Marek Szuba | 1 Dec 01:54 2003

Selective AUTH LOGIN failures with exim4+PAM

Hello,

Trying to enable SMTP AUTH over SSL/TLS with exim version 4.22 as found
in Debian sarge packages, I have noticed that authentication fails for
certain users.

The system in question handles user accounts provided in many different
ways; it was therefore quite natural for us to employ PAM for
authentication purposes. In exim, the following rule has been put into
the auth configuration:

login:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   server_condition = "${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}"
   server_set_id = $1

whereas /etc/pam.d/exim4 and exim (just in case) both contain:

auth     sufficient     pam_ldap.so
auth     required       pam_unix.so try_first_pass
account  sufficient     pam_ldap.so
account  required       pam_unix.so
session  sufficient     pam_ldap.so
session  required       pam_unix.so

This setup works. The bad news is that, for a reason unknown to me, it
doesn't work for certain users (error 535). At first, knowing about the
colon issue, I thought the cause of that behaviour were non-alphanumeric
(Continue reading)
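The "colon issue" mentioned above comes from the way Exim's `pam` expansion item takes its arguments: a single colon-separated list, in which a literal colon must be written as `::`. That is what `${sg{$2}{:}{::}}` in the authenticator does to the password. The following Python is an added illustration, not code from the post or from Exim itself; it models the escaping and the split that PAM-side code would perform, so you can see why an unescaped colon in a password yields the wrong credential (and a 535). It escapes the username as well, which the quoted configuration does not do for `$1`; the helper names are made up.

```python
from typing import List


def pam_escape(field: str) -> str:
    """Escape one argument for Exim's pam{...} expansion item.

    A literal colon inside a field is written as '::', which is exactly
    what ${sg{$2}{:}{::}} does to the password in the authenticator.
    """
    return field.replace(":", "::")


def build_pam_args(username: str, password: str) -> str:
    """Build the 'user:password' argument string the pam{} item expects.

    Goes slightly beyond the quoted config by escaping the username too.
    """
    return f"{pam_escape(username)}:{pam_escape(password)}"


def split_pam_args(data: str) -> List[str]:
    """Split a pam{} argument string on single colons.

    A doubled colon ('::') is an escaped literal colon and stays inside
    the current field; a lone colon ends the field.
    """
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(data):
        ch = data[i]
        if ch == ":":
            if i + 1 < len(data) and data[i + 1] == ":":
                current.append(":")   # escaped literal colon
                i += 2
                continue
            fields.append("".join(current))  # unescaped colon: field boundary
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def credential_round_trips(username: str, password: str) -> bool:
    """True if escaping then splitting returns exactly [username, password].

    With escaping in place, a password such as 's3:cret' survives; without
    it, the same password would split into two extra fields and PAM would
    be handed 's3' as the password.
    """
    return split_pam_args(build_pam_args(username, password)) == [username, password]


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    for user, pw in [("alice", "s3:cret"), ("bob", "plain"), ("c:d", "x::y")]:
        print(user, repr(build_pam_args(user, pw)), credential_round_trips(user, pw))
    # Shows the failure mode the escaping prevents:
    print(split_pam_args("alice:s3:cret"))
```

The unescaped string `alice:s3:cret` splits into three fields, so the password PAM checks is `s3`, not `s3:cret`; the escaped form `alice:s3::cret` splits back into the two intended values.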

Pat Lashley | 1 Dec 04:46 2003

Callout -vs- SMTP AUTH

Hi Folks,

I have a setup with Exim 4.24 and Cyrus 2.2.2.  Exim is doing server
side SMTP AUTH with no problems.  (And, of course, Cyrus is doing
IMAP AUTH.)  I'm doing deliveries via the SMTP transport with protocol
set to LMTP so that I can do recipient/callout checks in the ACLs.
I have Cyrus set up to run the lmtp daemon in pre-authenticated mode
and listening only on the loopback port.  This all works fine; and
the only people with shell access to the machine are admins; so there
isn't much worry about direct access to the LMTP port.

Now I need to set up a similar system; but at a site where the Cyrus
and Exim servers will be on separate machines.  So I need further
protection of the LMTP port.  I added the client-side parameters to
the cram-md5 authenticator in Exim, using a Cyrus admin user.  My
initial tests worked fine; but the logs are showing external messages
being rejected with (sender host obscured and linebreaks added):

	H=example.com [10.0.0.1] Warning: ACL "warn" statement skipped:
	condition test deferred: response to "MAIL FROM:<>" from 127.0.0.1
	[127.0.0.1] was: 430 Authentication required

	2003-11-30 18:43:40 H=example.com [10.0.0.1]
	F=<owner-mumble <at> example.com> temporarily rejected RCPT
	<me+list <at> volant.org>: response to "MAIL FROM:<>" from
	127.0.0.1 [127.0.0.1] was: 430 Authentication required

Before I dig any further into this, does the callout code do
authentication if the transport has hosts_{try,require}_auth
set?  Or do I need to look for some other way to protect the
(Continue reading)

David Höhn | 1 Dec 07:58 2003

Migrating Exim3 settings to Exim4 (complete newbie coming from the sendmail corner)


Hello everyone.

I am trying to setup a mailing list server and I just wanted to verify
that I did the "right thing"tm.

I am using Sympa, which has configuration instructions for Exim3 but not
Exim4 and thus I am unsure if I have done this correctly. My setup looks
as follows:

trusted_users = mail:sympa   (The exim user is called mail on that system,
                              sympa is the user of the mailing list service)

Further down:

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
  user = mail
  file_transport = address_file
  pipe_transport = address_pipe
  file = /etc/aliases
  search_type = lsearch
  user = sympa

(I guess /etc/aliases would hold the same data that is used on a
sendmail system?)
(Continue reading)

Sheldon Hearn | 1 Dec 09:01 2003

Re: String expansion: repeat a character sequence n times

On (2003/11/30 15:11), Christian Vogel wrote:

> >       match {$h_X-Spam-Score:}{${repeat{\\\\+}{MAILBOX_SPAMTAG_THRESH}}} \
>
> have you tried this?
>         match {$header}{\+{MAILBOX_SPAMTAG_THRESH,}}
>
> In regular expressions you can use "pattern{1,5}" to mean
> "from one up to 5 times the pattern" or pattern{7,} to mean
> "minimum of 7 times the pattern".

Duh, that's much simpler than what I came up with.

Nice idea, thanks.

Ciao,
Sheldon.

--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at
http://www.exim.org/ ##

David Höhn | 1 Dec 09:01 2003

Re: Migrating Exim3 settings to Exim4 (complete newbie coming from the sendmail corner)


Derrick MacPherson wrote:

| Try using the conversion script that comes with the source code, works very
| well..
|
This will also work only on a portion of "Exim3" config? I do not have
an Exim3 config, I started out with Exim4, yet the recommendations on
sympa.org are only meant for Exim3. If those scripts work also for but a
portion of a full exim3 config file, then I am indeed most happy.

-d
--
nee amata wo mitsukete soshite midoto wasrezu
~     domma mi mumega itakutemo soba mi iru mo
~                        zutto...zutto...zutto
Thomas Kinghorn | 1 Dec 10:03 2003

vexim

Hi List.

Sorry for the OT posting.

I am running exim-4.24, SA 2.60, sa-exim-3.1, exiscan, clam and vexim.

When I send a mail to my virtual domain, with no local account (mysql auth),
I get the following error:

<snip>
2003-12-01 10:46:14 1AQjgc-0000BU-9z <= thomask <at> mail-rbk.mtnns.net
H=(protea.int.citec.net) [209.212.109.146] P=esmtp S=1952
id=4625C59C329BC447AFFB52E7F8BFF2750E1F1D3C <at> protea.int.citec.net
2003-12-01 10:46:14 1AQjgc-0000BU-9z ==
/var/mail/ack-sys.co.za/thomas/Maildir <thomas <at> ack-sys.co.za>
R=virtual_domains T=mysql_delivery defer (20): Not a directory: while
creating file
/var/mail/ack-sys.co.za/thomas/Maildir/temp.719.mail.ack-sys.co.za
<snip>

Sorry for this really DUMB question, but where does exim store the mail?
mbox or maildir?

Have never thought of it as I have only built relay (gateway) servers
which relay to our exchange server.

Regards,
Tom Kinghorn

(Continue reading)

Avleen Vig | 1 Dec 10:29 2003

Re: vexim

(hmm there is a vexim mailing list linked from
http://silverwraith.com/vexim :-)

Answers below..

> I am running exim-4.24, SA 2.60, sa-exim-3.1, exiscan, clam and vexim.
> When i send a mail to my virtual domain, with no local-account (mysql auth),
> I get
> the following error:
>
> <snip>
> 2003-12-01 10:46:14 1AQjgc-0000BU-9z <= thomask <at> mail-rbk.mtnns.net
> H=(protea.int.citec.net) [209.212.109.146] P=esmtp S=1952
> id=4625C59C329BC447AFFB52E7F8BFF2750E1F1D3C <at> protea.int.citec.net
> 2003-12-01 10:46:14 1AQjgc-0000BU-9z ==
> /var/mail/ack-sys.co.za/thomas/Maildir <thomas <at> ack-sys.co.za>
> R=virtual_domains T=mysql_delivery defer (20): Not a directory: while
> creating file
> /var/mail/ack-sys.co.za/thomas/Maildir/temp.719.mail.ack-sys.co.za
> <snip>
>
>
> Sorry for this really DUMB question, but where does exim store the mail?
> mbox or maildir?

Does /var/mail exist?
If so, I usually change the ownership of that directory to 1777. This
lets Exim create the directories it needs to.
It looks like "/var/mail/ack-sys.co.za/thomas/Maildir" does not exist.
Are you using the example configure file from vexim?
(Continue reading)

Philip Hazel | 1 Dec 12:17 2003

Re: Malware and Spam Scanning in an ISP environment with "Mandantenfaehigkeit"

On Sun, 30 Nov 2003, Marc Haber wrote:

> pipe delivery and re-submit:
...
> - exim -bt only shows the pipe delivery instead of the real target

You should add  address_test=false  to the router that sets up the pipe.

> system filter:
> - runs at the start of every delivery attempt
> - re-scans queued message on each queue run

You should add  "if not first_delivery then finish"  at the start of
your filter.

> I think it would be a good idea if it would be possible to have a
> local_scan_late function which is called after exim has taken
> responsibility for the message and the SMTP transaction has been
> completed. The API would be the same, with the sole difference that
> the REJECT return codes of the function would cause a delivery failure
> which would in turn result in a bounce being generated.

This is effectively a "system filter" with a different API.

> Philip, would you consider applying a patch to exim that adds a
> local_scan-to-Milter-Interface to exim? Thanks for your consideration.

I don't know anything about milter, but I have the impression that it is
a daemon that listens on a socket? Is this right? If so, it should not
be too hard to write an interface for it. This has in fact been on the
(Continue reading)

Philip Hazel | 1 Dec 12:18 2003

Re: Callout -vs- SMTP AUTH

On Sun, 30 Nov 2003, Pat Lashley wrote:

> Before I dig any further into this, does the callout code do
> authentication if the transport has hosts_{try,require}_auth
> set?

No.

--
Philip Hazel            University of Cambridge Computing Service,
ph10 <at> cus.cam.ac.uk      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book


Nigel Metheringham | 1 Dec 12:33 2003

Re: Malware and Spam Scanning in an ISP environment with "Mandantenfaehigkeit"

On Mon, 2003-12-01 at 11:17, Philip Hazel wrote:
> On Sun, 30 Nov 2003, Marc Haber wrote:
> > Philip, would you consider applying a patch to exim that adds a
> > local_scan-to-Milter-Interface to exim? Thanks for your consideration.
>
> I don't know anything about milter, but I have the impression that it is
> a daemon that listens on a socket? Is this right? If so, it should not
> be too hard to write an interface for it. This has in fact been on the
> Wish List for quite a long time.

I'm not exactly sure of the mechanics of milters, but when ages ago I
looked at the API for hooking in milters there appeared to be a very
sendmail-like smell about parts of it, i.e. redefining some of the
sendmail cf class macros appeared to be doable within the API, which
would be seriously hard to do in exim.

Now, having milter support in exim would be very nice because there are a
pile of things (for sendmail) that use it, and leveraging someone else's
software base is good.

However, if the only way we can do milter is to pick out the major part
of the API and drop the rest, that may make our milter compatibility very
limited.  I wonder how much of the API most milter apps use: is it just
a "give me the message, take back a return/disposition code", or is there
more to it than that?

	Nigel.
--
[ Nigel Metheringham           Nigel.Metheringham <at> InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
(Continue reading)
