Exim4 & SMTP auth for every client

Milla

Hello,
after successfully solving my old problem (https://serversupportforum.de/threads/exim4-cyrus21.4927/)
I am already facing a new one.
I want every client to have to authenticate against the Exim4 server when sending via SMTP!
Authentication already works with the help of SASL, but somehow sending also still works when no login is given... and exactly that should not be possible.
Thanks in advance for your suggestions

Milla
 
I have everything in one file...
The problem is that I can send emails both with authentication and without... and the latter is exactly what should not work. That is, I want to force every client to authenticate via SMTP auth.

Milla
 
It is normal for the server to accept emails without authentication as long as the mail can be delivered locally. If you disable that, you will not be able to receive mail any more. Are you sure you want it that way?
Post the "acl/30_exim4-config_check_rcpt" section of your configuration file.
 
The problem, though, is that mails addressed to recipients outside the local domain can also be sent without authentication... My exim4 acts as a smarthost and hands mails for foreign domains on to a mail relay at my provider...

#####################################################
### acl/30_exim4-config_check_rcpt
#####################################################

### acl/30_exim4-config_check_rcpt
#################################

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:
  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept
    hosts = :

  # Add missing Date and Message-ID header for relayed messages
  warn
    hosts = +relay_from_hosts
    control = submission/sender_retain


  # The following section of the ACL is concerned with local parts that contain
  # certain non-alphanumeric characters. Dots in unusual places are
  # handled by this ACL as well.
  #
  # Non-alphanumeric characters other than dots are rarely found in genuine
  # local parts, but are often tried by people looking to circumvent
  # relaying restrictions. Therefore, although they are valid in local
  # parts, these rules disallow certain non-alphanumeric characters, as
  # a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # a name without a second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # Two different rules are used. The first one has a quite strict
  # default, and is applied to messages that are addressed to one of the
  # local domains handled by this host.
  # If you have local accounts that include strange characters, you can
  # use the macro provided to change the ACL range or to disable the
  # check completely.
.ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
.endif


  # The second rule applies to all other domains, and its default is
  # considerably less strict.
.ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
.endif


  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  accept
.ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
.else
    local_parts = CHECK_RCPT_POSTMASTER
.endif
    domains = +local_domains


  # deny bad senders (envelope sender)
  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                 {CONFDIR/local_sender_blacklist}\
                 {}}


  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # The local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
               {CONFDIR/local_host_blacklist}\
               {}}


  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable this feature.
.ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !acl = acl_whitelist_local_deny
    !verify = sender
.endif

  # For some sender domains, we do callout to verify if a sender
  # exists.
  deny
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_callout}\
                 {CONFDIR/local_sender_callout}\
                 {}}
    !verify = sender/callout


  # For some recipient domains, we do callout to verify if a recipient
  # exists. This is especially handy for customers that receive a lot of
  # spam to non-existent addresses.
  deny
    !acl = acl_whitelist_local_deny
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                    {CONFDIR/local_rcpt_callout}\
                    {}}
    !verify = recipient/callout


  # Warn if the sender host does not have valid reverse DNS.
  #
  # If your system can do DNS lookups without delay or cost, you might want
  # to enable this.
  # If sender_host_address is defined, it's a remote call. If
  # sender_host_name is not defined, then reverse lookup failed. Use
  # this instead of !verify = reverse_host_lookup to catch deferrals
  # as well as outright failures.
.ifdef CHECK_RCPT_REVERSE_DNS
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                   {yes}{no}}
.endif


  # Check against classic DNS "black" lists (DNSBLs) which list
  # sender IP addresses
.ifdef CHECK_RCPT_IP_DNSBLS
  warn
    message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
.endif


  # Check against DNSBLs which list sender domains, with an option to locally
  # whitelist certain domains that might be blacklisted. If you want one
  # blacklist per domain, you need to replicate the stanza for each DNSBL.
.ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                  {CONFDIR/local_domain_dnsbl_whitelist}\
                  {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS/$sender_address_domain
.endif


  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
.ifdef CHECK_RCPT_LOCAL_ACL_FILE
.include CHECK_RCPT_LOCAL_ACL_FILE
.endif


  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  #
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient


  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  #
  # If you want to use the more conservative "unknown user" error
  # message in case of a non-existing local part, you might want to
  # set CHECK_RCPT_GIVE_UNKNOWN_USER. However, this might reveal
  # local information, which is the cause for it not being enabled by
  # default.
  accept
    domains = +relay_to_domains
    endpass
.ifdef CHECK_RCPT_GIVE_UNKNOWN_USER
    message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
.else
    message = unrouteable address
.endif
    verify = recipient


  ############
  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.
  ############

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.
  #
  accept
    hosts = +relay_from_hosts


  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.
  #
  accept
    authenticated = *


  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  #
  deny
    message = relay not permitted
 
That is the standard ACL, so there should not be any error in there. Try the following:
Code:
exim4 -bh 1.2.3.4
helo ich
mail from: irgendwer@irgend.wo
rcpt to: irgendwer@irgend.wo
data
irgendwas
.
Please type it in manually or paste it in line by line; exim does not like it when you enter the whole block without any pauses.
Then read through the output; you will probably find the problem yourself :)
 
Hmm, somehow I can't make anything out of it... I have to say this is also the first time I am setting up an exim4 like this... I'll post the output step by step:

******:~# exim4 -bh 1.2.3.4

**** SMTP testing session as if from host 1.2.3.4
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 1.2.3.4
>>> IP address lookup using gethostbyaddr()
>>> IP address lookup failed: h_errno=1
LOG: no host name found for IP address 1.2.3.4
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 ******* ESMTP Exim 4.50 Fri, 02 Dec 2005 09:03:00 +0100

helo ich
>>> ich in helo_lookup_domains? no (end of list)
250 ******** Hello ich [1.2.3.4]


rcpt to: irgendwer@irgend.wo
>>> using ACL "acl_check_rcpt"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed
>>> processing "warn"
>>> check hosts = +relay_from_hosts
>>> host in "127.0.0.1 : ::::1 : 10.0.0.0/8"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> warn: condition test failed
>>> processing "deny"
>>> check domains = +local_domains
>>> irgend.wo in "@:localhost:bbs1-kl.de"? no (end of list)
>>> irgend.wo in "+local_domains"? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check domains = !+local_domains
>>> irgend.wo in "!+local_domains"? yes (end of list)
>>> check local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
>>> irgendwer in "^[./|] : ^.*[@%!'`#&?] : ^.*/\.\./"? no (end of list)
>>> deny: condition test failed
>>> processing "accept"
>>> check local_parts = postmaster
>>> irgendwer in "postmaster"? no (end of list)
>>> accept: condition test failed
>>> processing "deny"
>>> check !acl = acl_whitelist_local_deny
>>> using ACL "acl_whitelist_local_deny"
>>> processing "accept"
>>> check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
>>> host in ""? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> accept: condition test failed
>>> end of ACL "acl_whitelist_local_deny": implicit DENY
>>> check senders = ${if exists{/etc/exim4/local_sender_blacklist}{/etc/exim4/local_sender_blacklist}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check !acl = acl_whitelist_local_deny
>>> using ACL "acl_whitelist_local_deny"
>>> processing "accept"
>>> check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
>>> host in ""? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> accept: condition test failed
>>> end of ACL "acl_whitelist_local_deny": implicit DENY
>>> check hosts = ${if exists{/etc/exim4/local_host_blacklist}{/etc/exim4/local_host_blacklist}{}}
>>> host in ""? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check !acl = acl_whitelist_local_deny
>>> using ACL "acl_whitelist_local_deny"
>>> processing "accept"
>>> check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
>>> host in ""? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> accept: condition test failed
>>> end of ACL "acl_whitelist_local_deny": implicit DENY
>>> check senders = ${if exists{/etc/exim4/local_sender_callout}{/etc/exim4/local_sender_callout}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check !acl = acl_whitelist_local_deny
>>> using ACL "acl_whitelist_local_deny"
>>> processing "accept"
>>> check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
>>> host in ""? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> accept: condition test failed
>>> end of ACL "acl_whitelist_local_deny": implicit DENY
>>> check recipients = ${if exists{/etc/exim4/local_rcpt_callout}{/etc/exim4/local_rcpt_callout}{}}
>>> irgendwer@irgend.wo in ""? no (end of list)
>>> deny: condition test failed
>>> processing "accept"
>>> check domains = +local_domains
>>> irgend.wo in "+local_domains"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check domains = +relay_to_domains
>>> irgend.wo in ""? no (end of list)
>>> irgend.wo in "+relay_to_domains"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = +relay_from_hosts
>>> host in "+relay_from_hosts"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check authenticated = *
>>> accept: condition test failed
>>> processing "deny"
>>> deny: condition test succeeded
550 relay not permitted
LOG: H=(ich) [1.2.3.4] F=<irgendwer@irgend.wo> rejected RCPT irgendwer@irgend.wo: relay not permitted

The problem is in the "RCPT to", isn't it? It also looks to me as if no Auth command is being invoked anywhere. But somehow the output is more than incomprehensible to me; it would be nice if you could help me with it once more.

Milla
 
It also looks to me as if no Auth command is being invoked anywhere.
Yes, but what you are concerned with is mail relaying without authentication...
If you want to authenticate yourself, it gets complicated, at the latest when hash values are demanded instead of plaintext passwords. http://www.ietf.org/rfc/rfc2554.txt
but somehow sending also still works when no login is given...
The last lines say that exim does not accept the mail, which is exactly what you want and what Exim's default setting is. Give a precise example of how it also works without a login.
 
So let's take Thunderbird as the client.
I can send emails to local and external addresses both with SMTP authentication enabled and without it.
And the latter case is exactly what should not work; that is, it should not allow sending without SMTP authentication in the first place.

Milla


//edit:
argh, the secret of my problem lay in "dc_relay_nets": since my home network was entered there, it accepted every SMTP submission coming from those IPs without any authentication.
SMTP sending to external addresses now only works with authentication.
What remains is to also catch sending to local addresses with an authentication requirement.
Let's see how I get that solved...

Mixry
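One way to close the gap Milla still has open, as an added example and not configuration from the thread or from the Debian exim4 package: drop the home network from dc_relay_nets, and through the CHECK_RCPT_LOCAL_ACL_FILE hook that the posted acl_check_rcpt already includes before its local-domain accept, refuse unauthenticated RCPT commands from LAN hosts only, so Internet MTAs delivering to +local_domains are still accepted (the concern raised earlier in the thread). The 10.0.0.0/8 network is the one visible in the -bh trace; the macro file path, the ACL file path and the MY_LAN_NETS macro name are assumptions.

```exim
# --- /etc/exim4/update-exim4.conf.conf (Debian exim4-config) ---
# Empty relay nets: nobody relays by IP address alone any more. Run
# update-exim4.conf afterwards so the generated config picks this up.
dc_relay_nets=''

# --- /etc/exim4/conf.d/main/000_localmacros (assumed file name) ---
# Networks whose clients are MUAs that must authenticate (taken from the
# relay_from_hosts list shown in the -bh trace), and the hook macro that
# makes acl_check_rcpt .include the fragment below.
MY_LAN_NETS = 10.0.0.0/8
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/acl_check_rcpt_local

# --- /etc/exim4/acl_check_rcpt_local (assumed path) ---
# Included by acl_check_rcpt before its "accept domains = +local_domains"
# statement, so it applies to local recipients as well as to relaying.
# All conditions must be true for the deny to fire: only a LAN host that
# has not authenticated matches. An Internet MTA delivering to a local
# domain is outside MY_LAN_NETS and still reaches the normal accept.
# Local submissions via the sendmail command are accepted earlier by
# "accept hosts = :" and are not affected.
deny
  hosts          = MY_LAN_NETS
  !authenticated = *
  message        = authentication required, please enable SMTP AUTH in your mail client
  log_message    = unauthenticated submission from LAN host $sender_host_address refused
```

Verify with the same exim4 -bh test used earlier in the thread, simulating a LAN address (for example -bh 10.0.0.5): a RCPT to a local domain without a prior AUTH should now be refused, and the log_message line makes such attempts visible in mainlog.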
 