Date: Mon, 2 Dec 2002 10:35:06 +0000
From: Mike Richardson <doctor@mcc.ac.uk>
Hiya,
I thought I'd submit this as an example of an authenticated mail hub
configuration. Several people have asked for it so I thought it
might be of interest.
Authenticated mail hubs using LDAP to authenticate against which simply
forward mail to central mailrouters. X headers are added for audit
trail purposes.
Config:
#########################################################################
acl_smtp_rcpt = acl_check_rcpt
ignore_bounce_errors_after = 12h
timeout_frozen_after = 3d
# LDAP server:
hide ldap_default_servers=ldap.your.site
# SSL options. advertise TLS but don't insist on it.
tls_advertise_hosts=*
tls_certificate=/var/cert/securemail.your.site.cert
tls_privatekey=/var/cert/securemail.your.site.key
tls_verify_hosts= *
# Remove the queue runner logs and add logging of the interface, protocols
# and connections. Useful for debugging when users are having difficulty
# configuring and connecting. Many ISPs use Transparent Proxying
log_selector= +incoming_interface -queue_run +smtp_protocol_error
+smtp_syntax_error +smtp_connection
# SMTP input limits. Some connections are reserved for local users.
smtp_accept_max=200
smtp_accept_queue=150
smtp_accept_reserve=10
smtp_reserve_hosts=130.88.0.0/16
smtp_connect_backlog=100
# Overloading
queue_only_load=5
deliver_queue_load_max=7
# Message size limits
message_size_limit=10M
return_size_limit=65535
# Spool space check
check_spool_space=100M
# directory splitting
split_spool_directory
# Parallel remote deliver
remote_max_parallel = 10
# My system filter is to create extra logging info for X-Mailer info.
system_filter=/etc/systemfilter
system_filter_user=exim
# Listen of multiple interfaces to defeat transparent proxying
local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587
# Only accept local traffic and authenticated stuff.
# Error message points to useful web page.
acl_check_rcpt:
accept hosts = :
deny local_parts = ^.*[@%!/|]
require verify = sender
accept authenticated = *
deny message = Not authenticated, see http://www.useful.web.page/
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
# Manual route to force all traffic through our hubs which handle all
# the alias expansion, domain routing etc.
# I add an X header for audit trail purposes but no more information that
# would be expected from a legitimate email. Don't want to upset the DPA
# people
smarthost:
driver = manualroute
headers_add =X-Authenticated-Sender: ${lookup ldap\
{ldap:///o=ac,c=uk?cn?sub?(&(uid=$authenticated_id))}{$value}{no}} from \
${sender_fullhost}\nX-Authenticated-From: ${lookup ldap\
{ldap:///o=ac,c=uk?mail?sub?(&(uid=$authenticated_id))}{$value}{no}}
transport = remote_smtp
domains = ! +local_domains
route_list=* mailrouter.your.site
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
# All other routes as per normal...
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# This only supports PLAIN and LOGIN due to the nature of our LDAP server.
begin authenticators
plain:
driver= plaintext
public_name = PLAIN
server_condition="${lookup ldap {user=\"${lookup \
ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{$value}{no}}\" pass=$3 \
ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{yes}{no}}"
server_set_id = $2
login:
driver = plaintext
public_name= LOGIN
server_prompts = "Username:: : Password::"
server_condition="${lookup ldap {user=\"${lookup \
ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{$value}{no}}\" pass=$2 \
ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{yes}{no}}"
server_set_id=$1
# End of Exim configuration file
##########################################################################
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
a4080654d049ad31b216b761b9173c1f
>
files
>
33
