
Exim configuration in Stretch



Hi,

while checking if the Thunderbird setup instructions are still ok for 
Stretch, I found out that SMTP configuration now requires choosing:
(1) no connection security and
(2) no authentication. 

This is due to a changed Exim configuration via commit 4beb721:

commit 4beb72119c924aff4f2c6c4353d4f49e5f82f32f
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Wed Oct 14 12:15:18 2015 +0200

    exim4 mainserver configuration: Allow Debian Edu clients on the 
default Debian Edu network to directly send mails to the main server (by 
white- listing the 10./8 network). This fixes console mailing and system 
mails on Debian Edu clients (Closes: #794602).

diff --git a/debian/changelog b/debian/changelog
index 7acaa265..6d343687 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -35,6 +35,10 @@ debian-edu-config (1.819) UNRELEASED; urgency=low
     #798435).
   * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000).
   * Drop deprecated README.ldap file. (Closes: #621787).
+  * exim4 mainserver configuration: Allow Debian Edu clients on the default
+    Debian Edu network to directly send mails to the main server (by white-
+    listing the 10./8 network). This fixes console mailing and system mails
+    on Debian Edu clients (Closes: #794602).
 
  -- Petter Reinholdtsen <pere@debian.org>  Sat, 16 May 2015 23:12:06 +0200
 
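Review bot: The new changelog entry writes the whitelisted network as "10./8", which is not valid CIDR notation; spell it out as 10.0.0.0/8 so the scope is unambiguous. The entry should also state that these hosts are now accepted ahead of the authentication and sender checks in acl_check_rcpt, since that is a behaviour change an administrator reading the changelog needs to see.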
diff --git a/etc/exim4/exim-ldap-server-v4.conf b/etc/exim4/exim-ldap-server-v4.conf
index 7b3fbc15..c2a2a3e7 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -192,14 +192,15 @@ acl_check_rcpt:
   # Make sure users can not fake sender address vis SMTP.  Reject
   # unauthenticated connections and check that the sender is the same
   # as the Kerberos ID.
+  accept  hosts = :
+  accept  hosts = +relay_hosts
+
   deny  !authenticated = *
         message = SMTP server requires authentication. Check your SMTP client configuration.
   deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}}
         message = Sender address $sender_address conflicts with authentication $authenticated_id.
 
-  accept  hosts = :
   accept  domains = +local_domains
-  accept  hosts = +relay_hosts
   deny    message = relay not permitted
 
 # ACL that is used after the DATA command
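Review bot: Placing `accept  hosts = +relay_hosts` above `deny  !authenticated = *` means any host matching +relay_hosts is accepted before the authentication requirement and the `$authenticated_id` sender comparison are evaluated, so neither check applies to those hosts. That contradicts the comment directly above the added lines ("Make sure users can not fake sender address"), which now sits over two accept statements instead of the deny statements it describes. If the aim is only to let clients deliver unauthenticated system mail, keep a sender check for relay hosts or narrow the accept with an additional condition, and move the comment back above the deny rules.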
(END)

Such a configuration allows users to send mails with a faked sender 
address. I believe that fixing #794602 shouldn't introduce a side effect 
like this one. 

Wolfgang
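
The effect of the reordering described in this mail, modelled as an added example (not part of the original message or of debian-edu-config). It evaluates the rules of `acl_check_rcpt` first-match, in the order shown before and after the hunk; the `10.0.0.0/8` relay network, the `intern` local domain and the sample messages are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions: +relay_hosts is 10.0.0.0/8 (per the commit message) and
# +local_domains contains "intern"; neither list definition is on the page.
RELAY_NET = ipaddress.ip_network("10.0.0.0/8")
LOCAL_DOMAINS = {"intern"}

def local_submission(m):   # hosts = :  (empty host, not received over TCP/IP)
    return m["host"] == ""
def relay_host(m):         # hosts = +relay_hosts
    return m["host"] != "" and ipaddress.ip_address(m["host"]) in RELAY_NET
def unauthenticated(m):    # !authenticated = *
    return m["auth_id"] is None
def id_mismatch(m):        # $authenticated_id != $sender_address_local_part@INTERN
    return m["auth_id"] != m["sender"].split("@")[0] + "@INTERN"
def local_rcpt(m):         # domains = +local_domains
    return m["rcpt"].split("@")[1] in LOCAL_DOMAINS
def always(m):
    return True

AUTH = [("deny", unauthenticated, "authentication required"),
        ("deny", id_mismatch, "sender conflicts with authentication")]
TAIL = [("accept", local_rcpt, "local domain"),
        ("deny", always, "relay not permitted")]
HOSTS = [("accept", local_submission, "local submission"),
         ("accept", relay_host, "relay host")]

# Rule order before and after commit 4beb721, taken from the hunk.
BEFORE = AUTH + [HOSTS[0], TAIL[0], HOSTS[1], TAIL[1]]
AFTER = HOSTS + AUTH + TAIL

def check_rcpt(acl, m):
    """Return (verb, reason) of the first statement whose condition matches."""
    for verb, cond, reason in acl:
        if cond(m):
            return verb, reason
    return "deny", "implicit deny at end of ACL"

# Constructed sample: a client on 10.0.0.0/8 claiming another user's address.
SPOOF_NOAUTH = {"host": "10.0.2.15", "auth_id": None,
                "sender": "headmaster@intern", "rcpt": "teacher@intern"}
SPOOF_AUTHED = dict(SPOOF_NOAUTH, auth_id="pupil@INTERN")
HONEST = dict(SPOOF_NOAUTH, auth_id="headmaster@INTERN")

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        for m in (SPOOF_NOAUTH, SPOOF_AUTHED, HONEST):
            print(name, m["auth_id"], m["sender"], "->", check_rcpt(acl, m))
```

In this model the two deny rules are only reached by hosts outside the relay network once the accepts are moved to the top.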
