vitko at post.cz
2008-Apr-21 10:02 UTC
[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions
I'm running exim4 on a Debian (Etch) machine, so far I have virtual users
in a MySQL database and courier packages for SSL POP3 and IMAP access.
Users are authenticated by courier authdaemon. This is very easy to set
up on Debian and there are great tutorials out there, too.

My problem is that I need to set up the following:

1) Mandatory SMTP AUTH + TLS for virtual users' MUAs (simply said: no
   authentication, no delivery).
2) As an exception to rule (1), enable non-authenticated plain SMTP for
   _one_ specific host (IP address). That host (actually an antispam and
   antivirus security appliance) will act as a smarthost and will also
   route incoming MTA traffic to my server (a kind of "bi-directional
   smarthost").

I guess some customized ACLs should do the trick. I'm still not familiar
with the debianized exim4 setup (and I'm still learning exim, too), so
I'd be really grateful for some examples of (a) _what_ ACLs I would need
and (b) _where_ to put them. I'm using a single file configuration
(exim4.conf.template).

Thanks a lot in advance!
Vit
Marc Haber
2008-Apr-22 10:34 UTC
[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions
On Mon, Apr 21, 2008 at 12:02:46PM +0200, vitko at post.cz wrote:
> I'm running exim4 on Debian (Etch) machine, so far I have virtual
> users in MySQL database and courier packages for SSL POP3 and IMAP
> access. Users are authenticated by courier authdemon. This is very
> easy to set up on Debian and there are great tutorial out there, too.
>
> My problem is that I need to set up following:
>
> 1) Mandatory SMTP AUTH + TLS for virtual users' MUAs (simply said: no
> authentication, no delivery).

Not even a delivery to addresses hosted on the same machine? How are
messages coming in from the internet accepted?

> 2) As an exception to rule (1) to enable non authenticated plain SMTP
> for _one_ specific host (ip address). That host (actually antispam
> and antivir security appliance) will act as smarthost and will also
> route incoming MTA traffic to my server (a kind of "bi-directional
> smarthost").

If you can live with your users being able to mail themselves and each
other without authentication, you can simply set dc_relay_nets to the
address of the smarthost and you have all you need.

If you want authentication even for local mail, you need to change your
acl_check_rcpt. The following is untested, but I think that it is enough
to add after

    accept
      authenticated = *
      control = submission/sender_retain

a

    deny
      message = authentication required

so that the ACL reads

    accept
      authenticated = *
      control = submission/sender_retain

    deny
      message = authentication required

The rest of the ACL will thus never be looked at again.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
Vitezslav Kotrla
2008-Apr-22 12:34 UTC
[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions
Marc Haber wrote on Tue 22. 04. 2008 at 12:34 +0200:
> > My problem is that I need to set up following:
> >
> > 1) Mandatory SMTP AUTH + TLS for virtual users' MUAs (simply said: no
> > authentication, no delivery).
>
> Not even a delivery to addresses hosted on the same machine? How are
> messages coming in from the internet accepted?

Thanks for your reply!

Messages from the internet sent to mailboxes on my server will be
delivered using the security appliance described below. (My machine hosts
3rd level domain mailboxes, whereas the security appliance is defined as
MX for the 2nd level domain. Mail for the 3rd level domain should end up
on the 2nd level MX automatically as there will be no explicit MX for the
3rd level and the appliance will forward 3rd level domain SMTP traffic to
my server.)

> > 2) As an exception to rule (1) to enable non authenticated plain SMTP
> > for _one_ specific host (ip address). That host (actually antispam
> > and antivir security appliance) will act as smarthost and will also
> > route incoming MTA traffic to my server (a kind of "bi-directional
> > smarthost").
>
> If you can live with your users being able to mail themselves and each
> other without authentication...
> If you want authentication even for local mail

Did you mean 'local' related to the domain managed by exim (mailboxes
with a domain address), or 'local' related to the system, e.g. login
users? All mail-enabled users are virtual, I keep mailboxes on my server
so the real people can access their mail using SSL IMAP and also send
e-mail to the rest of the world using SMTP + TLS, provided they have
authenticated.

> you need to change your acl_check_rcpt.
...
> so that the ACL reads
>
>     accept
>       authenticated = *
>       control = submission/sender_retain
>
>     deny
>       message = authentication required
>
> The rest of the ACL will thus never be looked at again.

Does this mean: IF not authenticated, THEN deny? And if an ACL statement
says 'deny', is it really final and no other ACLs are processed?

Then I need also

    accept hosts = my.security.appliance

in front of your statements so I get this ACL flow:

1) Is the SMTP traffic coming from my.security.appliance? Accept
   unconditionally and stop other ACL tests (how do I do the latter?)
2) Can the sender authenticate? Accept unconditionally (we trust our
   users), no other ACL tests required.
3) (and this is where I'm a bit lost) Accept any locally generated
   non-SMTP messages (e.g. cron script reports).

As a last step I need to put all this into exim4.conf.template, any idea
how to integrate all this smoothly on a debianized configuration?

Vit
Marc Haber
2008-Apr-22 13:00 UTC
[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions
On Tue, Apr 22, 2008 at 02:34:01PM +0200, Vitezslav Kotrla wrote:
> Marc Haber wrote on Tue 22. 04. 2008 at 12:34 +0200:
> > > My problem is that I need to set up following:
> > >
> > > 1) Mandatory SMTP AUTH + TLS for virtual users' MUAs (simply said: no
> > > authentication, no delivery).
> >
> > Not even a delivery to addresses hosted on the same machine? How are
> > messages coming in from the internet accepted?
>
> Thanks for your reply!
>
> Messages from internet send to mailboxes on my server will be delivered
> using security appliance described below.

And that's the only way in?

> > > 2) As an exception to rule (1) to enable non authenticated plain SMTP
> > > for _one_ specific host (ip address). That host (actually antispam
> > > and antivir security appliance) will act as smarthost and will also
> > > route incoming MTA traffic to my server (a kind of "bi-directional
> > > smarthost").
> >
> > If you can live with your users being able to mail themselves and each
> > other without authentication
> ...
> > If you want authentication even for local mail
>
> Did you mean 'local' related to domain managed by exim (mailboxes with
> domain address), or 'local' related to system, e.g. login users?

"Local" means that a message will be delivered by the exim in question to
a mailbox or some other storage, contrary to the MTA forwarding the
message somewhere, for example via SMTP.

> > you need to change your acl_check_rcpt.
> ...
> > so that the ACL reads
> >
> >     accept
> >       authenticated = *
> >       control = submission/sender_retain
> >
> >     deny
> >       message = authentication required
> >
> > The rest of the ACL will thus never be looked at again.
>
> Does this mean: IF not authenticated, THEN deny?

Yes.

The mail gateway will be able to deliver to the box by virtue of the
relay_nets clause that I didn't show here.

> And if ACL statement says 'deny', is it really final and no other
> ACLs are processed?

It is really final for this recipient, resulting in a 550 reply.

> Then I need also
>
>     accept hosts = my.security.appliance
>
> in front of your statements so get this ACL flow:

That's already in the default ACL.

> 1) is the SMTP traffic coming from my.security.appliance? Accept
> unconditionally and stop other ACL tests (how do I do the latter?)

Yes.

> 2) can sender authenticate? Accept unconditionally (we trust our users),
> no other ACL tests required.

Yes.

> 3) (and this is where I'm a bit lost) Accept any locally generated
> non-SMTP messages (e.g. cron scripts reports).

    accept hosts = :

You might want to add 127.0.0.1 as well.

> As a last step I need to put all this to exim4.conf.template, any
> idea to to integrate all this smoothly on debianized configuration?

Editing exim4.conf.template is as smooth as you can get with a non-split
config.

Greetings
Marc
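The ACL flow agreed in the exchange above, written out as an added example that is not from the thread or the Debian exim4 package. The appliance address 192.0.2.10 is a placeholder, the `encrypted = *` condition is an addition covering the TLS half of "SMTP AUTH + TLS", and statement order is what enforces the rules:

```exim
# Added example: acl_check_rcpt fragment for the flow discussed in the
# thread. Exim evaluates ACL statements top to bottom; the first accept or
# deny whose conditions all match ends processing for this RCPT command.

acl_check_rcpt:

  # 1) The antispam/antivirus appliance relays inbound MTA traffic without
  #    authentication. 192.0.2.10 is a placeholder (assumption); keep this
  #    list to that single host, since it is an unauthenticated open door.
  #    In the Debian default ACL the same thing is expressed through
  #    dc_relay_nets / the relay_from_hosts list.
  accept
    hosts = 192.0.2.10

  # 2) MUA submission: accept only sessions that are both authenticated
  #    and TLS-encrypted (encrypted = * is the added TLS requirement).
  #    submission mode fixes up headers; sender_retain keeps the user's
  #    own Sender: header.
  accept
    authenticated = *
    encrypted     = *
    control       = submission/sender_retain

  # 3) Locally generated, non-SMTP messages (cron reports etc.) have no
  #    sender host address; the empty item in the host list matches exactly
  #    that. 127.0.0.1 additionally covers local programs that speak SMTP
  #    to the loopback interface.
  accept
    hosts = : 127.0.0.1

  # Everything else gets a final 550 for this recipient; any statements
  # below this point in the ACL are never reached.
  deny
    message = authentication required
```

Because the deny is unconditional, any per-domain or per-recipient checks from the Debian default ACL that still matter (for example verify = recipient) must be placed above it.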
Vitezslav Kotrla
2008-Apr-22 13:12 UTC
[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions
Marc Haber wrote on Tue 22. 04. 2008 at 15:00 +0200:
> > Messages from internet send to mailboxes on my server will be delivered
> > using security appliance described below.
>
> And that's the only way in?

Users (mailbox holders) will submit messages via their MUAs using SMTP
AUTH + TLS, all other incoming SMTP traffic (MTAs) will be delivered
through the security appliance (tcp 25 and plain SMTP as the appliance
doesn't speak TLS). (Have I forgotten something? :-)

Vit
Marc Haber
2008-Apr-22 14:15 UTC
[Pkg-exim4-users] How to do mandatory SMTP AUTH plus exceptions
On Tue, Apr 22, 2008 at 03:12:19PM +0200, Vitezslav Kotrla wrote:
> (tcp 25 and plain SMTP as the appliance
> doesn't speak TLS).

A security appliance not capable of encryption? Yay, that's a roaring
success in enhancing security.

Greetings
Marc