
I am attempting to use Exim to function as an SMTP server which relays mail as a smarthost to our Mandrill service. (The point of this would be using Exim to authenticate our users for IMAP mail and auth them against our LDAP server while relying on Mandrill for delivery.)

I initially had Exim set up to smarthost and had the Mandrill settings in the .client file in the Exim folder. This worked correctly and I was able to use telnet or an MUA to send mail and it was relayed by Mandrill properly.

Then I enabled TLS and authentication and blocked non-authenticated users from using Exim. This also worked properly -- TLS is operational and I can connect and authenticate. But something in this authentication has broken the smarthost relay -- I suspect because Exim is passing my "local" LDAP auth credentials to Mandrill instead of the .client credentials I specified. The error in my mainlog file looks like this:

2014-04-24 06:54:53 1WchYz-0007Db-3E SMTP error from remote mail server after RCPT TO:: host smtp.us-east-1.mandrillapp.com [54.237.217.91]: 454 4.7.1 : Relay access denied

How can I set up Exim to authenticate incoming users, but use a different set of credentials to authenticate to the SMTP relay?

BastianW

1 Answer


The two authentications are independent.

You enable Exim to authenticate on outgoing connections, with a client authenticator. You will need to configure a line in the Exim passwd.client file for each server you need to authenticate to. The man page for exim_passwd_client describes the format of the password file.

Incoming authentication is done with a server authenticator. These are likely commented out in the default configuration. The man page for exim_passwd describes the passwd file. You should consider enabling TLS on the submission port (587) for users to send messages. The following macros at the start of the file should enable incoming authentication.

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 587

To allow authenticated users to send outgoing mail you will need to accept the connections at certain points. Where your configuration has a rule to handle local senders like:

accept
   hosts = +relay_from_hosts
   control = submission/sender_retain

Add a rule like:

accept
   authenticated = *
   control = submission/sender_retain
BillThor
  • Thanks for your answer Bill -- unfortunately, I have all of this done properly. I have both of the ACL blocks you listed and authenticated users make it through the ACL and are passing their message to Mandrill (my chosen relay). I also have incoming user auth set up exactly as you suggested, so no non-authenticated users can send mail. The problem is that my relay is somehow rejecting all mail from all authenticated users, when it was sending fine with un-authenticated SMTP users before I set up authentication. This naturally leads me to think that the user auth is the problem somehow... – Christian Sieber Apr 28 '14 at 18:50
  • @ChristianSieber Setting the server to run in queue-only mode will allow you to separate receiving messages from sending messages. There are tools like `swaks` that will allow you to set up repeatable tests. The reason messages were rejected should be logged in the exim `rejectlog` file. – BillThor Apr 28 '14 at 20:19
  • Sadly nothing is in rejectlog. I get the incoming SMTP connection and process the message to be relayed properly. But it appears that I'm not passing credentials to Mandrill at all despite the correct settings in my passwd.client file -- none of my SMTP attempts show up in my Mandrill account at all. So I'll have to drill into what exact settings activate the operation of the SMTP client and figure out what is going wrong. – Christian Sieber Apr 29 '14 at 01:36
  • As it turns out, adding client_send with the appropriate creds to one of my authenticators fixed the issue. No idea why that wasn't being picked up automatically from the passwd.client file. – Christian Sieber Apr 29 '14 at 02:25
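As an added illustration of the point made in the answer and resolved in the last comment (this is example configuration, not the answer's or the asker's own config): the server authenticator that checks submitting users and the client authenticator that sends the smarthost credentials are separate entries, and only a client_send option ever causes passwd.client to be read. The LDAP directory layout, ldap.example.com, the CONFDIR macro, the local_domains domain list, and the passwd.client line are assumptions, and the tls_in_cipher/tls_out_cipher variables need Exim 4.80 or later.

```exim
# Constructed passwd.client entry (one line per smarthost: host:login:password,
# file readable only by the Exim user):
#   smtp.us-east-1.mandrillapp.com:mandrill-login:mandrill-password

begin authenticators

# Server side: checked when a user submits a message to this Exim.
# Advertised only on TLS connections so PLAIN never crosses the wire in clear.
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if def:tls_in_cipher}
  # Assumed LDAP layout; bind as the user with the submitted password.
  server_condition = ${if ldapauth \
      {user="uid=${quote_ldap_dn:$auth2},ou=people,dc=example,dc=com" \
       pass=${quote:$auth3} ldap://ldap.example.com/}{yes}{no}}
  server_set_id = $auth2

# Client side: used when this Exim connects to the smarthost. Only client_*
# options apply here; the user's LDAP credentials are never reused, and
# without client_send nothing is sent no matter what passwd.client holds.
# "<;" makes ";" the list separator so a password containing ":" is not
# split; each "^" becomes the NUL byte that PLAIN requires.
plain_client:
  driver = plaintext
  public_name = PLAIN
  client_condition = ${if !eq{$tls_out_cipher}{}}
  hide client_send = "<; ^${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}"

begin routers

# Everything not local goes to the smarthost (host name from the question).
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  route_list = * smtp.us-east-1.mandrillapp.com
  no_more

begin transports

remote_smtp_smarthost:
  driver = smtp
  port = 587
  hosts_require_tls = *
  # Defer instead of relaying unauthenticated when the smarthost will not
  # accept our credentials; this transport is reached only via the router above.
  hosts_require_auth = *
```

With this in place a failed client login shows up as a deferral in mainlog rather than the 454 "Relay access denied" from the remote host, which is what to look for when checking whether credentials are actually being sent.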