Hello,

I'd like to set up exim to

* force TLS encryption from clients
* force SMTP auth. from clients

I tried switching around a couple of settings, but I still can send mails from thunderbird without authentication and without TLS.

My current setup:

MAIN_TLS_ENABLE = true
MAIN_TLS_ADVERTISE_HOSTS = *

---
dc_eximconfig_configtype='internet'
dc_other_hostnames='*******'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains='' <- this will be changed to '*'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
---

I really don't know why this isn't working. All I could think of to set for TLS was

tls_require_ciphers = AES : 3DES

but that didn't help.

I'm also using dovecot, so I tried to comment everything after

begin authenticators

and use the dovecot authenticator:

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

but exim complained about "unknown driver dovecot"

So I replaced this with the cram_md5 driver, but I still could send mails without auth. That's a bit frustrating :/

Looks like I've overlooked (probably) something trivial!?

Any help is greatly appreciated, thanks.

PS: my use case of the server:
I want authenticated/local users to be able to send mails to anyone, mails from other server or clients should just be accepted, if the "target" is a local user (I don't want this machine to be abused)

--
http://www.fastmail.fm - IMAP accessible web-mail

Eliteforce wrote:
> Hello,
>
> I'd like to set up exim to
>
> * force TLS encryption from clients
> * force SMTP auth. from clients
>
> [snip]
> dc_relay_domains='' <- this will be changed to '*'
>

Don't, this is a list of domains for which you will relay mail always, regardless of authentication.

> [snip]
> PS: my use case of the server:
> I want authenticated/local users to be able to send mails to anyone,
> mails from other server or clients should just be accepted, if the
> "target" is a local user (I don't want this machine to be abused

That should be the default configuration. The only thing you need is to set up the authentication mechanisms.

--
Eduardo M Kalinowski
eduardo at kalinowski.com.br

On Thu, 18 Sep 2008 16:31:18 -0300, "Eduardo M KALINOWSKI" <eduardo at kalinowski.com.br> said:
> Don't, this is a list of domains for which you will relay mail always,
> regardless of authentication.

so where do I set up the list of domains mails will be relayed for *after* the client authenticated?

> > [snip]
> > PS: my use case of the server:
> > I want authenticated/local users to be able to send mails to anyone,
> > mails from other server or clients should just be accepted, if the
> > "target" is a local user (I don't want this machine to be abused
>
> That should be the default configuration. The only thing you need is to
> setup the authentication mechanisms.

I don't think this works out of the box, because of this:

  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

--
http://www.fastmail.fm - A fast, anti-spam email service.

Eliteforce wrote:
> On Thu, 18 Sep 2008 16:31:18 -0300, "Eduardo M KALINOWSKI"
> <eduardo at kalinowski.com.br> said:
>
>> Don't, this is a list of domains for which you will relay mail always,
>> regardless of authentication.
>>
>
> so where do I set up the list of domains mails will be relayed for
> *after* the client authenticated?
>

You would need to configure that in the ACL that allows authenticated users to relay mail. By default, it allows relaying all mail from authenticated users.

> I don't think this works out of the box, because of this:
> # Insist that any other recipient address that we accept is either in
> one of
> # our local domains, or is in a domain for which we explicitly allow
> # relaying. Any other domain is rejected as being unacceptable for
> relaying.
> require
> message = relay not permitted
> domains = +local_domains : +relay_to_domains

Just before that ACL, there is another:

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. And again, we do this
  # check before any black list tests.
  accept authenticated = *
         control = submission/sender_retain

You should take a look at README.Debian in your exim package (also available online at http://pkg-exim4.alioth.debian.org/ ), and the exim documentation (http://www.exim.org/exim-html-current/doc/html/spec_html/ ). Chapter 7 deals with the default configuration file. While the Debian configuration is somewhat different in form, the differences in content are not that big. You'll probably want to take a look at the chapters about authentication, TLS/SSL and ACLs, at the minimum.

--
Eduardo M Kalinowski
eduardo at kalinowski.com.br
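
Added example, not part of any message in this thread and not the Debian package's own configuration: an Exim fragment that ties together the two ACL statements quoted above with the original goal of requiring both TLS and SMTP AUTH before relaying. It assumes the `$tls_cipher` variable name of Exim releases from the period of this thread (later releases call it `$tls_in_cipher`) and that the RCPT ACL is laid out as in the default configuration file.

```exim
# --- main configuration section ---

# Offer STARTTLS to every connecting host.
tls_advertise_hosts = *

# Advertise AUTH only after the session has been encrypted, so credentials
# are never offered over cleartext. $tls_cipher is empty on a plaintext
# session, which makes the host list empty (advertise to nobody).
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

# --- inside the RCPT ACL (acl_check_rcpt in the default configuration) ---

  # Default behaviour quoted in the thread: any authenticated session may
  # relay, whether or not it is encrypted.
  # accept  authenticated = *
  #         control       = submission/sender_retain

  # Stricter variant: relay only for sessions that are both encrypted
  # and authenticated. Both conditions must hold for the accept to apply.
  accept  encrypted     = *
          authenticated = *
          control       = submission/sender_retain

  # Every other sender reaches this statement and may only address
  # local domains or domains listed for relaying.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains
```

ACL statements are evaluated in order, so any earlier `accept hosts = +relay_from_hosts` statement still lets the listed hosts relay without authenticating; keep that host list as narrow as the deployment allows.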