
I need to make a Dovecot IMAP email account receive-only, so that the users can browse, move and delete existing emails but cannot send email from that account.

Sending is done via exim accepting SMTP connections from MUAs. It uses Dovecot as an authenticator like so:

dovecot_plain:
     driver = dovecot
     public_name = PLAIN
     server_socket = /var/run/dovecot/auth-client
     server_set_id = $auth1

How can I do something like:

   unless_login_name_is = notallowed1@mydomain.com : notallowed2@mydomain.com

Edit: here's what is not working...

acl_smtp_mailauth = acl_check_mailauth

...

acl_check_mailauth:
  deny condition = ${if eq{$authenticated_sender}{banned.user@example.com} {yes}{no}}

I thought it might be the condition that's wrong, but doing this:

acl_check_mailauth:
  deny

also has no effect. I've read the manual but didn't find it helped me understand what's going on.

Edit 2: trying acl_smtp_auth

As suggested by @wurtel, I tried using this ACL instead. However I am now stuck with another problem: the AUTH comes in PLAIN form which looks like

PLAIN <base64encodedvalue>

To get to the username, I need to decode it; however ${base64d:${sg{$smtp_command_argument}{^PLAIN }{}}} returns an empty string.

I think this is because the <base64encodedvalue> when decoded starts with a NUL byte!

  • You could define an ACL `acl_smtp_mailauth` which is run when a user authenticates, and use that to filter which users may authenticate to exim. You can test `$authenticated_sender` in that ACL. – wurtel Nov 28 '19 at 16:06
  • @wurtel thanks, I've tried (and failed) at that - see edited question. – artfulrobot Nov 28 '19 at 17:20
  • I've since read that acl_check_mailauth is only if AUTH is supplied on the MAIL SMTP command, try acl_check_auth as well. You do have exim configured to only allow authenticated users to send mail? If not, the ACL doesn't help, a deny only removes the AUTH part of the SMTP transaction. – wurtel Nov 29 '19 at 08:19
  • @wurtel again, thanks, I see that mailauth is not going to work. I AM authenticating users before accepting mail. But now I've hit another brick wall (see edit 2) – artfulrobot Nov 29 '19 at 09:44


(Thanks to the comments from @wurtel, which were helpful in ruling out my initial approaches)

I've achieved this by altering acl_smtp_auth with the following ACL:

acl_check_mail:

  deny
    condition   = ${lookup{$authenticated_id}lsearch{/etc/exim4/users-not-allowed-to-send-mail}{yes}{no}}
    message     = "Sending mail is not enabled for this account"
    log_message = "Denied sending mail as '$authenticated_id'"

  # Uncomment the following to debug:
  # warn log_message = "acl_check_mail is accepting mail for '$authenticated_id'"

  accept

Then I have a file at /etc/exim4/users-not-allowed-to-send-mail with lines like

disabled.account@example.com
also.disabled@example.com

Note that ${lookup} is helpful enough to not match an empty $authenticated_id with a line in the file.

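As an added illustration (not code from the question, the answer or exim itself), the following Python shows the SASL PLAIN layout that causes the empty-string problem in Edit 2, and the deny-list check that the accepted answer performs with an lsearch lookup. The deny-list entries and the credentials are constructed sample values.

```python
import base64

# Constructed deny list, mirroring the answer's /etc/exim4/users-not-allowed-to-send-mail
DENIED_SENDERS = {
    "disabled.account@example.com",
    "also.disabled@example.com",
}


def encode_sasl_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the argument of an 'AUTH PLAIN <base64>' command (RFC 4616 layout)."""
    raw = authzid.encode() + b"\x00" + authcid.encode() + b"\x00" + password.encode()
    return "PLAIN " + base64.b64encode(raw).decode("ascii")


def parse_sasl_plain(argument: str) -> tuple[str, str, str]:
    """Split an 'AUTH PLAIN' argument into (authzid, authcid, password).

    The decoded bytes are authzid NUL authcid NUL password.  The authzid is
    usually empty, so the decoded data starts with a NUL byte, exactly as the
    question observes.
    """
    if argument.upper().startswith("PLAIN "):
        argument = argument[len("PLAIN "):]
    raw = base64.b64decode(argument, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message: expected authzid, authcid, password")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def truncated_at_nul(argument: str) -> str:
    """What a NUL-terminated string view of the decoded data yields: everything
    up to the first NUL, i.e. the (empty) authzid.  This reproduces the empty
    result the question reports from ${base64d:...}."""
    if argument.upper().startswith("PLAIN "):
        argument = argument[len("PLAIN "):]
    raw = base64.b64decode(argument, validate=True)
    return raw.split(b"\x00", 1)[0].decode("utf-8")


def sending_allowed(argument: str, denied: set[str] = DENIED_SENDERS) -> bool:
    """Deny-list check on the authenticated user, like the answer's ACL.

    Case-insensitive match on the authcid; an empty authcid is never a match,
    mirroring the answer's note that an empty $authenticated_id does not match.
    """
    _, authcid, _ = parse_sasl_plain(argument)
    if not authcid:
        return True
    return authcid.lower() not in {d.lower() for d in denied}
```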