List: exim-users
Subject: Re: [exim] auth_relay_hosts and 587
From: Magnus Holmgren <holmgren () lysator ! liu ! se>
Date: 2007-08-29 16:43:35
Message-ID: 200708291843.41930 () proffe ! kibibyte ! se
On Wednesday 29 August 2007 16:56, Matt wrote:
> I am running Directadmin email/web server that uses Exim.
>
> In my exim.conf I have this.
>
> domainlist local_domains = lsearch;/etc/virtual/domains
> domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
> hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts :
> /etc/virtual/relay_ips : 127.0.0.1
> hostlist auth_relay_hosts = *
>
> and this:
>
> # to restrict port 587 to authenticated users only
> # see also daemon_smtp_ports above
> #accept hosts = +auth_relay_hosts
> # condition = ${if eq {$interface_port}{587} {yes}{no}}
> # endpass
> # message = relay not permitted, authentication required
> # authenticated = *

Where is that? It should be no earlier than the "MAIL FROM" ACL
(acl_smtp_mail).

> I want to restrict port 587 to authenticated users and trusted users.
> The pophosts file contains a dynamic list of IP's that have
> successfully pop3'd mail in the last 15 minutes. The relay_ips file
> contains a list of my subnets that belong to me. I want to allow all
> of these and users that utilize authenticated SMTP to use port 587 and
> no others on 587. Problem is that whenever I enable/uncomment this it
> only allows authenticated SMTP through. What do I need to change
> here?

Try this:

  known_users:
    accept hosts = +relay_hosts
    accept authenticated = *
    [...accepts for other kinds of users...]

  check_sender:
    accept condition = ${if eq {$interface_port}{587}}
           endpass
           message = Only authorised users may use the submission port.
           acl = known_users

Without "endpass", which is semi-deprecated (not "best practice"), the
check_sender ACL can be written as

  check_sender:
    accept condition = ${if eq {$interface_port}{587}}
           acl = known_users
    deny   message = Only authorised users may use the submission port.
           condition = ${if eq {$interface_port}{587}}

or if you want to allow submission on port 25, delete the first condition.
I find a sub-ACL very useful here.

By the way, have you considered dropping POP-before-SMTP support? Many ISPs
and web hotels have done that since it's less reliable than SMTP AUTH, which
nearly all mail clients support nowadays.
--
Magnus Holmgren holmgren@lysator.liu.se
(No Cc of list mail needed, thanks)
"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
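
Added example, not part of the original message and not Exim code: a simplified Python model of ACL evaluation (accept/deny verbs, "endpass", sub-ACL calls, implicit deny) that tabulates port-587 decisions for the statement Matt quoted and for both check_sender variants from the reply. All function and key names are assumptions for illustration; only the ACL logic comes from the thread.

```python
# Simplified model of Exim ACL evaluation (added example, not Exim code).
# Models only: accept/deny verbs, "endpass", sub-ACL calls via "acl =",
# and the implicit deny at the end of an ACL.
ENDPASS = "endpass"

def port587(c): return c["port"] == 587
def relay_host(c): return c["relay_host"]      # host is in +relay_hosts
def authenticated(c): return c["auth"]         # SMTP AUTH succeeded
def any_host(c): return True                   # hostlist "*"
def sub_acl(name): return lambda c: run_acl(name, c) == "accept"

ACLS = {
    # Matt's commented-out statement, enabled (auth_relay_hosts = *).
    "original": [("accept", [any_host, port587, ENDPASS, authenticated])],
    "known_users": [("accept", [relay_host]), ("accept", [authenticated])],
    # Suggested check_sender, endpass form.
    "check_sender_endpass": [("accept", [port587, ENDPASS, sub_acl("known_users")])],
    # Suggested check_sender without endpass.
    "check_sender": [("accept", [port587, sub_acl("known_users")]),
                     ("deny", [port587])],
}

def run_acl(name, conn):
    for verb, conditions in ACLS[name]:
        past_endpass, matched = False, True
        for cond in conditions:
            if cond is ENDPASS:
                past_endpass = True
            elif not cond(conn):
                matched = False
                break
        if matched:
            return verb     # every condition held: the verb takes effect
        if verb == "accept" and past_endpass:
            return "deny"   # failure after endpass rejects immediately
    return "deny"           # implicit deny at end of ACL

def submission_table(name):
    """Decisions on port 587 for each (in relay_hosts, authenticated) pair."""
    return {(rh, au): run_acl(name, {"port": 587, "relay_host": rh, "auth": au})
            for rh in (False, True) for au in (False, True)}

if __name__ == "__main__":
    for name in ("original", "check_sender_endpass", "check_sender"):
        print(name, submission_table(name))
```

The table for "original" shows a host in relay_hosts being denied without authentication, because the authenticated test sits after endpass and relay_hosts is never consulted.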