 are
>> somewhat contradictory as I would like to authenticate all local users,
>> even if they're sending local email.
>
> So your children haven't yet figured out how to create a Gmail account and
> send mail via Submission on that, back in? Or are you firewalling 25 and
> 587 outbound except from the mailbox? Note that firewalling off 587 is
> normally unfriendly by ISPs, but it's your house and your rules. I hope
> you don't have work-related household visitors who expect to be able to
> handle mail ...

It's a sort of because I can - it teaches me a lot about proxies, acls,
and so on, and when my kids get to the point of hacking around my assorted
firewalls and proxies we'll all learn together. Know a better way to
learn? ;-)

> As long as you have inbound unauthenticated, outbound authentication for
> the purposes of controlling sending at all is problematic; authentication
> for making sure that those who wish to send mail have credentials to do so
> is another matter, and useful for those trying to enforce accountability
> and reduce spam-sources within their organisations.

I definitely want to do the latter.

> You can create an ACL on the MAIL command (acl_smtp_mail sets the ACL
> name); because some clients allegedly get upset by 4xx/5xx failures on
> MAIL, rather than reject there you reject at RCPT stage.

Thanks. I'll play with it.

> Something like this (untested):
>
> --8<-- cut here --8<--
> # main section:
> hostlist home_net = 192.0.2.0/24
> acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> #...
>
> begin acl
>
> acl_check_mail:
>   warn
>     set acl_c_denied_by_mail = no
>     set acl_c_dbm_message = Because my configs are broken
>
>   accept
>     hosts = !+home_net
>
>   accept
>     hosts = +home_net
>     condition = ${if !={$received_port}{587}}
>     set acl_c_denied_by_mail = yes
>     set acl_c_dbm_message = You should use the submission port (587) to send email
>
>   deny
>     hosts = +home_net
>     !authenticated = *
>     set acl_c_denied_by_mail = yes
>     set acl_c_dbm_message = Papers, please.
>
>   accept
>
> # This one will already exist
> acl_check_rcpt:
>   deny
>     condition = $acl_c_denied_by_mail
>     message = $acl_c_dbm_message
>
>   # ALL THE REST OF THE EXISTING ACL GOES HERE
> --8<-- cut here --8<--
>
> Note that you're just adding an extra rejection step at the start of
> acl_check_rcpt, so if you keep all the rest of that logic the same then
> you won't risk an open mail relay (unless you're already an OMR).
>
> Regards,
> -Phil

--
Yan Seiner
Support my bid for the 4J School Board. Visit http://www.seiner.com/schoolboard
Re: [exim] Require authentication from local users
Yan Seiner wrote:
> Phil Pennock wrote:
>> Note that you're just adding an extra rejection step at the start of
>> acl_check_rcpt, so if you keep all the rest of that logic the same then
>> you won't risk an open mail relay (unless you're already an OMR).

Actually, the only thing that's needed is this:

  deny
    hosts = +home_net
    !authenticated = *
    set acl_c_denied_by_mail = yes
    set acl_c_dbm_message = Papers, please.

That blocks both 25 and 587 unless the user is authenticated. Submissions
to the local domain work fine. Just outgoing email needs an authenticated
user.

That's pretty neat.

--Yan

--
Yan Seiner