
Is it possible to set up Exim so that, based on the username passed along to it, it can reject an authentication attempt before it tries to do a password lookup for that username? I've done something similar with Dovecot for incoming mail check attempts through a deny passdb and want to do the same for outgoing mail attempts as well. The main reason we can't just let them keep trying and failing is that the IP blocks that result will sometimes affect other people.

I've gone over the Exim documentation for what seems relevant (ACLs, authenticators, the variable index, etc.) but I'm not too confident that my interpretation of it is accurate. There are a few ACLs that seem relevant, but my initial attempts at using them haven't panned out.

The two ACLs I attempted to work with were acl_smtp_auth and acl_smtp_connect, with the following code:

# Intended: reject the AUTH attempt when the address is on the blacklist file.
# Note: $sender_address is only set once MAIL FROM has been received, and the
# AUTH ACL runs when the AUTH command arrives, before the authenticator has
# read the username, so neither ACL sees the value this lookup needs.
deny condition = ${if exists{/etc/virtual/blacklist_smtp_email_accounts}}
     condition = ${lookup{$sender_address}lsearch{/etc/virtual/blacklist_smtp_email_accounts}{1}{0}}
     message   = E-Mail $sender_address is blacklisted
     logwrite  = E-Mail $sender_address is blacklisted

Would this instead require modifying the authenticators, which would mean whatever I do must be secure, or am I just using the wrong ACL/wrong code?

Any assistance would be appreciated.

Best regards,

Bastille

1 Answer


If you need to allow AUTH for the client but, based on the address supplied, want to prevent the actual password lookup, then indeed the most logical place seems to be the authenticator:

# Macros; they must be defined before the authenticator that uses them.
# lsearch yields "true" when $auth2 (the PLAIN authentication id) is a key in
# the file and an empty string otherwise; bool{} treats the empty string as false.
Q_AUTH_USERBL = ${lookup{$auth2}lsearch{.../blacklist}{true}}
# "fail" forces the expansion to fail for an unknown user, which fails the
# authentication. Without it the failed lookup yields "", so an unknown user
# presenting an empty password would compare "" with "" and be accepted.
Q_AUTH_PLAIN  = ${if eq{${lookup{$auth2}lsearch{.../users}{$value}fail}}{$auth3}{true}{false}}

or using SQL:

# Table "users" as in the query further down ("user" is a reserved word in
# PostgreSQL), with a boolean column "blacklisted". count(*) always returns a
# row, so the lookup always succeeds; use $value ("0" or "1") rather than a
# fixed success string, otherwise every user looks blacklisted. bool{} treats "0" as false.
Q_AUTH_USERBL = ${lookup pgsql{SELECT count(*) FROM users WHERE uid='${quote_pgsql:$auth2}' AND blacklisted}{$value}{0}}

# Password check. A one-argument encrypt() does not exist in PostgreSQL; this
# uses pgcrypto's crypt(password, stored_hash) idiom against a crypt()-style
# hash in column "pw". server_condition treats "1" as success and "0" as failure;
# "fail" covers the case where the query itself returns no row.
Q_AUTH_PLAIN = ${lookup pgsql{SELECT count(*) FROM users WHERE uid='${quote_pgsql:$auth2}' AND pw=crypt('${quote_pgsql:$auth3}', pw)}{$value}fail}

fixed_plain:
  driver = plaintext
  public_name = PLAIN
  # PLAIN carries "authzid NUL authcid NUL password", which the driver puts in
  # $auth1, $auth2 and $auth3. The blacklist test runs first; Q_AUTH_PLAIN (the
  # password lookup) is only expanded when the user is not blacklisted.
  server_condition = ${if !bool{Q_AUTH_USERBL}{Q_AUTH_PLAIN}{false}}
  server_set_id = $auth2
  server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  # Only advertise PLAIN on a TLS-protected connection; $tls_in_cipher is empty
  # otherwise ($tls_cipher is the older name for the same variable).
  server_advertise_condition = ${if def:tls_in_cipher}
.endif

In the case of SQL it's quite pointless, since one would end up using two lookups instead of one and would reach the same conclusion by using

SELECT COUNT(*) FROM users WHERE uid=$1 AND pw=$2 AND NOT blacklisted;

kind of SQL, and could simply use server_condition=Q_AUTH_PLAIN.

As for ACLs, I'd examine acl_smtp_mailauth, but I've never needed it.

(I hope I haven't made any mind slips or typos.)

grin
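The following is an added example, not code from the question, the answer or Exim itself: a Python model of the authenticator decision the answer describes, so that the ordering (blacklist first, password lookup only afterwards) can be exercised offline. It decodes the SASL PLAIN initial response the way Exim's plaintext driver fills $auth1/$auth2/$auth3, and returns the SMTP reply the server would send. The usernames, the blacklist, the salt and the password hashes are constructed sample data; the reply texts are modelled on Exim's wording.

```python
"""Model of: server_condition = ${if !bool{Q_AUTH_USERBL}{Q_AUTH_PLAIN}{false}}

Added example with constructed data; it is not Exim code and not part of the
original page. The blacklist check must run before any password lookup, and an
unknown user must never be compared against an empty stored value.
"""
import base64
import hashlib
import hmac
from typing import NamedTuple, Tuple

# Constructed stand-ins for .../blacklist and .../users (or the SQL table).
BLACKLIST = {"mallory"}

# Assumption for the demo: one fixed salt. Real deployments use a per-user
# random salt (or a crypt()-style hash that embeds one).
_SALT = b"demo-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {
    "alice": _hash_password("correct horse battery staple"),
    "mallory": _hash_password("mallory-pass"),  # valid password, but blacklisted
}


def plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """What a client sends after 'AUTH PLAIN ' (RFC 4616):
    base64(authzid NUL authcid NUL password)."""
    blob = (authzid.encode("utf-8") + b"\0"
            + authcid.encode("utf-8") + b"\0"
            + password.encode("utf-8"))
    return base64.b64encode(blob).decode("ascii")


def parse_plain(b64: str) -> Tuple[str, str, str]:
    """Split the decoded blob into ($auth1, $auth2, $auth3) as the plaintext
    driver does. Raises ValueError on bad base64, bad UTF-8 or a wrong field count."""
    raw = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def is_blacklisted(username: str) -> bool:
    """Q_AUTH_USERBL: true only when the authentication id is listed."""
    return username in BLACKLIST


def password_ok(username: str, password: str) -> bool:
    """Q_AUTH_PLAIN: a missing user fails outright; the lookup result is never
    compared against an empty value. Constant-time compare on the hashes."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password))


class AuthResult(NamedTuple):
    code: int               # SMTP reply code
    text: str               # reply text, modelled on Exim's wording
    password_checked: bool  # whether the password lookup ran at all


def authenticate(b64: str) -> AuthResult:
    """The server side of AUTH PLAIN with the initial response given."""
    try:
        _auth1, auth2, auth3 = parse_plain(b64)
    except ValueError:
        return AuthResult(501, "Invalid base64 data", False)
    if is_blacklisted(auth2):
        # Short-circuit: Q_AUTH_PLAIN is never expanded for a blacklisted user,
        # and the client sees the same reply as for a wrong password.
        return AuthResult(535, "Incorrect authentication data", False)
    if password_ok(auth2, auth3):
        return AuthResult(235, "Authentication succeeded", True)
    return AuthResult(535, "Incorrect authentication data", True)


if __name__ == "__main__":
    for who, pw in (("alice", "correct horse battery staple"), ("alice", "wrong"),
                    ("mallory", "mallory-pass"), ("nobody", "")):
        print(f"{who:8s} -> {authenticate(plain_initial_response('', who, pw))}")
```

Two things worth keeping in mind when moving this back into Exim. First, a blacklisted user gets the same 535 reply as a wrong password but gets it faster, because no hash comparison or SQL round trip happens; that is exactly the behaviour the question asks for, but it does mean timing distinguishes the two cases. Second, the lookups can be checked with a literal key before the authenticator is deployed, e.g. `exim -be '${lookup{alice}lsearch{/path/to/blacklist}{true}}'`, which prints `true` for a listed name and an empty line otherwise.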