Exim

exim: verify aliases against authenticated users?

  • December 23, 2015

Is it possible to verify sender aliases against the authenticated user without rewriting the From field? For example, given a (very simplified) alias file such as:

a1@example.com:       user1@mydomain.com
a2@other.example.com: user1@mydomain.com
a3@example.com: a4@example.com
a4@example.com:       user1@mydomain.com

a5@example.com:       user2@mydomain.com

I would like authenticated user1 to be able to send as a1, a2, a3 or a4@example.com but not as a5@example.com, and I want only authenticated user2 to be able to send as a5@example.com. I also want them to be able to use the alias in the From: field of the emails they send (i.e. I don't want Exim to rewrite the From/Sender fields, e.g. with "control=submission").

Functionally, this would require Exim to reduce the sender alias to the final routable address and then give me access to that value in the ACL so I can compare it with the authenticated user. I thought verify=sender would do this, but testing doesn't show that to be the case.

In my acl_check_rcpt I tried the following with no effect, since any authenticated user can still send as any valid alias or other local user, and $sender_address is the alias rather than the underlying real account:

 accept
   authenticated = *
   verify = sender
   logwrite = authenticated user '$authenticated_id' sending as '$sender_address' which \
       is '$sender_address_data' or '$address_data', if error: '$sender_verify_failure'

According to the Exim documentation (section 26), $sender_address_data should contain the result of the sender lookup after verify = sender, but the log shows that the variable is always empty:

authenticated user 'user1' sending as 'a5@example.com' which is '' or '', if error: ''

(Note that control=submission has little effect on this beyond rewriting the From/Sender headers.)

Am I just doing something wrong? Is there a way to verify that an authenticated user can legitimately send from the alias they are sending as?

I got this working; here is what I did.

First, in every router that handles local users, set the Exim variable address_data to ${local_part}:

real_local:
 driver              = accept
 domains             = +local_domains
 local_part_prefix   = real-
 check_local_user
 transport           = LOCAL_DELIVERY
 # Set this so acl can use it
 address_data        = ${local_part}

Then set up an ACL to check the sender against the authenticated user:

acl_smtp_mail = acl_check_sender_vs_auth

and have the new ACL compare the authenticated user with the value of the address_data variable, making sure they are the same:

# Ensure that the MAIL FROM: address matches what the authenticated
# user is, if authentication is used
acl_check_sender_vs_auth:
   accept
      authenticated = *
      # verify MUST be above condition to resolve $sender_address_data
      verify = sender
      condition = ${if eqi{$authenticated_id}{$sender_address_data}{yes}{no}}
      endpass
      logwrite = AUTH OK - authenticated user '$authenticated_id' sending email from '$sender_address', which belongs to '$sender_address_data'

   deny
      authenticated = *
      # verify MUST be above condition to resolve $sender_address_data
      verify = sender
      !condition = ${if eqi{$authenticated_id}{$sender_address_data}{yes}{no}}
      message = User '$authenticated_id' tried to send mail from '$sender_address', but that email address belongs to someone else
      logwrite = AUTH ERROR - authenticated user '$authenticated_id' tried sending from '$sender_address', but that address belongs to '$sender_address_data'

   accept

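As an added example that is not part of the original post: the router chain that turns the question's alias file into the $sender_address_data the ACL above compares. It assumes the alias file is at /etc/exim4/virtual_aliases (keyed by full address, as in the question's sample), that +local_domains covers mydomain.com and LOCAL_DELIVERY is defined as in the original configuration, and it drops the local_part_prefix from the original router so that address_data is the bare account name.

```exim
begin routers

# 1. Alias expansion for the question's alias file, keyed by full address
#    (assumed path). a3@example.com -> a4@example.com is followed because
#    each generated child address is routed again from the top of the
#    router list.
virtual_aliases:
  driver  = redirect
  domains = example.com : other.example.com
  data    = ${lookup{$local_part@$domain}lsearch{/etc/exim4/virtual_aliases}}
  # An address that is not in the file is not handed to later routers, so a
  # MAIL FROM with an unknown alias fails "verify = sender" instead of
  # being routed somewhere else.
  no_more

# 2. Final router for real mailboxes. The address_data set here is what
#    "verify = sender" leaves in $sender_address_data for the ACL.
real_local:
  driver       = accept
  domains      = +local_domains
  check_local_user
  transport    = LOCAL_DELIVERY
  address_data = ${local_part}

# Worked trace of the ACL shown above for MAIL FROM:<a3@example.com> in an
# authenticated session with $authenticated_id = user1:
#   verify = sender routes a3@example.com
#     virtual_aliases -> a4@example.com
#     virtual_aliases -> user1@mydomain.com
#     real_local      -> address_data = user1
#   $sender_address_data = user1, eqi{user1}{user1} is true -> accept
#
# Same session, MAIL FROM:<a5@example.com>:
#     virtual_aliases -> user2@mydomain.com
#     real_local      -> address_data = user2
#   eqi{user1}{user2} is false -> the deny statement rejects MAIL FROM
```

Because the final `accept` in the ACL above has no conditions, an authenticated session whose MAIL FROM fails verification entirely (an alias that is in none of the files) still falls through to it; a `deny` with `authenticated = *` and `!verify = sender` placed before that `accept` closes that path.
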
Source: https://serverfault.com/questions/731208