I use Debian 7.x amd64 + Exim 4.82 on a dedicated server, and I also have a working SMTP server on a shared hosting. I would like to set up an SMTP on my VPS that will have some special delivery scripts/filters (e.g. send a copy of all the outgoing emails for some accounts).
Currently the situation on the VPS is the following:
- it sends local (inbound) email via smart-host without any authentication
- it sends all the outbound email via smart-host without any authentication <== Unwanted behavior
- if the SMTP client has authentication type set to "Normal password" it asks for the credentials and delivers email correctly
- all the above cases behave in the same way with or without TLS encryption enabled on client side
/etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='myhost.mycompany.com; localhost'
dc_local_interfaces='127.0.0.1; xxx.xxx.xxx.xxx'  # public IPv4 address
dc_readhost='mycompany.com'
dc_relay_domains='*'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.external.com'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
/etc/exim4/passwd.client
content:
*:smtp.external.com:secret
I have generated self-signed certificates and enabled TLS in /etc/exim4/exim4.conf.localmacros:
MAIN_TLS_ENABLE = 1
I've tried to use plan_text and plain_login, now I'm using saslauthd (I'm sure it works, because I've already tested it previously with postfix).
exim -bP authenticator_list
output:
plain_saslauthd_server
login_saslauthd_server
cram_md5
plain
login
telnet myhost.mycompany.com 25
output:
EHLO test
250-myhost.mycompany.com Hello xxxxxxxxx [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
...
AUTH PLAIN <random string>
503 AUTH command used when not advertised
I assume that it's because no authenticator is advertised (there is no 250-AUTH... row in the EHLO response), but by default ALL the standard authenticators have this condition:
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
So I assume that I have to add AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to my /etc/exim4/exim4.conf.localmacros file to get the server_advertise_condition condition processed, but it won't be considered anyway if the client doesn't have TLS encryption enabled (am I right?).
So I'm a little bit confused about what to do now. I want my configuration to work as follows:
- local fetchmail (mail) requests are routed locally without any authentication (i.e. cron jobs)
- remote (plain or encrypted, it doesn't matter) requests should work from any destination (my colleagues' laptops) to any other destination (our customers) routing through an external SMTP (smarthost) and MUST require user authentication, otherwise it will reject/deny the request
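
The EHLO reply quoted in the question can be checked mechanically for where AUTH is offered. The following is an added example, not part of the original post: it parses multi-line EHLO replies and reports the AUTH mechanisms advertised before and after STARTTLS. The function names and the post-STARTTLS reply are constructed for illustration.

```python
import re

# EHLO reply copied from the question (plaintext session, before STARTTLS).
EHLO_PLAINTEXT = """\
250-myhost.mycompany.com Hello xxxxxxxxx [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
"""
# Constructed sample (assumption): the reply after STARTTLS, once
# server_advertise_condition expands to "*" because $tls_in_cipher is set.
EHLO_AFTER_TLS = """\
250-myhost.mycompany.com Hello xxxxxxxxx [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
"""
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for the extensions in a multi-line EHLO reply."""
    lines = [l for l in reply.splitlines() if l.strip()]
    ext = {}
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-" marks a continuation; only the final line may use "250 ".
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("bad continuation marker: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not an extension
        text = m.group(3)
        if text.upper().startswith("AUTH="):  # legacy "AUTH=LOGIN" form
            text = "AUTH " + text[5:]
        words = text.upper().split()
        if words:
            ext.setdefault(words[0], []).extend(words[1:])
    return ext

def auth_exposure(plaintext_reply, tls_reply):
    """Report where AUTH is offered; AUTH offered before TLS exposes passwords."""
    before, after = parse_ehlo(plaintext_reply), parse_ehlo(tls_reply)
    return {"starttls_offered": "STARTTLS" in before,
            "auth_before_tls": before.get("AUTH", []),
            "auth_after_tls": after.get("AUTH", [])}
```

A real post-STARTTLS reply can be captured with `openssl s_client -starttls smtp -connect myhost.mycompany.com:25` and then typing EHLO.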