
Mailing List Archive: exim: users

Realming authenticated users

 

 



rblayzor.bulk at inoc

Jul 9, 2012, 9:31 AM

Post #1 of 3 (234 views)
Realming authenticated users

Looking for a possible way to "realm" users who use SMTP authentication.

Currently looking to use the Dovecot authenticator driver.


We have several ISP domains on their own IP address on the same Exim server. When a user authenticates they may or may not have their full email address as the login. Obviously we'd like the fully "realmed" login to be there, i.e.: user [at] isp123

So if a name comes in that does not have a full email address, we want to look at re-writing the username before it's handed off to the authenticator. If it already has a realm (no matter what it is), we just pass it through.

We're hopefully looking to use the expansion string {$received_ip_address}, which would allow us to build a map file of IP address to domain.

Possible?

--
Robert Blayzor
INOC, LLC
rblayzor [at] inoc
http://www.inoc.net/~rblayzor/




--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


mcn4 at leicester

Jul 9, 2012, 9:44 AM

Post #2 of 3 (235 views)
Re: Realming authenticated users [In reply to]

On Mon, Jul 09, 2012 at 12:31:06PM -0400, Robert Blayzor wrote:
> We're hopefully looking to use the expansion string
> {$received_ip_address}, which would allow us to build a map file of IP
> address to domain.
>
> Possible?

Something like

AUTH1LOOKUP = ${if eq{${domain:$auth1}}{}\
{$auth1@${lookup{$received_ip_address}lsearch{/lookup/file}{$value}fail}}\
{$auth1}}

server_set_id = AUTH1LOOKUP
server_condition = ...test access here using AUTH1LOOKUP as the username...

maybe?

Totally untested, but might be the right direction you want to go
in. Although preferably I'd just block access from non-qualified
usernames and tell them to fix their system, otherwise you'll be
forever maintaining a 'fix-up' list when they move IP, etc.

Matthew


--
Matthew Newton, Ph.D. <mcn4 [at] le>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp [at] le>
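
Added example, not part of the original thread and not Exim code: a Python model of the realming rule discussed above, for checking an IP-to-realm map file offline before it goes into a live configuration. The sample map, the function names and the choice to reject logins such as "user@" are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample map (documentation addresses), lsearch style: key, optional
# colon, value. IPv6 keys are double-quoted because they contain colons.
SAMPLE_MAP = '''\
# listening IP      realm
192.0.2.10:         isp123.example
192.0.2.11          isp456.example
"2001:db8::25":     isp789.example
'''

LINE = re.compile(r'^(?:"([^"]+)"|([^\s:"]+))(?:\s*:\s*|\s+)(\S+)$')

class RealmError(Exception):
    """Login cannot be qualified; the caller should refuse authentication."""

def parse_map(text):
    """Return {ip_address: realm}; reject malformed or duplicate entries."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        ip = ipaddress.ip_address(m.group(1) or m.group(2))  # ValueError if not an IP
        if ip in table:
            raise ValueError(f"line {lineno}: duplicate key {ip}")
        table[ip] = m.group(3).lower()
    return table

def realm_login(login, received_ip, table):
    """Qualify a bare login with the realm of the IP the connection arrived on."""
    local, at, domain = login.rpartition("@")
    if at:
        if not local or not domain:
            raise RealmError(f"malformed login {login!r}")
        return login  # already has a realm, whatever it is: pass through
    if not login:
        raise RealmError("empty login")
    realm = table.get(ipaddress.ip_address(received_ip))
    if realm is None:
        # Same role as "fail" in the lookup: never hand on a bare username.
        raise RealmError(f"no realm mapped for {received_ip}")
    return f"{login}@{realm}"
```

The model compares normalised IP addresses, whereas lsearch matches keys as strings, so the map keys must be written in the same textual form that $received_ip_address produces.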



rblayzor.bulk at inoc

Jul 9, 2012, 10:10 AM

Post #3 of 3 (231 views)
Re: Realming authenticated users [In reply to]

On Jul 9, 2012, at 12:44 PM, Matthew Newton wrote:
> AUTH1LOOKUP = ${if eq{${domain:$auth1}}{}\
> {$auth1@${lookup{$received_ip_address}lsearch{/lookup/file}{$value}fail}}\
> {$auth1}}
>
> server_set_id = AUTH1LOOKUP
> server_condition = ...test access here using AUTH1LOOKUP as the username...
>
> maybe?
>
> Totally untested, but might be the right direction you want to go
> in. Although preferably I'd just block access from non-qualified
> usernames and tell them to fix their system, otherwise you'll be
> forever maintaining a 'fix-up' list when they move IP, etc.


Unfortunately that would be several thousand users, and legacy ISPs don't like to change a lot. The only IPs that would possibly change are the server IPs, which would be very rare.

I'll look at what you have, it's a good starting point, thanks.

--
Robert Blayzor
INOC, LLC
rblayzor [at] inoc
http://www.inoc.net/~rblayzor/




